Tetragon 1.7 ships five major features for eBPF-based runtime security observability. A new fentry sensor provides lower-overhead kernel function tracing compared to kprobes, though enforcement policies still require kprobes. Environment variable collection captures runtime process configuration into exec events, with optional redaction of sensitive values. A CEL-to-BPF compiler lets users write complex filtering expressions in Common Expression Language that are compiled to native BPF bytecode and evaluated in-kernel, eliminating userspace context-switch overhead. The matchParentBinaries selector enables filtering events based on parent process lineage, reducing false positives by considering execution context. Finally, the new hostSelector complements existing podSelector and containerSelector to scope tracing policies precisely to host, container, or pod workloads. The release also fixes critical memory leaks, improves ARM support, switches the gRPC server to UNIX domain sockets, and includes 908 commits of additional improvements.
Table of contents

- Environment Variable Collection
- In-Kernel Filtering with CEL Expression Compilation
- Fentry Sensor Support
- Improved Parent Process Visibility with the matchParentBinaries Selector
- Granular Policies with hostSelector Support
- Conclusion