Kind
TracingPolicyNamespaced
Group
cilium.io
Version
v1alpha1
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: example
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object required
spec object required
Tracing policy specification.
containerSelector object
ContainerSelector selects containers that this policy applies to. A map of container fields will be constructed in the same way as a map of labels. The name of the field represents the label "key", and the value of the field - label "value". Currently, only the "name" field is supported.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
enum: In, NotIn, Exists, DoesNotExist
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
enforcers []object
An enforcer spec.
calls []string required
Calls in which the enforcer is executed.
fentries []object
A list of fentry specs.
args []object
A list of function arguments to include in the trace output.
btfType string
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the type.
index integer required
Position of the argument.
format: int32
minimum: 0
label string
Label to output in the JSON
maxData boolean
Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on.
resolve string
Resolve the path to a specific attribute
returnCopy boolean
This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex integer
Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.
format: int32
minimum: 0
source string
Source of the data; if missing, the default is function arguments.
type string required
Argument type.
enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
call string required
Name of the function to apply the kprobe spec to.
data []object
A list of data to include in the trace output.
btfType string
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the type.
index integer required
Position of the argument.
format: int32
minimum: 0
label string
Label to output in the JSON
maxData boolean
Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on.
resolve string
Resolve the path to a specific attribute
returnCopy boolean
This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex integer
Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.
format: int32
minimum: 0
source string
Source of the data; if missing, the default is function arguments.
type string required
Argument type.
enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
ignore object
Conditions for ignoring this kprobe
callNotFound boolean
Ignores calls that are not present in the system
message string
A short message of 256 characters max that will be included in the event output to inform users what is going on.
return boolean
Indicates whether to collect return value of the traced function.
returnArg object
A return argument to include in the trace output.
btfType string
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the type.
index integer required
Position of the argument.
format: int32
minimum: 0
label string
Label to output in the JSON
maxData boolean
Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on.
resolve string
Resolve the path to a specific attribute
returnCopy boolean
This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex integer
Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.
format: int32
minimum: 0
source string
Source of the data; if missing, the default is function arguments.
type string required
Argument type.
enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
returnArgAction string
An action to perform on the return value. Use returnArg to include the return value in the event output. Supported actions are TrackSock and UntrackSock.
selectors []object
Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
macros []string
A list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to the corresponding filters of the selector.
matchActions []object
A list of actions to execute when this selector matches
action string required
Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.
enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError integer
error value for override action
format: int32
argFd integer
An arg index for the fd for fdInstall action
format: int32
argFqdn string
A FQDN to lookup for the dnsLookup action
argIndex integer
An arg index for the set action
format: int32
argName integer
An arg index for the filename for fdInstall action
format: int32
argRegs []string
An arg value for the regs action
argSig integer
A signal number for signal action
format: int32
argSock integer
An arg index for the sock for trackSock and untrackSock actions
format: int32
argUrl string
A URL for the getUrl action
argValue integer
An arg value for the set action
format: int32
imaHash boolean
Enable collection of file hashes from integrity subsystem. Only valid with the post action.
kernelStackTrace boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit string
A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
rateLimitScope string
The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
userStackTrace boolean
Enable user stack trace export. Only valid with the post action.
matchArgs []object
A list of argument filters. MatchArgs are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
matchBinaries []object
A list of binary exec name filters.
maxItems: 1
followChildren boolean
In addition to binaries, match children processes of specified binaries.
operator string required
Filter operation.
enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values []string required
Value to compare the argument against.
matchCapabilities []object
A list of capabilities and IDs
isNamespaceCapability boolean
Indicates whether these caps are namespace caps.
operator string required
Namespace selector operator.
enum: In, NotIn
type string
Type of capabilities
enum: Effective, Inheritable, Permitted
values []string required
Capabilities to match.
matchCapabilityChanges []object
IDs for capabilities changes
isNamespaceCapability boolean
Indicates whether these caps are namespace caps.
operator string required
Namespace selector operator.
enum: In, NotIn
type string
Type of capabilities
enum: Effective, Inheritable, Permitted
values []string required
Capabilities to match.
matchData []object
A list of argument filters. MatchData are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
matchNamespaceChanges []object
IDs for namespace changes
operator string required
Namespace selector operator.
enum: In, NotIn
values []string required
Namespace types (e.g., Mnt, Pid) to match.
matchNamespaces []object
A list of namespaces and IDs
namespace string required
Namespace selector name.
enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
operator string required
Namespace selector operator.
enum: In, NotIn
values []string required
Namespace IDs (or host_ns for host namespace) of namespaces to match.
matchPIDs []object
A list of process ID filters. MatchPIDs are ANDed.
followForks boolean
Matches any descendant processes of the matching PIDs.
isNamespacePID boolean
Indicates whether PIDs are namespace PIDs.
operator string required
PID selector operator.
enum: In, NotIn
values []integer required
Process IDs to match.
matchParentBinaries []object
A list of process parent exec name filters.
maxItems: 1
followChildren boolean
In addition to binaries, match children processes of specified binaries.
operator string required
Filter operation.
enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values []string required
Value to compare the argument against.
matchReturnActions []object
A list of actions to execute when MatchReturnArgs selector matches
action string required
Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.
enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError integer
error value for override action
format: int32
argFd integer
An arg index for the fd for fdInstall action
format: int32
argFqdn string
A FQDN to lookup for the dnsLookup action
argIndex integer
An arg index for the set action
format: int32
argName integer
An arg index for the filename for fdInstall action
format: int32
argRegs []string
An arg value for the regs action
argSig integer
A signal number for signal action
format: int32
argSock integer
An arg index for the sock for trackSock and untrackSock actions
format: int32
argUrl string
A URL for the getUrl action
argValue integer
An arg value for the set action
format: int32
imaHash boolean
Enable collection of file hashes from integrity subsystem. Only valid with the post action.
kernelStackTrace boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit string
A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
rateLimitScope string
The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
userStackTrace boolean
Enable user stack trace export. Only valid with the post action.
matchReturnArgs []object
A list of argument filters. MatchArgs are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
syscall boolean
Indicates whether the traced function is a syscall.
tags []string
Tags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported.
maxItems: 16
hostSelector object
HostSelector selects hosts that this policy applies to. For now only ~ (none) and {} (all) are supported.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
enum: In, NotIn, Exists, DoesNotExist
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
kprobes []object
A list of kprobe specs.
args []object
A list of function arguments to include in the trace output.
btfType string
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the type.
index integer required
Position of the argument.
format: int32
minimum: 0
label string
Label to output in the JSON
maxData boolean
Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on.
resolve string
Resolve the path to a specific attribute
returnCopy boolean
This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex integer
Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.
format: int32
minimum: 0
source string
Source of the data; if missing, the default is function arguments.
type string required
Argument type.
enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
call string required
Name of the function to apply the kprobe spec to.
data []object
A list of data to include in the trace output.
btfType string
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the type.
index integer required
Position of the argument.
format: int32
minimum: 0
label string
Label to output in the JSON
maxData boolean
Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on.
resolve string
Resolve the path to a specific attribute
returnCopy boolean
This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex integer
Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.
format: int32
minimum: 0
source string
Source of the data; if missing, the default is function arguments.
type string required
Argument type.
enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
ignore object
Conditions for ignoring this kprobe
callNotFound boolean
Ignores calls that are not present in the system
message string
A short message of 256 characters max that will be included in the event output to inform users what is going on.
return boolean
Indicates whether to collect return value of the traced function.
returnArg object
A return argument to include in the trace output.
btfType string
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the type.
index integer required
Position of the argument.
format: int32
minimum: 0
label string
Label to output in the JSON
maxData boolean
Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on.
resolve string
Resolve the path to a specific attribute
returnCopy boolean
This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex integer
Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.
format: int32
minimum: 0
source string
Source of the data; if missing, the default is function arguments.
type string required
Argument type.
enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
returnArgAction string
An action to perform on the return value. Use returnArg to include the return value in the event output. Supported actions are TrackSock and UntrackSock.
selectors []object
Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
macros []string
A list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to the corresponding filters of the selector.
matchActions []object
A list of actions to execute when this selector matches
action string required
Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.
enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError integer
error value for override action
format: int32
argFd integer
An arg index for the fd for fdInstall action
format: int32
argFqdn string
A FQDN to lookup for the dnsLookup action
argIndex integer
An arg index for the set action
format: int32
argName integer
An arg index for the filename for fdInstall action
format: int32
argRegs []string
An arg value for the regs action
argSig integer
A signal number for signal action
format: int32
argSock integer
An arg index for the sock for trackSock and untrackSock actions
format: int32
argUrl string
A URL for the getUrl action
argValue integer
An arg value for the set action
format: int32
imaHash boolean
Enable collection of file hashes from integrity subsystem. Only valid with the post action.
kernelStackTrace boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit string
A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
rateLimitScope string
The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
userStackTrace boolean
Enable user stack trace export. Only valid with the post action.
matchArgs []object
A list of argument filters. MatchArgs are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
matchBinaries []object
A list of binary exec name filters.
maxItems: 1
followChildren boolean
In addition to binaries, match children processes of specified binaries.
operator string required
Filter operation.
enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values []string required
Value to compare the argument against.
matchCapabilities []object
A list of capabilities and IDs
isNamespaceCapability boolean
Indicates whether these caps are namespace caps.
operator string required
Namespace selector operator.
enum: In, NotIn
type string
Type of capabilities
enum: Effective, Inheritable, Permitted
values []string required
Capabilities to match.
matchCapabilityChanges []object
IDs for capabilities changes
isNamespaceCapability boolean
Indicates whether these caps are namespace caps.
operator string required
Namespace selector operator.
enum: In, NotIn
type string
Type of capabilities
enum: Effective, Inheritable, Permitted
values []string required
Capabilities to match.
matchData []object
A list of argument filters. MatchData are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
matchNamespaceChanges []object
IDs for namespace changes
operator string required
Namespace selector operator.
enum: In, NotIn
values []string required
Namespace types (e.g., Mnt, Pid) to match.
matchNamespaces []object
A list of namespaces and IDs
namespace string required
Namespace selector name.
enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
operator string required
Namespace selector operator.
enum: In, NotIn
values []string required
Namespace IDs (or host_ns for host namespace) of namespaces to match.
matchPIDs []object
A list of process ID filters. MatchPIDs are ANDed.
followForks boolean
Matches any descendant processes of the matching PIDs.
isNamespacePID boolean
Indicates whether PIDs are namespace PIDs.
operator string required
PID selector operator.
enum: In, NotIn
values []integer required
Process IDs to match.
matchParentBinaries []object
A list of process parent exec name filters.
maxItems: 1
followChildren boolean
In addition to binaries, match children processes of specified binaries.
operator string required
Filter operation.
enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values []string required
Value to compare the argument against.
matchReturnActions []object
A list of actions to execute when MatchReturnArgs selector matches
action string required
Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.
enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError integer
error value for override action
format: int32
argFd integer
An arg index for the fd for fdInstall action
format: int32
argFqdn string
A FQDN to lookup for the dnsLookup action
argIndex integer
An arg index for the set action
format: int32
argName integer
An arg index for the filename for fdInstall action
format: int32
argRegs []string
An arg value for the regs action
argSig integer
A signal number for signal action
format: int32
argSock integer
An arg index for the sock for trackSock and untrackSock actions
format: int32
argUrl string
A URL for the getUrl action
argValue integer
An arg value for the set action
format: int32
imaHash boolean
Enable collection of file hashes from integrity subsystem. Only valid with the post action.
kernelStackTrace boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit string
A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
rateLimitScope string
The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
userStackTrace boolean
Enable user stack trace export. Only valid with the post action.
matchReturnArgs []object
A list of argument filters. MatchArgs are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
syscall boolean
Indicates whether the traced function is a syscall.
tags []string
Tags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported.
maxItems: 16
lists []object
A list of list specs.
name string required
Name of the list
pattern string
Pattern for 'generated' lists.
type string
Indicates the type of the list values.
enum: syscalls, generated_syscalls, generated_ftrace
validated boolean
List was validated
values []string
Values of the list
loader boolean
Enable loader events
lsmhooks []object
A list of uprobe specs.
args []object
A list of function arguments to include in the trace output.
btfType string
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the type.
index integer required
Position of the argument.
format: int32
minimum: 0
label string
Label to output in the JSON
maxData boolean
Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4), Tetragon supports fetching up to 327360 bytes if this flag is turned on.
resolve string
Resolve the path to a specific attribute
returnCopy boolean
This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex integer
Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.
format: int32
minimum: 0
source string
Source of the data; if missing, the default is function arguments.
type string required
Argument type.
enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
hook string required
Name of the function to apply the kprobe spec to.
message string
A short message of 256 characters max that will be included in the event output to inform users what is going on.
selectors []object
Selectors to apply before producing trace output. Selectors are ORed.
macros []string
A list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to the corresponding filters of the selector.
matchActions []object
A list of actions to execute when this selector matches
action string required
Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.
enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError integer
error value for override action
format: int32
argFd integer
An arg index for the fd for fdInstall action
format: int32
argFqdn string
A FQDN to lookup for the dnsLookup action
argIndex integer
An arg index for the set action
format: int32
argName integer
An arg index for the filename for fdInstall action
format: int32
argRegs []string
An arg value for the regs action
argSig integer
A signal number for signal action
format: int32
argSock integer
An arg index for the sock for trackSock and untrackSock actions
format: int32
argUrl string
A URL for the getUrl action
argValue integer
An arg value for the set action
format: int32
imaHash boolean
Enable collection of file hashes from integrity subsystem. Only valid with the post action.
kernelStackTrace boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit string
A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
rateLimitScope string
The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
userStackTrace boolean
Enable user stack trace export. Only valid with the post action.
matchArgs []object
A list of argument filters. MatchArgs are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
matchBinaries []object
A list of binary exec name filters.
maxItems: 1
followChildren boolean
In addition to binaries, match children processes of specified binaries.
operator string required
Filter operation.
enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values []string required
Value to compare the argument against.
matchCapabilities []object
A list of capabilities and IDs
isNamespaceCapability boolean
Indicates whether these caps are namespace caps.
operator string required
Namespace selector operator.
enum: In, NotIn
type string
Type of capabilities
enum: Effective, Inheritable, Permitted
values []string required
Capabilities to match.
matchCapabilityChanges []object
IDs for capabilities changes
isNamespaceCapability boolean
Indicates whether these caps are namespace caps.
operator string required
Namespace selector operator.
enum: In, NotIn
type string
Type of capabilities
enum: Effective, Inheritable, Permitted
values []string required
Capabilities to match.
matchData []object
A list of argument filters. MatchData are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
matchNamespaceChanges []object
IDs for namespace changes
operator string required
Namespace selector operator.
enum: In, NotIn
values []string required
Namespace types (e.g., Mnt, Pid) to match.
matchNamespaces []object
A list of namespaces and IDs
namespace string required
Namespace selector name.
enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
operator string required
Namespace selector operator.
enum: In, NotIn
values []string required
Namespace IDs (or host_ns for host namespace) of namespaces to match.
matchPIDs []object
A list of process ID filters. MatchPIDs are ANDed.
followForks boolean
Matches any descendant processes of the matching PIDs.
isNamespacePID boolean
Indicates whether PIDs are namespace PIDs.
operator string required
PID selector operator.
enum: In, NotIn
values []integer required
Process IDs to match.
matchParentBinaries []object
A list of process parent exec name filters.
maxItems: 1
followChildren boolean
In addition to binaries, match children processes of specified binaries.
operator string required
Filter operation.
enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values []string required
Value to compare the argument against.
matchReturnActions []object
A list of actions to execute when MatchReturnArgs selector matches
action string required
Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.
enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError integer
error value for override action
format: int32
argFd integer
An arg index for the fd for fdInstall action
format: int32
argFqdn string
A FQDN to lookup for the dnsLookup action
argIndex integer
An arg index for the set action
format: int32
argName integer
An arg index for the filename for fdInstall action
format: int32
argRegs []string
An arg value for the regs action
argSig integer
A signal number for signal action
format: int32
argSock integer
An arg index for the sock for trackSock and untrackSock actions
format: int32
argUrl string
A URL for the getUrl action
argValue integer
An arg value for the set action
format: int32
imaHash boolean
Enable collection of file hashes from integrity subsystem. Only valid with the post action.
kernelStackTrace boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit string
A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
rateLimitScope string
The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
userStackTrace boolean
Enable user stack trace export. Only valid with the post action.
matchReturnArgs []object
A list of argument filters. MatchArgs are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
tags []string
Tags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported.
maxItems: 16
options []object
A list of overloaded options
name string required
Name of the option
value string
Value of the option
podSelector object
PodSelector selects pods that this policy applies to
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
enum: In, NotIn, Exists, DoesNotExist
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
selectorsMacros object
SelectorsMacros is used to define selectors macros, which can be used in probes/hooks selectors by their names.
tracepoints []object
A list of tracepoint specs.
args []object
A list of function arguments to include in the trace output.
btfType string
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the type.
index integer required
Position of the argument.
format: int32
minimum: 0
label string
Label to output in the JSON
maxData boolean
Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4), Tetragon supports fetching up to 327360 bytes if this flag is turned on.
resolve string
Resolve the path to a specific attribute
returnCopy boolean
This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex integer
Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.
format: int32
minimum: 0
source string
Source of the data; if missing, the default is function arguments.
type string required
Argument type.
enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
event string required
Tracepoint event
message string
A short message of 256 characters max that will be included in the event output to inform users what is going on.
raw boolean
Enable raw tracepoint arguments
selectors []object
Selectors to apply before producing trace output. Selectors are ORed.
macros []string
A list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to the corresponding filters of the selector.
matchActions []object
A list of actions to execute when this selector matches
action string required
Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.
enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError integer
error value for override action
format: int32
argFd integer
An arg index for the fd for fdInstall action
format: int32
argFqdn string
A FQDN to lookup for the dnsLookup action
argIndex integer
An arg index for the set action
format: int32
argName integer
An arg index for the filename for fdInstall action
format: int32
argRegs []string
An arg value for the regs action
argSig integer
A signal number for signal action
format: int32
argSock integer
An arg index for the sock for trackSock and untrackSock actions
format: int32
argUrl string
A URL for the getUrl action
argValue integer
An arg value for the set action
format: int32
imaHash boolean
Enable collection of file hashes from integrity subsystem. Only valid with the post action.
kernelStackTrace boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit string
A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
rateLimitScope string
The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
userStackTrace boolean
Enable user stack trace export. Only valid with the post action.
matchArgs []object
A list of argument filters. MatchArgs are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
matchBinaries []object
A list of binary exec name filters.
maxItems: 1
followChildren boolean
In addition to binaries, match children processes of specified binaries.
operator string required
Filter operation.
enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values []string required
Value to compare the argument against.
matchCapabilities []object
A list of capabilities and IDs
isNamespaceCapability boolean
Indicates whether these caps are namespace caps.
operator string required
Namespace selector operator.
enum: In, NotIn
type string
Type of capabilities
enum: Effective, Inheritable, Permitted
values []string required
Capabilities to match.
matchCapabilityChanges []object
IDs for capabilities changes
isNamespaceCapability boolean
Indicates whether these caps are namespace caps.
operator string required
Namespace selector operator.
enum: In, NotIn
type string
Type of capabilities
enum: Effective, Inheritable, Permitted
values []string required
Capabilities to match.
matchData []object
A list of argument filters. MatchData are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
matchNamespaceChanges []object
IDs for namespace changes
operator string required
Namespace selector operator.
enum: In, NotIn
values []string required
Namespace types (e.g., Mnt, Pid) to match.
matchNamespaces []object
A list of namespaces and IDs
namespace string required
Namespace selector name.
enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
operator string required
Namespace selector operator.
enum: In, NotIn
values []string required
Namespace IDs (or host_ns for host namespace) of namespaces to match.
matchPIDs []object
A list of process ID filters. MatchPIDs are ANDed.
followForks boolean
Matches any descendant processes of the matching PIDs.
isNamespacePID boolean
Indicates whether PIDs are namespace PIDs.
operator string required
PID selector operator.
enum: In, NotIn
values []integer required
Process IDs to match.
matchParentBinaries []object
A list of process parent exec name filters.
maxItems: 1
followChildren boolean
In addition to binaries, match children processes of specified binaries.
operator string required
Filter operation.
enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values []string required
Value to compare the argument against.
matchReturnActions []object
A list of actions to execute when MatchReturnArgs selector matches
action string required
Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.
enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError integer
error value for override action
format: int32
argFd integer
An arg index for the fd for fdInstall action
format: int32
argFqdn string
A FQDN to lookup for the dnsLookup action
argIndex integer
An arg index for the set action
format: int32
argName integer
An arg index for the filename for fdInstall action
format: int32
argRegs []string
An arg value for the regs action
argSig integer
A signal number for signal action
format: int32
argSock integer
An arg index for the sock for trackSock and untrackSock actions
format: int32
argUrl string
A URL for the getUrl action
argValue integer
An arg value for the set action
format: int32
imaHash boolean
Enable collection of file hashes from integrity subsystem. Only valid with the post action.
kernelStackTrace boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit string
A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
rateLimitScope string
The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
userStackTrace boolean
Enable user stack trace export. Only valid with the post action.
matchReturnArgs []object
A list of argument filters. MatchArgs are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
subsystem string required
Tracepoint subsystem
tags []string
Tags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported.
maxItems: 16
uprobes []object
A list of uprobe specs.
addrs []integer
List of the traced addresses
args []object
A list of function arguments to include in the trace output.
btfType string
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the type.
index integer required
Position of the argument.
format: int32
minimum: 0
label string
Label to output in the JSON
maxData boolean
Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4), Tetragon supports fetching up to 327360 bytes if this flag is turned on.
resolve string
Resolve the path to a specific attribute
returnCopy boolean
This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex integer
Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.
format: int32
minimum: 0
source string
Source of the data; if missing, the default is function arguments.
type string required
Argument type.
enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
btfPath string
path for a BTF file for the traced binary
data []object
A list of data to include in the trace output.
btfType string
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the type.
index integer required
Position of the argument.
format: int32
minimum: 0
label string
Label to output in the JSON
maxData boolean
Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4), Tetragon supports fetching up to 327360 bytes if this flag is turned on.
resolve string
Resolve the path to a specific attribute
returnCopy boolean
This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex integer
Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.
format: int32
minimum: 0
source string
Source of the data; if missing, the default is function arguments.
type string required
Argument type.
enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
message string
A short message of 256 characters max that will be included in the event output to inform users what is going on.
offsets []integer
List of the traced offsets
path string required
Name of the traced binary
refCtrOffsets []integer
List of the traced ref_ctr_offsets
return boolean
Indicates whether to collect return value of the traced function.
returnArg object
A return argument to include in the trace output.
btfType string
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the type.
index integer required
Position of the argument.
format: int32
minimum: 0
label string
Label to output in the JSON
maxData boolean
Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the bpf program will fetch at most 4096 bytes. In later kernels (>=5.4), Tetragon supports fetching up to 327360 bytes if this flag is turned on.
resolve string
Resolve the path to a specific attribute
returnCopy boolean
This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex integer
Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.
format: int32
minimum: 0
source string
Source of the data; if missing, the default is function arguments.
type string required
Argument type.
enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
selectors []object
Selectors to apply before producing trace output. Selectors are ORed.
macros []string
A list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to the corresponding filters of the selector.
matchActions []object
A list of actions to execute when this selector matches
action string required
Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.
enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError integer
error value for override action
format: int32
argFd integer
An arg index for the fd for fdInstall action
format: int32
argFqdn string
A FQDN to lookup for the dnsLookup action
argIndex integer
An arg index for the set action
format: int32
argName integer
An arg index for the filename for fdInstall action
format: int32
argRegs []string
An arg value for the regs action
argSig integer
A signal number for signal action
format: int32
argSock integer
An arg index for the sock for trackSock and untrackSock actions
format: int32
argUrl string
A URL for the getUrl action
argValue integer
An arg value for the set action
format: int32
imaHash boolean
Enable collection of file hashes from integrity subsystem. Only valid with the post action.
kernelStackTrace boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit string
A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
rateLimitScope string
The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
userStackTrace boolean
Enable user stack trace export. Only valid with the post action.
matchArgs []object
A list of argument filters. MatchArgs are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
matchBinaries []object
A list of binary exec name filters.
maxItems: 1
followChildren boolean
In addition to binaries, match children processes of specified binaries.
operator string required
Filter operation.
enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values []string required
Value to compare the argument against.
matchCapabilities []object
A list of capabilities and IDs
isNamespaceCapability boolean
Indicates whether these caps are namespace caps.
operator string required
Namespace selector operator.
enum: In, NotIn
type string
Type of capabilities
enum: Effective, Inheritable, Permitted
values []string required
Capabilities to match.
matchCapabilityChanges []object
IDs for capabilities changes
isNamespaceCapability boolean
Indicates whether these caps are namespace caps.
operator string required
Namespace selector operator.
enum: In, NotIn
type string
Type of capabilities
enum: Effective, Inheritable, Permitted
values []string required
Capabilities to match.
matchData []object
A list of argument filters. MatchData are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
matchNamespaceChanges []object
IDs for namespace changes
operator string required
Namespace selector operator.
enum: In, NotIn
values []string required
Namespace types (e.g., Mnt, Pid) to match.
matchNamespaces []object
A list of namespaces and IDs
namespace string required
Namespace selector name.
enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
operator string required
Namespace selector operator.
enum: In, NotIn
values []string required
Namespace IDs (or host_ns for host namespace) of namespaces to match.
matchPIDs []object
A list of process ID filters. MatchPIDs are ANDed.
followForks boolean
Matches any descendant processes of the matching PIDs.
isNamespacePID boolean
Indicates whether PIDs are namespace PIDs.
operator string required
PID selector operator.
enum: In, NotIn
values []integer required
Process IDs to match.
matchParentBinaries []object
A list of process parent exec name filters.
maxItems: 1
followChildren boolean
In addition to binaries, match children processes of specified binaries.
operator string required
Filter operation.
enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values []string required
Value to compare the argument against.
matchReturnActions []object
A list of actions to execute when MatchReturnArgs selector matches
action string required
Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.
enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError integer
error value for override action
format: int32
argFd integer
An arg index for the fd for fdInstall action
format: int32
argFqdn string
A FQDN to lookup for the dnsLookup action
argIndex integer
An arg index for the set action
format: int32
argName integer
An arg index for the filename for fdInstall action
format: int32
argRegs []string
An arg value for the regs action
argSig integer
A signal number for signal action
format: int32
argSock integer
An arg index for the sock for trackSock and untrackSock actions
format: int32
argUrl string
A URL for the getUrl action
argValue integer
An arg value for the set action
format: int32
imaHash boolean
Enable collection of file hashes from integrity subsystem. Only valid with the post action.
kernelStackTrace boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit string
A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
rateLimitScope string
The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
userStackTrace boolean
Enable user stack trace export. Only valid with the post action.
matchReturnArgs []object
A list of argument filters. MatchArgs are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
symbols []string
List of the traced symbols
tags []string
Tags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported.
maxItems: 16
usdts []object
A list of usdt specs.
args []object
A list of function arguments to include in the trace output.
btfType string
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the type.
index integer required
Position of the argument.
format: int32
minimum: 0
label string
Label to output in the JSON
maxData boolean
Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the bpf program will fetch at most 4096 bytes. In later kernels (>=5.4), Tetragon supports fetching up to 327360 bytes if this flag is turned on.
resolve string
Resolve the path to a specific attribute
returnCopy boolean
This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex integer
Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.
format: int32
minimum: 0
source string
Source of the data; if missing, the default is function arguments.
type string required
Argument type.
enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
btfPath string
path for a BTF file for the traced binary
message string
A short message of 256 characters max that will be included in the event output to inform users what is going on.
name string required
Usdt name
path string required
Name of the traced binary
provider string required
Usdt provider name
selectors []object
Selectors to apply before producing trace output. Selectors are ORed.
macros []string
A list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to the corresponding filters of the selector.
matchActions []object
A list of actions to execute when this selector matches
action string required
Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.
enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError integer
error value for override action
format: int32
argFd integer
An arg index for the fd for fdInstall action
format: int32
argFqdn string
A FQDN to lookup for the dnsLookup action
argIndex integer
An arg index for the set action
format: int32
argName integer
An arg index for the filename for fdInstall action
format: int32
argRegs []string
An arg value for the regs action
argSig integer
A signal number for signal action
format: int32
argSock integer
An arg index for the sock for trackSock and untrackSock actions
format: int32
argUrl string
A URL for the getUrl action
argValue integer
An arg value for the set action
format: int32
imaHash boolean
Enable collection of file hashes from integrity subsystem. Only valid with the post action.
kernelStackTrace boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit string
A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
rateLimitScope string
The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
userStackTrace boolean
Enable user stack trace export. Only valid with the post action.
matchArgs []object
A list of argument filters. MatchArgs are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
matchBinaries []object
A list of binary exec name filters.
maxItems: 1
followChildren boolean
In addition to binaries, match children processes of specified binaries.
operator string required
Filter operation.
enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values []string required
Value to compare the argument against.
matchCapabilities []object
A list of capabilities and IDs
isNamespaceCapability boolean
Indicates whether these caps are namespace caps.
operator string required
Namespace selector operator.
enum: In, NotIn
type string
Type of capabilities
enum: Effective, Inheritable, Permitted
values []string required
Capabilities to match.
matchCapabilityChanges []object
IDs for capabilities changes
isNamespaceCapability boolean
Indicates whether these caps are namespace caps.
operator string required
Namespace selector operator.
enum: In, NotIn
type string
Type of capabilities
enum: Effective, Inheritable, Permitted
values []string required
Capabilities to match.
matchData []object
A list of argument filters. MatchData are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
matchNamespaceChanges []object
IDs for namespace changes
operator string required
Namespace selector operator.
enum: In, NotIn
values []string required
Namespace types (e.g., Mnt, Pid) to match.
matchNamespaces []object
A list of namespaces and IDs
namespace string required
Namespace selector name.
enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
operator string required
Namespace selector operator.
enum: In, NotIn
values []string required
Namespace IDs (or host_ns for host namespace) of namespaces to match.
matchPIDs []object
A list of process ID filters. MatchPIDs are ANDed.
followForks boolean
Matches any descendant processes of the matching PIDs.
isNamespacePID boolean
Indicates whether PIDs are namespace PIDs.
operator string required
PID selector operator.
enum: In, NotIn
values []integer required
Process IDs to match.
matchParentBinaries []object
A list of process parent exec name filters.
maxItems: 1
followChildren boolean
In addition to binaries, match children processes of specified binaries.
operator string required
Filter operation.
enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values []string required
Value to compare the argument against.
matchReturnActions []object
A list of actions to execute when MatchReturnArgs selector matches
action string required
Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.
enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError integer
error value for override action
format: int32
argFd integer
An arg index for the fd for fdInstall action
format: int32
argFqdn string
A FQDN to lookup for the dnsLookup action
argIndex integer
An arg index for the set action
format: int32
argName integer
An arg index for the filename for fdInstall action
format: int32
argRegs []string
An arg value for the regs action
argSig integer
A signal number for signal action
format: int32
argSock integer
An arg index for the sock for trackSock and untrackSock actions
format: int32
argUrl string
A URL for the getUrl action
argValue integer
An arg value for the set action
format: int32
imaHash boolean
Enable collection of file hashes from integrity subsystem. Only valid with the post action.
kernelStackTrace boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit string
A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
rateLimitScope string
The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
userStackTrace boolean
Enable user stack trace export. Only valid with the post action.
matchReturnArgs []object
A list of argument filters. MatchArgs are ANDed.
args []integer
Position of the operator arguments (in spec file) to apply the filter to.
index integer
Position of the argument (in function prototype) to apply the filter to.
format: int32
minimum: 0
operator string required
Filter operation.
enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
values []string
Value to compare the argument against.
tags []string
Tags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported.
maxItems: 16