TracingPolicy, let’s understand it via an example that will be explained, part by part, in this document:
```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "fd-install"
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Equal"
        values:
        - "/tmp/tetragon"
      matchActions:
      - action: Sigkill
```
```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "fd-install"
```
The first part follows a common pattern among all Cilium policies, or more widely among Kubernetes objects. It first declares the Kubernetes API used, then the kind of Kubernetes object it is within this API, and finally an arbitrary name for the object that has to comply with the Kubernetes naming convention.
```yaml
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
```
The beginning of the specification describes the hook point to use. Here we are using a kprobe, hooking on the kernel function fd_install. That’s the kernel function that gets called when a new file descriptor needs to be installed into a process. We indicate that it’s not a syscall but a regular kernel function. We then specify the arguments of the specified function symbol, so that Tetragon can extract them and optionally filter on them.
See the hook points page for further information on the various hook points available and arguments.
```yaml
    selectors:
    - matchArgs:
      - index: 1
        operator: "Equal"
        values:
        - "/tmp/tetragon"
      matchActions:
      - action: Sigkill
```
Selectors allow you to filter the events, extracting only a subset of them based on different properties, and optionally to take an enforcement action.
In the example, we filter on the argument at index 1, the file passed to the function. Tetragon knows how to apply the Equal operator over a Linux kernel file struct, so you can basically match on the path of the file.
Then we add the Sigkill action, meaning that any match of the selector should send a SIGKILL signal to the process that initiated the event.
Learn more about the various selectors in the dedicated selectors page.
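To make the selector semantics concrete, here is an added Python example (not Tetragon’s own code): it mirrors the policy above as a dict so it runs without PyYAML, checks that every matchArgs index refers to a declared argument, and evaluates the Equal operator over the path of the file argument for two constructed fd_install events, one of which matches and yields the Sigkill action. It goes one step beyond the page by also modelling NotEqual; the real selector engine supports more operators than are shown here.

```python
# Added example, not Tetragon's code: the page's YAML mirrored as a dict (no PyYAML).
POLICY = {
    "apiVersion": "cilium.io/v1alpha1",
    "kind": "TracingPolicy",
    "metadata": {"name": "fd-install"},
    "spec": {"kprobes": [{
        "call": "fd_install",
        "syscall": False,
        "args": [{"index": 0, "type": "int"}, {"index": 1, "type": "file"}],
        "selectors": [{
            "matchArgs": [{"index": 1, "operator": "Equal",
                           "values": ["/tmp/tetragon"]}],
            "matchActions": [{"action": "Sigkill"}],
        }],
    }]},
}
KPROBE = POLICY["spec"]["kprobes"][0]
# Constructed fd_install args: 0 is the int fd, 1 the file struct (matched on its path).
EVENTS = [
    {0: 3, 1: {"path": "/tmp/tetragon"}},   # cat /tmp/tetragon -> matches
    {0: 3, 1: {"path": "/etc/hostname"}},   # cat /etc/hostname -> no match
]

def validate_kprobe(kprobe):
    """Return problems found: every matchArgs index must refer to a declared arg."""
    declared = {a["index"] for a in kprobe["args"]}
    return [f"matchArgs index {m['index']} is not declared in args"
            for sel in kprobe.get("selectors", [])
            for m in sel.get("matchArgs", [])
            if m["index"] not in declared]

def arg_value(arg_type, raw):
    return raw["path"] if arg_type == "file" else raw  # file args compare on path

def match_arg(m, value):
    if m["operator"] == "Equal":
        return value in m["values"]
    if m["operator"] == "NotEqual":
        return value not in m["values"]
    raise ValueError(f"operator {m['operator']} not modelled here")

def actions_for_event(kprobe, args):
    """Actions of every selector whose matchArgs all hold for these args."""
    types = {a["index"]: a["type"] for a in kprobe["args"]}
    fired = []
    for sel in kprobe.get("selectors", []):
        if all(match_arg(m, arg_value(types[m["index"]], args[m["index"]]))
               for m in sel.get("matchArgs", [])):
            fired += [a["action"] for a in sel.get("matchActions", [])]
    return fired
```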
First, let’s create the /tmp/tetragon file with some content:

```shell
echo eBPF! > /tmp/tetragon
```
Start Tetragon with the above TracingPolicy, for example by putting the policy in the example.yaml file, compiling the project locally and starting Tetragon with the following command (you can do similar things with container image releases, see the docker run command in the Try Tetragon on Linux guide):

```shell
sudo ./tetragon --bpf-lib bpf/objs --tracing-policy example.yaml
```
Then reading the /tmp/tetragon file with cat should result in the following events:
```
🚀 process /usr/bin/cat /tmp/tetragon
📬 open    /usr/bin/cat /tmp/tetragon
💥 exit    /usr/bin/cat /tmp/tetragon SIGKILL
```
And the shell will return: