From 9b7ce77029a7b63c531eb9efe90e09d0f0b34962 Mon Sep 17 00:00:00 2001 From: Oleh Neichev Date: Sat, 23 Mar 2024 13:50:27 +0200 Subject: [PATCH] doc: document how to use the container selector This change describes how to use the container selector in tracing policies. Also, this change renames the "K8s namespace and pod label filtering" page to "K8s Policy Filtering" to make the name more generic. Fixes: #1879 Signed-off-by: Oleh Neichev --- .../concepts/tracing-policy/k8s-filtering.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/docs/content/en/docs/concepts/tracing-policy/k8s-filtering.md b/docs/content/en/docs/concepts/tracing-policy/k8s-filtering.md index 7f4d0dbdd24..f8e65ee24a3 100644 --- a/docs/content/en/docs/concepts/tracing-policy/k8s-filtering.md +++ b/docs/content/en/docs/concepts/tracing-policy/k8s-filtering.md 
@@ -17,10 +17,15 @@ action the Tetragon agent should perform when the specified situation occurs. Th is generating an event, but there are others (e.g., returning an error without executing a function, or killing the corresponding process). -Here we discuss how to apply tracing policies only on a subset of pods running on the system via -two mechanisms: namespaced policies, and pod-label filters. Tetragon implements both mechanisms -in-kernel via eBPF. This is important for both observability and enforcement use-cases. For -observability, copying only the relevant events from kernel- to user-space reduces overhead. For +Here we discuss how to apply tracing policies only on a subset of pods running on the system via +the followings mechanisms: +- namespaced policies +- pod-label filters +- container field filters + +Tetragon implements these mechanisms in-kernel via eBPF. This is important for both observability +and enforcement use-cases. +For observability, copying only the relevant events from kernel- to user-space reduces overhead. For enforcement, performing the enforcement action in the kernel avoids the race-condition of doing it in user-space. For example, let us consider the case where we want to block an application from performing a system call. Performing the filtering in-kernel means that the application will never @@ -328,7 +333,7 @@ kubectl exec -it lseek-pod -c sidecar -- python3 Traceback (most recent call last): File "", line 1, in OSError: [Errno 9] Bad file descriptor - >>> +>>> ``` But containers matching the name `main` will: @@ -339,5 +344,5 @@ kubectl exec -it lseek-pod -c main -- python3 ``` >>> import os >>> os.lseek(-1, 0, 0) -Killed +command terminated with exit code 137 ```
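Review bot: in the first hunk the new list introduction reads "the followings mechanisms"; it should be "the following mechanisms". More importantly, the commit message says the change "describes how to use the container selector" and renames the page to "K8s Policy Filtering", but the only content change here is the added bullet "container field filters" in the intro; nothing in the diff explains which container fields can be matched or how a policy expresses that selector, and no title rename appears in the hunks. Either add a section with a worked policy example (alongside the existing pod-label example the page already has) or narrow the commit message to what the patch actually does. Also consider using one name for the mechanism ("container selector" in the message vs "container field filters" in the text).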
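Review bot: in the last hunk, replacing `Killed` with `command terminated with exit code 137` is the more faithful transcript of what `kubectl exec` prints when the enforced process is killed, but readers may not know where 137 comes from. Suggest one sentence after the code block noting that kubectl reports 128 + signal number, so 137 means the python3 process received SIGKILL (9) from the in-kernel enforcement action, and that the message is emitted by kubectl on the client side rather than by the shell inside the container.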