TracingPolicy is a user-configurable Kubernetes custom resource (CR) that
allows users to trace arbitrary events in the kernel and optionally define
actions to take on a match. Policies consist of a hook point (kprobes,
tracepoints, and uprobes are supported), and selectors for in-kernel filtering
and specifying actions. For more details, see the hook points page and the
selectors page.
TracingPolicy allows for powerful, yet low-level configuration and, as such, requires knowledge about the Linux kernel and containers to avoid unexpected issues such as TOCTOU bugs.
For the complete custom resource definition (CRD), refer to the CRD YAML file.
One practical way to explore the CRD is to run kubectl explain against a
Kubernetes API server on which it is installed; for example,
kubectl explain tracingpolicy.spec.kprobes provides field-specific documentation and details
on the kprobe spec.
Tracing Policies can be loaded and unloaded at runtime in Tetragon, or on startup using flags.
- With Kubernetes, you can use kubectl to add and remove a TracingPolicy.
- You can use the tetra gRPC CLI to add and remove a TracingPolicy.
- You can use the --tracing-policy-dir flag to statically add policies at startup time; see more in the daemon configuration page.
Hence, even though Tracing Policies are structured as a Kubernetes CR, they can also be used in non-Kubernetes environments using the last two loading methods.
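The following script is an added example, not code from the Tetragon documentation or project. It writes a minimal TracingPolicy of the shape described above (one kprobe hook point plus a selector for in-kernel filtering) and wraps the three loading paths just listed: kubectl, the tetra gRPC CLI, and a policy directory handed to the daemon at startup. The policy name, the output path in POLICY_FILE, the startup directory in POLICY_DIR, and the choice of fd_install with /etc/passwd as the matched value are all constructed here for illustration.

```shell
#!/bin/sh
# Added example, not taken from the Tetragon documentation or code base.
# Writes a minimal TracingPolicy to a file and wraps the loading paths the
# page lists: kubectl, the tetra gRPC CLI, and --tracing-policy-dir at startup.
# Assumptions (constructed): policy name fd-install-etc-passwd, POLICY_FILE,
# and POLICY_DIR; adjust them for your deployment.

POLICY_FILE="${POLICY_FILE:-${TMPDIR:-/tmp}/fd-install-etc-passwd.yaml}"
POLICY_DIR="${POLICY_DIR:-/etc/tetragon/tetragon.tp.d}"   # assumed startup policy dir

# write_policy: hook the kernel function fd_install and match only when the
# struct file being installed into the fd table resolves to /etc/passwd.
# Matching on the kernel's own file object (arg type "file") rather than on a
# user-space path string is the kind of kernel-level choice the page refers
# to: by the time fd_install runs the path is already resolved, so the
# user-controlled TOCTOU window of matching a raw syscall string is avoided.
write_policy() {
  cat > "$POLICY_FILE" <<'EOF'
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: fd-install-etc-passwd
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Equal"
        values:
        - "/etc/passwd"
EOF
}

# policy_kind / policy_name / policy_hook: read scalar fields back from the
# written file so a caller can sanity-check the policy before loading it.
policy_kind() { awk '/^kind:/ { print $2 }' "$POLICY_FILE"; }
policy_name() { awk '/^  name:/ { print $2 }' "$POLICY_FILE"; }
policy_hook() { awk '/^  - call:/ { gsub(/"/, "", $3); print $3 }' "$POLICY_FILE"; }

# Runtime loading and unloading with kubectl (Kubernetes environments).
load_policy_k8s()   { kubectl apply -f "$POLICY_FILE"; }
unload_policy_k8s() { kubectl delete -f "$POLICY_FILE"; }

# Runtime loading and unloading with the tetra gRPC CLI (no Kubernetes needed).
load_policy_tetra()   { tetra tracingpolicy add "$POLICY_FILE"; }
unload_policy_tetra() { tetra tracingpolicy delete "$(policy_name)"; }

# Static loading: drop the file into the directory the daemon reads at
# startup, i.e. the one passed as: tetragon --tracing-policy-dir "$POLICY_DIR"
install_policy_for_startup() {
  mkdir -p "$POLICY_DIR" && cp "$POLICY_FILE" "$POLICY_DIR/"
}

# When invoked as `sh script.sh apply`: write, check, then load with kubectl.
if [ "${1:-}" = "apply" ]; then
  write_policy
  [ "$(policy_kind)" = "TracingPolicy" ] || { echo "unexpected kind" >&2; exit 1; }
  load_policy_k8s
fi
```

The read-back helpers are deliberately simple awk scans of the file just written; they are a pre-flight check, not a YAML parser. For authoritative validation of field names and types, use kubectl explain against the installed CRD as described above.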
- Learn the basics of Tracing Policy via an example
- Hook points for Tracing Policies and arguments description
- Pass options to hook
- Perform in-kernel BPF filtering and actions on events
- K8s namespace and pod label filtering: Tetragon in-kernel filtering based on Kubernetes namespaces and pod label filters