Isovalent Enterprise for Tetragon Released
November 02, 2023

Isovalent announced the general availability of Isovalent Enterprise for Tetragon, extending the existing open source Cilium Tetragon project that provides kernel-level programmability for runtime Kubernetes security use cases.

Cilium Tetragon, an open source project within the Cloud Native Computing Foundation (CNCF) and a sub-project of Cilium, has reached a significant milestone with the OSS 1.0 release. Just as Cilium gave platform teams a standard interface and greatly improved performance in Kubernetes networking, Tetragon harnesses the power of eBPF to define how security and operations teams instrument Kubernetes runtime security, with lower overhead, higher performance, and a richer stream of data closer to the kernel and beyond the limited telemetry purview of security scanners.

Tetragon is an eBPF-based security observability and runtime enforcement platform designed to give security and operations teams richer telemetry data for runtime security, while eliminating the performance overhead of proprietary security vendors' agents. Isovalent extends the open source project with enterprise features that extend security teams' visibility into L7 networking events (HTTP, DNS, TLS/SSL handshake analysis), add granular control over Tetragon security policies and workflows, improve in-kernel smart collection for lower CPU and memory overhead, and more. In benchmarking comparisons, Tetragon's kernel-based runtime telemetry collection resulted in near-baseline overhead and minimal resource utilization across core security and observability use cases.

Tetragon is built around eBPF and in-kernel filtering and aggregation logic, providing deep visibility without traditional agents or application changes. It gives platform and security teams a powerful observability layer that can introspect the entire system, ranging from low-level kernel visibility that tracks file accesses, network activity, or capability changes, all the way up into the application layers, covering aspects such as function calls into vulnerable libraries, process execution tracing, and the HTTP requests made.

Tetragon is able to enforce security policies across the operating system in a real-time, preventive manner instead of reacting to events asynchronously. It can specify allow lists for access control at several layers. Security policies can be injected via Kubernetes (CRDs), a JSON API, or systems such as Open Policy Agent (OPA).

"As Cilium standardized the Kubernetes networking experience across cloud providers and infrastructure, with Tetragon we're seeking to give platform and security teams the same experience for runtime security," said Thomas Graf, Cilium Creator and CTO and co-founder at Isovalent. "And by bringing Kubernetes security observability and enforcement closer to the kernel, we're giving you deeper visibility and control combined with incredible performance gains compared to existing technologies."

With Tetragon, every file, system interaction, network interaction, escalation of privileges, every process ever executed or network port opened is observable to security teams. This degree of granularity, made possible by Tetragon's eBPF and Cilium-based close-to-the-kernel lineage, lets platform teams extract only what they need while defining filters and aggregations based on high-level signals.

With its origins as a security primitive inside of Cilium, Tetragon also gives platform teams the advantage of combining network and runtime visibility. By using Cilium as the networking layer to connect workloads across cloud, on-prem and edge, and deploying Tetragon for runtime security, platform teams get a single Kubernetes-optimized operating model for their entire infrastructure, complete with a distributed firewall.
