implementing-runtime-security-with-tetragon
Implement eBPF-based runtime security observability and enforcement in Kubernetes clusters using Cilium Tetragon for kernel-level threat detection and policy enforcement.
Best use case
implementing-runtime-security-with-tetragon is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement eBPF-based runtime security observability and enforcement in Kubernetes clusters using Cilium Tetragon for kernel-level threat detection and policy enforcement.
Teams using implementing-runtime-security-with-tetragon should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/implementing-runtime-security-with-tetragon/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How implementing-runtime-security-with-tetragon Compares
| Feature / Agent | implementing-runtime-security-with-tetragon | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement eBPF-based runtime security observability and enforcement in Kubernetes clusters using Cilium Tetragon for kernel-level threat detection and policy enforcement.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Implementing Runtime Security with Tetragon
## Overview
Tetragon is a CNCF project under Cilium that provides flexible Kubernetes-aware security observability and runtime enforcement using eBPF. By operating at the Linux kernel level, Tetragon can monitor and enforce policies on process execution, file access, network connections, and system calls with less than 1% performance overhead -- far more efficient than traditional user-space security agents.
## When to Use
- When deploying or configuring implementing runtime security with tetragon capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Kubernetes cluster v1.24+ with Helm 3.x installed
- Linux kernel 5.4+ (5.10+ recommended for full eBPF feature support)
- kubectl access with cluster-admin privileges
- Familiarity with eBPF concepts and Kubernetes security primitives
## Core Concepts
### eBPF-Based Security
Tetragon attaches eBPF programs directly to kernel functions, enabling:
- **Process lifecycle tracking**: Monitor every process creation, execution, and termination across all pods
- **File integrity monitoring**: Detect unauthorized reads/writes to sensitive files
- **Network observability**: Track all TCP/UDP connections with full pod context
- **System call filtering**: Enforce policies on dangerous syscalls like ptrace, mount, or unshare
### TracingPolicy Custom Resources
Tetragon uses `TracingPolicy` CRDs to define what kernel events to observe and what actions to take:
```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-privilege-escalation
spec:
kprobes:
- call: "security_bprm_check"
syscall: false
args:
- index: 0
type: "linux_binprm"
selectors:
- matchBinaries:
- operator: "In"
values:
- "/bin/su"
- "/usr/bin/sudo"
- "/usr/bin/passwd"
matchNamespaces:
- namespace: Pid
operator: NotIn
values:
- "host_ns"
matchActions:
- action: Post
```
### Enforcement Actions
Tetragon can take three types of actions directly in the kernel:
1. **Sigkill**: Immediately terminate the offending process
2. **Signal**: Send a configurable signal to the process
3. **Override**: Override the return value of a kernel function to deny an operation
## Installation and Configuration
### Step 1: Install Tetragon with Helm
```bash
helm repo add cilium https://helm.cilium.io
helm repo update
helm install tetragon cilium/tetragon \
--namespace kube-system \
--set tetragon.enableProcessCred=true \
--set tetragon.enableProcessNs=true \
--set tetragon.grpc.address="localhost:54321"
```
### Step 2: Install the Tetragon CLI
```bash
GOOS=$(go env GOOS)
GOARCH=$(go env GOARCH)
curl -L --remote-name-all \
https://github.com/cilium/tetragon/releases/latest/download/tetra-${GOOS}-${GOARCH}.tar.gz
tar -xzvf tetra-${GOOS}-${GOARCH}.tar.gz
sudo install tetra /usr/local/bin/
```
### Step 3: Verify Installation
```bash
kubectl get pods -n kube-system -l app.kubernetes.io/name=tetragon
tetra status
```
## Practical Implementation
### Detecting Container Escape Attempts
Create a TracingPolicy to detect processes attempting to escape container namespaces:
```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-container-escape
spec:
kprobes:
- call: "__x64_sys_setns"
syscall: true
args:
- index: 0
type: "int"
- index: 1
type: "int"
selectors:
- matchNamespaces:
- namespace: Pid
operator: NotIn
values:
- "host_ns"
matchActions:
- action: Sigkill
```
### Monitoring Sensitive File Access
Detect reads of sensitive credentials:
```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: monitor-sensitive-files
spec:
kprobes:
- call: "security_file_open"
syscall: false
args:
- index: 0
type: "file"
selectors:
- matchArgs:
- index: 0
operator: "Prefix"
values:
- "/etc/shadow"
- "/etc/kubernetes/pki"
- "/var/run/secrets/kubernetes.io"
matchActions:
- action: Post
```
### Blocking Crypto-Miner Execution
Prevent known crypto-mining binaries from executing:
```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: block-cryptominers
spec:
kprobes:
- call: "security_bprm_check"
syscall: false
args:
- index: 0
type: "linux_binprm"
selectors:
- matchBinaries:
- operator: "In"
values:
- "/usr/bin/xmrig"
- "/tmp/xmrig"
- "/usr/bin/minerd"
matchActions:
- action: Sigkill
```
### Observing Events with Tetra CLI
Stream runtime events in real-time:
```bash
# Watch all process execution events
kubectl exec -n kube-system ds/tetragon -c tetragon -- \
tetra getevents -o compact --process-only
# Filter events for a specific namespace
kubectl exec -n kube-system ds/tetragon -c tetragon -- \
tetra getevents -o compact --namespace production
# Export events in JSON for SIEM integration
kubectl exec -n kube-system ds/tetragon -c tetragon -- \
tetra getevents -o json | tee /var/log/tetragon-events.json
```
## Integration with SIEM and Alerting
### Export to Elasticsearch
```yaml
# tetragon-helm-values.yaml
export:
stdout:
enabledCommand: true
enabledArgs: true
filenames:
- /var/log/tetragon/tetragon.log
elasticsearch:
enabled: true
url: "https://elasticsearch.monitoring:9200"
index: "tetragon-events"
```
### Prometheus Metrics
Tetragon exposes metrics at `:2112/metrics`:
```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: tetragon-metrics
namespace: kube-system
spec:
selector:
matchLabels:
app.kubernetes.io/name: tetragon
endpoints:
- port: metrics
interval: 15s
```
## Key Metrics and Alerts
| Metric | Description | Alert Threshold |
|--------|-------------|-----------------|
| `tetragon_events_total` | Total security events observed | Spike > 3x baseline |
| `tetragon_policy_events_total` | Events matching TracingPolicies | Any Sigkill action |
| `tetragon_process_exec_total` | Process executions tracked | Anomalous new binaries |
| `tetragon_missed_events_total` | Dropped events due to buffer overflow | > 0 sustained |
## References
- [Tetragon Official Documentation](https://tetragon.io/docs/)
- [Cilium Tetragon GitHub Repository](https://github.com/cilium/tetragon)
- [CNCF Tetragon Project Page](https://www.cncf.io/projects/tetragon/)
- [eBPF Security Observability with Tetragon - CoreWeave](https://docs.coreweave.com/security/tutorials/ebpf-observability)
- [Kubernetes Security: eBPF & Tetragon for Runtime Monitoring](https://medium.com/@noah_h/kubernetes-security-ebpf-tetragon-for-runtime-monitoring-policy-enforcement-819b6ed97953)Related Skills
world-runtime
Firecracker microVM + Morph Infinibranch WorldRuntime for parallel verse execution. Entities branch/snapshot in <250ms.
triaging-security-incident
Performs initial triage of security incidents to determine severity, scope, and required response actions using the NIST SP 800-61r3 and SANS PICERL frameworks. Classifies incidents by type, assigns priority based on business impact, and routes to appropriate response teams. Activates for requests involving incident triage, security alert classification, severity assessment, incident prioritization, or initial incident analysis.
triaging-security-incident-with-ir-playbook
Classify and prioritize security incidents using structured IR playbooks to determine severity, assign response teams, and initiate appropriate response procedures.
triaging-security-alerts-in-splunk
Triages security alerts in Splunk Enterprise Security by classifying severity, investigating notable events, correlating related telemetry, and making escalation or closure decisions using SPL queries and the Incident Review dashboard. Use when SOC analysts face queued alerts from correlation searches, need to prioritize investigation order, or must document triage decisions for handoff to Tier 2/3 analysts.
tizen-security-compliance
Maps security requirements to implementation. Coordinates compliance against FIPS 140-3, OCF, CommonCriteria, and Tizen specification.
testing-websocket-api-security
Tests WebSocket API implementations for security vulnerabilities including missing authentication on WebSocket upgrade, Cross-Site WebSocket Hijacking (CSWSH), injection attacks through WebSocket messages, insufficient input validation, denial-of-service via message flooding, and information leakage through WebSocket frames. The tester intercepts WebSocket handshakes and messages using Burp Suite, crafts malicious payloads, and tests for authorization bypass on WebSocket channels. Activates for requests involving WebSocket security testing, WS penetration testing, CSWSH attack, or real-time API security assessment.
testing-jwt-token-security
Assessing JSON Web Token implementations for cryptographic weaknesses, algorithm confusion attacks, and authorization bypass vulnerabilities during security engagements.
testing-api-security-with-owasp-top-10
Systematically assessing REST and GraphQL API endpoints against the OWASP API Security Top 10 risks using automated and manual testing techniques.
static-security-analyzer
Wrapper around Tizen Studio static analyzer. Detects memory leaks, buffer overflows, and coding vulnerabilities in C/C++/JavaScript.
security-requirement-extraction
Derive security requirements from threat models and business context. Use when translating threats into actionable requirements, creating security user stories, or building security test cases.
performing-wireless-security-assessment-with-kismet
Conduct wireless network security assessments using Kismet to detect rogue access points, hidden SSIDs, weak encryption, and unauthorized clients through passive RF monitoring.
performing-ssl-tls-security-assessment
Assess SSL/TLS server configurations using the sslyze Python library to evaluate cipher suites, certificate chains, protocol versions, HSTS headers, and known vulnerabilities like Heartbleed and ROBOT.