eBPF Security Monitoring with Tetragon: The Kernel Doesn't Lie

Stop trusting your binaries. Seriously. If you are still relying on LD_PRELOAD hooks, userspace agents, or standard sidecars for security monitoring in 2025, you are securing a house by locking the screen door while leaving the basement window wide open. Advanced attackers don't knock; they manipulate library calls, replace binaries, or inject code directly into memory. They bypass your userspace tools entirely.

The only source of truth left is the kernel. The kernel cannot be gaslit. This is where eBPF (Extended Berkeley Packet Filter) changes the game, and specifically, where Isovalent's Tetragon becomes critical infrastructure.

The Gap in Norwegian Data Sovereignty

Operating out of Oslo, we face specific challenges. The Datatilsynet doesn't care if your intrusion detection system thought everything was fine. They care about what actually happened. Under strict GDPR interpretations and the lingering impact of Schrems II, you need cryptographic proof of what network connections your pods are opening. Are they talking to a server in Frankfurt, or did a supply-chain compromised library just ping a non-compliant endpoint in a restricted jurisdiction?

Most monitoring tools give you logs. Tetragon gives you syscall enforcement. It sits in the kernel, watching every process execution, network socket, and file access in real-time. It’s low overhead, high fidelity, and absolutely ruthless.

Why Tetragon? (And Why Your Kernel Matters)

Tetragon works by attaching eBPF programs to kernel tracepoints and kprobes. It doesn't just log events; it can kill a process the moment it tries to execute a prohibited syscall. This happens effectively at line-rate.

Pro Tip: eBPF requires a modern Linux kernel. Many budget VPS providers stick you on ancient kernels or restrictive virtualization technologies (like older Virtuozzo containers) that disable eBPF to save overhead. This is a security risk. At CoolVDS, our KVM instances run mainline kernels (6.x series) by default, ensuring full BTF (BPF Type Format) support required for modern observability tools.

War Story: The Invisible Miner

Last year, I audited a cluster for a fintech client. Their metrics looked fine. CPU usage was slightly elevated, but the node exporter didn't show any rogue processes. top and ps showed nothing. Why? Because the attacker had replaced the coreutils binaries with rootkits that filtered out their own process IDs.

However, once we loaded Tetragon, the silence broke. We immediately saw connect syscalls to a known mining pool IP. The userspace tools were lying. The kernel—via Tetragon—pointed the finger right at the compromised PID.

Deploying Tetragon on Kubernetes

Let's get technical. We will deploy Tetragon into a Kubernetes cluster. We assume you are running a compliant K8s distribution (v1.30+) on CoolVDS infrastructure.

First, add the Helm repo:

helm repo add cilium https://helm.cilium.io/
helm repo update
helm install tetragon cilium/tetragon -n kube-system

Once the daemonset is rolling, we need to verify it captures execution events. The default profile is usually generous. We want to be specific.

Use the tetra CLI (installed on the node or via a toolbox pod) to inspect events in real-time. This command gives you a raw JSON stream of everything happening on the node:

kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout -f | tetra getevents -o compact

Defining a Tracing Policy

Observability is nice, but enforcement is better. Let's create a TracingPolicy that detects and kills any process trying to modify /etc/passwd or /etc/shadow. This is a classic privilege escalation move.

Create a file named block-shadow-write.yaml:

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "block-shadow-writes"
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    - matchPIDs:
      - operator: NotIn
        followForks: true
        values:
        - 1 # Allow init/systemd
      matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/shadow"
        - "/etc/passwd"
      matchActions:
      - action: Sigkill

Apply this to your cluster:

kubectl apply -f block-shadow-write.yaml

Now, if an attacker gets a shell inside a pod and tries echo "hacker:..." >> /etc/shadow, the process doesn't just get permission denied—it gets SIGKILL immediately. The shell vanishes. The event is logged with the full context: namespace, pod, container image ID, and the exact arguments used.

Network Observability & GDPR

For Norwegian businesses, knowing where data flows is a legal requirement. Tetragon allows you to trace socket instantiation. Here is how you verify network egress at the kernel level, bypassing any proxy settings that might mask the destination.

Check your log output for connect events. You can filter this to specific namespaces.

{
  "process_kprobe": {
    "process": {
      "exec_id": "MTA6MTY2ODYy...",
      "pid": 1452,
      "binary": "/usr/bin/curl",
      "arguments": "https://untrusted-api.com/data",
      "pod": {
        "namespace": "payment-gateway",
        "name": "backend-7b9f6d9"
      }
    },
    "function_name": "tcp_connect",
    "args": [
      { "sock_addr": { "addr": "192.0.2.55", "port": 443 } }
    ]
  }
}

This JSON output confirms exactly what binary initiated the connection and where it went. No guesswork.

Performance Considerations

eBPF is efficient, but it is not magic. Attaching kprobes to high-frequency kernel functions (like scheduler events or memory allocation) can introduce overhead. In our benchmarks on CoolVDS NVMe-optimized instances, the overhead of standard Tetragon security profiles is negligible (<1% CPU). However, if you enable full L7 data extraction on high-throughput ingest nodes, you will see CPU usage climb.

Infrastructure matters. You need high single-core performance to handle the context switching and map lookups efficiently. We specifically tune our host nodes to minimize "noisy neighbor" interrupts, which is critical when you are running sensitive latency-bound instrumentation like this.

Conclusion: Trust the Architecture

Security in 2025 is about reducing the blast radius and increasing the cost of attack. By moving your monitoring into the kernel with Tetragon, you force attackers to burn zero-days just to evade detection. For Norwegian enterprises, this level of visibility isn't just "nice to have"—it is arguably the baseline for proving control over your data.

Don't let legacy virtualization hold back your security posture. You need a platform that exposes the modern kernel features eBPF relies on.

Ready to lock down your infrastructure? Deploy a CoolVDS KVM instance in Oslo today and start seeing what's actually happening on your servers.