The Kubernetes Guardians: A Deep Dive Into Your Security Avengers
2025-03-31, The Nash

In the fight to secure Kubernetes, we’re assembling a team of "Security Avengers" to defend your clusters from modern threats. Among the CNCF’s eBPF-based tools—Falco, Tetragon, KubeArmor, and Kubescape—each brings unique strengths, much like the Avengers. Despite their shared mission, their distinct features, architectures, and resource impacts make selecting the right "hero" a strategic decision.

This session unveils benchmarking results to help you choose the best fit for your Kubernetes security needs. We’ll explore key questions:

  • What specialized features does each tool offer?
  • How complex are setup and maintenance?
  • How effectively do they detect and defend against attacks?
  • What performance impact do they have?

Join us to compare these Kubernetes guardians, evaluate their real-world pros and cons, and discover the "Security Avenger" that aligns with your cluster’s defense strategy.

Containers are essentially processes running within our worker nodes, often with limited permissions to minimize the risk of exposing critical data to potential attackers. However, just like any security system, there’s always the possibility of weaknesses—much like a thief finding a way around a locked door. This is why “security cameras” are essential in our clusters, monitoring for suspicious activity and enabling us to react quickly to prevent breaches.
In the CNCF ecosystem, we have an array of eBPF-based tools like Falco, Tetragon, KubeArmor, and Kubescape that serve as these "security cameras" by detecting and responding to potentially harmful events in real-time. However, with so many options, a common question in the community is: Which solution best fits my needs? This talk aims to answer that question by providing the results of a detailed benchmark specifically designed to clarify the strengths and weaknesses of each tool in terms of configuration, security coverage, and performance impact.
Our benchmark covers five critical areas:

  • Permissions Required: Assessing the level of host and cluster access each solution needs to operate.
  • Ease of Configuration: Evaluating how complex or intuitive setup and maintenance are for each tool.
  • Event Data: Analyzing the quality and detail of information each solution provides when an alert is triggered.
  • Feature Set: Comparing the security capabilities and unique functionalities of each solution.
  • Resource Usage: Measuring the impact on cluster performance with tools like eBPFtop to assess resource overhead.
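The "Permissions Required" criterion above comes down to reading what an agent's DaemonSet asks of the host: host namespaces, privileged mode, added capabilities, and writable hostPath mounts. The following script is an added example, not code from the talk or from Falco, Tetragon, KubeArmor or Kubescape; it audits a constructed DaemonSet manifest (the `example-ebpf-agent` spec below is invented for illustration) and the risk weights in `risk_score` are this example's own assumption, not a standard.

```python
"""Audit the host-level privileges a Kubernetes DaemonSet (for example an
eBPF security agent) requests. Added example; the manifest below is
constructed for illustration and is not taken from any real tool."""
import json

# Constructed sample: a DaemonSet shaped like a typical eBPF agent. Values are
# illustrative and not copied from Falco, Tetragon, KubeArmor or Kubescape.
SAMPLE_DAEMONSET = json.loads("""
{
  "kind": "DaemonSet",
  "metadata": {"name": "example-ebpf-agent", "namespace": "security"},
  "spec": {"template": {"spec": {
    "hostPID": true,
    "hostNetwork": false,
    "serviceAccountName": "example-agent",
    "volumes": [
      {"name": "bpffs", "hostPath": {"path": "/sys/fs/bpf"}},
      {"name": "proc", "hostPath": {"path": "/proc"}},
      {"name": "cfg", "configMap": {"name": "agent-config"}}
    ],
    "containers": [{
      "name": "agent",
      "image": "example/agent:1.0",
      "securityContext": {
        "privileged": false,
        "capabilities": {"add": ["BPF", "PERFMON", "SYS_RESOURCE", "SYS_PTRACE"]}
      },
      "volumeMounts": [
        {"name": "bpffs", "mountPath": "/sys/fs/bpf"},
        {"name": "proc", "mountPath": "/host/proc", "readOnly": true},
        {"name": "cfg", "mountPath": "/etc/agent"}
      ]
    }]
  }}}
}
""")

# Capabilities that amount to broad host control once granted to a container.
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "NET_ADMIN", "SYS_PTRACE"}
# Capabilities commonly sufficient for loading and attaching eBPF programs on
# kernels >= 5.8 (CAP_BPF and CAP_PERFMON) without falling back to CAP_SYS_ADMIN.
EBPF_CAPS = {"BPF", "PERFMON", "SYS_RESOURCE"}


def audit_daemonset(ds):
    """Return a dict summarising the host access requested by every container."""
    pod = ds["spec"]["template"]["spec"]
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod.get("volumes", []) if "hostPath" in v}
    report = {
        "hostPID": bool(pod.get("hostPID", False)),
        "hostNetwork": bool(pod.get("hostNetwork", False)),
        "hostIPC": bool(pod.get("hostIPC", False)),
        "containers": {},
    }
    for c in pod.get("containers", []):
        sc = c.get("securityContext") or {}
        caps = set((sc.get("capabilities") or {}).get("add", []))
        # (host path, read-only?) for every hostPath volume this container mounts
        mounts = [(host_paths[m["name"]], bool(m.get("readOnly", False)))
                  for m in c.get("volumeMounts", []) if m["name"] in host_paths]
        report["containers"][c["name"]] = {
            "privileged": bool(sc.get("privileged", False)),
            "caps": sorted(caps),
            "high_risk_caps": sorted(caps & HIGH_RISK_CAPS),
            "needs_only_ebpf_caps": caps <= EBPF_CAPS,
            "host_mounts": sorted(p for p, _ in mounts),
            "writable_host_mounts": sorted(p for p, ro in mounts if not ro),
        }
    return report


def risk_score(report):
    """Ordinal score for comparing agents: higher means broader host access.
    The weights are this example's assumption, not an established scale."""
    score = 2 * sum(report[k] for k in ("hostPID", "hostNetwork", "hostIPC"))
    for c in report["containers"].values():
        score += 10 if c["privileged"] else 0          # privileged == root on the node
        score += 3 * len(c["high_risk_caps"])           # e.g. SYS_ADMIN, SYS_PTRACE
        score += len(c["caps"])                         # every added capability counts
        score += 2 * len(c["writable_host_mounts"])     # writable host filesystem
    return score


if __name__ == "__main__":
    result = audit_daemonset(SAMPLE_DAEMONSET)
    print(json.dumps(result, indent=2))
    print("risk score:", risk_score(result))
```

To run it against a live cluster, feed `kubectl get daemonset <name> -n <namespace> -o json` into `audit_daemonset` instead of the constructed sample; comparing the resulting reports side by side is the "Permissions Required" column of the benchmark in miniature.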
By deploying intentionally vulnerable applications in a controlled cluster environment, and simulating suspicious behavior, we tested how each agent performs under real-world conditions. Following this talk, community members will gain a clearer view of how Falco, Tetragon, KubeArmor, and Kubescape stack up in key areas like configuration simplicity, resource efficiency, and security features.
For deeper insights, the full benchmark will be available on GitHub, allowing the community to explore the raw data and results independently. This transparency ensures that everyone can make data-driven decisions on the best solution for their security needs, contributing to a stronger, more resilient Kubernetes ecosystem.

Ben is the Co-founder and Chief Technology Officer (CTO) of ARMO, a cybersecurity company focused on securing cloud-native environments. He has a deep background in cybersecurity, cloud security, and software and system engineering, playing a key role in the creation of Kubescape, an open-source Cloud-Native Application Protection Platform (CNAPP) that helps organizations secure their Kubernetes clusters and workloads.

Before founding ARMO, Ben worked at NDS, Siemens, and Cisco in roles including security researcher, software architect, and several leadership positions. His experience spans network security, secure software development, and DevSecOps, contributing to his expertise in building advanced security solutions.

In addition to his industry work, Ben is a lecturer for a graduate course in Information Security at Hadassah College.

Henrik is a Cloud Native Advocate at Dynatrace and a CNCF Ambassador. Prior to Dynatrace, Henrik worked for more than 15 years as a performance engineer. Henrik Rexed is also one of the organizers of the WOPR and KCD Austria conferences and the owner of the YouTube channel IsItObservable.
