
Microsegmentation for developers | InfoWorld



This kind of context is essential. Say a pod attempts to exfiltrate data by making an outbound request to an external endpoint. In a conventional setup, you might see the egress traffic and block the IP. But that doesn't answer the real question: what process made the call, from which container, and what was it doing before that? Tetragon can tie the network flow to a specific binary running in a specific pod and enforce a policy that stops the behavior mid-execution. It's microsegmentation enforced at the level of identity and intent, not just connectivity.

Enforcing policies before bad behavior executes

Most cloud-native security tools generate alerts. They observe suspicious activity and send logs to SIEMs or dashboards for human triage. This model doesn't scale in Kubernetes. With thousands of ephemeral workloads, alert volume explodes and investigation timelines stretch past the point of usefulness. By the time a team sees the alert, the container may already be spun down.

Tetragon flips this model. Because it operates in the kernel using eBPF, it can filter, aggregate, and act on events before they leave the host. It doesn't just report suspicious behavior; it can stop it. For example, if a container starts an unexpected shell process, Tetragon can issue a SIGKILL or an override immediately. If a file access doesn't match policy, the action can be blocked at run time, not merely logged for later analysis. Developers can write Kubernetes-native policies that define exactly what processes are allowed to run, what files they can touch, and where they can connect.
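As an added illustration (not code from the article or from the Tetragon project), here is a Tetragon TracingPolicy that enforces the two behaviors just described: it kills any process in the selected pods that opens a TCP connection outside a set of internal address ranges, and it makes reads of private key material fail with an error instead of merely logging them. The pod label `app: payments`, the policy name, the address ranges and the protected path are assumptions; the Override action only takes effect on kernel functions for which the running kernel permits error injection, so the second rule needs to be verified on the target kernel.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: payments-egress-and-secrets-guard   # hypothetical name
spec:
  # Scope enforcement to pods carrying this (assumed) label, so the
  # policy follows the workload identity rather than a node or IP.
  podSelector:
    matchLabels:
      app: payments
  kprobes:
  # Rule 1: any TCP connect whose destination is NOT inside the listed
  # internal ranges (placeholders for the cluster/VPC CIDRs) gets the
  # calling process killed before the handshake completes.
  - call: "tcp_connect"
    syscall: false
    args:
    - index: 0
      type: "sock"
    selectors:
    - matchArgs:
      - index: 0
        operator: "NotDAddr"
        values:
        - "127.0.0.0/8"
        - "10.0.0.0/8"
        - "172.16.0.0/12"
      matchActions:
      - action: Sigkill
  # Rule 2: file accesses under the protected directory are refused by
  # overriding the hook's return value with -1 (EPERM). The caller sees
  # an ordinary permission error instead of being killed, which is the
  # gentler "override" form of enforcement.
  - call: "security_file_permission"
    syscall: false
    args:
    - index: 0
      type: "file"
    - index: 1
      type: "int"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/ssl/private/"
      matchActions:
      - action: Override
        argError: -1
```

Each enforcement still emits a process event that names the binary, the pod and the parent process, so the action is both blocked and attributable without any separate alert pipeline.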
