CoursesRuntime & eBPF securityEnforcement: Tetragon & Cilium

Tetragon in-kernel enforcement

TracingPolicy and synchronous Sigkill.

Expert35 min · lesson 10 of 15

Falco detects; Tetragon can detect and enforce. Built on eBPF by the Cilium team, Tetragon adds in-kernel enforcement — synchronously killing a process when a policy matches — which closes the gap between seeing an attack and stopping it.

Observability plus in-kernel enforcement

Tetragon attaches eBPF programs that observe process execution, file access, network activity, and privilege changes with very low overhead, filtering in the kernel so only relevant events reach userspace. Its differentiator is enforcement: a TracingPolicy can specify an action — including SIGKILL — that the kernel applies the instant a matching event occurs, before the operation completes. A userspace detector like Falco reacts after the syscall returns; Tetragon can stop it mid-flight. Policies are Kubernetes CRDs, so enforcement is declarative and version-controlled alongside your other manifests.

a TracingPolicy that kills on a match
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata: { name: block-sensitive-read }
spec:
kprobes:
- call: "security_file_permission"
syscall: false
selectors:
- matchArgs:
- index: 0
operator: "Equal"
values: ["/etc/shadow"]
matchActions:
- action: Sigkill # kill the process reading /etc/shadow, in-kernel

When to choose enforcement

In-kernel enforcement is powerful precisely because it is synchronous — but that also means a bad policy can kill legitimate processes. Treat it like any enforcement rollout: begin in observation mode (Tetragon as a rich, low-overhead event source feeding your SIEM), identify the truly unambiguous conditions, and enable Sigkill actions in waves with careful validation. Tetragon and Falco are not mutually exclusive — many teams run Tetragon for low-overhead observability and targeted enforcement while keeping Falco’s mature rule ecosystem for broad detection.

Detect vs enforce timing
1malicious action
e.g. read /etc/shadow
2kernel hook (eBPF)
Tetragon evaluates in-kernel
3Sigkill action
process killed before it completes
4vs userspace alert
which fires after the fact
Enforcement closes the detect→respond gap to zero — at the cost of outage risk from a bad rule. Roll out in waves.
Enforcement rules are production-breaking if wrong
A Sigkill TracingPolicy that matches too broadly will terminate legitimate processes synchronously, causing immediate outages. Start every enforcement policy in observe mode, validate the match is unambiguous, and enable killing gradually — the power to stop an attack instantly is also the power to break production instantly.