What This Cheat Sheet Covers
This topic spans 16 focused tables and 137 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Architecture and CNCF PositioningTable 2: TracingPolicy CRD StructureTable 3: Hook PointsTable 4: Selector FiltersTable 5: Enforcement Actions and ModesTable 6: Event Types and OutputTable 7: Kubernetes Identity-Aware PoliciesTable 8: Installation and DeploymentTable 9: Persistent Enforcement and Policy LifecycleTable 10: File System and Credential MonitoringTable 11: Network ObservabilityTable 12: Observability Policy LibraryTable 13: Performance and MetricsTable 14: SIEM and Alerting IntegrationsTable 15: Tetragon vs Falco Trade-offsTable 16: Troubleshooting and Diagnostics
Table 1: Architecture and CNCF Positioning
Before writing a single policy it pays to understand where Tetragon sits β a Cilium sub-project that runs eBPF programs directly inside the Linux kernel for security observability and runtime enforcement, with no kernel modules or patches. The rows here cover the moving parts you actually touch: the per-node DaemonSet, the BTF/CO-RE machinery that lets one binary span kernel versions, the tetra CLI, and the gRPC API everything talks to.
| Concept | Example | Description |
|---|---|---|
Isovalent (Cisco 2024), CNCF sub-project of Cilium | β’ eBPF-based security observability and runtime enforcement tool β’ runs programs directly in the Linux kernel β’ no kernel patches or modules required | |
/sys/fs/bpf/tetragon β pinned BPF maps | β’ Extended Berkeley Packet Filter lets sandboxed programs run in the Linux kernel β’ Tetragon uses eBPF for in-kernel filtering and enforcement without kernel/userspace boundary crossings | |
tetragon DaemonSet + tetragon-operator Deployment | β’ Tetragon agent (DaemonSet) runs on every node β’ operator handles CRD lifecycle β’ BPF programs loaded per-node at startup and when policies are applied | |
Cilium ecosystem: Tetragon for enforcement, Hubble for observability | β’ CNCF sandbox β incubating project under Cilium umbrella β’ integrates with Cilium for network policy and Hubble for network observability |