What This Cheat Sheet Covers
This topic spans 16 focused tables and 137 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
- Table 1: Architecture and CNCF Positioning
- Table 2: TracingPolicy CRD Structure
- Table 3: Hook Points
- Table 4: Selector Filters
- Table 5: Enforcement Actions and Modes
- Table 6: Event Types and Output
- Table 7: Kubernetes Identity-Aware Policies
- Table 8: Installation and Deployment
- Table 9: Persistent Enforcement and Policy Lifecycle
- Table 10: File System and Credential Monitoring
- Table 11: Network Observability
- Table 12: Observability Policy Library
- Table 13: Performance and Metrics
- Table 14: SIEM and Alerting Integrations
- Table 15: Tetragon vs Falco Trade-offs
- Table 16: Troubleshooting and Diagnostics
Table 1: Architecture and CNCF Positioning
| Concept | Example | Description |
|---|---|---|
| Tetragon | Isovalent (Cisco 2024), CNCF sub-project of Cilium | • eBPF-based security observability and runtime enforcement tool • runs programs directly in the Linux kernel • no kernel patches or modules required |
| eBPF | /sys/fs/bpf/tetragon (pinned BPF maps) | • Extended Berkeley Packet Filter lets sandboxed programs run in the Linux kernel • Tetragon uses eBPF for in-kernel filtering and enforcement without kernel/userspace boundary crossings |
| Deployment model | tetragon DaemonSet + tetragon-operator Deployment | • Tetragon agent (DaemonSet) runs on every node • operator handles CRD lifecycle • BPF programs loaded per node at startup and when policies are applied |
| Cilium integration | Cilium ecosystem: Tetragon for enforcement, Hubble for observability | • CNCF sandbox → incubating project under the Cilium umbrella • integrates with Cilium for network policy and Hubble for network observability |