Tracing Policy
Tetragon’s TracingPolicy is a user-configurable Kubernetes custom resource (CR) that
allows users to trace arbitrary events in the kernel and optionally define
actions to take on a match. Policies consist of a hook point (kprobes,
tracepoints, and uprobes are supported), and selectors for in-kernel filtering
and specifying actions. For more details, see
hook points page and the
selectors page.
For the complete custom resource definition (CRD) refer to Tracing Policy API documentation.
TracingPolicy allows for powerful, yet low-level configuration and, as such,
requires knowledge about the Linux kernel and containers to avoid unexpected
issues such as TOCTOU bugs.Tracing Policies can be loaded and unloaded at runtime in Tetragon, or on startup using flags.
- With Kubernetes, you can use
kubectlto add and remove aTracingPolicy. - You can use
tetragRPC CLI to add and remove aTracingPolicy. - You can use the
--tracing-policyand--tracing-policy-dirflags to statically add policies at startup time, see more in the daemon configuration page.
Hence, even though Tracing Policies are structured as a Kubernetes CR, they can also be used in non-Kubernetes environments using the last two loading methods.
Example
Learn the basics of Tracing Policy via an example
Argument types
Argument types for data retrieval
Hook points
Hook points for Tracing Policies and arguments description
Options
Pass options to hook
Selectors
Perform in-kernel BPF filtering and actions on events
Tags
Use Tags to categorize events
Kubernetes Identity Aware Policies
Tetragon in-kernel filtering based on Kubernetes namespaces, pod labels, and container fields
Enforcement Mode
Configuring enforcement in tracing policies