In modern IT architectures, perimeter firewalls are no longer enough to stop threats. Tetragon uses eBPF to push security enforcement down into the Linux kernel itself, where it can block malicious activity in real time.
To give stakeholders from different backgrounds a shared understanding, we explain it from two perspectives.
Legacy security tools such as log analysis are like CCTV cameras. They record the thief in the act, but by the time you review the footage the thief, and your data, are long gone. This is "asynchronous detection".
Sidecar proxies are like a security checkpoint at every door. They can block threats, but everyone has to queue to get in and out (latency), the whole building (the server) becomes congested, performance drops, and the checkpoint can be bypassed.
Tetragon is like the immune cells that live directly in the bloodstream (the kernel). As soon as it recognises a virus (a malicious process) it neutralises it (Kill) on the spot, without waiting for instructions from the brain. This is "synchronous enforcement".
Using eBPF (Extended Berkeley Packet Filter), Tetragon safely and dynamically traces kernel functions (kprobes, tracepoints) without modifying kernel source code or loading risky kernel modules.
Standard eBPF tools only see PIDs and IPs. Tetragon maintains in-kernel state tables that map low-level syscalls, at the moment they occur, to Kubernetes metadata such as Pods, Namespaces and Services.
What sets Tetragon apart is that it is not merely an observer. It uses the `bpf_send_signal` helper to terminate a process directly from kernel space *before* the malicious syscall completes, closing the TOCTOU window between detection and response.
How Tetragon intercepts a malicious file write request at the kernel layer.
In mission-critical systems, security cannot come at the cost of performance.
Traditional tools (such as ptrace or user-space agents) must repeatedly copy data back and forth between user space and kernel space. This is like driving to the post office for every single letter.
Tetragon runs inside the kernel, so the data is processed where it already lives, like handling the letter in your own living room without going out. This brings the performance overhead down from a typical 15-20% to under 1%.
Threat: An attacker modifies /etc/passwd or /etc/ld.so.preload to gain persistence.
Action: Configure Tetragon to monitor `write` syscalls on these sensitive paths and kill the process the instant the policy triggers.
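A TracingPolicy for this scenario, written here as an added example rather than taken from the page or from the Tetragon project. It follows the TracingPolicy schema that Tetragon documents, but instead of hooking the `write` syscall itself it attaches to the kernel's `security_file_permission` LSM hook: that hook sees a write regardless of which syscall issued it (`write`, `pwrite`, `writev`) and exposes the target as a `file` argument that Tetragon resolves to a path. The policy name, the path list and the hook choice are this example's assumptions.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "block-persistence-file-writes"   # example name, not from the page
spec:
  kprobes:
  - call: "security_file_permission"      # LSM hook; sees write/pwrite/writev alike
    syscall: false
    args:
    - index: 0
      type: "file"                        # struct file *, resolved to a path
    - index: 1
      type: "int"                         # access mask: 0x02 = MAY_WRITE, 0x04 = MAY_READ
    selectors:
    - matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "/etc/passwd"
        - "/etc/ld.so.preload"
      - index: 1
        operator: "Equal"
        values:
        - "2"                             # MAY_WRITE only; reads of these files stay allowed
      matchActions:
      - action: Sigkill                   # delivered from kernel context before the write lands
```

Apply it with `kubectl apply -f` and watch the resulting events with `tetra getevents -o compact`. Two practical caveats: legitimate administration tools (for example `useradd` or `passwd`) also write /etc/passwd, so in production you would narrow the selector further with `matchBinaries` or namespace filters rather than killing every writer; and both selector clauses in one `matchArgs` list must match for the action to fire, which is what keeps read access unaffected.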
Threat: An application vulnerability lets an attacker spawn a shell that connects back to an external C2 server.
Action: Monitor `connect` and `execve`. If the connecting process is not an approved binary, block the network connection.
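An added example for this scenario, not code from the page or from the Tetragon project. It uses the documented `tcp_connect` kprobe with a `sock` argument, which fires in the kernel before the SYN is sent, and a `matchBinaries` selector so that only connections from processes outside an allowlist are killed. Process execution (`execve`) needs no extra policy, since Tetragon emits `process_exec` events by default and records the binary path used here. The policy name and the allowlisted binary path are assumptions.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "kill-unexpected-outbound-connect"   # example name, not from the page
spec:
  kprobes:
  - call: "tcp_connect"                       # kernel TCP connect path, hit before the SYN leaves
    syscall: false
    args:
    - index: 0
      type: "sock"                            # struct sock *, exposes saddr/daddr/ports
    selectors:
    - matchArgs:
      - index: 0
        operator: "NotDAddr"                  # leave loopback traffic alone
        values:
        - "127.0.0.1"
      matchBinaries:
      - operator: "NotIn"                     # any process that is NOT an approved binary
        values:
        - "/usr/local/bin/app-server"         # example allowlist entry (assumed path)
      matchActions:
      - action: Sigkill
```

The binary path compared by `matchBinaries` is the one recorded at exec time, so a shell spawned by the vulnerable app is matched as `/bin/sh` (or whatever it is), not as the parent application. Because the kill happens at `tcp_connect`, the outbound connection is terminated before any packet reaches the C2 host; the event Tetragon emits still carries the destination address and the Pod and Namespace metadata for the SOC to follow up on.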
Threat: A privileged container attempts to mount the host filesystem or to reach resources outside its own Namespace.
Action: Enforce a strict Namespace isolation policy and deny illegitimate Capability escalation.
Tetragon is managed through Kubernetes CRDs (Custom Resource Definitions), which keeps policies simple and readable.
Try operating the system as an attacker would, and notice how quickly eBPF responds.