Monday, August 11, 2025

Microsegmentation for builders | InfoWorld

This sort of context is crucial. Say a pod attempts to exfiltrate data by making an outbound request to an external endpoint. In a conventional setup, you might see the egress traffic and block the IP. But that doesn't answer the real question: what process made the call, from which container, and what was it doing before that? Tetragon can tie the network flow to a specific binary running in a specific pod and enforce a policy that stops the behavior mid-execution. It's microsegmentation enforced at the level of identity and intent, not just connectivity.

Enforcing policies before bad behavior executes

Most cloud-native security tools generate alerts. They observe suspicious activity and ship logs to SIEMs or dashboards for human triage. This model doesn't scale in Kubernetes. With thousands of ephemeral workloads, alert volume explodes and investigation timelines stretch past the point of usefulness. By the time a team sees the alert, the container may already be spun down.

Tetragon flips this model. Because it operates in the kernel using eBPF, it can filter, aggregate, and act on events before they leave the host. It doesn't just report suspicious behavior; it can stop it. For example, if a container starts an unexpected shell process, Tetragon can issue a SIGKILL or an override immediately. If a file access doesn't match policy, the action can be blocked at run time, not merely logged for later review. Developers can write Kubernetes-native policies that define exactly what processes are allowed to run, what files they can touch, and where they can connect.
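As an added example (not code from the article or from the Tetragon project itself), this is the shape of such a Kubernetes-native policy: it hooks the kernel's file-descriptor installation path and kills, in-kernel, any shell inside pods labelled app=payments-api that opens the pod's service-account token, so the read is stopped rather than logged after the fact. The policy name, the app label and the shell paths are constructed, and podSelector assumes a Tetragon release that supports pod label selection.

```yaml
# Added example, not part of the article: a Tetragon TracingPolicy that enforces
# a file-access rule at the kernel boundary instead of emitting an alert.
# Assumptions: Tetragon is installed in the cluster, the workload pods carry the
# constructed label app=payments-api, and the release supports podSelector.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "deny-shell-token-read-payments"
spec:
  # Scope enforcement to one workload; pods without this label are untouched.
  podSelector:
    matchLabels:
      app: "payments-api"
  kprobes:
  # fd_install runs whenever a process obtains a new file descriptor, so it
  # covers open(), openat() and similar paths regardless of how libc got there.
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"    # the new descriptor number
    - index: 1
      type: "file"   # struct file *, which Tetragon resolves to a path
    selectors:
    - matchArgs:
      # Match only descriptors pointing at the mounted service-account token.
      - index: 1
        operator: "Prefix"
        values:
        - "/var/run/secrets/kubernetes.io/serviceaccount/token"
      # Only fire when the opener is an interactive shell, which this workload
      # is never expected to run; the application binary itself is unaffected.
      matchBinaries:
      - operator: "In"
        values:
        - "/bin/sh"
        - "/bin/bash"
        - "/usr/bin/sh"
        - "/usr/bin/bash"
      # Terminate the process before it can read the descriptor. The exec and
      # kill events are still exported, so the SIEM receives the full context.
      matchActions:
      - action: Sigkill
```

Apply it with kubectl apply -f and exercise it with kubectl exec into a matching pod and a cat of the token path; the shell should be killed and the event visible through tetra getevents.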
