Goal
Replace Falco's userspace detection with Tetragon's kernel-level eBPF enforcement.
Tasks
- Deploy Tetragon via Helm in kube-system namespace
- Configure TracingPolicy CRDs for process execution, file access, network connect
- Wire Tetragon JSON export to argus-agent webhook
- Add Tetragon-specific alert parsing in webhook.py
- Test: detect shell spawn, file read, outbound connection at kernel level
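A parser for the webhook.py task above, added here as an example that is not part of this ticket or the Argus code base: it maps Tetragon JSON export lines to alerts for the three test cases (shell spawn, file read, outbound connection) and records whether the kernel actually enforced. The event field names, the constructed sample events, the SHELLS list and the rule names are assumptions.

```python
import json

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
POD = {"namespace": "prod", "name": "api-7c9f"}

# Constructed sample export lines (one JSON event per line). Field names follow the shape of
# Tetragon's process_exec / process_kprobe events as I understand them; verify against your version.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"process_exec": {"process": {"binary": "/bin/bash", "pod": POD}}, "node_name": "node-1"},
    {"process_kprobe": {"process": {"binary": "/usr/bin/cat", "pod": POD},
                        "function_name": "security_file_permission",
                        "args": [{"file_arg": {"path": "/etc/shadow"}}],
                        "action": "KPROBE_ACTION_SIGKILL", "policy_name": "block-sensitive-reads"},
     "node_name": "node-1"},
    {"process_kprobe": {"process": {"binary": "/usr/bin/curl", "pod": POD},
                        "function_name": "tcp_connect",
                        "args": [{"sock_arg": {"family": "AF_INET", "daddr": "203.0.113.10", "dport": 4444}}],
                        "action": "KPROBE_ACTION_POST", "policy_name": "observe-connect"},
     "node_name": "node-1"},
    {"process_exit": {"process": {"binary": "/usr/bin/sleep", "pod": POD}}},  # not of interest
)]


def parse_tetragon_event(line):
    """Map one Tetragon export line to an Argus alert dict; None if the event is not of interest."""
    ev = json.loads(line)
    kind = next((k for k in ("process_exec", "process_kprobe") if k in ev), None)
    if kind is None:
        return None
    body = ev[kind]
    proc = body.get("process", {})
    pod = proc.get("pod", {})
    alert = {"namespace": pod.get("namespace"), "pod": pod.get("name"),
             "binary": proc.get("binary"), "node": ev.get("node_name"),
             # a SIGKILL action means the kernel stopped the process; POST is observe-only
             "enforced": body.get("action") == "KPROBE_ACTION_SIGKILL"}
    args = body.get("args", [])
    if kind == "process_exec":
        if proc.get("binary") not in SHELLS:
            return None
        alert["rule"] = "shell_spawn"
    elif body.get("function_name") == "security_file_permission":
        alert["rule"] = "file_read"
        alert["path"] = next((a["file_arg"]["path"] for a in args if "file_arg" in a), None)
    elif body.get("function_name") == "tcp_connect":
        sock = next((a["sock_arg"] for a in args if "sock_arg" in a), {})
        alert["rule"] = "outbound_connect"
        alert["dst"] = f"{sock.get('daddr')}:{sock.get('dport')}"
    else:
        return None
    return alert
```

The `enforced` flag is what separates a blocked shell spawn (acceptance criterion) from an observe-only event, so the Argus feed can show both.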
Why this matters
Tetragon can BLOCK a syscall in real time, not just alert on it. Because enforcement keys on the action itself rather than on a known signature, it is also more resistant to zero-day tooling. Falco alerts after the fact; Tetragon can prevent the action entirely.
Acceptance criteria
- Tetragon running on all 3 nodes
- Shell spawn in prod container blocked within 100ms
- Alerts appear in Argus incident feed