diff --git a/bpf/process/pfilter.h b/bpf/process/pfilter.h
index 8ff9e01455b..8b3997e28c2 100644
--- a/bpf/process/pfilter.h
+++ b/bpf/process/pfilter.h
@@ -2,6 +2,7 @@
#define __PFILTER_H__
#include "bpf_process_event.h"
+#include "policy_filter.h"
/**
* Process filters (see generic_process_filter)
@@ -427,7 +428,10 @@ selector_process_filter(__u32 *f, __u32 index, struct execve_map_value *enter,
__u32 len;
__u64 i;
- /* Do binary and parent filter first for selector index */
+ /* Do workload filter first for selector index */
+ if (!match_workloads(index))
+ return 0;
+
if (!match_binaries(index, enter, &enter->bin))
return 0;
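Review bot: The replacement comment drops the information that the binary filter still runs immediately after, and it does not say that the new workload check is a pass-through for selectors without a workloads_map entry (match_workloads returns 1 on a lookup miss), which is the property a reader of this ordering most needs. Consider `/* Workload filter first (selectors without a matchWorkloads entry pass through), then binary and parent filters */`. selector_process_filter begins and ends outside this hunk, so the later filters in the chain are not visible here.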
diff --git a/bpf/process/policy_filter.h b/bpf/process/policy_filter.h
index 95cba33b250..ea342328fa3 100644
--- a/bpf/process/policy_filter.h
+++ b/bpf/process/policy_filter.h
@@ -93,4 +93,22 @@ FUNC_INLINE bool policy_filter_check(u32 policy_id)
return !map_lookup_elem(policy_map, &cgroupid);
}
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, MAX_SELECTORS);
+ __type(key, __u32); /* selector id */
+ __type(value, __u32); /* policy_id */
+} workloads_map SEC(".maps");
+
+FUNC_INLINE int match_workloads(__u32 selector_id)
+{
+ __u32 *pol_id = 0;
+
+ pol_id = map_lookup_elem(&workloads_map, &selector_id);
+ if (!pol_id)
+ return 1; // no matchWorkload in this selector so match
+
+ return policy_filter_check(*pol_id);
+}
+
#endif /* POLICY_FILTER_MAPS_H__ */
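Review bot: match_workloads treats a missing workloads_map entry as a match (the `return 1` on lookup miss), so a selector whose entry userspace has not yet written, or failed to write, is indistinguishable from a selector that has no matchWorkloads at all — the fail-open case and the not-configured case collapse into one. If userspace guarantees the map is fully populated before the program is attached that is acceptable, but the comment should say so, e.g. `/* no entry: selector has no matchWorkloads (map is populated before attach), so match */`. Separately, the visible context shows policy_filter_check returning `!map_lookup_elem(policy_map, &cgroupid)`, so please confirm that a true result from it is the intended "match" polarity for this caller. Minor style: the rest of the file uses `/* */` comments rather than `//`, and `pol_id` can be declared with its initializer, `__u32 *pol_id = map_lookup_elem(&workloads_map, &selector_id);`.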
diff --git a/docs/content/en/docs/concepts/tracing-policy/selectors.md b/docs/content/en/docs/concepts/tracing-policy/selectors.md
index 662c46fe931..f9d82dd4e43 100644
--- a/docs/content/en/docs/concepts/tracing-policy/selectors.md
+++ b/docs/content/en/docs/concepts/tracing-policy/selectors.md
@@ -21,6 +21,7 @@ Each selector comprises a set of filters:
- [`matchCapabilities`](#capabilities-filter): filter on Linux capabilities.
- [`matchNamespaceChanges`](#namespace-changes-filter): filter on Linux namespaces changes.
- [`matchCapabilityChanges`](#capability-changes-filter): filter on Linux capabilities changes.
+- [`matchWorkloads`](#workloads-filter): filter on Kubernetes workloads.
And a set of actions that will be performed if the specified filters match:
- [`matchActions`](#actions-filter): apply an action on selector matching.
@@ -716,6 +717,32 @@ matchCapabilityChanges:
See a [demonstration example](https://github.com/cilium/tetragon/blob/main/examples/tracingpolicy/fd_install_cap_changes.yaml)
of this feature.
+## Workloads filter
+
+Workloads filter can be specified under the `matchWorkloads` field and provides
+filtering based on Kubernetes workloads. Inside `matchWorkloads` the user can
+define a `hostSelector`, a `podSelector`, and a `containerSelector`.
+
+This works in a similar way to global workload selectors such as `spec.hostSelector`,
+`spec.podSelector`, and `spec.containerSelector`. More details on these
+can be found in [Filtering semantics]({{< ref "/docs/concepts/tracing-policy/k8s-filtering/#filtering-semantics" >}}).
+
+Loading a tracing policy with `matchWorkloads` outside of Kubernetes will fail
+in a similar way to global workload selectors.
+
+The following match host workloads and pods inside `kube-system` namespace:
+
+```yaml
+matchWorkloads:
+- hostSelector: {}
+ podSelector:
+ matchExpressions:
+ - key: "k8s:io.kubernetes.pod.namespace"
+ operator: In
+ values:
+ - "kube-system"
+```
+
## Actions filter
Actions filters are a list of actions that execute when an appropriate selector
diff --git a/docs/content/en/docs/reference/tracing-policy.md b/docs/content/en/docs/reference/tracing-policy.md
index c2d247dbd07..6f516b10fde 100644
--- a/docs/content/en/docs/reference/tracing-policy.md
+++ b/docs/content/en/docs/reference/tracing-policy.md
@@ -878,6 +878,13 @@ Filters specified in macros will be appended to corresponding filters of the sel
A list of argument filters. MatchArgs are ANDed.
false |
+
+ | matchWorkloads |
+ []object |
+
+ Workloads to match
+ |
+ false |
@@ -1680,12 +1687,11 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicy.spec.hostSelector
-[↩ Parent](#tracingpolicyspec)
+### TracingPolicy.spec.fentries[index].selectors[index].matchWorkloads[index]
+[↩ Parent](#tracingpolicyspecfentriesindexselectorsindex)
+
-HostSelector selects hosts that this policy applies to.
-For now only ~ (none) and {} (all) is supported.
@@ -1697,7 +1703,56 @@ For now only ~ (none) and {} (all) is supported.
- | matchExpressions |
+ containerSelector |
+ object |
+
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
+ |
+ false |
+
+ | hostSelector |
+ object |
+
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
+ |
+ false |
+
+ | podSelector |
+ object |
+
+ PodSelector selects pods that this policy applies to
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.fentries[index].selectors[index].matchWorkloads[index].containerSelector
+[↩ Parent](#tracingpolicyspecfentriesindexselectorsindexmatchworkloadsindex)
+
+
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
[]object |
matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -1716,8 +1771,8 @@ operator is "In", and the values array contains only "value". The requirements a
|
-### TracingPolicy.spec.hostSelector.matchExpressions[index]
-[↩ Parent](#tracingpolicyspechostselector)
+### TracingPolicy.spec.fentries[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspecfentriesindexselectorsindexmatchworkloadsindexcontainerselector)
A label selector requirement is a selector that contains values, a key, and an operator that
@@ -1763,11 +1818,12 @@ merge patch.
-### TracingPolicy.spec.kprobes[index]
-[↩ Parent](#tracingpolicyspec)
-
+### TracingPolicy.spec.fentries[index].selectors[index].matchWorkloads[index].hostSelector
+[↩ Parent](#tracingpolicyspecfentriesindexselectorsindexmatchworkloadsindex)
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
@@ -1779,99 +1835,113 @@ merge patch.
- | call |
- string |
-
- Name of the function to apply the kprobe spec to.
- |
- true |
-
- | args |
- []object |
-
- A list of function arguments to include in the trace output.
- |
- false |
-
- | data |
+ matchExpressions |
[]object |
- A list of data to include in the trace output.
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | ignore |
- object |
+ matchLabels |
+ map[string]string |
- Conditions for ignoring this kprobe
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-
- | message |
+
+
+
+
+### TracingPolicy.spec.fentries[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspecfentriesindexselectorsindexmatchworkloadsindexhostselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
string |
- A short message of 256 characters max that will be included
-in the event output to inform users what is going on.
+ key is the label key that the selector applies to.
|
- false |
+ true |
- | return |
- boolean |
+ operator |
+ enum |
- Indicates whether to collect return value of the traced function.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Default: false
- |
- false |
-
- | returnArg |
- object |
-
- A return argument to include in the trace output.
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
- | returnArgAction |
- string |
+ values |
+ []string |
- An action to perform on the return value.
-Use returnArg to include the return value in the event output.
-Supported actions are: TrackSock;UntrackSock
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-
- | selectors |
+
+
+
+
+### TracingPolicy.spec.fentries[index].selectors[index].matchWorkloads[index].podSelector
+[↩ Parent](#tracingpolicyspecfentriesindexselectorsindexmatchworkloadsindex)
+
+
+PodSelector selects pods that this policy applies to
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
[]object |
- Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
- |
- false |
-
- | syscall |
- boolean |
-
- Indicates whether the traced function is a syscall.
-
- Default: true
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | tags |
- []string |
+ matchLabels |
+ map[string]string |
- Tags to categorize the event, will be include in the event output.
-Maximum of 16 Tags are supported.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicy.spec.kprobes[index].args[index]
-[↩ Parent](#tracingpolicyspeckprobesindex)
-
+### TracingPolicy.spec.fentries[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspecfentriesindexselectorsindexmatchworkloadsindexpodselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -1883,52 +1953,285 @@ Maximum of 16 Tags are supported.
- | index |
- integer |
+ key |
+ string |
- Position of the argument.
-
- Format: int32
- Minimum: 0
+ key is the label key that the selector applies to.
|
true |
- | type |
+ operator |
enum |
- Argument type.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
- | btfType |
- string |
+ values |
+ []string |
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-
- | label |
- string |
+
+
+
+
+### TracingPolicy.spec.hostSelector
+[↩ Parent](#tracingpolicyspec)
+
+
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
- Label to output in the JSON
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | maxData |
- boolean |
+ matchLabels |
+ map[string]string |
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
-
- Default: false
- |
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
+
+ false |
+
+
+
+
+### TracingPolicy.spec.hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspechostselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
+ | operator |
+ enum |
+
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
+
+ Enum: In, NotIn, Exists, DoesNotExist
+ |
+ true |
+
+ | values |
+ []string |
+
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.kprobes[index]
+[↩ Parent](#tracingpolicyspec)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | call |
+ string |
+
+ Name of the function to apply the kprobe spec to.
+ |
+ true |
+
+ | args |
+ []object |
+
+ A list of function arguments to include in the trace output.
+ |
+ false |
+
+ | data |
+ []object |
+
+ A list of data to include in the trace output.
+ |
+ false |
+
+ | ignore |
+ object |
+
+ Conditions for ignoring this kprobe
+ |
+ false |
+
+ | message |
+ string |
+
+ A short message of 256 characters max that will be included
+in the event output to inform users what is going on.
+ |
+ false |
+
+ | return |
+ boolean |
+
+ Indicates whether to collect return value of the traced function.
+
+ Default: false
+ |
+ false |
+
+ | returnArg |
+ object |
+
+ A return argument to include in the trace output.
+ |
+ false |
+
+ | returnArgAction |
+ string |
+
+ An action to perform on the return value.
+Use returnArg to include the return value in the event output.
+Supported actions are: TrackSock;UntrackSock
+ |
+ false |
+
+ | selectors |
+ []object |
+
+ Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
+ |
+ false |
+
+ | syscall |
+ boolean |
+
+ Indicates whether the traced function is a syscall.
+
+ Default: true
+ |
+ false |
+
+ | tags |
+ []string |
+
+ Tags to categorize the event, will be include in the event output.
+Maximum of 16 Tags are supported.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.kprobes[index].args[index]
+[↩ Parent](#tracingpolicyspeckprobesindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | index |
+ integer |
+
+ Position of the argument.
+
+ Format: int32
+ Minimum: 0
+ |
+ true |
+
+ | type |
+ enum |
+
+ Argument type.
+
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
+ |
+ true |
+
+ | btfType |
+ string |
+
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
+ |
+ false |
+
+ | label |
+ string |
+
+ Label to output in the JSON
+ |
+ false |
+
+ | maxData |
+ boolean |
+
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
+
+ Default: false
+ |
false |
| resolve |
@@ -2322,6 +2625,13 @@ Filters specified in macros will be appended to corresponding filters of the sel
A list of argument filters. MatchArgs are ANDed.
false |
+
+ | matchWorkloads |
+ []object |
+
+ Workloads to match
+ |
+ false |
@@ -3124,8 +3434,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicy.spec.lists[index]
-[↩ Parent](#tracingpolicyspec)
+### TracingPolicy.spec.kprobes[index].selectors[index].matchWorkloads[index]
+[↩ Parent](#tracingpolicyspeckprobesindexselectorsindex)
@@ -3140,51 +3450,80 @@ Only valid with the post action and with a rateLimit specified.
- | name |
- string |
-
- Name of the list
- |
- true |
-
- | pattern |
- string |
+ containerSelector |
+ object |
- Pattern for 'generated' lists.
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
|
false |
- | type |
- enum |
+ hostSelector |
+ object |
- Indicates the type of the list values.
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
- Enum: syscalls, generated_syscalls, generated_ftrace
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
|
false |
- | validated |
- boolean |
+ podSelector |
+ object |
- List was validated
+ PodSelector selects pods that this policy applies to
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.kprobes[index].selectors[index].matchWorkloads[index].containerSelector
+[↩ Parent](#tracingpolicyspeckprobesindexselectorsindexmatchworkloadsindex)
+
+
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
+
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | values |
- []string |
+ matchLabels |
+ map[string]string |
- Values of the list
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicy.spec.lsmhooks[index]
-[↩ Parent](#tracingpolicyspec)
-
+### TracingPolicy.spec.kprobes[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspeckprobesindexselectorsindexmatchworkloadsindexcontainerselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -3196,51 +3535,78 @@ Only valid with the post action and with a rateLimit specified.
- | hook |
+ key |
string |
- Name of the function to apply the kprobe spec to.
+ key is the label key that the selector applies to.
|
true |
- | args |
- []object |
+ operator |
+ enum |
- A list of function arguments to include in the trace output.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
+
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
- | message |
- string |
+ values |
+ []string |
- A short message of 256 characters max that will be included
-in the event output to inform users what is going on.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-
- | selectors |
+
+
+
+
+### TracingPolicy.spec.kprobes[index].selectors[index].matchWorkloads[index].hostSelector
+[↩ Parent](#tracingpolicyspeckprobesindexselectorsindexmatchworkloadsindex)
+
+
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
[]object |
- Selectors to apply before producing trace output. Selectors are ORed.
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | tags |
- []string |
+ matchLabels |
+ map[string]string |
- Tags to categorize the event, will be include in the event output.
-Maximum of 16 Tags are supported.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicy.spec.lsmhooks[index].args[index]
-[↩ Parent](#tracingpolicyspeclsmhooksindex)
-
+### TracingPolicy.spec.kprobes[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspeckprobesindexselectorsindexmatchworkloadsindexhostselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -3252,103 +3618,123 @@ Maximum of 16 Tags are supported.
- | index |
- integer |
+ key |
+ string |
- Position of the argument.
-
- Format: int32
- Minimum: 0
+ key is the label key that the selector applies to.
|
true |
- | type |
+ operator |
enum |
- Argument type.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
- | btfType |
- string |
+ values |
+ []string |
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-
- | label |
- string |
+
+
+
+
+### TracingPolicy.spec.kprobes[index].selectors[index].matchWorkloads[index].podSelector
+[↩ Parent](#tracingpolicyspeckprobesindexselectorsindexmatchworkloadsindex)
+
+
+PodSelector selects pods that this policy applies to
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
- Label to output in the JSON
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | maxData |
- boolean |
+ matchLabels |
+ map[string]string |
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
-
- Default: false
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-
- | resolve |
+
+
+
+
+### TracingPolicy.spec.kprobes[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspeckprobesindexselectorsindexmatchworkloadsindexpodselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
string |
- Resolve the path to a specific attribute
-
- Default:
- |
- false |
-
- | returnCopy |
- boolean |
-
- This field is used only for char_buf and char_iovec types. It indicates
-that this argument should be read later (when the kretprobe for the
-symbol is triggered) because it might not be populated when the kprobe
-is triggered at the entrance of the function. For example, a buffer
-supplied to read(2) won't have content until kretprobe is triggered.
-
- Default: false
+ key is the label key that the selector applies to.
|
- false |
+ true |
- | sizeArgIndex |
- integer |
+ operator |
+ enum |
- Specifies the position of the corresponding size argument for this argument.
-This field is used only for char_buf and char_iovec types.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Format: int32
- Minimum: 0
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
- | source |
- string |
+ values |
+ []string |
- Source of the data, if missing the default if function arguments
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-### TracingPolicy.spec.lsmhooks[index].selectors[index]
-[↩ Parent](#tracingpolicyspeclsmhooksindex)
+### TracingPolicy.spec.lists[index]
+[↩ Parent](#tracingpolicyspec)
+
-KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
-results of MatchPIDs and MatchArgs are ANDed.
@@ -3360,24 +3746,244 @@ results of MatchPIDs and MatchArgs are ANDed.
- | macros |
- []string |
+ name |
+ string |
- A list of macros names, defined in spec.selectorsMacros.
-Filters specified in macros will be appended to corresponding filters of the selector.
+ Name of the list
|
- false |
+ true |
- | matchActions |
- []object |
+ pattern |
+ string |
- A list of actions to execute when this selector matches
+ Pattern for 'generated' lists.
|
false |
- | matchArgs |
- []object |
-
+ | type |
+ enum |
+
+ Indicates the type of the list values.
+
+ Enum: syscalls, generated_syscalls, generated_ftrace
+ |
+ false |
+
+ | validated |
+ boolean |
+
+ List was validated
+ |
+ false |
+
+ | values |
+ []string |
+
+ Values of the list
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.lsmhooks[index]
+[↩ Parent](#tracingpolicyspec)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | hook |
+ string |
+
+ Name of the function to apply the kprobe spec to.
+ |
+ true |
+
+ | args |
+ []object |
+
+ A list of function arguments to include in the trace output.
+ |
+ false |
+
+ | message |
+ string |
+
+ A short message of 256 characters max that will be included
+in the event output to inform users what is going on.
+ |
+ false |
+
+ | selectors |
+ []object |
+
+ Selectors to apply before producing trace output. Selectors are ORed.
+ |
+ false |
+
+ | tags |
+ []string |
+
+ Tags to categorize the event, will be include in the event output.
+Maximum of 16 Tags are supported.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.lsmhooks[index].args[index]
+[↩ Parent](#tracingpolicyspeclsmhooksindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | index |
+ integer |
+
+ Position of the argument.
+
+ Format: int32
+ Minimum: 0
+ |
+ true |
+
+ | type |
+ enum |
+
+ Argument type.
+
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
+ |
+ true |
+
+ | btfType |
+ string |
+
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
+ |
+ false |
+
+ | label |
+ string |
+
+ Label to output in the JSON
+ |
+ false |
+
+ | maxData |
+ boolean |
+
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
+
+ Default: false
+ |
+ false |
+
+ | resolve |
+ string |
+
+ Resolve the path to a specific attribute
+
+ Default:
+ |
+ false |
+
+ | returnCopy |
+ boolean |
+
+ This field is used only for char_buf and char_iovec types. It indicates
+that this argument should be read later (when the kretprobe for the
+symbol is triggered) because it might not be populated when the kprobe
+is triggered at the entrance of the function. For example, a buffer
+supplied to read(2) won't have content until kretprobe is triggered.
+
+ Default: false
+ |
+ false |
+
+ | sizeArgIndex |
+ integer |
+
+ Specifies the position of the corresponding size argument for this argument.
+This field is used only for char_buf and char_iovec types.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | source |
+ string |
+
+ Source of the data, if missing the default if function arguments
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.lsmhooks[index].selectors[index]
+[↩ Parent](#tracingpolicyspeclsmhooksindex)
+
+
+KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
+results of MatchPIDs and MatchArgs are ANDed.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | macros |
+ []string |
+
+ A list of macros names, defined in spec.selectorsMacros.
+Filters specified in macros will be appended to corresponding filters of the selector.
+ |
+ false |
+
+ | matchActions |
+ []object |
+
+ A list of actions to execute when this selector matches
+ |
+ false |
+
+ | matchArgs |
+ []object |
+
A list of argument filters. MatchArgs are ANDed.
|
false |
@@ -3451,6 +4057,13 @@ Filters specified in macros will be appended to corresponding filters of the sel
A list of argument filters. MatchArgs are ANDed.
false |
+
+ | matchWorkloads |
+ []object |
+
+ Workloads to match
+ |
+ false |
@@ -4253,8 +4866,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicy.spec.options[index]
-[↩ Parent](#tracingpolicyspec)
+### TracingPolicy.spec.lsmhooks[index].selectors[index].matchWorkloads[index]
+[↩ Parent](#tracingpolicyspeclsmhooksindexselectorsindex)
@@ -4269,28 +4882,44 @@ Only valid with the post action and with a rateLimit specified.
- | name |
- string |
+ containerSelector |
+ object |
- Name of the option
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
|
- true |
+ false |
- | value |
- string |
+ hostSelector |
+ object |
- Value of the option
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
+ |
+ false |
+
+ | podSelector |
+ object |
+
+ PodSelector selects pods that this policy applies to
|
false |
-### TracingPolicy.spec.podSelector
-[↩ Parent](#tracingpolicyspec)
+### TracingPolicy.spec.lsmhooks[index].selectors[index].matchWorkloads[index].containerSelector
+[↩ Parent](#tracingpolicyspeclsmhooksindexselectorsindexmatchworkloadsindex)
-PodSelector selects pods that this policy applies to
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
@@ -4302,7 +4931,7 @@ PodSelector selects pods that this policy applies to
- | matchExpressions |
+ matchExpressions |
[]object |
matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -4321,8 +4950,8 @@ operator is "In", and the values array contains only "value". The requirements a
|
-### TracingPolicy.spec.podSelector.matchExpressions[index]
-[↩ Parent](#tracingpolicyspecpodselector)
+### TracingPolicy.spec.lsmhooks[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspeclsmhooksindexselectorsindexmatchworkloadsindexcontainerselector)
A label selector requirement is a selector that contains values, a key, and an operator that
@@ -4368,12 +4997,12 @@ merge patch.
-### TracingPolicy.spec.selectorsMacros[key]
-[↩ Parent](#tracingpolicyspec)
+### TracingPolicy.spec.lsmhooks[index].selectors[index].matchWorkloads[index].hostSelector
+[↩ Parent](#tracingpolicyspeclsmhooksindexselectorsindexmatchworkloadsindex)
-KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
-results of MatchPIDs and MatchArgs are ANDed.
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
@@ -4385,106 +5014,228 @@ results of MatchPIDs and MatchArgs are ANDed.
- | macros |
- []string |
+ matchExpressions |
+ []object |
- A list of macros names, defined in spec.selectorsMacros.
-Filters specified in macros will be appended to corresponding filters of the selector.
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | matchActions |
- []object |
+ matchLabels |
+ map[string]string |
- A list of actions to execute when this selector matches
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-
- | matchArgs |
- []object |
+
+
+
+
+### TracingPolicy.spec.lsmhooks[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspeclsmhooksindexselectorsindexmatchworkloadsindexhostselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
+ string |
- A list of argument filters. MatchArgs are ANDed.
+ key is the label key that the selector applies to.
|
- false |
+ true |
- | matchBinaries |
- []object |
+ operator |
+ enum |
- A list of binary exec name filters.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
+
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
- | matchCapabilities |
- []object |
+ values |
+ []string |
- A list of capabilities and IDs
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-
- | matchCapabilityChanges |
+
+
+
+
+### TracingPolicy.spec.lsmhooks[index].selectors[index].matchWorkloads[index].podSelector
+[↩ Parent](#tracingpolicyspeclsmhooksindexselectorsindexmatchworkloadsindex)
+
+
+PodSelector selects pods that this policy applies to
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
[]object |
- IDs for capabilities changes
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | matchData |
- []object |
+ matchLabels |
+ map[string]string |
- A list of argument filters. MatchData are ANDed.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-
- | matchNamespaceChanges |
- []object |
+
+
+
+
+### TracingPolicy.spec.lsmhooks[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspeclsmhooksindexselectorsindexmatchworkloadsindexpodselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
+ string |
- IDs for namespace changes
+ key is the label key that the selector applies to.
|
- false |
+ true |
- | matchNamespaces |
- []object |
+ operator |
+ enum |
- A list of namespaces and IDs
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
+
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
- | matchPIDs |
- []object |
+ values |
+ []string |
- A list of process ID filters. MatchPIDs are ANDed.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
+
+
+
+
+### TracingPolicy.spec.options[index]
+[↩ Parent](#tracingpolicyspec)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | name |
+ string |
+
+ Name of the option
+ |
+ true |
- | matchParentBinaries |
- []object |
+ value |
+ string |
- A list of process parent exec name filters.
+ Value of the option
|
false |
-
- | matchReturnActions |
+
+
+
+
+### TracingPolicy.spec.podSelector
+[↩ Parent](#tracingpolicyspec)
+
+
+PodSelector selects pods that this policy applies to
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
[]object |
- A list of actions to execute when MatchReturnArgs selector matches
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | matchReturnArgs |
- []object |
+ matchLabels |
+ map[string]string |
- A list of argument filters. MatchArgs are ANDed.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicy.spec.selectorsMacros[key].matchActions[index]
-[↩ Parent](#tracingpolicyspecselectorsmacroskey)
-
+### TracingPolicy.spec.podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspecpodselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -4496,32 +5247,197 @@ Filters specified in macros will be appended to corresponding filters of the sel
- | action |
- enum |
+ key |
+ string |
- Action to execute.
-NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
-be removed in version 1.5.
-
- Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
+ key is the label key that the selector applies to.
|
true |
- | argError |
- integer |
+ operator |
+ enum |
- error value for override action
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Format: int32
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
- | argFd |
- integer |
+ values |
+ []string |
- An arg index for the fd for fdInstall action
-
- Format: int32
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.selectorsMacros[key]
+[↩ Parent](#tracingpolicyspec)
+
+
+KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
+results of MatchPIDs and MatchArgs are ANDed.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | macros |
+ []string |
+
+ A list of macros names, defined in spec.selectorsMacros.
+Filters specified in macros will be appended to corresponding filters of the selector.
+ |
+ false |
+
+ | matchActions |
+ []object |
+
+ A list of actions to execute when this selector matches
+ |
+ false |
+
+ | matchArgs |
+ []object |
+
+ A list of argument filters. MatchArgs are ANDed.
+ |
+ false |
+
+ | matchBinaries |
+ []object |
+
+ A list of binary exec name filters.
+ |
+ false |
+
+ | matchCapabilities |
+ []object |
+
+ A list of capabilities and IDs
+ |
+ false |
+
+ | matchCapabilityChanges |
+ []object |
+
+ IDs for capabilities changes
+ |
+ false |
+
+ | matchData |
+ []object |
+
+ A list of argument filters. MatchData are ANDed.
+ |
+ false |
+
+ | matchNamespaceChanges |
+ []object |
+
+ IDs for namespace changes
+ |
+ false |
+
+ | matchNamespaces |
+ []object |
+
+ A list of namespaces and IDs
+ |
+ false |
+
+ | matchPIDs |
+ []object |
+
+ A list of process ID filters. MatchPIDs are ANDed.
+ |
+ false |
+
+ | matchParentBinaries |
+ []object |
+
+ A list of process parent exec name filters.
+ |
+ false |
+
+ | matchReturnActions |
+ []object |
+
+ A list of actions to execute when MatchReturnArgs selector matches
+ |
+ false |
+
+ | matchReturnArgs |
+ []object |
+
+ A list of argument filters. MatchArgs are ANDed.
+ |
+ false |
+
+ | matchWorkloads |
+ []object |
+
+ Workloads to match
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.selectorsMacros[key].matchActions[index]
+[↩ Parent](#tracingpolicyspecselectorsmacroskey)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | action |
+ enum |
+
+ Action to execute.
+NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
+be removed in version 1.5.
+
+ Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
+ |
+ true |
+
+ | argError |
+ integer |
+
+ error value for override action
+
+ Format: int32
+ |
+ false |
+
+ | argFd |
+ integer |
+
+ An arg index for the fd for fdInstall action
+
+ Format: int32
|
false |
@@ -5278,8 +6194,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicy.spec.tracepoints[index]
-[↩ Parent](#tracingpolicyspec)
+### TracingPolicy.spec.selectorsMacros[key].matchWorkloads[index]
+[↩ Parent](#tracingpolicyspecselectorsmacroskey)
@@ -5294,65 +6210,80 @@ Only valid with the post action and with a rateLimit specified.
- | event |
- string |
-
- Tracepoint event
- |
- true |
-
- | subsystem |
- string |
-
- Tracepoint subsystem
- |
- true |
-
- | args |
- []object |
+ containerSelector |
+ object |
- A list of function arguments to include in the trace output.
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
|
false |
- | message |
- string |
+ hostSelector |
+ object |
- A short message of 256 characters max that will be included
-in the event output to inform users what is going on.
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
|
false |
- | raw |
- boolean |
+ podSelector |
+ object |
- Enable raw tracepoint arguments
+ PodSelector selects pods that this policy applies to
|
false |
-
- | selectors |
+
+
+
+
+### TracingPolicy.spec.selectorsMacros[key].matchWorkloads[index].containerSelector
+[↩ Parent](#tracingpolicyspecselectorsmacroskeymatchworkloadsindex)
+
+
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
[]object |
- Selectors to apply before producing trace output. Selectors are ORed.
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | tags |
- []string |
+ matchLabels |
+ map[string]string |
- Tags to categorize the event, will be include in the event output.
-Maximum of 16 Tags are supported.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicy.spec.tracepoints[index].args[index]
-[↩ Parent](#tracingpolicyspectracepointsindex)
-
+### TracingPolicy.spec.selectorsMacros[key].matchWorkloads[index].containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspecselectorsmacroskeymatchworkloadsindexcontainerselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -5364,103 +6295,124 @@ Maximum of 16 Tags are supported.
- | index |
- integer |
+ key |
+ string |
- Position of the argument.
-
- Format: int32
- Minimum: 0
+ key is the label key that the selector applies to.
|
true |
- | type |
+ operator |
enum |
- Argument type.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
- | btfType |
- string |
+ values |
+ []string |
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-
- | label |
- string |
+
+
+
+
+### TracingPolicy.spec.selectorsMacros[key].matchWorkloads[index].hostSelector
+[↩ Parent](#tracingpolicyspecselectorsmacroskeymatchworkloadsindex)
+
+
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
- Label to output in the JSON
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | maxData |
- boolean |
+ matchLabels |
+ map[string]string |
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
-
- Default: false
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-
- | resolve |
+
+
+
+
+### TracingPolicy.spec.selectorsMacros[key].matchWorkloads[index].hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspecselectorsmacroskeymatchworkloadsindexhostselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
string |
- Resolve the path to a specific attribute
-
- Default:
- |
- false |
-
- | returnCopy |
- boolean |
-
- This field is used only for char_buf and char_iovec types. It indicates
-that this argument should be read later (when the kretprobe for the
-symbol is triggered) because it might not be populated when the kprobe
-is triggered at the entrance of the function. For example, a buffer
-supplied to read(2) won't have content until kretprobe is triggered.
-
- Default: false
+ key is the label key that the selector applies to.
|
- false |
+ true |
- | sizeArgIndex |
- integer |
+ operator |
+ enum |
- Specifies the position of the corresponding size argument for this argument.
-This field is used only for char_buf and char_iovec types.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Format: int32
- Minimum: 0
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
- | source |
- string |
+ values |
+ []string |
- Source of the data, if missing the default if function arguments
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-### TracingPolicy.spec.tracepoints[index].selectors[index]
-[↩ Parent](#tracingpolicyspectracepointsindex)
+### TracingPolicy.spec.selectorsMacros[key].matchWorkloads[index].podSelector
+[↩ Parent](#tracingpolicyspecselectorsmacroskeymatchworkloadsindex)
-KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
-results of MatchPIDs and MatchArgs are ANDed.
+PodSelector selects pods that this policy applies to
@@ -5472,97 +6424,364 @@ results of MatchPIDs and MatchArgs are ANDed.
- | macros |
- []string |
+ matchExpressions |
+ []object |
- A list of macros names, defined in spec.selectorsMacros.
-Filters specified in macros will be appended to corresponding filters of the selector.
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | matchActions |
- []object |
+ matchLabels |
+ map[string]string |
- A list of actions to execute when this selector matches
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-
- | matchArgs |
- []object |
+
+
+
+
+### TracingPolicy.spec.selectorsMacros[key].matchWorkloads[index].podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspecselectorsmacroskeymatchworkloadsindexpodselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
+ string |
- A list of argument filters. MatchArgs are ANDed.
+ key is the label key that the selector applies to.
|
- false |
+ true |
- | matchBinaries |
- []object |
+ operator |
+ enum |
- A list of binary exec name filters.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
+
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
- | matchCapabilities |
- []object |
+ values |
+ []string |
- A list of capabilities and IDs
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-
- | matchCapabilityChanges |
- []object |
+
+
+
+
+### TracingPolicy.spec.tracepoints[index]
+[↩ Parent](#tracingpolicyspec)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | event |
+ string |
- IDs for capabilities changes
+ Tracepoint event
|
- false |
+ true |
- | matchData |
- []object |
+ subsystem |
+ string |
- A list of argument filters. MatchData are ANDed.
+ Tracepoint subsystem
|
- false |
+ true |
- | matchNamespaceChanges |
+ args |
[]object |
- IDs for namespace changes
+ A list of function arguments to include in the trace output.
|
false |
- | matchNamespaces |
- []object |
+ message |
+ string |
- A list of namespaces and IDs
+ A short message of 256 characters max that will be included
+in the event output to inform users what is going on.
|
false |
- | matchPIDs |
- []object |
+ raw |
+ boolean |
- A list of process ID filters. MatchPIDs are ANDed.
+ Enable raw tracepoint arguments
|
false |
- | matchParentBinaries |
+ selectors |
[]object |
- A list of process parent exec name filters.
+ Selectors to apply before producing trace output. Selectors are ORed.
|
false |
- | matchReturnActions |
- []object |
+ tags |
+ []string |
- A list of actions to execute when MatchReturnArgs selector matches
+ Tags to categorize the event, will be include in the event output.
+Maximum of 16 Tags are supported.
|
false |
-
- | matchReturnArgs |
- []object |
-
+ |
+
+
+
+### TracingPolicy.spec.tracepoints[index].args[index]
+[↩ Parent](#tracingpolicyspectracepointsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | index |
+ integer |
+
+ Position of the argument.
+
+ Format: int32
+ Minimum: 0
+ |
+ true |
+
+ | type |
+ enum |
+
+ Argument type.
+
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
+ |
+ true |
+
+ | btfType |
+ string |
+
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
+ |
+ false |
+
+ | label |
+ string |
+
+ Label to output in the JSON
+ |
+ false |
+
+ | maxData |
+ boolean |
+
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
+
+ Default: false
+ |
+ false |
+
+ | resolve |
+ string |
+
+ Resolve the path to a specific attribute
+
+ Default:
+ |
+ false |
+
+ | returnCopy |
+ boolean |
+
+ This field is used only for char_buf and char_iovec types. It indicates
+that this argument should be read later (when the kretprobe for the
+symbol is triggered) because it might not be populated when the kprobe
+is triggered at the entrance of the function. For example, a buffer
+supplied to read(2) won't have content until kretprobe is triggered.
+
+ Default: false
+ |
+ false |
+
+ | sizeArgIndex |
+ integer |
+
+ Specifies the position of the corresponding size argument for this argument.
+This field is used only for char_buf and char_iovec types.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | source |
+ string |
+
+ Source of the data, if missing the default if function arguments
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.tracepoints[index].selectors[index]
+[↩ Parent](#tracingpolicyspectracepointsindex)
+
+
+KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
+results of MatchPIDs and MatchArgs are ANDed.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | macros |
+ []string |
+
+ A list of macros names, defined in spec.selectorsMacros.
+Filters specified in macros will be appended to corresponding filters of the selector.
+ |
+ false |
+
+ | matchActions |
+ []object |
+
+ A list of actions to execute when this selector matches
+ |
+ false |
+
+ | matchArgs |
+ []object |
+
+ A list of argument filters. MatchArgs are ANDed.
+ |
+ false |
+
+ | matchBinaries |
+ []object |
+
+ A list of binary exec name filters.
+ |
+ false |
+
+ | matchCapabilities |
+ []object |
+
+ A list of capabilities and IDs
+ |
+ false |
+
+ | matchCapabilityChanges |
+ []object |
+
+ IDs for capabilities changes
+ |
+ false |
+
+ | matchData |
+ []object |
+
+ A list of argument filters. MatchData are ANDed.
+ |
+ false |
+
+ | matchNamespaceChanges |
+ []object |
+
+ IDs for namespace changes
+ |
+ false |
+
+ | matchNamespaces |
+ []object |
+
+ A list of namespaces and IDs
+ |
+ false |
+
+ | matchPIDs |
+ []object |
+
+ A list of process ID filters. MatchPIDs are ANDed.
+ |
+ false |
+
+ | matchParentBinaries |
+ []object |
+
+ A list of process parent exec name filters.
+ |
+ false |
+
+ | matchReturnActions |
+ []object |
+
+ A list of actions to execute when MatchReturnArgs selector matches
+ |
+ false |
+
+ | matchReturnArgs |
+ []object |
+
A list of argument filters. MatchArgs are ANDed.
|
false |
+
+ | matchWorkloads |
+ []object |
+
+ Workloads to match
+ |
+ false |
@@ -6365,8 +7584,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicy.spec.uprobes[index]
-[↩ Parent](#tracingpolicyspec)
+### TracingPolicy.spec.tracepoints[index].selectors[index].matchWorkloads[index]
+[↩ Parent](#tracingpolicyspectracepointsindexselectorsindex)
@@ -6381,109 +7600,163 @@ Only valid with the post action and with a rateLimit specified.
- | path |
- string |
-
- Name of the traced binary
- |
- true |
-
- | addrs |
- []integer |
+ containerSelector |
+ object |
- List of the traced addresses
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
|
false |
- | args |
- []object |
+ hostSelector |
+ object |
- A list of function arguments to include in the trace output.
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
|
false |
- | btfPath |
- string |
+ podSelector |
+ object |
- path for a BTF file for the traced binary
+ PodSelector selects pods that this policy applies to
|
false |
-
- | data |
- []object |
-
- A list of data to include in the trace output.
- |
- false |
-
- | message |
- string |
+
+
+
+
+### TracingPolicy.spec.tracepoints[index].selectors[index].matchWorkloads[index].containerSelector
+[↩ Parent](#tracingpolicyspectracepointsindexselectorsindexmatchworkloadsindex)
+
+
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
- A short message of 256 characters max that will be included
-in the event output to inform users what is going on.
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | offsets |
- []integer |
+ matchLabels |
+ map[string]string |
- List of the traced offsets
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-
- | refCtrOffsets |
- []integer |
+
+
+
+
+### TracingPolicy.spec.tracepoints[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspectracepointsindexselectorsindexmatchworkloadsindexcontainerselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
+ string |
- List of the traced ref_ctr_offsets
+ key is the label key that the selector applies to.
|
- false |
+ true |
- | return |
- boolean |
+ operator |
+ enum |
- Indicates whether to collect return value of the traced function.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Default: false
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
- | returnArg |
- object |
+ values |
+ []string |
- A return argument to include in the trace output.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-
- | selectors |
+
+
+
+
+### TracingPolicy.spec.tracepoints[index].selectors[index].matchWorkloads[index].hostSelector
+[↩ Parent](#tracingpolicyspectracepointsindexselectorsindexmatchworkloadsindex)
+
+
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
[]object |
- Selectors to apply before producing trace output. Selectors are ORed.
- |
- false |
-
- | symbols |
- []string |
-
- List of the traced symbols
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | tags |
- []string |
+ matchLabels |
+ map[string]string |
- Tags to categorize the event, will be include in the event output.
-Maximum of 16 Tags are supported.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicy.spec.uprobes[index].args[index]
-[↩ Parent](#tracingpolicyspecuprobesindex)
-
+### TracingPolicy.spec.tracepoints[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspectracepointsindexselectorsindexmatchworkloadsindexhostselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -6495,102 +7768,77 @@ Maximum of 16 Tags are supported.
- | index |
- integer |
+ key |
+ string |
- Position of the argument.
-
- Format: int32
- Minimum: 0
+ key is the label key that the selector applies to.
|
true |
- | type |
+ operator |
enum |
- Argument type.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
- | btfType |
- string |
-
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
- |
- false |
-
- | label |
- string |
-
- Label to output in the JSON
- |
- false |
-
- | maxData |
- boolean |
-
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
-
- Default: false
- |
- false |
-
- | resolve |
- string |
-
- Resolve the path to a specific attribute
-
- Default:
- |
- false |
-
- | returnCopy |
- boolean |
+ values |
+ []string |
- This field is used only for char_buf and char_iovec types. It indicates
-that this argument should be read later (when the kretprobe for the
-symbol is triggered) because it might not be populated when the kprobe
-is triggered at the entrance of the function. For example, a buffer
-supplied to read(2) won't have content until kretprobe is triggered.
-
- Default: false
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-
- | sizeArgIndex |
- integer |
+
+
+
+
+### TracingPolicy.spec.tracepoints[index].selectors[index].matchWorkloads[index].podSelector
+[↩ Parent](#tracingpolicyspectracepointsindexselectorsindexmatchworkloadsindex)
+
+
+PodSelector selects pods that this policy applies to
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
- Specifies the position of the corresponding size argument for this argument.
-This field is used only for char_buf and char_iovec types.
-
- Format: int32
- Minimum: 0
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | source |
- string |
+ matchLabels |
+ map[string]string |
- Source of the data, if missing the default if function arguments
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicy.spec.uprobes[index].data[index]
-[↩ Parent](#tracingpolicyspecuprobesindex)
-
+### TracingPolicy.spec.tracepoints[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspectracepointsindexselectorsindexmatchworkloadsindexpodselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -6602,22 +7850,182 @@ This field is used only for char_buf and char_iovec types.
- | index |
- integer |
+ key |
+ string |
- Position of the argument.
-
- Format: int32
- Minimum: 0
+ key is the label key that the selector applies to.
|
true |
- | type |
+ operator |
enum |
- Argument type.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Enum: In, NotIn, Exists, DoesNotExist
+ |
+ true |
+
+ | values |
+ []string |
+
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index]
+[↩ Parent](#tracingpolicyspec)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | path |
+ string |
+
+ Name of the traced binary
+ |
+ true |
+
+ | addrs |
+ []integer |
+
+ List of the traced addresses
+ |
+ false |
+
+ | args |
+ []object |
+
+ A list of function arguments to include in the trace output.
+ |
+ false |
+
+ | btfPath |
+ string |
+
+ path for a BTF file for the traced binary
+ |
+ false |
+
+ | data |
+ []object |
+
+ A list of data to include in the trace output.
+ |
+ false |
+
+ | message |
+ string |
+
+ A short message of 256 characters max that will be included
+in the event output to inform users what is going on.
+ |
+ false |
+
+ | offsets |
+ []integer |
+
+ List of the traced offsets
+ |
+ false |
+
+ | refCtrOffsets |
+ []integer |
+
+ List of the traced ref_ctr_offsets
+ |
+ false |
+
+ | return |
+ boolean |
+
+ Indicates whether to collect return value of the traced function.
+
+ Default: false
+ |
+ false |
+
+ | returnArg |
+ object |
+
+ A return argument to include in the trace output.
+ |
+ false |
+
+ | selectors |
+ []object |
+
+ Selectors to apply before producing trace output. Selectors are ORed.
+ |
+ false |
+
+ | symbols |
+ []string |
+
+ List of the traced symbols
+ |
+ false |
+
+ | tags |
+ []string |
+
+ Tags to categorize the event, will be include in the event output.
+Maximum of 16 Tags are supported.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].args[index]
+[↩ Parent](#tracingpolicyspecuprobesindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | index |
+ integer |
+
+ Position of the argument.
+
+ Format: int32
+ Minimum: 0
+ |
+ true |
+
+ | type |
+ enum |
+
+ Argument type.
+
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
Default: auto
|
true |
@@ -6693,11 +8101,11 @@ This field is used only for char_buf and char_iovec types.
-### TracingPolicy.spec.uprobes[index].returnArg
+### TracingPolicy.spec.uprobes[index].data[index]
[↩ Parent](#tracingpolicyspecuprobesindex)
-A return argument to include in the trace output.
+
@@ -6790,22 +8198,2783 @@ This field is used only for char_buf and char_iovec types.
false |
- | source |
- string |
+ source |
+ string |
+
+ Source of the data, if missing the default if function arguments
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].returnArg
+[↩ Parent](#tracingpolicyspecuprobesindex)
+
+
+A return argument to include in the trace output.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | index |
+ integer |
+
+ Position of the argument.
+
+ Format: int32
+ Minimum: 0
+ |
+ true |
+
+ | type |
+ enum |
+
+ Argument type.
+
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
+ |
+ true |
+
+ | btfType |
+ string |
+
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
+ |
+ false |
+
+ | label |
+ string |
+
+ Label to output in the JSON
+ |
+ false |
+
+ | maxData |
+ boolean |
+
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
+
+ Default: false
+ |
+ false |
+
+ | resolve |
+ string |
+
+ Resolve the path to a specific attribute
+
+ Default:
+ |
+ false |
+
+ | returnCopy |
+ boolean |
+
+ This field is used only for char_buf and char_iovec types. It indicates
+that this argument should be read later (when the kretprobe for the
+symbol is triggered) because it might not be populated when the kprobe
+is triggered at the entrance of the function. For example, a buffer
+supplied to read(2) won't have content until kretprobe is triggered.
+
+ Default: false
+ |
+ false |
+
+ | sizeArgIndex |
+ integer |
+
+ Specifies the position of the corresponding size argument for this argument.
+This field is used only for char_buf and char_iovec types.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | source |
+ string |
+
+ Source of the data, if missing the default if function arguments
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index]
+[↩ Parent](#tracingpolicyspecuprobesindex)
+
+
+KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
+results of MatchPIDs and MatchArgs are ANDed.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | macros |
+ []string |
+
+ A list of macros names, defined in spec.selectorsMacros.
+Filters specified in macros will be appended to corresponding filters of the selector.
+ |
+ false |
+
+ | matchActions |
+ []object |
+
+ A list of actions to execute when this selector matches
+ |
+ false |
+
+ | matchArgs |
+ []object |
+
+ A list of argument filters. MatchArgs are ANDed.
+ |
+ false |
+
+ | matchBinaries |
+ []object |
+
+ A list of binary exec name filters.
+ |
+ false |
+
+ | matchCapabilities |
+ []object |
+
+ A list of capabilities and IDs
+ |
+ false |
+
+ | matchCapabilityChanges |
+ []object |
+
+ IDs for capabilities changes
+ |
+ false |
+
+ | matchData |
+ []object |
+
+ A list of argument filters. MatchData are ANDed.
+ |
+ false |
+
+ | matchNamespaceChanges |
+ []object |
+
+ IDs for namespace changes
+ |
+ false |
+
+ | matchNamespaces |
+ []object |
+
+ A list of namespaces and IDs
+ |
+ false |
+
+ | matchPIDs |
+ []object |
+
+ A list of process ID filters. MatchPIDs are ANDed.
+ |
+ false |
+
+ | matchParentBinaries |
+ []object |
+
+ A list of process parent exec name filters.
+ |
+ false |
+
+ | matchReturnActions |
+ []object |
+
+ A list of actions to execute when MatchReturnArgs selector matches
+ |
+ false |
+
+ | matchReturnArgs |
+ []object |
+
+ A list of argument filters. MatchArgs are ANDed.
+ |
+ false |
+
+ | matchWorkloads |
+ []object |
+
+ Workloads to match
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchActions[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | action |
+ enum |
+
+ Action to execute.
+NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
+be removed in version 1.5.
+
+ Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
+ |
+ true |
+
+ | argError |
+ integer |
+
+ error value for override action
+
+ Format: int32
+ |
+ false |
+
+ | argFd |
+ integer |
+
+ An arg index for the fd for fdInstall action
+
+ Format: int32
+ |
+ false |
+
+ | argFqdn |
+ string |
+
+ A FQDN to lookup for the dnsLookup action
+ |
+ false |
+
+ | argIndex |
+ integer |
+
+ An arg index for the set action
+
+ Format: int32
+ |
+ false |
+
+ | argName |
+ integer |
+
+ An arg index for the filename for fdInstall action
+
+ Format: int32
+ |
+ false |
+
+ | argRegs |
+ []string |
+
+ An arg value for the regs action
+ |
+ false |
+
+ | argSig |
+ integer |
+
+ A signal number for signal action
+
+ Format: int32
+ |
+ false |
+
+ | argSock |
+ integer |
+
+ An arg index for the sock for trackSock and untrackSock actions
+
+ Format: int32
+ |
+ false |
+
+ | argUrl |
+ string |
+
+ A URL for the getUrl action
+ |
+ false |
+
+ | argValue |
+ integer |
+
+ An arg value for the set action
+
+ Format: int32
+ |
+ false |
+
+ | imaHash |
+ boolean |
+
+ Enable collection of file hashes from integrity subsystem.
+Only valid with the post action.
+ |
+ false |
+
+ | kernelStackTrace |
+ boolean |
+
+ Enable kernel stack trace export. Only valid with the post action.
+ |
+ false |
+
+ | rateLimit |
+ string |
+
+ A time period within which repeated messages will not be posted. Can be
+specified in seconds (default or with 's' suffix), minutes ('m' suffix)
+or hours ('h' suffix). Only valid with the post action.
+ |
+ false |
+
+ | rateLimitScope |
+ string |
+
+ The scope of the provided rate limit argument. Can be "thread" (default),
+"process" (all threads for the same process), or "global". If "thread" is
+selected then rate limiting applies per thread; if "process" is selected
+then rate limiting applies per process; if "global" is selected then rate
+limiting applies regardless of which process or thread caused the action.
+Only valid with the post action and with a rateLimit specified.
+ |
+ false |
+
+ | userStackTrace |
+ boolean |
+
+ Enable user stack trace export. Only valid with the post action.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchArgs[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ |
+ true |
+
+ | args |
+ []integer |
+
+ Position of the operator arguments (in spec file) to apply fhe filter to.
+ |
+ false |
+
+ | index |
+ integer |
+
+ Position of the argument (in function prototype) to apply fhe filter to.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchBinaries[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ |
+ true |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ true |
+
+ | followChildren |
+ boolean |
+
+ In addition to binaries, match children processes of specified binaries.
+
+ Default: false
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchCapabilities[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Namespace selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []string |
+
+ Capabilities to match.
+ |
+ true |
+
+ | isNamespaceCapability |
+ boolean |
+
+ Indicates whether these caps are namespace caps.
+
+ Default: false
+ |
+ false |
+
+ | type |
+ enum |
+
+ Type of capabilities
+
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchCapabilityChanges[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Namespace selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []string |
+
+ Capabilities to match.
+ |
+ true |
+
+ | isNamespaceCapability |
+ boolean |
+
+ Indicates whether these caps are namespace caps.
+
+ Default: false
+ |
+ false |
+
+ | type |
+ enum |
+
+ Type of capabilities
+
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchData[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ |
+ true |
+
+ | args |
+ []integer |
+
+ Position of the operator arguments (in spec file) to apply fhe filter to.
+ |
+ false |
+
+ | index |
+ integer |
+
+ Position of the argument (in function prototype) to apply fhe filter to.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchNamespaceChanges[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Namespace selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []string |
+
+ Namespace types (e.g., Mnt, Pid) to match.
+ |
+ true |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchNamespaces[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | namespace |
+ enum |
+
+ Namespace selector name.
+
+ Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
+ |
+ true |
+
+ | operator |
+ enum |
+
+ Namespace selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []string |
+
+ Namespace IDs (or host_ns for host namespace) of namespaces to match.
+ |
+ true |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchPIDs[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ PID selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []integer |
+
+ Process IDs to match.
+ |
+ true |
+
+ | followForks |
+ boolean |
+
+ Matches any descendant processes of the matching PIDs.
+
+ Default: false
+ |
+ false |
+
+ | isNamespacePID |
+ boolean |
+
+ Indicates whether PIDs are namespace PIDs.
+
+ Default: false
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchParentBinaries[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ |
+ true |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ true |
+
+ | followChildren |
+ boolean |
+
+ In addition to binaries, match children processes of specified binaries.
+
+ Default: false
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchReturnActions[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | action |
+ enum |
+
+ Action to execute.
+NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
+be removed in version 1.5.
+
+ Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
+ |
+ true |
+
+ | argError |
+ integer |
+
+ error value for override action
+
+ Format: int32
+ |
+ false |
+
+ | argFd |
+ integer |
+
+ An arg index for the fd for fdInstall action
+
+ Format: int32
+ |
+ false |
+
+ | argFqdn |
+ string |
+
+ A FQDN to lookup for the dnsLookup action
+ |
+ false |
+
+ | argIndex |
+ integer |
+
+ An arg index for the set action
+
+ Format: int32
+ |
+ false |
+
+ | argName |
+ integer |
+
+ An arg index for the filename for fdInstall action
+
+ Format: int32
+ |
+ false |
+
+ | argRegs |
+ []string |
+
+ An arg value for the regs action
+ |
+ false |
+
+ | argSig |
+ integer |
+
+ A signal number for signal action
+
+ Format: int32
+ |
+ false |
+
+ | argSock |
+ integer |
+
+ An arg index for the sock for trackSock and untrackSock actions
+
+ Format: int32
+ |
+ false |
+
+ | argUrl |
+ string |
+
+ A URL for the getUrl action
+ |
+ false |
+
+ | argValue |
+ integer |
+
+ An arg value for the set action
+
+ Format: int32
+ |
+ false |
+
+ | imaHash |
+ boolean |
+
+ Enable collection of file hashes from integrity subsystem.
+Only valid with the post action.
+ |
+ false |
+
+ | kernelStackTrace |
+ boolean |
+
+ Enable kernel stack trace export. Only valid with the post action.
+ |
+ false |
+
+ | rateLimit |
+ string |
+
+ A time period within which repeated messages will not be posted. Can be
+specified in seconds (default or with 's' suffix), minutes ('m' suffix)
+or hours ('h' suffix). Only valid with the post action.
+ |
+ false |
+
+ | rateLimitScope |
+ string |
+
+ The scope of the provided rate limit argument. Can be "thread" (default),
+"process" (all threads for the same process), or "global". If "thread" is
+selected then rate limiting applies per thread; if "process" is selected
+then rate limiting applies per process; if "global" is selected then rate
+limiting applies regardless of which process or thread caused the action.
+Only valid with the post action and with a rateLimit specified.
+ |
+ false |
+
+ | userStackTrace |
+ boolean |
+
+ Enable user stack trace export. Only valid with the post action.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchReturnArgs[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ |
+ true |
+
+ | args |
+ []integer |
+
+ Position of the operator arguments (in spec file) to apply fhe filter to.
+ |
+ false |
+
+ | index |
+ integer |
+
+ Position of the argument (in function prototype) to apply fhe filter to.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchWorkloads[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | containerSelector |
+ object |
+
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
+ |
+ false |
+
+ | hostSelector |
+ object |
+
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
+ |
+ false |
+
+ | podSelector |
+ object |
+
+ PodSelector selects pods that this policy applies to
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchWorkloads[index].containerSelector
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindexmatchworkloadsindex)
+
+
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
+
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ |
+ false |
+
+ | matchLabels |
+ map[string]string |
+
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindexmatchworkloadsindexcontainerselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
+ | operator |
+ enum |
+
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
+
+ Enum: In, NotIn, Exists, DoesNotExist
+ |
+ true |
+
+ | values |
+ []string |
+
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchWorkloads[index].hostSelector
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindexmatchworkloadsindex)
+
+
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
+
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ |
+ false |
+
+ | matchLabels |
+ map[string]string |
+
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindexmatchworkloadsindexhostselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
+ | operator |
+ enum |
+
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
+
+ Enum: In, NotIn, Exists, DoesNotExist
+ |
+ true |
+
+ | values |
+ []string |
+
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchWorkloads[index].podSelector
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindexmatchworkloadsindex)
+
+
+PodSelector selects pods that this policy applies to
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
+
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ |
+ false |
+
+ | matchLabels |
+ map[string]string |
+
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.uprobes[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspecuprobesindexselectorsindexmatchworkloadsindexpodselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
+ | operator |
+ enum |
+
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
+
+ Enum: In, NotIn, Exists, DoesNotExist
+ |
+ true |
+
+ | values |
+ []string |
+
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index]
+[↩ Parent](#tracingpolicyspec)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | name |
+ string |
+
+ Usdt name
+ |
+ true |
+
+ | path |
+ string |
+
+ Name of the traced binary
+ |
+ true |
+
+ | provider |
+ string |
+
+ Usdt provider name
+ |
+ true |
+
+ | args |
+ []object |
+
+ A list of function arguments to include in the trace output.
+ |
+ false |
+
+ | btfPath |
+ string |
+
+ path for a BTF file for the traced binary
+ |
+ false |
+
+ | message |
+ string |
+
+ A short message of 256 characters max that will be included
+in the event output to inform users what is going on.
+ |
+ false |
+
+ | selectors |
+ []object |
+
+ Selectors to apply before producing trace output. Selectors are ORed.
+ |
+ false |
+
+ | tags |
+ []string |
+
+ Tags to categorize the event, will be include in the event output.
+Maximum of 16 Tags are supported.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].args[index]
+[↩ Parent](#tracingpolicyspecusdtsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | index |
+ integer |
+
+ Position of the argument.
+
+ Format: int32
+ Minimum: 0
+ |
+ true |
+
+ | type |
+ enum |
+
+ Argument type.
+
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
+ |
+ true |
+
+ | btfType |
+ string |
+
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
+ |
+ false |
+
+ | label |
+ string |
+
+ Label to output in the JSON
+ |
+ false |
+
+ | maxData |
+ boolean |
+
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
+
+ Default: false
+ |
+ false |
+
+ | resolve |
+ string |
+
+ Resolve the path to a specific attribute
+
+ Default:
+ |
+ false |
+
+ | returnCopy |
+ boolean |
+
+ This field is used only for char_buf and char_iovec types. It indicates
+that this argument should be read later (when the kretprobe for the
+symbol is triggered) because it might not be populated when the kprobe
+is triggered at the entrance of the function. For example, a buffer
+supplied to read(2) won't have content until kretprobe is triggered.
+
+ Default: false
+ |
+ false |
+
+ | sizeArgIndex |
+ integer |
+
+ Specifies the position of the corresponding size argument for this argument.
+This field is used only for char_buf and char_iovec types.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | source |
+ string |
+
+ Source of the data, if missing the default if function arguments
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index]
+[↩ Parent](#tracingpolicyspecusdtsindex)
+
+
+KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
+results of MatchPIDs and MatchArgs are ANDed.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | macros |
+ []string |
+
+ A list of macros names, defined in spec.selectorsMacros.
+Filters specified in macros will be appended to corresponding filters of the selector.
+ |
+ false |
+
+ | matchActions |
+ []object |
+
+ A list of actions to execute when this selector matches
+ |
+ false |
+
+ | matchArgs |
+ []object |
+
+ A list of argument filters. MatchArgs are ANDed.
+ |
+ false |
+
+ | matchBinaries |
+ []object |
+
+ A list of binary exec name filters.
+ |
+ false |
+
+ | matchCapabilities |
+ []object |
+
+ A list of capabilities and IDs
+ |
+ false |
+
+ | matchCapabilityChanges |
+ []object |
+
+ IDs for capabilities changes
+ |
+ false |
+
+ | matchData |
+ []object |
+
+ A list of argument filters. MatchData are ANDed.
+ |
+ false |
+
+ | matchNamespaceChanges |
+ []object |
+
+ IDs for namespace changes
+ |
+ false |
+
+ | matchNamespaces |
+ []object |
+
+ A list of namespaces and IDs
+ |
+ false |
+
+ | matchPIDs |
+ []object |
+
+ A list of process ID filters. MatchPIDs are ANDed.
+ |
+ false |
+
+ | matchParentBinaries |
+ []object |
+
+ A list of process parent exec name filters.
+ |
+ false |
+
+ | matchReturnActions |
+ []object |
+
+ A list of actions to execute when MatchReturnArgs selector matches
+ |
+ false |
+
+ | matchReturnArgs |
+ []object |
+
+ A list of argument filters. MatchArgs are ANDed.
+ |
+ false |
+
+ | matchWorkloads |
+ []object |
+
+ Workloads to match
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchActions[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | action |
+ enum |
+
+ Action to execute.
+NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
+be removed in version 1.5.
+
+ Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
+ |
+ true |
+
+ | argError |
+ integer |
+
+ error value for override action
+
+ Format: int32
+ |
+ false |
+
+ | argFd |
+ integer |
+
+ An arg index for the fd for fdInstall action
+
+ Format: int32
+ |
+ false |
+
+ | argFqdn |
+ string |
+
+ A FQDN to lookup for the dnsLookup action
+ |
+ false |
+
+ | argIndex |
+ integer |
+
+ An arg index for the set action
+
+ Format: int32
+ |
+ false |
+
+ | argName |
+ integer |
+
+ An arg index for the filename for fdInstall action
+
+ Format: int32
+ |
+ false |
+
+ | argRegs |
+ []string |
+
+ An arg value for the regs action
+ |
+ false |
+
+ | argSig |
+ integer |
+
+ A signal number for signal action
+
+ Format: int32
+ |
+ false |
+
+ | argSock |
+ integer |
+
+ An arg index for the sock for trackSock and untrackSock actions
+
+ Format: int32
+ |
+ false |
+
+ | argUrl |
+ string |
+
+ A URL for the getUrl action
+ |
+ false |
+
+ | argValue |
+ integer |
+
+ An arg value for the set action
+
+ Format: int32
+ |
+ false |
+
+ | imaHash |
+ boolean |
+
+ Enable collection of file hashes from integrity subsystem.
+Only valid with the post action.
+ |
+ false |
+
+ | kernelStackTrace |
+ boolean |
+
+ Enable kernel stack trace export. Only valid with the post action.
+ |
+ false |
+
+ | rateLimit |
+ string |
+
+ A time period within which repeated messages will not be posted. Can be
+specified in seconds (default or with 's' suffix), minutes ('m' suffix)
+or hours ('h' suffix). Only valid with the post action.
+ |
+ false |
+
+ | rateLimitScope |
+ string |
+
+ The scope of the provided rate limit argument. Can be "thread" (default),
+"process" (all threads for the same process), or "global". If "thread" is
+selected then rate limiting applies per thread; if "process" is selected
+then rate limiting applies per process; if "global" is selected then rate
+limiting applies regardless of which process or thread caused the action.
+Only valid with the post action and with a rateLimit specified.
+ |
+ false |
+
+ | userStackTrace |
+ boolean |
+
+ Enable user stack trace export. Only valid with the post action.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchArgs[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ |
+ true |
+
+ | args |
+ []integer |
+
+ Position of the operator arguments (in spec file) to apply fhe filter to.
+ |
+ false |
+
+ | index |
+ integer |
+
+ Position of the argument (in function prototype) to apply fhe filter to.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchBinaries[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ |
+ true |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ true |
+
+ | followChildren |
+ boolean |
+
+ In addition to binaries, match children processes of specified binaries.
+
+ Default: false
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchCapabilities[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Namespace selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []string |
+
+ Capabilities to match.
+ |
+ true |
+
+ | isNamespaceCapability |
+ boolean |
+
+ Indicates whether these caps are namespace caps.
+
+ Default: false
+ |
+ false |
+
+ | type |
+ enum |
+
+ Type of capabilities
+
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchCapabilityChanges[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Namespace selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []string |
+
+ Capabilities to match.
+ |
+ true |
+
+ | isNamespaceCapability |
+ boolean |
+
+ Indicates whether these caps are namespace caps.
+
+ Default: false
+ |
+ false |
+
+ | type |
+ enum |
+
+ Type of capabilities
+
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchData[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ |
+ true |
+
+ | args |
+ []integer |
+
+ Position of the operator arguments (in spec file) to apply fhe filter to.
+ |
+ false |
+
+ | index |
+ integer |
+
+ Position of the argument (in function prototype) to apply fhe filter to.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchNamespaceChanges[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Namespace selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []string |
+
+ Namespace types (e.g., Mnt, Pid) to match.
+ |
+ true |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchNamespaces[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | namespace |
+ enum |
+
+ Namespace selector name.
+
+ Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
+ |
+ true |
+
+ | operator |
+ enum |
+
+ Namespace selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []string |
+
+ Namespace IDs (or host_ns for host namespace) of namespaces to match.
+ |
+ true |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchPIDs[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ PID selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []integer |
+
+ Process IDs to match.
+ |
+ true |
+
+ | followForks |
+ boolean |
+
+ Matches any descendant processes of the matching PIDs.
+
+ Default: false
+ |
+ false |
+
+ | isNamespacePID |
+ boolean |
+
+ Indicates whether PIDs are namespace PIDs.
+
+ Default: false
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchParentBinaries[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ |
+ true |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ true |
+
+ | followChildren |
+ boolean |
+
+ In addition to binaries, match children processes of specified binaries.
+
+ Default: false
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchReturnActions[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | action |
+ enum |
+
+ Action to execute.
+NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
+be removed in version 1.5.
+
+ Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
+ |
+ true |
+
+ | argError |
+ integer |
+
+ error value for override action
+
+ Format: int32
+ |
+ false |
+
+ | argFd |
+ integer |
+
+ An arg index for the fd for fdInstall action
+
+ Format: int32
+ |
+ false |
+
+ | argFqdn |
+ string |
+
+ A FQDN to lookup for the dnsLookup action
+ |
+ false |
+
+ | argIndex |
+ integer |
+
+ An arg index for the set action
+
+ Format: int32
+ |
+ false |
+
+ | argName |
+ integer |
+
+ An arg index for the filename for fdInstall action
+
+ Format: int32
+ |
+ false |
+
+ | argRegs |
+ []string |
+
+ An arg value for the regs action
+ |
+ false |
+
+ | argSig |
+ integer |
+
+ A signal number for signal action
+
+ Format: int32
+ |
+ false |
+
+ | argSock |
+ integer |
+
+ An arg index for the sock for trackSock and untrackSock actions
+
+ Format: int32
+ |
+ false |
+
+ | argUrl |
+ string |
+
+ A URL for the getUrl action
+ |
+ false |
+
+ | argValue |
+ integer |
+
+ An arg value for the set action
+
+ Format: int32
+ |
+ false |
+
+ | imaHash |
+ boolean |
+
+ Enable collection of file hashes from integrity subsystem.
+Only valid with the post action.
+ |
+ false |
+
+ | kernelStackTrace |
+ boolean |
+
+ Enable kernel stack trace export. Only valid with the post action.
+ |
+ false |
+
+ | rateLimit |
+ string |
+
+ A time period within which repeated messages will not be posted. Can be
+specified in seconds (default or with 's' suffix), minutes ('m' suffix)
+or hours ('h' suffix). Only valid with the post action.
+ |
+ false |
+
+ | rateLimitScope |
+ string |
+
+ The scope of the provided rate limit argument. Can be "thread" (default),
+"process" (all threads for the same process), or "global". If "thread" is
+selected then rate limiting applies per thread; if "process" is selected
+then rate limiting applies per process; if "global" is selected then rate
+limiting applies regardless of which process or thread caused the action.
+Only valid with the post action and with a rateLimit specified.
+ |
+ false |
+
+ | userStackTrace |
+ boolean |
+
+ Enable user stack trace export. Only valid with the post action.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchReturnArgs[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ |
+ true |
+
+ | args |
+ []integer |
+
+ Position of the operator arguments (in spec file) to apply fhe filter to.
+ |
+ false |
+
+ | index |
+ integer |
+
+ Position of the argument (in function prototype) to apply fhe filter to.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchWorkloads[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | containerSelector |
+ object |
+
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
+ |
+ false |
+
+ | hostSelector |
+ object |
+
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
+ |
+ false |
+
+ | podSelector |
+ object |
+
+ PodSelector selects pods that this policy applies to
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchWorkloads[index].containerSelector
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindexmatchworkloadsindex)
+
+
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
+
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ |
+ false |
+
+ | matchLabels |
+ map[string]string |
+
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindexmatchworkloadsindexcontainerselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
+ | operator |
+ enum |
+
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
+
+ Enum: In, NotIn, Exists, DoesNotExist
+ |
+ true |
+
+ | values |
+ []string |
+
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchWorkloads[index].hostSelector
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindexmatchworkloadsindex)
+
+
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
+
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ |
+ false |
+
+ | matchLabels |
+ map[string]string |
+
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindexmatchworkloadsindexhostselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
+ | operator |
+ enum |
+
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
+
+ Enum: In, NotIn, Exists, DoesNotExist
+ |
+ true |
+
+ | values |
+ []string |
+
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchWorkloads[index].podSelector
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindexmatchworkloadsindex)
+
+
+PodSelector selects pods that this policy applies to
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
+
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ |
+ false |
+
+ | matchLabels |
+ map[string]string |
+
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
+ |
+ false |
+
+
+
+
+### TracingPolicy.spec.usdts[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicyspecusdtsindexselectorsindexmatchworkloadsindexpodselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
+ | operator |
+ enum |
+
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
+
+ Enum: In, NotIn, Exists, DoesNotExist
+ |
+ true |
+
+ | values |
+ []string |
+
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
+ |
+ false |
+
+
+
+## TracingPolicyNamespaced
+[↩ Parent](#ciliumiov1alpha1 )
+
+
+
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | apiVersion |
+ string |
+ cilium.io/v1alpha1 |
+ true |
+
+
+ | kind |
+ string |
+ TracingPolicyNamespaced |
+ true |
+
+
+ | metadata |
+ object |
+ Refer to the Kubernetes API documentation for the fields of the `metadata` field. |
+ true |
+
+ | spec |
+ object |
- Source of the data, if missing the default if function arguments
+ Tracing policy specification.
|
- false |
+ true |
-### TracingPolicy.spec.uprobes[index].selectors[index]
-[↩ Parent](#tracingpolicyspecuprobesindex)
+### TracingPolicyNamespaced.spec
+[↩ Parent](#tracingpolicynamespaced)
-KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
-results of MatchPIDs and MatchArgs are ANDed.
+Tracing policy specification.
@@ -6817,106 +10986,122 @@ results of MatchPIDs and MatchArgs are ANDed.
- | macros |
- []string |
+ containerSelector |
+ object |
- A list of macros names, defined in spec.selectorsMacros.
-Filters specified in macros will be appended to corresponding filters of the selector.
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
|
false |
- | matchActions |
+ enforcers |
[]object |
- A list of actions to execute when this selector matches
+ A enforcer spec.
|
false |
- | matchArgs |
+ fentries |
[]object |
- A list of argument filters. MatchArgs are ANDed.
+ A list of fentry specs.
|
false |
- | matchBinaries |
- []object |
+ hostSelector |
+ object |
- A list of binary exec name filters.
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
|
false |
- | matchCapabilities |
+ kprobes |
[]object |
- A list of capabilities and IDs
+ A list of kprobe specs.
|
false |
- | matchCapabilityChanges |
+ lists |
[]object |
- IDs for capabilities changes
+ A list of list specs.
|
false |
- | matchData |
- []object |
+ loader |
+ boolean |
- A list of argument filters. MatchData are ANDed.
+ Enable loader events
|
false |
- | matchNamespaceChanges |
+ lsmhooks |
[]object |
- IDs for namespace changes
+ A list of uprobe specs.
|
false |
- | matchNamespaces |
+ options |
[]object |
- A list of namespaces and IDs
+ A list of overloaded options
|
false |
- | matchPIDs |
- []object |
+ podSelector |
+ object |
- A list of process ID filters. MatchPIDs are ANDed.
+ PodSelector selects pods that this policy applies to
|
false |
- | matchParentBinaries |
+ selectorsMacros |
+ map[string]object |
+
+ SelectorsMacros is used to define selectors macros, which can be used
+in probes/hooks selectors by their names.
+ |
+ false |
+
+ | tracepoints |
[]object |
- A list of process parent exec name filters.
+ A list of tracepoint specs.
|
false |
- | matchReturnActions |
+ uprobes |
[]object |
- A list of actions to execute when MatchReturnArgs selector matches
+ A list of uprobe specs.
|
false |
- | matchReturnArgs |
+ usdts |
[]object |
- A list of argument filters. MatchArgs are ANDed.
+ A list of usdt specs.
|
false |
-### TracingPolicy.spec.uprobes[index].selectors[index].matchActions[index]
-[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.containerSelector
+[↩ Parent](#tracingpolicynamespacedspec)
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
@@ -6928,149 +11113,74 @@ Filters specified in macros will be appended to corresponding filters of the sel
- | action |
- enum |
-
- Action to execute.
-NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
-be removed in version 1.5.
-
- Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
- |
- true |
-
- | argError |
- integer |
+ matchExpressions |
+ []object |
- error value for override action
-
- Format: int32
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | argFd |
- integer |
+ matchLabels |
+ map[string]string |
- An arg index for the fd for fdInstall action
-
- Format: int32
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-
- | argFqdn |
+
+
+
+
+### TracingPolicyNamespaced.spec.containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspeccontainerselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
string |
- A FQDN to lookup for the dnsLookup action
- |
- false |
-
- | argIndex |
- integer |
-
- An arg index for the set action
-
- Format: int32
+ key is the label key that the selector applies to.
|
- false |
+ true |
- | argName |
- integer |
+ operator |
+ enum |
- An arg index for the filename for fdInstall action
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Format: int32
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
- | argRegs |
+ values |
[]string |
- An arg value for the regs action
- |
- false |
-
- | argSig |
- integer |
-
- A signal number for signal action
-
- Format: int32
- |
- false |
-
- | argSock |
- integer |
-
- An arg index for the sock for trackSock and untrackSock actions
-
- Format: int32
- |
- false |
-
- | argUrl |
- string |
-
- A URL for the getUrl action
- |
- false |
-
- | argValue |
- integer |
-
- An arg value for the set action
-
- Format: int32
- |
- false |
-
- | imaHash |
- boolean |
-
- Enable collection of file hashes from integrity subsystem.
-Only valid with the post action.
- |
- false |
-
- | kernelStackTrace |
- boolean |
-
- Enable kernel stack trace export. Only valid with the post action.
- |
- false |
-
- | rateLimit |
- string |
-
- A time period within which repeated messages will not be posted. Can be
-specified in seconds (default or with 's' suffix), minutes ('m' suffix)
-or hours ('h' suffix). Only valid with the post action.
- |
- false |
-
- | rateLimitScope |
- string |
-
- The scope of the provided rate limit argument. Can be "thread" (default),
-"process" (all threads for the same process), or "global". If "thread" is
-selected then rate limiting applies per thread; if "process" is selected
-then rate limiting applies per process; if "global" is selected then rate
-limiting applies regardless of which process or thread caused the action.
-Only valid with the post action and with a rateLimit specified.
- |
- false |
-
- | userStackTrace |
- boolean |
-
- Enable user stack trace export. Only valid with the post action.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-### TracingPolicy.spec.uprobes[index].selectors[index].matchArgs[index]
-[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.enforcers[index]
+[↩ Parent](#tracingpolicynamespacedspec)
@@ -7085,44 +11195,18 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
-
- Filter operation.
-
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
- |
- true |
-
- | args |
- []integer |
-
- Position of the operator arguments (in spec file) to apply fhe filter to.
- |
- false |
-
- | index |
- integer |
-
- Position of the argument (in function prototype) to apply fhe filter to.
-
- Format: int32
- Minimum: 0
- |
- false |
-
- | values |
+ calls |
[]string |
- Value to compare the argument against.
+ Calls where enforcer is executed in
|
- false |
+ true |
-### TracingPolicy.spec.uprobes[index].selectors[index].matchBinaries[index]
-[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.fentries[index]
+[↩ Parent](#tracingpolicynamespacedspec)
@@ -7137,36 +11221,96 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ call |
+ string |
- Filter operation.
-
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ Name of the function to apply the kprobe spec to.
|
true |
- | values |
- []string |
+ args |
+ []object |
- Value to compare the argument against.
+ A list of function arguments to include in the trace output.
|
- true |
+ false |
- | followChildren |
+ data |
+ []object |
+
+ A list of data to include in the trace output.
+ |
+ false |
+
+ | ignore |
+ object |
+
+ Conditions for ignoring this kprobe
+ |
+ false |
+
+ | message |
+ string |
+
+ A short message of 256 characters max that will be included
+in the event output to inform users what is going on.
+ |
+ false |
+
+ | return |
boolean |
- In addition to binaries, match children processes of specified binaries.
+ Indicates whether to collect return value of the traced function.
Default: false
|
false |
+
+ | returnArg |
+ object |
+
+ A return argument to include in the trace output.
+ |
+ false |
+
+ | returnArgAction |
+ string |
+
+ An action to perform on the return value.
+Use returnArg to include the return value in the event output.
+Supported actions are: TrackSock;UntrackSock
+ |
+ false |
+
+ | selectors |
+ []object |
+
+ Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
+ |
+ false |
+
+ | syscall |
+ boolean |
+
+ Indicates whether the traced function is a syscall.
+
+ Default: true
+ |
+ false |
+
+ | tags |
+ []string |
+
+ Tags to categorize the event, will be include in the event output.
+Maximum of 16 Tags are supported.
+ |
+ false |
-### TracingPolicy.spec.uprobes[index].selectors[index].matchCapabilities[index]
-[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.fentries[index].args[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindex)
@@ -7181,46 +11325,99 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ index |
+ integer |
- Namespace selector operator.
+ Position of the argument.
- Enum: In, NotIn
+ Format: int32
+ Minimum: 0
|
true |
- | values |
- []string |
+ type |
+ enum |
- Capabilities to match.
+ Argument type.
+
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
|
true |
- | isNamespaceCapability |
+ btfType |
+ string |
+
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
+ |
+ false |
+
+ | label |
+ string |
+
+ Label to output in the JSON
+ |
+ false |
+
+ | maxData |
boolean |
- Indicates whether these caps are namespace caps.
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
Default: false
|
false |
- | type |
- enum |
+ resolve |
+ string |
- Type of capabilities
+ Resolve the path to a specific attribute
- Enum: Effective, Inheritable, Permitted
- Default: Effective
+ Default:
+ |
+ false |
+
+ | returnCopy |
+ boolean |
+
+ This field is used only for char_buf and char_iovec types. It indicates
+that this argument should be read later (when the kretprobe for the
+symbol is triggered) because it might not be populated when the kprobe
+is triggered at the entrance of the function. For example, a buffer
+supplied to read(2) won't have content until kretprobe is triggered.
+
+ Default: false
+ |
+ false |
+
+ | sizeArgIndex |
+ integer |
+
+ Specifies the position of the corresponding size argument for this argument.
+This field is used only for char_buf and char_iovec types.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | source |
+ string |
+
+ Source of the data, if missing the default if function arguments
|
false |
-### TracingPolicy.spec.uprobes[index].selectors[index].matchCapabilityChanges[index]
-[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.fentries[index].data[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindex)
@@ -7235,101 +11432,102 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ index |
+ integer |
- Namespace selector operator.
+ Position of the argument.
- Enum: In, NotIn
+ Format: int32
+ Minimum: 0
|
true |
- | values |
- []string |
+ type |
+ enum |
- Capabilities to match.
+ Argument type.
+
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
|
true |
- | isNamespaceCapability |
+ btfType |
+ string |
+
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
+ |
+ false |
+
+ | label |
+ string |
+
+ Label to output in the JSON
+ |
+ false |
+
+ | maxData |
boolean |
- Indicates whether these caps are namespace caps.
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
Default: false
|
false |
- | type |
- enum |
+ resolve |
+ string |
- Type of capabilities
+ Resolve the path to a specific attribute
- Enum: Effective, Inheritable, Permitted
- Default: Effective
+ Default:
|
false |
-
-
-
-
-### TracingPolicy.spec.uprobes[index].selectors[index].matchData[index]
-[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
-
- Filter operation.
-
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
- |
- true |
- | args |
- []integer |
+ returnCopy |
+ boolean |
- Position of the operator arguments (in spec file) to apply fhe filter to.
+ This field is used only for char_buf and char_iovec types. It indicates
+that this argument should be read later (when the kretprobe for the
+symbol is triggered) because it might not be populated when the kprobe
+is triggered at the entrance of the function. For example, a buffer
+supplied to read(2) won't have content until kretprobe is triggered.
+
+ Default: false
|
false |
- | index |
+ sizeArgIndex |
integer |
- Position of the argument (in function prototype) to apply fhe filter to.
+ Specifies the position of the corresponding size argument for this argument.
+This field is used only for char_buf and char_iovec types.
Format: int32
Minimum: 0
|
false |
- | values |
- []string |
+ source |
+ string |
- Value to compare the argument against.
+ Source of the data, if missing the default if function arguments
|
false |
-### TracingPolicy.spec.uprobes[index].selectors[index].matchNamespaceChanges[index]
-[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.fentries[index].ignore
+[↩ Parent](#tracingpolicynamespacedspecfentriesindex)
+Conditions for ignoring this kprobe
@@ -7341,30 +11539,21 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
-
- Namespace selector operator.
-
- Enum: In, NotIn
- |
- true |
-
- | values |
- []string |
+ callNotFound |
+ boolean |
- Namespace types (e.g., Mnt, Pid) to match.
+ Ignores calls that are not present in the system
|
- true |
+ false |
-### TracingPolicy.spec.uprobes[index].selectors[index].matchNamespaces[index]
-[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.fentries[index].returnArg
+[↩ Parent](#tracingpolicynamespacedspecfentriesindex)
+A return argument to include in the trace output.
@@ -7376,39 +11565,103 @@ Only valid with the post action and with a rateLimit specified.
- | namespace |
- enum |
+ index |
+ integer |
- Namespace selector name.
+ Position of the argument.
- Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
+ Format: int32
+ Minimum: 0
|
true |
- | operator |
+ type |
enum |
- Namespace selector operator.
+ Argument type.
- Enum: In, NotIn
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
|
true |
- | values |
- []string |
+ btfType |
+ string |
- Namespace IDs (or host_ns for host namespace) of namespaces to match.
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
|
- true |
+ false |
+
+ | label |
+ string |
+
+ Label to output in the JSON
+ |
+ false |
+
+ | maxData |
+ boolean |
+
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
+
+ Default: false
+ |
+ false |
+
+ | resolve |
+ string |
+
+ Resolve the path to a specific attribute
+
+ Default:
+ |
+ false |
+
+ | returnCopy |
+ boolean |
+
+ This field is used only for char_buf and char_iovec types. It indicates
+that this argument should be read later (when the kretprobe for the
+symbol is triggered) because it might not be populated when the kprobe
+is triggered at the entrance of the function. For example, a buffer
+supplied to read(2) won't have content until kretprobe is triggered.
+
+ Default: false
+ |
+ false |
+
+ | sizeArgIndex |
+ integer |
+
+ Specifies the position of the corresponding size argument for this argument.
+This field is used only for char_buf and char_iovec types.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | source |
+ string |
+
+ Source of the data, if missing the default if function arguments
+ |
+ false |
-### TracingPolicy.spec.uprobes[index].selectors[index].matchPIDs[index]
-[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindex)
+KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
+results of MatchPIDs and MatchArgs are ANDed.
@@ -7420,89 +11673,110 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ macros |
+ []string |
- PID selector operator.
-
- Enum: In, NotIn
+ A list of macros names, defined in spec.selectorsMacros.
+Filters specified in macros will be appended to corresponding filters of the selector.
|
- true |
+ false |
- | values |
- []integer |
+ matchActions |
+ []object |
- Process IDs to match.
+ A list of actions to execute when this selector matches
|
- true |
+ false |
- | followForks |
- boolean |
+ matchArgs |
+ []object |
- Matches any descendant processes of the matching PIDs.
-
- Default: false
+ A list of argument filters. MatchArgs are ANDed.
+ |
+ false |
+
+ | matchBinaries |
+ []object |
+
+ A list of binary exec name filters.
+ |
+ false |
+
+ | matchCapabilities |
+ []object |
+
+ A list of capabilities and IDs
+ |
+ false |
+
+ | matchCapabilityChanges |
+ []object |
+
+ IDs for capabilities changes
+ |
+ false |
+
+ | matchData |
+ []object |
+
+ A list of argument filters. MatchData are ANDed.
+ |
+ false |
+
+ | matchNamespaceChanges |
+ []object |
+
+ IDs for namespace changes
+ |
+ false |
+
+ | matchNamespaces |
+ []object |
+
+ A list of namespaces and IDs
+ |
+ false |
+
+ | matchPIDs |
+ []object |
+
+ A list of process ID filters. MatchPIDs are ANDed.
|
false |
- | isNamespacePID |
- boolean |
+ matchParentBinaries |
+ []object |
- Indicates whether PIDs are namespace PIDs.
-
- Default: false
+ A list of process parent exec name filters.
|
false |
-
-
-
-
-### TracingPolicy.spec.uprobes[index].selectors[index].matchParentBinaries[index]
-[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
+
+ | matchReturnActions |
+ []object |
- Filter operation.
-
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ A list of actions to execute when MatchReturnArgs selector matches
|
- true |
+ false |
- | values |
- []string |
+ matchReturnArgs |
+ []object |
- Value to compare the argument against.
+ A list of argument filters. MatchArgs are ANDed.
|
- true |
+ false |
- | followChildren |
- boolean |
+ matchWorkloads |
+ []object |
- In addition to binaries, match children processes of specified binaries.
-
- Default: false
+ Workloads to match
|
false |
-### TracingPolicy.spec.uprobes[index].selectors[index].matchReturnActions[index]
-[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchActions[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
@@ -7648,18 +11922,222 @@ Only valid with the post action and with a rateLimit specified.
false |
- | userStackTrace |
- boolean |
+ userStackTrace |
+ boolean |
+
+ Enable user stack trace export. Only valid with the post action.
+ |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchArgs[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ |
+ true |
+
+ | args |
+ []integer |
+
+ Position of the operator arguments (in spec file) to apply fhe filter to.
+ |
+ false |
+
+ | index |
+ integer |
+
+ Position of the argument (in function prototype) to apply fhe filter to.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchBinaries[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ |
+ true |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ true |
+
+ | followChildren |
+ boolean |
+
+ In addition to binaries, match children processes of specified binaries.
+
+ Default: false
+ |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchCapabilities[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Namespace selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []string |
+
+ Capabilities to match.
+ |
+ true |
+
+ | isNamespaceCapability |
+ boolean |
+
+ Indicates whether these caps are namespace caps.
+
+ Default: false
+ |
+ false |
+
+ | type |
+ enum |
+
+ Type of capabilities
+
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
+ |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchCapabilityChanges[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Namespace selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []string |
+
+ Capabilities to match.
+ |
+ true |
+
+ | isNamespaceCapability |
+ boolean |
+
+ Indicates whether these caps are namespace caps.
+
+ Default: false
+ |
+ false |
+
+ | type |
+ enum |
- Enable user stack trace export. Only valid with the post action.
+ Type of capabilities
+
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
|
false |
-### TracingPolicy.spec.uprobes[index].selectors[index].matchReturnArgs[index]
-[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchData[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
@@ -7710,8 +12188,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicy.spec.usdts[index]
-[↩ Parent](#tracingpolicyspec)
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchNamespaceChanges[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
@@ -7726,69 +12204,27 @@ Only valid with the post action and with a rateLimit specified.
- | name |
- string |
-
- Usdt name
- |
- true |
-
- | path |
- string |
-
- Name of the traced binary
- |
- true |
-
- | provider |
- string |
+ operator |
+ enum |
- Usdt provider name
+ Namespace selector operator.
+
+ Enum: In, NotIn
|
true |
- | args |
- []object |
-
- A list of function arguments to include in the trace output.
- |
- false |
-
- | btfPath |
- string |
-
- path for a BTF file for the traced binary
- |
- false |
-
- | message |
- string |
-
- A short message of 256 characters max that will be included
-in the event output to inform users what is going on.
- |
- false |
-
- | selectors |
- []object |
-
- Selectors to apply before producing trace output. Selectors are ORed.
- |
- false |
-
- | tags |
+ values |
[]string |
- Tags to categorize the event, will be include in the event output.
-Maximum of 16 Tags are supported.
+ Namespace types (e.g., Mnt, Pid) to match.
|
- false |
+ true |
-### TracingPolicy.spec.usdts[index].args[index]
-[↩ Parent](#tracingpolicyspecusdtsindex)
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchNamespaces[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
@@ -7803,103 +12239,39 @@ Maximum of 16 Tags are supported.
- | index |
- integer |
+ namespace |
+ enum |
- Position of the argument.
+ Namespace selector name.
- Format: int32
- Minimum: 0
+ Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
|
true |
- | type |
+ operator |
enum |
- Argument type.
+ Namespace selector operator.
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Enum: In, NotIn
|
true |
- | btfType |
- string |
-
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
- |
- false |
-
- | label |
- string |
-
- Label to output in the JSON
- |
- false |
-
- | maxData |
- boolean |
-
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
-
- Default: false
- |
- false |
-
- | resolve |
- string |
-
- Resolve the path to a specific attribute
-
- Default:
- |
- false |
-
- | returnCopy |
- boolean |
-
- This field is used only for char_buf and char_iovec types. It indicates
-that this argument should be read later (when the kretprobe for the
-symbol is triggered) because it might not be populated when the kprobe
-is triggered at the entrance of the function. For example, a buffer
-supplied to read(2) won't have content until kretprobe is triggered.
-
- Default: false
- |
- false |
-
- | sizeArgIndex |
- integer |
-
- Specifies the position of the corresponding size argument for this argument.
-This field is used only for char_buf and char_iovec types.
-
- Format: int32
- Minimum: 0
- |
- false |
-
- | source |
- string |
+ values |
+ []string |
- Source of the data, if missing the default if function arguments
+ Namespace IDs (or host_ns for host namespace) of namespaces to match.
|
- false |
+ true |
-### TracingPolicy.spec.usdts[index].selectors[index]
-[↩ Parent](#tracingpolicyspecusdtsindex)
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchPIDs[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
+
-KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
-results of MatchPIDs and MatchArgs are ANDed.
@@ -7911,103 +12283,89 @@ results of MatchPIDs and MatchArgs are ANDed.
- | macros |
- []string |
-
- A list of macros names, defined in spec.selectorsMacros.
-Filters specified in macros will be appended to corresponding filters of the selector.
- |
- false |
-
- | matchActions |
- []object |
-
- A list of actions to execute when this selector matches
- |
- false |
-
- | matchArgs |
- []object |
-
- A list of argument filters. MatchArgs are ANDed.
- |
- false |
-
- | matchBinaries |
- []object |
-
- A list of binary exec name filters.
- |
- false |
-
- | matchCapabilities |
- []object |
-
- A list of capabilities and IDs
- |
- false |
-
- | matchCapabilityChanges |
- []object |
-
- IDs for capabilities changes
- |
- false |
-
- | matchData |
- []object |
+ operator |
+ enum |
- A list of argument filters. MatchData are ANDed.
+ PID selector operator.
+
+ Enum: In, NotIn
|
- false |
+ true |
- | matchNamespaceChanges |
- []object |
+ values |
+ []integer |
- IDs for namespace changes
+ Process IDs to match.
|
- false |
+ true |
- | matchNamespaces |
- []object |
+ followForks |
+ boolean |
- A list of namespaces and IDs
+ Matches any descendant processes of the matching PIDs.
+
+ Default: false
|
false |
- | matchPIDs |
- []object |
+ isNamespacePID |
+ boolean |
- A list of process ID filters. MatchPIDs are ANDed.
+ Indicates whether PIDs are namespace PIDs.
+
+ Default: false
|
false |
-
- | matchParentBinaries |
- []object |
+
+
+
+
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchParentBinaries[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
- A list of process parent exec name filters.
+ Filter operation.
+
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
|
- false |
+ true |
- | matchReturnActions |
- []object |
+ values |
+ []string |
- A list of actions to execute when MatchReturnArgs selector matches
+ Value to compare the argument against.
|
- false |
+ true |
- | matchReturnArgs |
- []object |
+ followChildren |
+ boolean |
- A list of argument filters. MatchArgs are ANDed.
+ In addition to binaries, match children processes of specified binaries.
+
+ Default: false
|
false |
-### TracingPolicy.spec.usdts[index].selectors[index].matchActions[index]
-[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchReturnActions[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
@@ -8163,8 +12521,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicy.spec.usdts[index].selectors[index].matchArgs[index]
-[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchReturnArgs[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
@@ -8215,8 +12573,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicy.spec.usdts[index].selectors[index].matchBinaries[index]
-[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchWorkloads[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
@@ -8231,40 +12589,81 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ containerSelector |
+ object |
- Filter operation.
-
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
|
- true |
+ false |
- | values |
- []string |
+ hostSelector |
+ object |
- Value to compare the argument against.
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
|
- true |
+ false |
- | followChildren |
- boolean |
+ podSelector |
+ object |
- In addition to binaries, match children processes of specified binaries.
-
- Default: false
+ PodSelector selects pods that this policy applies to
|
false |
-### TracingPolicy.spec.usdts[index].selectors[index].matchCapabilities[index]
-[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchWorkloads[index].containerSelector
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindexmatchworkloadsindex)
+
+
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
+
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ |
+ false |
+
+ | matchLabels |
+ map[string]string |
+
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
+ |
+ false |
+
+
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindexmatchworkloadsindexcontainerselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
@@ -8275,49 +12674,78 @@ Only valid with the post action and with a rateLimit specified.
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
| operator |
enum |
- Namespace selector operator.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: In, NotIn
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
| values |
[]string |
- Capabilities to match.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
- true |
-
- | isNamespaceCapability |
- boolean |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchWorkloads[index].hostSelector
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindexmatchworkloadsindex)
+
+
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
- Indicates whether these caps are namespace caps.
-
- Default: false
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | type |
- enum |
+ matchLabels |
+ map[string]string |
- Type of capabilities
-
- Enum: Effective, Inheritable, Permitted
- Default: Effective
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicy.spec.usdts[index].selectors[index].matchCapabilityChanges[index]
-[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindexmatchworkloadsindexhostselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -8329,49 +12757,77 @@ Only valid with the post action and with a rateLimit specified.
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
| operator |
enum |
- Namespace selector operator.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: In, NotIn
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
| values |
[]string |
- Capabilities to match.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
- true |
-
- | isNamespaceCapability |
- boolean |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchWorkloads[index].podSelector
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindexmatchworkloadsindex)
+
+
+PodSelector selects pods that this policy applies to
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
- Indicates whether these caps are namespace caps.
-
- Default: false
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | type |
- enum |
+ matchLabels |
+ map[string]string |
- Type of capabilities
-
- Enum: Effective, Inheritable, Permitted
- Default: Effective
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicy.spec.usdts[index].selectors[index].matchData[index]
-[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindexmatchworkloadsindexpodselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -8383,47 +12839,42 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
-
- Filter operation.
-
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
- |
- true |
-
- | args |
- []integer |
+ key |
+ string |
- Position of the operator arguments (in spec file) to apply fhe filter to.
+ key is the label key that the selector applies to.
|
- false |
+ true |
- | index |
- integer |
+ operator |
+ enum |
- Position of the argument (in function prototype) to apply fhe filter to.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Format: int32
- Minimum: 0
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
| values |
[]string |
- Value to compare the argument against.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-### TracingPolicy.spec.usdts[index].selectors[index].matchNamespaceChanges[index]
-[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.hostSelector
+[↩ Parent](#tracingpolicynamespacedspec)
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
@@ -8435,30 +12886,31 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ matchExpressions |
+ []object |
- Namespace selector operator.
-
- Enum: In, NotIn
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
- true |
+ false |
- | values |
- []string |
+ matchLabels |
+ map[string]string |
- Namespace types (e.g., Mnt, Pid) to match.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
- true |
+ false |
-### TracingPolicy.spec.usdts[index].selectors[index].matchNamespaces[index]
-[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspechostselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -8470,36 +12922,38 @@ Only valid with the post action and with a rateLimit specified.
- | namespace |
- enum |
+ key |
+ string |
- Namespace selector name.
-
- Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
+ key is the label key that the selector applies to.
|
true |
| operator |
enum |
- Namespace selector operator.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: In, NotIn
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
| values |
[]string |
- Namespace IDs (or host_ns for host namespace) of namespaces to match.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
- true |
+ false |
-### TracingPolicy.spec.usdts[index].selectors[index].matchPIDs[index]
-[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+### TracingPolicyNamespaced.spec.kprobes[index]
+[↩ Parent](#tracingpolicynamespacedspec)
@@ -8514,89 +12968,96 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ call |
+ string |
- PID selector operator.
-
- Enum: In, NotIn
+ Name of the function to apply the kprobe spec to.
|
true |
- | values |
- []integer |
+ args |
+ []object |
- Process IDs to match.
+ A list of function arguments to include in the trace output.
|
- true |
+ false |
- | followForks |
- boolean |
+ data |
+ []object |
- Matches any descendant processes of the matching PIDs.
-
- Default: false
+ A list of data to include in the trace output.
|
false |
- | isNamespacePID |
+ ignore |
+ object |
+
+ Conditions for ignoring this kprobe
+ |
+ false |
+
+ | message |
+ string |
+
+ A short message of 256 characters max that will be included
+in the event output to inform users what is going on.
+ |
+ false |
+
+ | return |
boolean |
- Indicates whether PIDs are namespace PIDs.
+ Indicates whether to collect return value of the traced function.
Default: false
|
false |
-
-
-
-
-### TracingPolicy.spec.usdts[index].selectors[index].matchParentBinaries[index]
-[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
+
+ | returnArg |
+ object |
- Filter operation.
-
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ A return argument to include in the trace output.
|
- true |
+ false |
- | values |
- []string |
+ returnArgAction |
+ string |
- Value to compare the argument against.
+ An action to perform on the return value.
+Use returnArg to include the return value in the event output.
+Supported actions are: TrackSock;UntrackSock
|
- true |
+ false |
- | followChildren |
+ selectors |
+ []object |
+
+ Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
+ |
+ false |
+
+ | syscall |
boolean |
- In addition to binaries, match children processes of specified binaries.
+ Indicates whether the traced function is a syscall.
- Default: false
+ Default: true
+ |
+ false |
+
+ | tags |
+ []string |
+
+ Tags to categorize the event, will be include in the event output.
+Maximum of 16 Tags are supported.
|
false |
-### TracingPolicy.spec.usdts[index].selectors[index].matchReturnActions[index]
-[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
+### TracingPolicyNamespaced.spec.kprobes[index].args[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindex)
@@ -8611,152 +13072,235 @@ Only valid with the post action and with a rateLimit specified.
- | action |
- enum |
+ index |
+ integer |
- Action to execute.
-NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
-be removed in version 1.5.
+ Position of the argument.
- Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
+ Format: int32
+ Minimum: 0
|
true |
- | argError |
- integer |
+ type |
+ enum |
- error value for override action
+ Argument type.
- Format: int32
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
+ |
+ true |
+
+ | btfType |
+ string |
+
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
|
false |
- | argFd |
- integer |
+ label |
+ string |
- An arg index for the fd for fdInstall action
+ Label to output in the JSON
+ |
+ false |
+
+ | maxData |
+ boolean |
+
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
- Format: int32
+ Default: false
|
false |
- | argFqdn |
+ resolve |
string |
- A FQDN to lookup for the dnsLookup action
+ Resolve the path to a specific attribute
+
+ Default:
|
false |
- | argIndex |
- integer |
+ returnCopy |
+ boolean |
- An arg index for the set action
+ This field is used only for char_buf and char_iovec types. It indicates
+that this argument should be read later (when the kretprobe for the
+symbol is triggered) because it might not be populated when the kprobe
+is triggered at the entrance of the function. For example, a buffer
+supplied to read(2) won't have content until kretprobe is triggered.
- Format: int32
+ Default: false
|
false |
- | argName |
+ sizeArgIndex |
integer |
- An arg index for the filename for fdInstall action
+ Specifies the position of the corresponding size argument for this argument.
+This field is used only for char_buf and char_iovec types.
Format: int32
+ Minimum: 0
|
false |
- | argRegs |
- []string |
+ source |
+ string |
- An arg value for the regs action
+ Source of the data, if missing the default if function arguments
|
false |
-
- | argSig |
+
+
+
+
+### TracingPolicyNamespaced.spec.kprobes[index].data[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | index |
integer |
- A signal number for signal action
+ Position of the argument.
Format: int32
+ Minimum: 0
|
- false |
+ true |
- | argSock |
- integer |
+ type |
+ enum |
- An arg index for the sock for trackSock and untrackSock actions
+ Argument type.
- Format: int32
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
+ |
+ true |
+
+ | btfType |
+ string |
+
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
|
false |
- | argUrl |
+ label |
string |
- A URL for the getUrl action
+ Label to output in the JSON
|
false |
- | argValue |
- integer |
+ maxData |
+ boolean |
- An arg value for the set action
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
- Format: int32
+ Default: false
|
false |
- | imaHash |
- boolean |
+ resolve |
+ string |
- Enable collection of file hashes from integrity subsystem.
-Only valid with the post action.
+ Resolve the path to a specific attribute
+
+ Default:
|
false |
- | kernelStackTrace |
+ returnCopy |
boolean |
- Enable kernel stack trace export. Only valid with the post action.
+ This field is used only for char_buf and char_iovec types. It indicates
+that this argument should be read later (when the kretprobe for the
+symbol is triggered) because it might not be populated when the kprobe
+is triggered at the entrance of the function. For example, a buffer
+supplied to read(2) won't have content until kretprobe is triggered.
+
+ Default: false
|
false |
- | rateLimit |
- string |
+ sizeArgIndex |
+ integer |
- A time period within which repeated messages will not be posted. Can be
-specified in seconds (default or with 's' suffix), minutes ('m' suffix)
-or hours ('h' suffix). Only valid with the post action.
+ Specifies the position of the corresponding size argument for this argument.
+This field is used only for char_buf and char_iovec types.
+
+ Format: int32
+ Minimum: 0
|
false |
- | rateLimitScope |
+ source |
string |
- The scope of the provided rate limit argument. Can be "thread" (default),
-"process" (all threads for the same process), or "global". If "thread" is
-selected then rate limiting applies per thread; if "process" is selected
-then rate limiting applies per process; if "global" is selected then rate
-limiting applies regardless of which process or thread caused the action.
-Only valid with the post action and with a rateLimit specified.
+ Source of the data, if missing the default if function arguments
|
false |
-
- | userStackTrace |
+
+
+
+
+### TracingPolicyNamespaced.spec.kprobes[index].ignore
+[↩ Parent](#tracingpolicynamespacedspeckprobesindex)
+
+
+Conditions for ignoring this kprobe
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | callNotFound |
boolean |
- Enable user stack trace export. Only valid with the post action.
+ Ignores calls that are not present in the system
|
false |
-### TracingPolicy.spec.usdts[index].selectors[index].matchReturnArgs[index]
-[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.kprobes[index].returnArg
+[↩ Parent](#tracingpolicynamespacedspeckprobesindex)
+A return argument to include in the trace output.
@@ -8768,92 +13312,103 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
+ index |
+ integer |
+
+ Position of the argument.
+
+ Format: int32
+ Minimum: 0
+ |
+ true |
+
+ | type |
enum |
- Filter operation.
+ Argument type.
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
|
true |
- | args |
- []integer |
+ btfType |
+ string |
- Position of the operator arguments (in spec file) to apply fhe filter to.
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
|
false |
- | index |
- integer |
+ label |
+ string |
- Position of the argument (in function prototype) to apply fhe filter to.
+ Label to output in the JSON
+ |
+ false |
+
+ | maxData |
+ boolean |
+
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
- Format: int32
- Minimum: 0
+ Default: false
|
false |
- | values |
- []string |
+ resolve |
+ string |
- Value to compare the argument against.
+ Resolve the path to a specific attribute
+
+ Default:
+ |
+ false |
+
+ | returnCopy |
+ boolean |
+
+ This field is used only for char_buf and char_iovec types. It indicates
+that this argument should be read later (when the kretprobe for the
+symbol is triggered) because it might not be populated when the kprobe
+is triggered at the entrance of the function. For example, a buffer
+supplied to read(2) won't have content until kretprobe is triggered.
+
+ Default: false
+ |
+ false |
+
+ | sizeArgIndex |
+ integer |
+
+ Specifies the position of the corresponding size argument for this argument.
+This field is used only for char_buf and char_iovec types.
+
+ Format: int32
+ Minimum: 0
|
false |
-
-
-
-## TracingPolicyNamespaced
-[↩ Parent](#ciliumiov1alpha1 )
-
-
-
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | apiVersion |
- string |
- cilium.io/v1alpha1 |
- true |
-
-
- | kind |
- string |
- TracingPolicyNamespaced |
- true |
-
-
- | metadata |
- object |
- Refer to the Kubernetes API documentation for the fields of the `metadata` field. |
- true |
- | spec |
- object |
+ source |
+ string |
- Tracing policy specification.
+ Source of the data, if missing the default if function arguments
|
- true |
+ false |
-### TracingPolicyNamespaced.spec
-[↩ Parent](#tracingpolicynamespaced)
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindex)
-Tracing policy specification.
+KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
+results of MatchPIDs and MatchArgs are ANDed.
@@ -8865,122 +13420,113 @@ Tracing policy specification.
- | containerSelector |
- object |
+ macros |
+ []string |
- ContainerSelector selects containers that this policy applies to.
-A map of container fields will be constructed in the same way as a map of labels.
-The name of the field represents the label "key", and the value of the field - label "value".
-Currently, only the "name" field is supported.
+ A list of macros names, defined in spec.selectorsMacros.
+Filters specified in macros will be appended to corresponding filters of the selector.
|
false |
- | enforcers |
+ matchActions |
[]object |
- A enforcer spec.
+ A list of actions to execute when this selector matches
|
false |
- | fentries |
+ matchArgs |
[]object |
- A list of fentry specs.
+ A list of argument filters. MatchArgs are ANDed.
|
false |
- | hostSelector |
- object |
+ matchBinaries |
+ []object |
- HostSelector selects hosts that this policy applies to.
-For now only ~ (none) and {} (all) is supported.
-
- Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
+ A list of binary exec name filters.
|
false |
- | kprobes |
+ matchCapabilities |
[]object |
- A list of kprobe specs.
+ A list of capabilities and IDs
|
false |
- | lists |
+ matchCapabilityChanges |
[]object |
- A list of list specs.
+ IDs for capabilities changes
|
false |
- | loader |
- boolean |
+ matchData |
+ []object |
- Enable loader events
+ A list of argument filters. MatchData are ANDed.
|
false |
- | lsmhooks |
+ matchNamespaceChanges |
[]object |
- A list of uprobe specs.
+ IDs for namespace changes
|
false |
- | options |
+ matchNamespaces |
[]object |
- A list of overloaded options
+ A list of namespaces and IDs
|
false |
- | podSelector |
- object |
+ matchPIDs |
+ []object |
- PodSelector selects pods that this policy applies to
+ A list of process ID filters. MatchPIDs are ANDed.
|
false |
- | selectorsMacros |
- map[string]object |
+ matchParentBinaries |
+ []object |
- SelectorsMacros is used to define selectors macros, which can be used
-in probes/hooks selectors by their names.
+ A list of process parent exec name filters.
|
false |
- | tracepoints |
+ matchReturnActions |
[]object |
- A list of tracepoint specs.
+ A list of actions to execute when MatchReturnArgs selector matches
|
false |
- | uprobes |
+ matchReturnArgs |
[]object |
- A list of uprobe specs.
+ A list of argument filters. MatchArgs are ANDed.
|
false |
- | usdts |
+ matchWorkloads |
[]object |
- A list of usdt specs.
+ Workloads to match
|
false |
-### TracingPolicyNamespaced.spec.containerSelector
-[↩ Parent](#tracingpolicynamespacedspec)
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchActions[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
+
-ContainerSelector selects containers that this policy applies to.
-A map of container fields will be constructed in the same way as a map of labels.
-The name of the field represents the label "key", and the value of the field - label "value".
-Currently, only the "name" field is supported.
@@ -8992,74 +13538,149 @@ Currently, only the "name" field is supported.
- | matchExpressions |
- []object |
+ action |
+ enum |
- matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ Action to execute.
+NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
+be removed in version 1.5.
+
+ Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
+ |
+ true |
+
+ | argError |
+ integer |
+
+ error value for override action
+
+ Format: int32
|
false |
- | matchLabels |
- map[string]string |
+ argFd |
+ integer |
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-map is equivalent to an element of matchExpressions, whose key field is "key", the
-operator is "In", and the values array contains only "value". The requirements are ANDed.
+ An arg index for the fd for fdInstall action
+
+ Format: int32
|
false |
-
-
-
-
-### TracingPolicyNamespaced.spec.containerSelector.matchExpressions[index]
-[↩ Parent](#tracingpolicynamespacedspeccontainerselector)
-
-
-A label selector requirement is a selector that contains values, a key, and an operator that
-relates the key and values.
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | key |
+
+ | argFqdn |
string |
- key is the label key that the selector applies to.
+ A FQDN to lookup for the dnsLookup action
|
- true |
+ false |
- | operator |
- enum |
+ argIndex |
+ integer |
- operator represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists and DoesNotExist.
+ An arg index for the set action
- Enum: In, NotIn, Exists, DoesNotExist
+ Format: int32
|
- true |
+ false |
- | values |
+ argName |
+ integer |
+
+ An arg index for the filename for fdInstall action
+
+ Format: int32
+ |
+ false |
+
+ | argRegs |
[]string |
- values is an array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. This array is replaced during a strategic
-merge patch.
+ An arg value for the regs action
+ |
+ false |
+
+ | argSig |
+ integer |
+
+ A signal number for signal action
+
+ Format: int32
+ |
+ false |
+
+ | argSock |
+ integer |
+
+ An arg index for the sock for trackSock and untrackSock actions
+
+ Format: int32
+ |
+ false |
+
+ | argUrl |
+ string |
+
+ A URL for the getUrl action
+ |
+ false |
+
+ | argValue |
+ integer |
+
+ An arg value for the set action
+
+ Format: int32
+ |
+ false |
+
+ | imaHash |
+ boolean |
+
+ Enable collection of file hashes from integrity subsystem.
+Only valid with the post action.
+ |
+ false |
+
+ | kernelStackTrace |
+ boolean |
+
+ Enable kernel stack trace export. Only valid with the post action.
+ |
+ false |
+
+ | rateLimit |
+ string |
+
+ A time period within which repeated messages will not be posted. Can be
+specified in seconds (default or with 's' suffix), minutes ('m' suffix)
+or hours ('h' suffix). Only valid with the post action.
+ |
+ false |
+
+ | rateLimitScope |
+ string |
+
+ The scope of the provided rate limit argument. Can be "thread" (default),
+"process" (all threads for the same process), or "global". If "thread" is
+selected then rate limiting applies per thread; if "process" is selected
+then rate limiting applies per process; if "global" is selected then rate
+limiting applies regardless of which process or thread caused the action.
+Only valid with the post action and with a rateLimit specified.
+ |
+ false |
+
+ | userStackTrace |
+ boolean |
+
+ Enable user stack trace export. Only valid with the post action.
|
false |
-### TracingPolicyNamespaced.spec.enforcers[index]
-[↩ Parent](#tracingpolicynamespacedspec)
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchArgs[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
@@ -9074,18 +13695,44 @@ merge patch.
- | calls |
- []string |
+ operator |
+ enum |
- Calls where enforcer is executed in
+ Filter operation.
+
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
|
true |
+
+ | args |
+ []integer |
+
+ Position of the operator arguments (in spec file) to apply fhe filter to.
+ |
+ false |
+
+ | index |
+ integer |
+
+ Position of the argument (in function prototype) to apply fhe filter to.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ false |
-### TracingPolicyNamespaced.spec.fentries[index]
-[↩ Parent](#tracingpolicynamespacedspec)
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchBinaries[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
@@ -9100,96 +13747,36 @@ merge patch.
- | call |
- string |
+ operator |
+ enum |
- Name of the function to apply the kprobe spec to.
+ Filter operation.
+
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
|
true |
- | args |
- []object |
-
- A list of function arguments to include in the trace output.
- |
- false |
-
- | data |
- []object |
-
- A list of data to include in the trace output.
- |
- false |
-
- | ignore |
- object |
-
- Conditions for ignoring this kprobe
- |
- false |
-
- | message |
- string |
+ values |
+ []string |
- A short message of 256 characters max that will be included
-in the event output to inform users what is going on.
+ Value to compare the argument against.
|
- false |
+ true |
- | return |
+ followChildren |
boolean |
- Indicates whether to collect return value of the traced function.
+ In addition to binaries, match children processes of specified binaries.
Default: false
|
false |
-
- | returnArg |
- object |
-
- A return argument to include in the trace output.
- |
- false |
-
- | returnArgAction |
- string |
-
- An action to perform on the return value.
-Use returnArg to include the return value in the event output.
-Supported actions are: TrackSock;UntrackSock
- |
- false |
-
- | selectors |
- []object |
-
- Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
- |
- false |
-
- | syscall |
- boolean |
-
- Indicates whether the traced function is a syscall.
-
- Default: true
- |
- false |
-
- | tags |
- []string |
-
- Tags to categorize the event, will be include in the event output.
-Maximum of 16 Tags are supported.
- |
- false |
-### TracingPolicyNamespaced.spec.fentries[index].args[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindex)
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchCapabilities[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
@@ -9204,99 +13791,46 @@ Maximum of 16 Tags are supported.
- | index |
- integer |
-
- Position of the argument.
-
- Format: int32
- Minimum: 0
- |
- true |
-
- | type |
+ operator |
enum |
- Argument type.
+ Namespace selector operator.
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Enum: In, NotIn
|
true |
- | btfType |
- string |
-
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
- |
- false |
-
- | label |
- string |
-
- Label to output in the JSON
- |
- false |
-
- | maxData |
- boolean |
-
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
-
- Default: false
- |
- false |
-
- | resolve |
- string |
+ values |
+ []string |
- Resolve the path to a specific attribute
-
- Default:
+ Capabilities to match.
|
- false |
+ true |
- | returnCopy |
+ isNamespaceCapability |
boolean |
- This field is used only for char_buf and char_iovec types. It indicates
-that this argument should be read later (when the kretprobe for the
-symbol is triggered) because it might not be populated when the kprobe
-is triggered at the entrance of the function. For example, a buffer
-supplied to read(2) won't have content until kretprobe is triggered.
+ Indicates whether these caps are namespace caps.
Default: false
|
false |
- | sizeArgIndex |
- integer |
+ type |
+ enum |
- Specifies the position of the corresponding size argument for this argument.
-This field is used only for char_buf and char_iovec types.
+ Type of capabilities
- Format: int32
- Minimum: 0
- |
- false |
-
- | source |
- string |
-
- Source of the data, if missing the default if function arguments
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
|
false |
-### TracingPolicyNamespaced.spec.fentries[index].data[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindex)
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchCapabilityChanges[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
@@ -9311,102 +13845,101 @@ This field is used only for char_buf and char_iovec types.
- | index |
- integer |
-
- Position of the argument.
-
- Format: int32
- Minimum: 0
- |
- true |
-
- | type |
+ operator |
enum |
- Argument type.
+ Namespace selector operator.
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Enum: In, NotIn
|
true |
- | btfType |
- string |
+ values |
+ []string |
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
+ Capabilities to match.
|
- false |
+ true |
- | label |
- string |
+ isNamespaceCapability |
+ boolean |
- Label to output in the JSON
+ Indicates whether these caps are namespace caps.
+
+ Default: false
|
false |
- | maxData |
- boolean |
-
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
+ | type |
+ enum |
+
+ Type of capabilities
- Default: false
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
|
false |
-
- | resolve |
- string |
+
+
+
+
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchData[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
- Resolve the path to a specific attribute
+ Filter operation.
- Default:
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
|
- false |
+ true |
- | returnCopy |
- boolean |
+ args |
+ []integer |
- This field is used only for char_buf and char_iovec types. It indicates
-that this argument should be read later (when the kretprobe for the
-symbol is triggered) because it might not be populated when the kprobe
-is triggered at the entrance of the function. For example, a buffer
-supplied to read(2) won't have content until kretprobe is triggered.
-
- Default: false
+ Position of the operator arguments (in spec file) to apply fhe filter to.
|
false |
- | sizeArgIndex |
+ index |
integer |
- Specifies the position of the corresponding size argument for this argument.
-This field is used only for char_buf and char_iovec types.
+ Position of the argument (in function prototype) to apply fhe filter to.
Format: int32
Minimum: 0
|
false |
- | source |
- string |
+ values |
+ []string |
- Source of the data, if missing the default if function arguments
+ Value to compare the argument against.
|
false |
-### TracingPolicyNamespaced.spec.fentries[index].ignore
-[↩ Parent](#tracingpolicynamespacedspecfentriesindex)
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchNamespaceChanges[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
+
-Conditions for ignoring this kprobe
@@ -9418,21 +13951,30 @@ Conditions for ignoring this kprobe
- | callNotFound |
- boolean |
+ operator |
+ enum |
- Ignores calls that are not present in the system
+ Namespace selector operator.
+
+ Enum: In, NotIn
|
- false |
+ true |
+
+ | values |
+ []string |
+
+ Namespace types (e.g., Mnt, Pid) to match.
+ |
+ true |
-### TracingPolicyNamespaced.spec.fentries[index].returnArg
-[↩ Parent](#tracingpolicynamespacedspecfentriesindex)
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchNamespaces[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
+
-A return argument to include in the trace output.
@@ -9444,103 +13986,39 @@ A return argument to include in the trace output.
- | index |
- integer |
+ namespace |
+ enum |
- Position of the argument.
+ Namespace selector name.
- Format: int32
- Minimum: 0
+ Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
|
true |
- | type |
+ operator |
enum |
- Argument type.
+ Namespace selector operator.
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Enum: In, NotIn
|
true |
- | btfType |
- string |
-
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
- |
- false |
-
- | label |
- string |
-
- Label to output in the JSON
- |
- false |
-
- | maxData |
- boolean |
-
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
-
- Default: false
- |
- false |
-
- | resolve |
- string |
-
- Resolve the path to a specific attribute
-
- Default:
- |
- false |
-
- | returnCopy |
- boolean |
-
- This field is used only for char_buf and char_iovec types. It indicates
-that this argument should be read later (when the kretprobe for the
-symbol is triggered) because it might not be populated when the kprobe
-is triggered at the entrance of the function. For example, a buffer
-supplied to read(2) won't have content until kretprobe is triggered.
-
- Default: false
- |
- false |
-
- | sizeArgIndex |
- integer |
-
- Specifies the position of the corresponding size argument for this argument.
-This field is used only for char_buf and char_iovec types.
-
- Format: int32
- Minimum: 0
- |
- false |
-
- | source |
- string |
+ values |
+ []string |
- Source of the data, if missing the default if function arguments
+ Namespace IDs (or host_ns for host namespace) of namespaces to match.
|
- false |
+ true |
-### TracingPolicyNamespaced.spec.fentries[index].selectors[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindex)
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchPIDs[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
+
-KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
-results of MatchPIDs and MatchArgs are ANDed.
@@ -9552,103 +14030,89 @@ results of MatchPIDs and MatchArgs are ANDed.
- | macros |
- []string |
-
- A list of macros names, defined in spec.selectorsMacros.
-Filters specified in macros will be appended to corresponding filters of the selector.
- |
- false |
-
- | matchActions |
- []object |
-
- A list of actions to execute when this selector matches
- |
- false |
-
- | matchArgs |
- []object |
-
- A list of argument filters. MatchArgs are ANDed.
- |
- false |
-
- | matchBinaries |
- []object |
-
- A list of binary exec name filters.
- |
- false |
-
- | matchCapabilities |
- []object |
-
- A list of capabilities and IDs
- |
- false |
-
- | matchCapabilityChanges |
- []object |
-
- IDs for capabilities changes
- |
- false |
-
- | matchData |
- []object |
+ operator |
+ enum |
- A list of argument filters. MatchData are ANDed.
+ PID selector operator.
+
+ Enum: In, NotIn
|
- false |
+ true |
- | matchNamespaceChanges |
- []object |
+ values |
+ []integer |
- IDs for namespace changes
+ Process IDs to match.
|
- false |
+ true |
- | matchNamespaces |
- []object |
+ followForks |
+ boolean |
- A list of namespaces and IDs
+ Matches any descendant processes of the matching PIDs.
+
+ Default: false
|
false |
- | matchPIDs |
- []object |
+ isNamespacePID |
+ boolean |
- A list of process ID filters. MatchPIDs are ANDed.
+ Indicates whether PIDs are namespace PIDs.
+
+ Default: false
|
false |
-
- | matchParentBinaries |
- []object |
+
+
+
+
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchParentBinaries[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
- A list of process parent exec name filters.
+ Filter operation.
+
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
|
- false |
+ true |
- | matchReturnActions |
- []object |
+ values |
+ []string |
- A list of actions to execute when MatchReturnArgs selector matches
+ Value to compare the argument against.
|
- false |
+ true |
- | matchReturnArgs |
- []object |
+ followChildren |
+ boolean |
- A list of argument filters. MatchArgs are ANDed.
+ In addition to binaries, match children processes of specified binaries.
+
+ Default: false
|
false |
-### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchActions[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchReturnActions[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
@@ -9804,8 +14268,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchArgs[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchReturnArgs[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
@@ -9856,160 +14320,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchBinaries[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
-
- Filter operation.
-
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
- |
- true |
-
- | values |
- []string |
-
- Value to compare the argument against.
- |
- true |
-
- | followChildren |
- boolean |
-
- In addition to binaries, match children processes of specified binaries.
-
- Default: false
- |
- false |
-
-
-
-
-### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchCapabilities[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
-
- Namespace selector operator.
-
- Enum: In, NotIn
- |
- true |
-
- | values |
- []string |
-
- Capabilities to match.
- |
- true |
-
- | isNamespaceCapability |
- boolean |
-
- Indicates whether these caps are namespace caps.
-
- Default: false
- |
- false |
-
- | type |
- enum |
-
- Type of capabilities
-
- Enum: Effective, Inheritable, Permitted
- Default: Effective
- |
- false |
-
-
-
-
-### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchCapabilityChanges[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
-
- Namespace selector operator.
-
- Enum: In, NotIn
- |
- true |
-
- | values |
- []string |
-
- Capabilities to match.
- |
- true |
-
- | isNamespaceCapability |
- boolean |
-
- Indicates whether these caps are namespace caps.
-
- Default: false
- |
- false |
-
- | type |
- enum |
-
- Type of capabilities
-
- Enum: Effective, Inheritable, Permitted
- Default: Effective
- |
- false |
-
-
-
-
-### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchData[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchWorkloads[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
@@ -10024,47 +14336,44 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
-
- Filter operation.
-
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
- |
- true |
-
- | args |
- []integer |
+ containerSelector |
+ object |
- Position of the operator arguments (in spec file) to apply fhe filter to.
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
|
false |
- | index |
- integer |
+ hostSelector |
+ object |
- Position of the argument (in function prototype) to apply fhe filter to.
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
- Format: int32
- Minimum: 0
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
|
false |
- | values |
- []string |
+ podSelector |
+ object |
- Value to compare the argument against.
+ PodSelector selects pods that this policy applies to
|
false |
-### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchNamespaceChanges[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchWorkloads[index].containerSelector
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindexmatchworkloadsindex)
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
@@ -10076,30 +14385,31 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ matchExpressions |
+ []object |
- Namespace selector operator.
-
- Enum: In, NotIn
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
- true |
+ false |
- | values |
- []string |
+ matchLabels |
+ map[string]string |
- Namespace types (e.g., Mnt, Pid) to match.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
- true |
+ false |
-### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchNamespaces[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindexmatchworkloadsindexcontainerselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -10111,39 +14421,42 @@ Only valid with the post action and with a rateLimit specified.
- | namespace |
- enum |
+ key |
+ string |
- Namespace selector name.
-
- Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
+ key is the label key that the selector applies to.
|
true |
| operator |
enum |
- Namespace selector operator.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: In, NotIn
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
| values |
[]string |
- Namespace IDs (or host_ns for host namespace) of namespaces to match.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
- true |
+ false |
-### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchPIDs[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchWorkloads[index].hostSelector
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindexmatchworkloadsindex)
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
@@ -10155,48 +14468,31 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
-
- PID selector operator.
-
- Enum: In, NotIn
- |
- true |
-
- | values |
- []integer |
-
- Process IDs to match.
- |
- true |
-
- | followForks |
- boolean |
+ matchExpressions |
+ []object |
- Matches any descendant processes of the matching PIDs.
-
- Default: false
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | isNamespacePID |
- boolean |
+ matchLabels |
+ map[string]string |
- Indicates whether PIDs are namespace PIDs.
-
- Default: false
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchParentBinaries[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindexmatchworkloadsindexhostselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -10208,39 +14504,41 @@ Only valid with the post action and with a rateLimit specified.
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
| operator |
enum |
- Filter operation.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
| values |
[]string |
- Value to compare the argument against.
- |
- true |
-
- | followChildren |
- boolean |
-
- In addition to binaries, match children processes of specified binaries.
-
- Default: false
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchReturnActions[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchWorkloads[index].podSelector
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindexmatchworkloadsindex)
+PodSelector selects pods that this policy applies to
@@ -10252,149 +14550,74 @@ Only valid with the post action and with a rateLimit specified.
- | action |
- enum |
-
- Action to execute.
-NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
-be removed in version 1.5.
-
- Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
- |
- true |
-
- | argError |
- integer |
-
- error value for override action
-
- Format: int32
- |
- false |
-
- | argFd |
- integer |
-
- An arg index for the fd for fdInstall action
-
- Format: int32
- |
- false |
-
- | argFqdn |
- string |
-
- A FQDN to lookup for the dnsLookup action
- |
- false |
-
- | argIndex |
- integer |
-
- An arg index for the set action
-
- Format: int32
- |
- false |
-
- | argName |
- integer |
-
- An arg index for the filename for fdInstall action
-
- Format: int32
- |
- false |
-
- | argRegs |
- []string |
-
- An arg value for the regs action
- |
- false |
-
- | argSig |
- integer |
-
- A signal number for signal action
-
- Format: int32
- |
- false |
-
- | argSock |
- integer |
-
- An arg index for the sock for trackSock and untrackSock actions
-
- Format: int32
- |
- false |
-
- | argUrl |
- string |
-
- A URL for the getUrl action
- |
- false |
-
- | argValue |
- integer |
-
- An arg value for the set action
-
- Format: int32
- |
- false |
-
- | imaHash |
- boolean |
+ matchExpressions |
+ []object |
- Enable collection of file hashes from integrity subsystem.
-Only valid with the post action.
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | kernelStackTrace |
- boolean |
+ matchLabels |
+ map[string]string |
- Enable kernel stack trace export. Only valid with the post action.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-
- | rateLimit |
+
+
+
+
+### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindexmatchworkloadsindexpodselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
string |
- A time period within which repeated messages will not be posted. Can be
-specified in seconds (default or with 's' suffix), minutes ('m' suffix)
-or hours ('h' suffix). Only valid with the post action.
+ key is the label key that the selector applies to.
|
- false |
-
- | rateLimitScope |
- string |
-
- The scope of the provided rate limit argument. Can be "thread" (default),
-"process" (all threads for the same process), or "global". If "thread" is
-selected then rate limiting applies per thread; if "process" is selected
-then rate limiting applies per process; if "global" is selected then rate
-limiting applies regardless of which process or thread caused the action.
-Only valid with the post action and with a rateLimit specified.
+ | true |
+
+ | operator |
+ enum |
+
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
+
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
- | userStackTrace |
- boolean |
+ values |
+ []string |
- Enable user stack trace export. Only valid with the post action.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchReturnArgs[index]
-[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex)
+### TracingPolicyNamespaced.spec.lists[index]
+[↩ Parent](#tracingpolicynamespacedspec)
@@ -10409,48 +14632,51 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ name |
+ string |
- Filter operation.
-
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ Name of the list
|
true |
- | args |
- []integer |
+ pattern |
+ string |
- Position of the operator arguments (in spec file) to apply fhe filter to.
+ Pattern for 'generated' lists.
|
false |
- | index |
- integer |
+ type |
+ enum |
- Position of the argument (in function prototype) to apply fhe filter to.
+ Indicates the type of the list values.
- Format: int32
- Minimum: 0
+ Enum: syscalls, generated_syscalls, generated_ftrace
+ |
+ false |
+
+ | validated |
+ boolean |
+
+ List was validated
|
false |
| values |
[]string |
- Value to compare the argument against.
+ Values of the list
|
false |
-### TracingPolicyNamespaced.spec.hostSelector
+### TracingPolicyNamespaced.spec.lsmhooks[index]
[↩ Parent](#tracingpolicynamespacedspec)
-HostSelector selects hosts that this policy applies to.
-For now only ~ (none) and {} (all) is supported.
+
@@ -10462,31 +14688,51 @@ For now only ~ (none) and {} (all) is supported.
- | matchExpressions |
+ hook |
+ string |
+
+ Name of the function to apply the kprobe spec to.
+ |
+ true |
+
+ | args |
[]object |
- matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ A list of function arguments to include in the trace output.
|
false |
- | matchLabels |
- map[string]string |
+ message |
+ string |
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-map is equivalent to an element of matchExpressions, whose key field is "key", the
-operator is "In", and the values array contains only "value". The requirements are ANDed.
+ A short message of 256 characters max that will be included
+in the event output to inform users what is going on.
+ |
+ false |
+
+ | selectors |
+ []object |
+
+ Selectors to apply before producing trace output. Selectors are ORed.
+ |
+ false |
+
+ | tags |
+ []string |
+
+ Tags to categorize the event, will be include in the event output.
+Maximum of 16 Tags are supported.
|
false |
-### TracingPolicyNamespaced.spec.hostSelector.matchExpressions[index]
-[↩ Parent](#tracingpolicynamespacedspechostselector)
+### TracingPolicyNamespaced.spec.lsmhooks[index].args[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindex)
+
-A label selector requirement is a selector that contains values, a key, and an operator that
-relates the key and values.
@@ -10498,41 +14744,103 @@ relates the key and values.
- | key |
- string |
+ index |
+ integer |
- key is the label key that the selector applies to.
+ Position of the argument.
+
+ Format: int32
+ Minimum: 0
|
true |
- | operator |
+ type |
enum |
- operator represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists and DoesNotExist.
+ Argument type.
- Enum: In, NotIn, Exists, DoesNotExist
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
|
true |
- | values |
- []string |
+ btfType |
+ string |
- values is an array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. This array is replaced during a strategic
-merge patch.
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
+ |
+ false |
+
+ | label |
+ string |
+
+ Label to output in the JSON
+ |
+ false |
+
+ | maxData |
+ boolean |
+
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
+
+ Default: false
+ |
+ false |
+
+ | resolve |
+ string |
+
+ Resolve the path to a specific attribute
+
+ Default:
+ |
+ false |
+
+ | returnCopy |
+ boolean |
+
+ This field is used only for char_buf and char_iovec types. It indicates
+that this argument should be read later (when the kretprobe for the
+symbol is triggered) because it might not be populated when the kprobe
+is triggered at the entrance of the function. For example, a buffer
+supplied to read(2) won't have content until kretprobe is triggered.
+
+ Default: false
+ |
+ false |
+
+ | sizeArgIndex |
+ integer |
+
+ Specifies the position of the corresponding size argument for this argument.
+This field is used only for char_buf and char_iovec types.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | source |
+ string |
+
+ Source of the data, if missing the default if function arguments
|
false |
-### TracingPolicyNamespaced.spec.kprobes[index]
-[↩ Parent](#tracingpolicynamespacedspec)
-
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindex)
+KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
+results of MatchPIDs and MatchArgs are ANDed.
@@ -10544,96 +14852,110 @@ merge patch.
- | call |
- string |
+ macros |
+ []string |
- Name of the function to apply the kprobe spec to.
+ A list of macros names, defined in spec.selectorsMacros.
+Filters specified in macros will be appended to corresponding filters of the selector.
|
- true |
+ false |
- | args |
+ matchActions |
[]object |
- A list of function arguments to include in the trace output.
+ A list of actions to execute when this selector matches
|
false |
- | data |
+ matchArgs |
[]object |
- A list of data to include in the trace output.
+ A list of argument filters. MatchArgs are ANDed.
|
false |
- | ignore |
- object |
+ matchBinaries |
+ []object |
- Conditions for ignoring this kprobe
+ A list of binary exec name filters.
|
false |
- | message |
- string |
+ matchCapabilities |
+ []object |
- A short message of 256 characters max that will be included
-in the event output to inform users what is going on.
+ A list of capabilities and IDs
|
false |
- | return |
- boolean |
+ matchCapabilityChanges |
+ []object |
- Indicates whether to collect return value of the traced function.
-
- Default: false
+ IDs for capabilities changes
+ |
+ false |
+
+ | matchData |
+ []object |
+
+ A list of argument filters. MatchData are ANDed.
+ |
+ false |
+
+ | matchNamespaceChanges |
+ []object |
+
+ IDs for namespace changes
+ |
+ false |
+
+ | matchNamespaces |
+ []object |
+
+ A list of namespaces and IDs
|
false |
- | returnArg |
- object |
+ matchPIDs |
+ []object |
- A return argument to include in the trace output.
+ A list of process ID filters. MatchPIDs are ANDed.
|
false |
- | returnArgAction |
- string |
+ matchParentBinaries |
+ []object |
- An action to perform on the return value.
-Use returnArg to include the return value in the event output.
-Supported actions are: TrackSock;UntrackSock
+ A list of process parent exec name filters.
|
false |
- | selectors |
+ matchReturnActions |
[]object |
- Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
+ A list of actions to execute when MatchReturnArgs selector matches
|
false |
- | syscall |
- boolean |
+ matchReturnArgs |
+ []object |
- Indicates whether the traced function is a syscall.
-
- Default: true
+ A list of argument filters. MatchArgs are ANDed.
|
false |
- | tags |
- []string |
+ matchWorkloads |
+ []object |
- Tags to categorize the event, will be include in the event output.
-Maximum of 16 Tags are supported.
+ Workloads to match
|
false |
-### TracingPolicyNamespaced.spec.kprobes[index].args[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindex)
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchActions[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
@@ -10648,99 +14970,149 @@ Maximum of 16 Tags are supported.
- | index |
+ action |
+ enum |
+
+ Action to execute.
+NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
+be removed in version 1.5.
+
+ Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
+ |
+ true |
+
+ | argError |
integer |
- Position of the argument.
+ error value for override action
Format: int32
- Minimum: 0
|
- true |
+ false |
- | type |
- enum |
+ argFd |
+ integer |
- Argument type.
+ An arg index for the fd for fdInstall action
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Format: int32
|
- true |
+ false |
- | btfType |
+ argFqdn |
string |
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
+ A FQDN to lookup for the dnsLookup action
|
false |
- | label |
- string |
+ argIndex |
+ integer |
- Label to output in the JSON
+ An arg index for the set action
+
+ Format: int32
|
false |
- | maxData |
- boolean |
+ argName |
+ integer |
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
+ An arg index for the filename for fdInstall action
- Default: false
+ Format: int32
|
false |
- | resolve |
- string |
+ argRegs |
+ []string |
- Resolve the path to a specific attribute
+ An arg value for the regs action
+ |
+ false |
+
+ | argSig |
+ integer |
+
+ A signal number for signal action
- Default:
+ Format: int32
|
false |
- | returnCopy |
- boolean |
+ argSock |
+ integer |
- This field is used only for char_buf and char_iovec types. It indicates
-that this argument should be read later (when the kretprobe for the
-symbol is triggered) because it might not be populated when the kprobe
-is triggered at the entrance of the function. For example, a buffer
-supplied to read(2) won't have content until kretprobe is triggered.
+ An arg index for the sock for trackSock and untrackSock actions
- Default: false
+ Format: int32
|
false |
- | sizeArgIndex |
+ argUrl |
+ string |
+
+ A URL for the getUrl action
+ |
+ false |
+
+ | argValue |
integer |
- Specifies the position of the corresponding size argument for this argument.
-This field is used only for char_buf and char_iovec types.
+ An arg value for the set action
Format: int32
- Minimum: 0
|
false |
- | source |
+ imaHash |
+ boolean |
+
+ Enable collection of file hashes from integrity subsystem.
+Only valid with the post action.
+ |
+ false |
+
+ | kernelStackTrace |
+ boolean |
+
+ Enable kernel stack trace export. Only valid with the post action.
+ |
+ false |
+
+ | rateLimit |
string |
- Source of the data, if missing the default if function arguments
+ A time period within which repeated messages will not be posted. Can be
+specified in seconds (default or with 's' suffix), minutes ('m' suffix)
+or hours ('h' suffix). Only valid with the post action.
+ |
+ false |
+
+ | rateLimitScope |
+ string |
+
+ The scope of the provided rate limit argument. Can be "thread" (default),
+"process" (all threads for the same process), or "global". If "thread" is
+selected then rate limiting applies per thread; if "process" is selected
+then rate limiting applies per process; if "global" is selected then rate
+limiting applies regardless of which process or thread caused the action.
+Only valid with the post action and with a rateLimit specified.
+ |
+ false |
+
+ | userStackTrace |
+ boolean |
+
+ Enable user stack trace export. Only valid with the post action.
|
false |
-### TracingPolicyNamespaced.spec.kprobes[index].data[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindex)
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchArgs[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
@@ -10755,102 +15127,91 @@ This field is used only for char_buf and char_iovec types.
- | index |
- integer |
-
- Position of the argument.
-
- Format: int32
- Minimum: 0
- |
- true |
-
- | type |
+ operator |
enum |
- Argument type.
+ Filter operation.
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
|
true |
- | btfType |
- string |
-
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
- |
- false |
-
- | label |
- string |
+ args |
+ []integer |
- Label to output in the JSON
+ Position of the operator arguments (in spec file) to apply fhe filter to.
|
false |
- | maxData |
- boolean |
+ index |
+ integer |
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
+ Position of the argument (in function prototype) to apply fhe filter to.
- Default: false
+ Format: int32
+ Minimum: 0
|
false |
- | resolve |
- string |
+ values |
+ []string |
- Resolve the path to a specific attribute
-
- Default:
+ Value to compare the argument against.
|
false |
-
- | returnCopy |
- boolean |
-
- This field is used only for char_buf and char_iovec types. It indicates
-that this argument should be read later (when the kretprobe for the
-symbol is triggered) because it might not be populated when the kprobe
-is triggered at the entrance of the function. For example, a buffer
-supplied to read(2) won't have content until kretprobe is triggered.
+ |
+
+
+
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchBinaries[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
- Default: false
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
|
- false |
+ true |
- | sizeArgIndex |
- integer |
+ values |
+ []string |
- Specifies the position of the corresponding size argument for this argument.
-This field is used only for char_buf and char_iovec types.
-
- Format: int32
- Minimum: 0
+ Value to compare the argument against.
|
- false |
+ true |
- | source |
- string |
+ followChildren |
+ boolean |
- Source of the data, if missing the default if function arguments
+ In addition to binaries, match children processes of specified binaries.
+
+ Default: false
|
false |
-### TracingPolicyNamespaced.spec.kprobes[index].ignore
-[↩ Parent](#tracingpolicynamespacedspeckprobesindex)
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchCapabilities[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+
-Conditions for ignoring this kprobe
@@ -10862,21 +15223,49 @@ Conditions for ignoring this kprobe
- | callNotFound |
+ operator |
+ enum |
+
+ Namespace selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []string |
+
+ Capabilities to match.
+ |
+ true |
+
+ | isNamespaceCapability |
boolean |
- Ignores calls that are not present in the system
+ Indicates whether these caps are namespace caps.
+
+ Default: false
+ |
+ false |
+
+ | type |
+ enum |
+
+ Type of capabilities
+
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
|
false |
-### TracingPolicyNamespaced.spec.kprobes[index].returnArg
-[↩ Parent](#tracingpolicynamespacedspeckprobesindex)
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchCapabilityChanges[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+
-A return argument to include in the trace output.
@@ -10888,103 +15277,101 @@ A return argument to include in the trace output.
- | index |
- integer |
-
- Position of the argument.
-
- Format: int32
- Minimum: 0
- |
- true |
-
- | type |
+ operator |
enum |
- Argument type.
+ Namespace selector operator.
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Enum: In, NotIn
|
true |
- | btfType |
- string |
-
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
- |
- false |
-
- | label |
- string |
+ values |
+ []string |
- Label to output in the JSON
+ Capabilities to match.
|
- false |
+ true |
- | maxData |
+ isNamespaceCapability |
boolean |
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
+ Indicates whether these caps are namespace caps.
Default: false
|
false |
- | resolve |
- string |
+ type |
+ enum |
- Resolve the path to a specific attribute
+ Type of capabilities
- Default:
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
|
false |
-
- | returnCopy |
- boolean |
+
+
+
+
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchData[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
- This field is used only for char_buf and char_iovec types. It indicates
-that this argument should be read later (when the kretprobe for the
-symbol is triggered) because it might not be populated when the kprobe
-is triggered at the entrance of the function. For example, a buffer
-supplied to read(2) won't have content until kretprobe is triggered.
+ Filter operation.
- Default: false
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ |
+ true |
+
+ | args |
+ []integer |
+
+ Position of the operator arguments (in spec file) to apply fhe filter to.
|
false |
- | sizeArgIndex |
+ index |
integer |
- Specifies the position of the corresponding size argument for this argument.
-This field is used only for char_buf and char_iovec types.
+ Position of the argument (in function prototype) to apply fhe filter to.
Format: int32
Minimum: 0
|
false |
- | source |
- string |
+ values |
+ []string |
- Source of the data, if missing the default if function arguments
+ Value to compare the argument against.
|
false |
-### TracingPolicyNamespaced.spec.kprobes[index].selectors[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindex)
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchNamespaceChanges[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+
-KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
-results of MatchPIDs and MatchArgs are ANDed.
@@ -10996,103 +15383,168 @@ results of MatchPIDs and MatchArgs are ANDed.
- | macros |
- []string |
-
- A list of macros names, defined in spec.selectorsMacros.
-Filters specified in macros will be appended to corresponding filters of the selector.
- |
- false |
-
- | matchActions |
- []object |
+ operator |
+ enum |
- A list of actions to execute when this selector matches
+ Namespace selector operator.
+
+ Enum: In, NotIn
|
- false |
+ true |
- | matchArgs |
- []object |
+ values |
+ []string |
- A list of argument filters. MatchArgs are ANDed.
+ Namespace types (e.g., Mnt, Pid) to match.
|
- false |
-
- | matchBinaries |
- []object |
+ true |
+
+
+
+
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchNamespaces[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | namespace |
+ enum |
- A list of binary exec name filters.
+ Namespace selector name.
+
+ Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
|
- false |
+ true |
- | matchCapabilities |
- []object |
+ operator |
+ enum |
- A list of capabilities and IDs
+ Namespace selector operator.
+
+ Enum: In, NotIn
|
- false |
+ true |
- | matchCapabilityChanges |
- []object |
+ values |
+ []string |
- IDs for capabilities changes
+ Namespace IDs (or host_ns for host namespace) of namespaces to match.
|
- false |
-
- | matchData |
- []object |
+ true |
+
+
+
+
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchPIDs[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
- A list of argument filters. MatchData are ANDed.
+ PID selector operator.
+
+ Enum: In, NotIn
|
- false |
+ true |
- | matchNamespaceChanges |
- []object |
+ values |
+ []integer |
- IDs for namespace changes
+ Process IDs to match.
|
- false |
+ true |
- | matchNamespaces |
- []object |
+ followForks |
+ boolean |
- A list of namespaces and IDs
+ Matches any descendant processes of the matching PIDs.
+
+ Default: false
|
false |
- | matchPIDs |
- []object |
+ isNamespacePID |
+ boolean |
- A list of process ID filters. MatchPIDs are ANDed.
+ Indicates whether PIDs are namespace PIDs.
+
+ Default: false
|
false |
-
- | matchParentBinaries |
- []object |
+
+
+
+
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchParentBinaries[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
- A list of process parent exec name filters.
+ Filter operation.
+
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
|
- false |
+ true |
- | matchReturnActions |
- []object |
+ values |
+ []string |
- A list of actions to execute when MatchReturnArgs selector matches
+ Value to compare the argument against.
|
- false |
+ true |
- | matchReturnArgs |
- []object |
+ followChildren |
+ boolean |
- A list of argument filters. MatchArgs are ANDed.
+ In addition to binaries, match children processes of specified binaries.
+
+ Default: false
|
false |
-### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchActions[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchReturnActions[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
@@ -11248,8 +15700,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchArgs[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchReturnArgs[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
@@ -11283,28 +15735,196 @@ Only valid with the post action and with a rateLimit specified.
index |
integer |
- Position of the argument (in function prototype) to apply fhe filter to.
-
- Format: int32
- Minimum: 0
+ Position of the argument (in function prototype) to apply fhe filter to.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchWorkloads[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | containerSelector |
+ object |
+
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
+ |
+ false |
+
+ | hostSelector |
+ object |
+
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
+ |
+ false |
+
+ | podSelector |
+ object |
+
+ PodSelector selects pods that this policy applies to
+ |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchWorkloads[index].containerSelector
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindexmatchworkloadsindex)
+
+
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
+
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ |
+ false |
+
+ | matchLabels |
+ map[string]string |
+
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
+ |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindexmatchworkloadsindexcontainerselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
+ | operator |
+ enum |
+
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
+
+ Enum: In, NotIn, Exists, DoesNotExist
+ |
+ true |
+
+ | values |
+ []string |
+
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
+ |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchWorkloads[index].hostSelector
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindexmatchworkloadsindex)
+
+
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
+
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | values |
- []string |
+ matchLabels |
+ map[string]string |
- Value to compare the argument against.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchBinaries[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindexmatchworkloadsindexhostselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -11316,39 +15936,41 @@ Only valid with the post action and with a rateLimit specified.
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
| operator |
enum |
- Filter operation.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
| values |
[]string |
- Value to compare the argument against.
- |
- true |
-
- | followChildren |
- boolean |
-
- In addition to binaries, match children processes of specified binaries.
-
- Default: false
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchCapabilities[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchWorkloads[index].podSelector
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindexmatchworkloadsindex)
+PodSelector selects pods that this policy applies to
@@ -11360,49 +15982,31 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
-
- Namespace selector operator.
-
- Enum: In, NotIn
- |
- true |
-
- | values |
- []string |
-
- Capabilities to match.
- |
- true |
-
- | isNamespaceCapability |
- boolean |
+ matchExpressions |
+ []object |
- Indicates whether these caps are namespace caps.
-
- Default: false
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | type |
- enum |
+ matchLabels |
+ map[string]string |
- Type of capabilities
-
- Enum: Effective, Inheritable, Permitted
- Default: Effective
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchCapabilityChanges[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindexmatchworkloadsindexpodselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -11414,46 +16018,38 @@ Only valid with the post action and with a rateLimit specified.
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
| operator |
enum |
- Namespace selector operator.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: In, NotIn
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
| values |
[]string |
- Capabilities to match.
- |
- true |
-
- | isNamespaceCapability |
- boolean |
-
- Indicates whether these caps are namespace caps.
-
- Default: false
- |
- false |
-
- | type |
- enum |
-
- Type of capabilities
-
- Enum: Effective, Inheritable, Permitted
- Default: Effective
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchData[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.options[index]
+[↩ Parent](#tracingpolicynamespacedspec)
@@ -11468,47 +16064,28 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ name |
+ string |
- Filter operation.
-
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ Name of the option
|
true |
- | args |
- []integer |
-
- Position of the operator arguments (in spec file) to apply fhe filter to.
- |
- false |
-
- | index |
- integer |
-
- Position of the argument (in function prototype) to apply fhe filter to.
-
- Format: int32
- Minimum: 0
- |
- false |
-
- | values |
- []string |
+ value |
+ string |
- Value to compare the argument against.
+ Value of the option
|
false |
-### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchNamespaceChanges[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.podSelector
+[↩ Parent](#tracingpolicynamespacedspec)
+PodSelector selects pods that this policy applies to
@@ -11520,30 +16097,31 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ matchExpressions |
+ []object |
- Namespace selector operator.
-
- Enum: In, NotIn
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
- true |
+ false |
- | values |
- []string |
+ matchLabels |
+ map[string]string |
- Namespace types (e.g., Mnt, Pid) to match.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
- true |
+ false |
-### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchNamespaces[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspecpodselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -11555,39 +16133,42 @@ Only valid with the post action and with a rateLimit specified.
- | namespace |
- enum |
+ key |
+ string |
- Namespace selector name.
-
- Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
+ key is the label key that the selector applies to.
|
true |
| operator |
enum |
- Namespace selector operator.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: In, NotIn
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
| values |
[]string |
- Namespace IDs (or host_ns for host namespace) of namespaces to match.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
- true |
+ false |
-### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchPIDs[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.selectorsMacros[key]
+[↩ Parent](#tracingpolicynamespacedspec)
+KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
+results of MatchPIDs and MatchArgs are ANDed.
@@ -11599,89 +16180,110 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ macros |
+ []string |
+
+ A list of macros names, defined in spec.selectorsMacros.
+Filters specified in macros will be appended to corresponding filters of the selector.
+ |
+ false |
+
+ | matchActions |
+ []object |
+
+ A list of actions to execute when this selector matches
+ |
+ false |
+
+ | matchArgs |
+ []object |
+
+ A list of argument filters. MatchArgs are ANDed.
+ |
+ false |
+
+ | matchBinaries |
+ []object |
+
+ A list of binary exec name filters.
+ |
+ false |
+
+ | matchCapabilities |
+ []object |
- PID selector operator.
-
- Enum: In, NotIn
+ A list of capabilities and IDs
|
- true |
+ false |
- | values |
- []integer |
+ matchCapabilityChanges |
+ []object |
- Process IDs to match.
+ IDs for capabilities changes
|
- true |
+ false |
- | followForks |
- boolean |
+ matchData |
+ []object |
- Matches any descendant processes of the matching PIDs.
-
- Default: false
+ A list of argument filters. MatchData are ANDed.
|
false |
- | isNamespacePID |
- boolean |
+ matchNamespaceChanges |
+ []object |
- Indicates whether PIDs are namespace PIDs.
-
- Default: false
+ IDs for namespace changes
|
false |
-
-
-
-
-### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchParentBinaries[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
+
+ | matchNamespaces |
+ []object |
- Filter operation.
-
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ A list of namespaces and IDs
|
- true |
+ false |
- | values |
- []string |
+ matchPIDs |
+ []object |
- Value to compare the argument against.
+ A list of process ID filters. MatchPIDs are ANDed.
|
- true |
+ false |
- | followChildren |
- boolean |
+ matchParentBinaries |
+ []object |
- In addition to binaries, match children processes of specified binaries.
-
- Default: false
+ A list of process parent exec name filters.
+ |
+ false |
+
+ | matchReturnActions |
+ []object |
+
+ A list of actions to execute when MatchReturnArgs selector matches
+ |
+ false |
+
+ | matchReturnArgs |
+ []object |
+
+ A list of argument filters. MatchArgs are ANDed.
+ |
+ false |
+
+ | matchWorkloads |
+ []object |
+
+ Workloads to match
|
false |
-### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchReturnActions[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchActions[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
@@ -11837,8 +16439,158 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchReturnArgs[index]
-[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchArgs[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ |
+ true |
+
+ | args |
+ []integer |
+
+ Position of the operator arguments (in spec file) to apply fhe filter to.
+ |
+ false |
+
+ | index |
+ integer |
+
+ Position of the argument (in function prototype) to apply fhe filter to.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchBinaries[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ |
+ true |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ true |
+
+ | followChildren |
+ boolean |
+
+ In addition to binaries, match children processes of specified binaries.
+
+ Default: false
+ |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchCapabilities[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Namespace selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []string |
+
+ Capabilities to match.
+ |
+ true |
+
+ | isNamespaceCapability |
+ boolean |
+
+ Indicates whether these caps are namespace caps.
+
+ Default: false
+ |
+ false |
+
+ | type |
+ enum |
+
+ Type of capabilities
+
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
+ |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchCapabilityChanges[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
@@ -11856,41 +16608,43 @@ Only valid with the post action and with a rateLimit specified.
operator |
enum |
- Filter operation.
+ Namespace selector operator.
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ Enum: In, NotIn
|
true |
- | args |
- []integer |
+ values |
+ []string |
- Position of the operator arguments (in spec file) to apply fhe filter to.
+ Capabilities to match.
|
- false |
+ true |
- | index |
- integer |
+ isNamespaceCapability |
+ boolean |
- Position of the argument (in function prototype) to apply fhe filter to.
+ Indicates whether these caps are namespace caps.
- Format: int32
- Minimum: 0
+ Default: false
|
false |
- | values |
- []string |
+ type |
+ enum |
- Value to compare the argument against.
+ Type of capabilities
+
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
|
false |
-### TracingPolicyNamespaced.spec.lists[index]
-[↩ Parent](#tracingpolicynamespacedspec)
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchData[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
@@ -11905,48 +16659,44 @@ Only valid with the post action and with a rateLimit specified.
- | name |
- string |
+ operator |
+ enum |
- Name of the list
+ Filter operation.
+
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
|
true |
- | pattern |
- string |
+ args |
+ []integer |
- Pattern for 'generated' lists.
+ Position of the operator arguments (in spec file) to apply fhe filter to.
|
false |
- | type |
- enum |
+ index |
+ integer |
- Indicates the type of the list values.
+ Position of the argument (in function prototype) to apply fhe filter to.
- Enum: syscalls, generated_syscalls, generated_ftrace
- |
- false |
-
- | validated |
- boolean |
-
- List was validated
+ Format: int32
+ Minimum: 0
|
false |
| values |
[]string |
- Values of the list
+ Value to compare the argument against.
|
false |
-### TracingPolicyNamespaced.spec.lsmhooks[index]
-[↩ Parent](#tracingpolicynamespacedspec)
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchNamespaceChanges[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
@@ -11961,48 +16711,27 @@ Only valid with the post action and with a rateLimit specified.
- | hook |
- string |
+ operator |
+ enum |
- Name of the function to apply the kprobe spec to.
+ Namespace selector operator.
+
+ Enum: In, NotIn
|
true |
- | args |
- []object |
-
- A list of function arguments to include in the trace output.
- |
- false |
-
- | message |
- string |
-
- A short message of 256 characters max that will be included
-in the event output to inform users what is going on.
- |
- false |
-
- | selectors |
- []object |
-
- Selectors to apply before producing trace output. Selectors are ORed.
- |
- false |
-
- | tags |
+ values |
[]string |
- Tags to categorize the event, will be include in the event output.
-Maximum of 16 Tags are supported.
+ Namespace types (e.g., Mnt, Pid) to match.
|
- false |
+ true |
-### TracingPolicyNamespaced.spec.lsmhooks[index].args[index]
-[↩ Parent](#tracingpolicynamespacedspeclsmhooksindex)
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchNamespaces[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
@@ -12017,103 +16746,39 @@ Maximum of 16 Tags are supported.
- | index |
- integer |
+ namespace |
+ enum |
- Position of the argument.
+ Namespace selector name.
- Format: int32
- Minimum: 0
+ Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
|
true |
- | type |
+ operator |
enum |
- Argument type.
+ Namespace selector operator.
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Enum: In, NotIn
|
true |
- | btfType |
- string |
-
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
- |
- false |
-
- | label |
- string |
-
- Label to output in the JSON
- |
- false |
-
- | maxData |
- boolean |
-
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
-
- Default: false
- |
- false |
-
- | resolve |
- string |
-
- Resolve the path to a specific attribute
-
- Default:
- |
- false |
-
- | returnCopy |
- boolean |
-
- This field is used only for char_buf and char_iovec types. It indicates
-that this argument should be read later (when the kretprobe for the
-symbol is triggered) because it might not be populated when the kprobe
-is triggered at the entrance of the function. For example, a buffer
-supplied to read(2) won't have content until kretprobe is triggered.
-
- Default: false
- |
- false |
-
- | sizeArgIndex |
- integer |
-
- Specifies the position of the corresponding size argument for this argument.
-This field is used only for char_buf and char_iovec types.
-
- Format: int32
- Minimum: 0
- |
- false |
-
- | source |
- string |
+ values |
+ []string |
- Source of the data, if missing the default if function arguments
+ Namespace IDs (or host_ns for host namespace) of namespaces to match.
|
- false |
+ true |
-### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index]
-[↩ Parent](#tracingpolicynamespacedspeclsmhooksindex)
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchPIDs[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
+
-KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
-results of MatchPIDs and MatchArgs are ANDed.
@@ -12125,103 +16790,89 @@ results of MatchPIDs and MatchArgs are ANDed.
- | macros |
- []string |
-
- A list of macros names, defined in spec.selectorsMacros.
-Filters specified in macros will be appended to corresponding filters of the selector.
- |
- false |
-
- | matchActions |
- []object |
-
- A list of actions to execute when this selector matches
- |
- false |
-
- | matchArgs |
- []object |
-
- A list of argument filters. MatchArgs are ANDed.
- |
- false |
-
- | matchBinaries |
- []object |
-
- A list of binary exec name filters.
- |
- false |
-
- | matchCapabilities |
- []object |
-
- A list of capabilities and IDs
- |
- false |
-
- | matchCapabilityChanges |
- []object |
-
- IDs for capabilities changes
- |
- false |
-
- | matchData |
- []object |
+ operator |
+ enum |
- A list of argument filters. MatchData are ANDed.
+ PID selector operator.
+
+ Enum: In, NotIn
|
- false |
+ true |
- | matchNamespaceChanges |
- []object |
+ values |
+ []integer |
- IDs for namespace changes
+ Process IDs to match.
|
- false |
+ true |
- | matchNamespaces |
- []object |
+ followForks |
+ boolean |
- A list of namespaces and IDs
+ Matches any descendant processes of the matching PIDs.
+
+ Default: false
|
false |
- | matchPIDs |
- []object |
+ isNamespacePID |
+ boolean |
- A list of process ID filters. MatchPIDs are ANDed.
+ Indicates whether PIDs are namespace PIDs.
+
+ Default: false
|
false |
-
- | matchParentBinaries |
- []object |
+
+
+
+
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchParentBinaries[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
- A list of process parent exec name filters.
+ Filter operation.
+
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
|
- false |
+ true |
- | matchReturnActions |
- []object |
+ values |
+ []string |
- A list of actions to execute when MatchReturnArgs selector matches
+ Value to compare the argument against.
|
- false |
+ true |
- | matchReturnArgs |
- []object |
+ followChildren |
+ boolean |
- A list of argument filters. MatchArgs are ANDed.
+ In addition to binaries, match children processes of specified binaries.
+
+ Default: false
|
false |
-### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchActions[index]
-[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchReturnActions[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
@@ -12377,8 +17028,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchArgs[index]
-[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchReturnArgs[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
@@ -12429,8 +17080,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchBinaries[index]
-[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchWorkloads[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
@@ -12445,40 +17096,81 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ containerSelector |
+ object |
- Filter operation.
-
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
|
- true |
+ false |
- | values |
- []string |
+ hostSelector |
+ object |
- Value to compare the argument against.
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
|
- true |
+ false |
- | followChildren |
- boolean |
+ podSelector |
+ object |
- In addition to binaries, match children processes of specified binaries.
-
- Default: false
+ PodSelector selects pods that this policy applies to
|
false |
-### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchCapabilities[index]
-[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchWorkloads[index].containerSelector
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskeymatchworkloadsindex)
+
+
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
+
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ |
+ false |
+
+ | matchLabels |
+ map[string]string |
+
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
+ |
+ false |
+
+
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchWorkloads[index].containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskeymatchworkloadsindexcontainerselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
@@ -12489,49 +17181,78 @@ Only valid with the post action and with a rateLimit specified.
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
| operator |
enum |
- Namespace selector operator.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: In, NotIn
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
| values |
[]string |
- Capabilities to match.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
- true |
-
- | isNamespaceCapability |
- boolean |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchWorkloads[index].hostSelector
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskeymatchworkloadsindex)
+
+
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
- Indicates whether these caps are namespace caps.
-
- Default: false
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | type |
- enum |
+ matchLabels |
+ map[string]string |
- Type of capabilities
-
- Enum: Effective, Inheritable, Permitted
- Default: Effective
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchCapabilityChanges[index]
-[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchWorkloads[index].hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskeymatchworkloadsindexhostselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -12543,49 +17264,77 @@ Only valid with the post action and with a rateLimit specified.
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
| operator |
enum |
- Namespace selector operator.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: In, NotIn
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
| values |
[]string |
- Capabilities to match.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
- true |
-
- | isNamespaceCapability |
- boolean |
-
- Indicates whether these caps are namespace caps.
-
- Default: false
+ | false |
+
+
+
+
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchWorkloads[index].podSelector
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskeymatchworkloadsindex)
+
+
+PodSelector selects pods that this policy applies to
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
+
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | type |
- enum |
+ matchLabels |
+ map[string]string |
- Type of capabilities
-
- Enum: Effective, Inheritable, Permitted
- Default: Effective
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchData[index]
-[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.selectorsMacros[key].matchWorkloads[index].podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskeymatchworkloadsindexpodselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -12597,44 +17346,38 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ key |
+ string |
- Filter operation.
-
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ key is the label key that the selector applies to.
|
true |
- | args |
- []integer |
-
- Position of the operator arguments (in spec file) to apply fhe filter to.
- |
- false |
-
- | index |
- integer |
+ operator |
+ enum |
- Position of the argument (in function prototype) to apply fhe filter to.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Format: int32
- Minimum: 0
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
| values |
[]string |
- Value to compare the argument against.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchNamespaceChanges[index]
-[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+### TracingPolicyNamespaced.spec.tracepoints[index]
+[↩ Parent](#tracingpolicynamespacedspec)
@@ -12649,27 +17392,62 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ event |
+ string |
- Namespace selector operator.
-
- Enum: In, NotIn
+ Tracepoint event
|
true |
- | values |
- []string |
+ subsystem |
+ string |
- Namespace types (e.g., Mnt, Pid) to match.
+ Tracepoint subsystem
|
true |
+
+ | args |
+ []object |
+
+ A list of function arguments to include in the trace output.
+ |
+ false |
+
+ | message |
+ string |
+
+ A short message of 256 characters max that will be included
+in the event output to inform users what is going on.
+ |
+ false |
+
+ | raw |
+ boolean |
+
+ Enable raw tracepoint arguments
+ |
+ false |
+
+ | selectors |
+ []object |
+
+ Selectors to apply before producing trace output. Selectors are ORed.
+ |
+ false |
+
+ | tags |
+ []string |
+
+ Tags to categorize the event, will be include in the event output.
+Maximum of 16 Tags are supported.
+ |
+ false |
-### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchNamespaces[index]
-[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+### TracingPolicyNamespaced.spec.tracepoints[index].args[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindex)
@@ -12684,39 +17462,103 @@ Only valid with the post action and with a rateLimit specified.
- | namespace |
- enum |
+ index |
+ integer |
- Namespace selector name.
+ Position of the argument.
- Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
+ Format: int32
+ Minimum: 0
|
true |
- | operator |
+ type |
enum |
- Namespace selector operator.
+ Argument type.
- Enum: In, NotIn
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
|
true |
- | values |
- []string |
+ btfType |
+ string |
- Namespace IDs (or host_ns for host namespace) of namespaces to match.
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
|
- true |
+ false |
+
+ | label |
+ string |
+
+ Label to output in the JSON
+ |
+ false |
+
+ | maxData |
+ boolean |
+
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
+
+ Default: false
+ |
+ false |
+
+ | resolve |
+ string |
+
+ Resolve the path to a specific attribute
+
+ Default:
+ |
+ false |
+
+ | returnCopy |
+ boolean |
+
+ This field is used only for char_buf and char_iovec types. It indicates
+that this argument should be read later (when the kretprobe for the
+symbol is triggered) because it might not be populated when the kprobe
+is triggered at the entrance of the function. For example, a buffer
+supplied to read(2) won't have content until kretprobe is triggered.
+
+ Default: false
+ |
+ false |
+
+ | sizeArgIndex |
+ integer |
+
+ Specifies the position of the corresponding size argument for this argument.
+This field is used only for char_buf and char_iovec types.
+
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | source |
+ string |
+
+ Source of the data, if missing the default if function arguments
+ |
+ false |
-### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchPIDs[index]
-[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindex)
+KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
+results of MatchPIDs and MatchArgs are ANDed.
@@ -12728,89 +17570,110 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ macros |
+ []string |
- PID selector operator.
-
- Enum: In, NotIn
+ A list of macros names, defined in spec.selectorsMacros.
+Filters specified in macros will be appended to corresponding filters of the selector.
+ |
+ false |
+
+ | matchActions |
+ []object |
+
+ A list of actions to execute when this selector matches
+ |
+ false |
+
+ | matchArgs |
+ []object |
+
+ A list of argument filters. MatchArgs are ANDed.
+ |
+ false |
+
+ | matchBinaries |
+ []object |
+
+ A list of binary exec name filters.
+ |
+ false |
+
+ | matchCapabilities |
+ []object |
+
+ A list of capabilities and IDs
+ |
+ false |
+
+ | matchCapabilityChanges |
+ []object |
+
+ IDs for capabilities changes
+ |
+ false |
+
+ | matchData |
+ []object |
+
+ A list of argument filters. MatchData are ANDed.
+ |
+ false |
+
+ | matchNamespaceChanges |
+ []object |
+
+ IDs for namespace changes
|
- true |
+ false |
- | values |
- []integer |
+ matchNamespaces |
+ []object |
- Process IDs to match.
+ A list of namespaces and IDs
|
- true |
+ false |
- | followForks |
- boolean |
+ matchPIDs |
+ []object |
- Matches any descendant processes of the matching PIDs.
-
- Default: false
+ A list of process ID filters. MatchPIDs are ANDed.
|
false |
- | isNamespacePID |
- boolean |
+ matchParentBinaries |
+ []object |
- Indicates whether PIDs are namespace PIDs.
-
- Default: false
+ A list of process parent exec name filters.
|
false |
-
-
-
-
-### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchParentBinaries[index]
-[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
+
+ | matchReturnActions |
+ []object |
- Filter operation.
-
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ A list of actions to execute when MatchReturnArgs selector matches
|
- true |
+ false |
- | values |
- []string |
+ matchReturnArgs |
+ []object |
- Value to compare the argument against.
+ A list of argument filters. MatchArgs are ANDed.
|
- true |
+ false |
- | followChildren |
- boolean |
+ matchWorkloads |
+ []object |
- In addition to binaries, match children processes of specified binaries.
-
- Default: false
+ Workloads to match
|
false |
-### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchReturnActions[index]
-[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchActions[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
@@ -12966,8 +17829,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchReturnArgs[index]
-[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex)
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchArgs[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
@@ -13018,8 +17881,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.options[index]
-[↩ Parent](#tracingpolicynamespacedspec)
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchBinaries[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
@@ -13034,28 +17897,199 @@ Only valid with the post action and with a rateLimit specified.
- | name |
- string |
+ operator |
+ enum |
+
+ Filter operation.
+
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ |
+ true |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
+ |
+ true |
+
+ | followChildren |
+ boolean |
+
+ In addition to binaries, match children processes of specified binaries.
+
+ Default: false
+ |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchCapabilities[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Namespace selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []string |
+
+ Capabilities to match.
+ |
+ true |
+
+ | isNamespaceCapability |
+ boolean |
+
+ Indicates whether these caps are namespace caps.
+
+ Default: false
+ |
+ false |
+
+ | type |
+ enum |
+
+ Type of capabilities
+
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
+ |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchCapabilityChanges[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Namespace selector operator.
+
+ Enum: In, NotIn
+ |
+ true |
+
+ | values |
+ []string |
+
+ Capabilities to match.
+ |
+ true |
+
+ | isNamespaceCapability |
+ boolean |
+
+ Indicates whether these caps are namespace caps.
+
+ Default: false
+ |
+ false |
+
+ | type |
+ enum |
+
+ Type of capabilities
+
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
+ |
+ false |
+
+
+
+
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchData[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
+
+ Filter operation.
+
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ |
+ true |
+
+ | args |
+ []integer |
+
+ Position of the operator arguments (in spec file) to apply fhe filter to.
+ |
+ false |
+
+ | index |
+ integer |
- Name of the option
+ Position of the argument (in function prototype) to apply fhe filter to.
+
+ Format: int32
+ Minimum: 0
|
- true |
+ false |
- | value |
- string |
+ values |
+ []string |
- Value of the option
+ Value to compare the argument against.
|
false |
-### TracingPolicyNamespaced.spec.podSelector
-[↩ Parent](#tracingpolicynamespacedspec)
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchNamespaceChanges[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+
-PodSelector selects pods that this policy applies to
@@ -13067,31 +18101,30 @@ PodSelector selects pods that this policy applies to
- | matchExpressions |
- []object |
+ operator |
+ enum |
- matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ Namespace selector operator.
+
+ Enum: In, NotIn
|
- false |
+ true |
- | matchLabels |
- map[string]string |
+ values |
+ []string |
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-map is equivalent to an element of matchExpressions, whose key field is "key", the
-operator is "In", and the values array contains only "value". The requirements are ANDed.
+ Namespace types (e.g., Mnt, Pid) to match.
|
- false |
+ true |
-### TracingPolicyNamespaced.spec.podSelector.matchExpressions[index]
-[↩ Parent](#tracingpolicynamespacedspecpodselector)
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchNamespaces[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+
-A label selector requirement is a selector that contains values, a key, and an operator that
-relates the key and values.
@@ -13103,42 +18136,39 @@ relates the key and values.
- | key |
- string |
+ namespace |
+ enum |
- key is the label key that the selector applies to.
+ Namespace selector name.
+
+ Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
|
true |
| operator |
enum |
- operator represents a key's relationship to a set of values.
-Valid operators are In, NotIn, Exists and DoesNotExist.
+ Namespace selector operator.
- Enum: In, NotIn, Exists, DoesNotExist
+ Enum: In, NotIn
|
true |
| values |
[]string |
- values is an array of string values. If the operator is In or NotIn,
-the values array must be non-empty. If the operator is Exists or DoesNotExist,
-the values array must be empty. This array is replaced during a strategic
-merge patch.
+ Namespace IDs (or host_ns for host namespace) of namespaces to match.
|
- false |
+ true |
-### TracingPolicyNamespaced.spec.selectorsMacros[key]
-[↩ Parent](#tracingpolicynamespacedspec)
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchPIDs[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+
-KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
-results of MatchPIDs and MatchArgs are ANDed.
@@ -13150,103 +18180,89 @@ results of MatchPIDs and MatchArgs are ANDed.
- | macros |
- []string |
-
- A list of macros names, defined in spec.selectorsMacros.
-Filters specified in macros will be appended to corresponding filters of the selector.
- |
- false |
-
- | matchActions |
- []object |
-
- A list of actions to execute when this selector matches
- |
- false |
-
- | matchArgs |
- []object |
-
- A list of argument filters. MatchArgs are ANDed.
- |
- false |
-
- | matchBinaries |
- []object |
-
- A list of binary exec name filters.
- |
- false |
-
- | matchCapabilities |
- []object |
-
- A list of capabilities and IDs
- |
- false |
-
- | matchCapabilityChanges |
- []object |
-
- IDs for capabilities changes
- |
- false |
-
- | matchData |
- []object |
+ operator |
+ enum |
- A list of argument filters. MatchData are ANDed.
+ PID selector operator.
+
+ Enum: In, NotIn
|
- false |
+ true |
- | matchNamespaceChanges |
- []object |
+ values |
+ []integer |
- IDs for namespace changes
+ Process IDs to match.
|
- false |
+ true |
- | matchNamespaces |
- []object |
+ followForks |
+ boolean |
- A list of namespaces and IDs
+ Matches any descendant processes of the matching PIDs.
+
+ Default: false
|
false |
- | matchPIDs |
- []object |
+ isNamespacePID |
+ boolean |
- A list of process ID filters. MatchPIDs are ANDed.
+ Indicates whether PIDs are namespace PIDs.
+
+ Default: false
|
false |
-
- | matchParentBinaries |
- []object |
+
+
+
+
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchParentBinaries[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
- A list of process parent exec name filters.
+ Filter operation.
+
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
|
- false |
+ true |
- | matchReturnActions |
- []object |
+ values |
+ []string |
- A list of actions to execute when MatchReturnArgs selector matches
+ Value to compare the argument against.
|
- false |
+ true |
- | matchReturnArgs |
- []object |
+ followChildren |
+ boolean |
- A list of argument filters. MatchArgs are ANDed.
+ In addition to binaries, match children processes of specified binaries.
+
+ Default: false
|
false |
-### TracingPolicyNamespaced.spec.selectorsMacros[key].matchActions[index]
-[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchReturnActions[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
@@ -13388,74 +18404,22 @@ or hours ('h' suffix). Only valid with the post action.
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
-Only valid with the post action and with a rateLimit specified.
-
- false |
-
- | userStackTrace |
- boolean |
-
- Enable user stack trace export. Only valid with the post action.
- |
- false |
-
-
-
-
-### TracingPolicyNamespaced.spec.selectorsMacros[key].matchArgs[index]
-[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
-
- Filter operation.
-
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
- |
- true |
-
- | args |
- []integer |
-
- Position of the operator arguments (in spec file) to apply fhe filter to.
- |
- false |
-
- | index |
- integer |
-
- Position of the argument (in function prototype) to apply fhe filter to.
-
- Format: int32
- Minimum: 0
+Only valid with the post action and with a rateLimit specified.
|
false |
- | values |
- []string |
+ userStackTrace |
+ boolean |
- Value to compare the argument against.
+ Enable user stack trace export. Only valid with the post action.
|
false |
-### TracingPolicyNamespaced.spec.selectorsMacros[key].matchBinaries[index]
-[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchReturnArgs[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
@@ -13475,31 +18439,39 @@ Only valid with the post action and with a rateLimit specified.
Filter operation.
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
|
true |
- | values |
- []string |
+ args |
+ []integer |
- Value to compare the argument against.
+ Position of the operator arguments (in spec file) to apply fhe filter to.
|
- true |
+ false |
- | followChildren |
- boolean |
+ index |
+ integer |
- In addition to binaries, match children processes of specified binaries.
+ Position of the argument (in function prototype) to apply fhe filter to.
- Default: false
+ Format: int32
+ Minimum: 0
+ |
+ false |
+
+ | values |
+ []string |
+
+ Value to compare the argument against.
|
false |
-### TracingPolicyNamespaced.spec.selectorsMacros[key].matchCapabilities[index]
-[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchWorkloads[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
@@ -13514,49 +18486,44 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
-
- Namespace selector operator.
-
- Enum: In, NotIn
- |
- true |
-
- | values |
- []string |
+ containerSelector |
+ object |
- Capabilities to match.
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
|
- true |
+ false |
- | isNamespaceCapability |
- boolean |
+ hostSelector |
+ object |
- Indicates whether these caps are namespace caps.
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
- Default: false
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
|
false |
- | type |
- enum |
+ podSelector |
+ object |
- Type of capabilities
-
- Enum: Effective, Inheritable, Permitted
- Default: Effective
+ PodSelector selects pods that this policy applies to
|
false |
-### TracingPolicyNamespaced.spec.selectorsMacros[key].matchCapabilityChanges[index]
-[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
-
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchWorkloads[index].containerSelector
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindexmatchworkloadsindex)
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
@@ -13568,49 +18535,31 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
-
- Namespace selector operator.
-
- Enum: In, NotIn
- |
- true |
-
- | values |
- []string |
-
- Capabilities to match.
- |
- true |
-
- | isNamespaceCapability |
- boolean |
+ matchExpressions |
+ []object |
- Indicates whether these caps are namespace caps.
-
- Default: false
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | type |
- enum |
+ matchLabels |
+ map[string]string |
- Type of capabilities
-
- Enum: Effective, Inheritable, Permitted
- Default: Effective
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicyNamespaced.spec.selectorsMacros[key].matchData[index]
-[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
-
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindexmatchworkloadsindexcontainerselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -13622,47 +18571,42 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ key |
+ string |
- Filter operation.
-
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ key is the label key that the selector applies to.
|
true |
- | args |
- []integer |
-
- Position of the operator arguments (in spec file) to apply fhe filter to.
- |
- false |
-
- | index |
- integer |
+ operator |
+ enum |
- Position of the argument (in function prototype) to apply fhe filter to.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Format: int32
- Minimum: 0
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
| values |
[]string |
- Value to compare the argument against.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-### TracingPolicyNamespaced.spec.selectorsMacros[key].matchNamespaceChanges[index]
-[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
-
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchWorkloads[index].hostSelector
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindexmatchworkloadsindex)
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
@@ -13674,30 +18618,31 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ matchExpressions |
+ []object |
- Namespace selector operator.
-
- Enum: In, NotIn
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
- true |
+ false |
- | values |
- []string |
+ matchLabels |
+ map[string]string |
- Namespace types (e.g., Mnt, Pid) to match.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
- true |
+ false |
-### TracingPolicyNamespaced.spec.selectorsMacros[key].matchNamespaces[index]
-[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
-
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindexmatchworkloadsindexhostselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -13709,39 +18654,41 @@ Only valid with the post action and with a rateLimit specified.
- | namespace |
- enum |
+ key |
+ string |
- Namespace selector name.
-
- Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
+ key is the label key that the selector applies to.
|
true |
| operator |
enum |
- Namespace selector operator.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: In, NotIn
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
| values |
[]string |
- Namespace IDs (or host_ns for host namespace) of namespaces to match.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
- true |
+ false |
-### TracingPolicyNamespaced.spec.selectorsMacros[key].matchPIDs[index]
-[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
-
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchWorkloads[index].podSelector
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindexmatchworkloadsindex)
+PodSelector selects pods that this policy applies to
@@ -13753,48 +18700,31 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
-
- PID selector operator.
-
- Enum: In, NotIn
- |
- true |
-
- | values |
- []integer |
-
- Process IDs to match.
- |
- true |
-
- | followForks |
- boolean |
+ matchExpressions |
+ []object |
- Matches any descendant processes of the matching PIDs.
-
- Default: false
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | isNamespacePID |
- boolean |
+ matchLabels |
+ map[string]string |
- Indicates whether PIDs are namespace PIDs.
-
- Default: false
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicyNamespaced.spec.selectorsMacros[key].matchParentBinaries[index]
-[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
-
+### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindexmatchworkloadsindexpodselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -13806,36 +18736,38 @@ Only valid with the post action and with a rateLimit specified.
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
| operator |
enum |
- Filter operation.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
| values |
[]string |
- Value to compare the argument against.
- |
- true |
-
- | followChildren |
- boolean |
-
- In addition to binaries, match children processes of specified binaries.
-
- Default: false
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-### TracingPolicyNamespaced.spec.selectorsMacros[key].matchReturnActions[index]
-[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
+### TracingPolicyNamespaced.spec.uprobes[index]
+[↩ Parent](#tracingpolicynamespacedspec)
@@ -13850,149 +18782,106 @@ Only valid with the post action and with a rateLimit specified.
- | action |
- enum |
+ path |
+ string |
- Action to execute.
-NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
-be removed in version 1.5.
-
- Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
+ Name of the traced binary
|
true |
- | argError |
- integer |
+ addrs |
+ []integer |
- error value for override action
-
- Format: int32
+ List of the traced addresses
|
false |
- | argFd |
- integer |
+ args |
+ []object |
- An arg index for the fd for fdInstall action
-
- Format: int32
+ A list of function arguments to include in the trace output.
|
false |
- | argFqdn |
+ btfPath |
string |
- A FQDN to lookup for the dnsLookup action
- |
- false |
-
- | argIndex |
- integer |
-
- An arg index for the set action
-
- Format: int32
- |
- false |
-
- | argName |
- integer |
-
- An arg index for the filename for fdInstall action
-
- Format: int32
- |
- false |
-
- | argRegs |
- []string |
-
- An arg value for the regs action
+ path for a BTF file for the traced binary
|
false |
- | argSig |
- integer |
+ data |
+ []object |
- A signal number for signal action
-
- Format: int32
+ A list of data to include in the trace output.
|
false |
- | argSock |
- integer |
+ message |
+ string |
- An arg index for the sock for trackSock and untrackSock actions
-
- Format: int32
+ A short message of 256 characters max that will be included
+in the event output to inform users what is going on.
|
false |
- | argUrl |
- string |
+ offsets |
+ []integer |
- A URL for the getUrl action
+ List of the traced offsets
|
false |
- | argValue |
- integer |
+ refCtrOffsets |
+ []integer |
- An arg value for the set action
-
- Format: int32
+ List of the traced ref_ctr_offsets
|
false |
- | imaHash |
+ return |
boolean |
- Enable collection of file hashes from integrity subsystem.
-Only valid with the post action.
+ Indicates whether to collect return value of the traced function.
+
+ Default: false
|
false |
- | kernelStackTrace |
- boolean |
+ returnArg |
+ object |
- Enable kernel stack trace export. Only valid with the post action.
+ A return argument to include in the trace output.
|
false |
- | rateLimit |
- string |
+ selectors |
+ []object |
- A time period within which repeated messages will not be posted. Can be
-specified in seconds (default or with 's' suffix), minutes ('m' suffix)
-or hours ('h' suffix). Only valid with the post action.
+ Selectors to apply before producing trace output. Selectors are ORed.
|
false |
- | rateLimitScope |
- string |
+ symbols |
+ []string |
- The scope of the provided rate limit argument. Can be "thread" (default),
-"process" (all threads for the same process), or "global". If "thread" is
-selected then rate limiting applies per thread; if "process" is selected
-then rate limiting applies per process; if "global" is selected then rate
-limiting applies regardless of which process or thread caused the action.
-Only valid with the post action and with a rateLimit specified.
+ List of the traced symbols
|
false |
- | userStackTrace |
- boolean |
+ tags |
+ []string |
- Enable user stack trace export. Only valid with the post action.
+ Tags to categorize the event, will be include in the event output.
+Maximum of 16 Tags are supported.
|
false |
-### TracingPolicyNamespaced.spec.selectorsMacros[key].matchReturnArgs[index]
-[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey)
+### TracingPolicyNamespaced.spec.uprobes[index].args[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindex)
@@ -14007,44 +18896,99 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
+ index |
+ integer |
+
+ Position of the argument.
+
+ Format: int32
+ Minimum: 0
+ |
+ true |
+
+ | type |
enum |
- Filter operation.
+ Argument type.
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
|
true |
- | args |
- []integer |
+ btfType |
+ string |
- Position of the operator arguments (in spec file) to apply fhe filter to.
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
|
false |
- | index |
+ label |
+ string |
+
+ Label to output in the JSON
+ |
+ false |
+
+ | maxData |
+ boolean |
+
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
+
+ Default: false
+ |
+ false |
+
+ | resolve |
+ string |
+
+ Resolve the path to a specific attribute
+
+ Default:
+ |
+ false |
+
+ | returnCopy |
+ boolean |
+
+ This field is used only for char_buf and char_iovec types. It indicates
+that this argument should be read later (when the kretprobe for the
+symbol is triggered) because it might not be populated when the kprobe
+is triggered at the entrance of the function. For example, a buffer
+supplied to read(2) won't have content until kretprobe is triggered.
+
+ Default: false
+ |
+ false |
+
+ | sizeArgIndex |
integer |
- Position of the argument (in function prototype) to apply fhe filter to.
+ Specifies the position of the corresponding size argument for this argument.
+This field is used only for char_buf and char_iovec types.
Format: int32
Minimum: 0
|
false |
- | values |
- []string |
+ source |
+ string |
- Value to compare the argument against.
+ Source of the data, if missing the default if function arguments
|
false |
-### TracingPolicyNamespaced.spec.tracepoints[index]
-[↩ Parent](#tracingpolicynamespacedspec)
+### TracingPolicyNamespaced.spec.uprobes[index].data[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindex)
@@ -14059,65 +19003,102 @@ Only valid with the post action and with a rateLimit specified.
- | event |
- string |
+ index |
+ integer |
- Tracepoint event
+ Position of the argument.
+
+ Format: int32
+ Minimum: 0
+ |
+ true |
+
+ | type |
+ enum |
+
+ Argument type.
+
+ Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
+ Default: auto
|
true |
- | subsystem |
+ btfType |
+ string |
+
+ Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
+the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
+type.
+ |
+ false |
+
+ | label |
string |
- Tracepoint subsystem
+ Label to output in the JSON
|
- true |
+ false |
- | args |
- []object |
+ maxData |
+ boolean |
- A list of function arguments to include in the trace output.
+ Read maximum possible data (currently 327360). This field is only used
+for char_buff data. When this value is false (default), the bpf program
+will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
+supports fetching up to 327360 bytes if this flag is turned on
+
+ Default: false
|
false |
- | message |
+ resolve |
string |
- A short message of 256 characters max that will be included
-in the event output to inform users what is going on.
+ Resolve the path to a specific attribute
+
+ Default:
|
false |
- | raw |
+ returnCopy |
boolean |
- Enable raw tracepoint arguments
+ This field is used only for char_buf and char_iovec types. It indicates
+that this argument should be read later (when the kretprobe for the
+symbol is triggered) because it might not be populated when the kprobe
+is triggered at the entrance of the function. For example, a buffer
+supplied to read(2) won't have content until kretprobe is triggered.
+
+ Default: false
|
false |
- | selectors |
- []object |
+ sizeArgIndex |
+ integer |
- Selectors to apply before producing trace output. Selectors are ORed.
+ Specifies the position of the corresponding size argument for this argument.
+This field is used only for char_buf and char_iovec types.
+
+ Format: int32
+ Minimum: 0
|
false |
- | tags |
- []string |
+ source |
+ string |
- Tags to categorize the event, will be include in the event output.
-Maximum of 16 Tags are supported.
+ Source of the data, if missing the default if function arguments
|
false |
-### TracingPolicyNamespaced.spec.tracepoints[index].args[index]
-[↩ Parent](#tracingpolicynamespacedspectracepointsindex)
-
+### TracingPolicyNamespaced.spec.uprobes[index].returnArg
+[↩ Parent](#tracingpolicynamespacedspecuprobesindex)
+A return argument to include in the trace output.
@@ -14220,8 +19201,8 @@ This field is used only for char_buf and char_iovec types.
-### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index]
-[↩ Parent](#tracingpolicynamespacedspectracepointsindex)
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindex)
KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
@@ -14245,95 +19226,102 @@ Filters specified in macros will be appended to corresponding filters of the sel
false |
- | matchActions |
+ matchActions |
[]object |
A list of actions to execute when this selector matches
|
false |
- | matchArgs |
+ matchArgs |
[]object |
A list of argument filters. MatchArgs are ANDed.
|
false |
- | matchBinaries |
+ matchBinaries |
[]object |
A list of binary exec name filters.
|
false |
- | matchCapabilities |
+ matchCapabilities |
[]object |
A list of capabilities and IDs
|
false |
- | matchCapabilityChanges |
+ matchCapabilityChanges |
[]object |
IDs for capabilities changes
|
false |
- | matchData |
+ matchData |
[]object |
A list of argument filters. MatchData are ANDed.
|
false |
- | matchNamespaceChanges |
+ matchNamespaceChanges |
[]object |
IDs for namespace changes
|
false |
- | matchNamespaces |
+ matchNamespaces |
[]object |
A list of namespaces and IDs
|
false |
- | matchPIDs |
+ matchPIDs |
[]object |
A list of process ID filters. MatchPIDs are ANDed.
|
false |
- | matchParentBinaries |
+ matchParentBinaries |
[]object |
A list of process parent exec name filters.
|
false |
- | matchReturnActions |
+ matchReturnActions |
[]object |
A list of actions to execute when MatchReturnArgs selector matches
|
false |
- | matchReturnArgs |
+ matchReturnArgs |
[]object |
A list of argument filters. MatchArgs are ANDed.
|
false |
+
+ | matchWorkloads |
+ []object |
+
+ Workloads to match
+ |
+ false |
-### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchActions[index]
-[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchActions[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
@@ -14489,8 +19477,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchArgs[index]
-[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchArgs[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
@@ -14541,8 +19529,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchBinaries[index]
-[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchBinaries[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
@@ -14585,8 +19573,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchCapabilities[index]
-[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchCapabilities[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
@@ -14639,8 +19627,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchCapabilityChanges[index]
-[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchCapabilityChanges[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
@@ -14693,8 +19681,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchData[index]
-[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchData[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
@@ -14745,8 +19733,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchNamespaceChanges[index]
-[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchNamespaceChanges[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
@@ -14780,8 +19768,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchNamespaces[index]
-[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchNamespaces[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
@@ -14824,8 +19812,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchPIDs[index]
-[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchPIDs[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
@@ -14877,8 +19865,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchParentBinaries[index]
-[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchParentBinaries[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
@@ -14921,8 +19909,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchReturnActions[index]
-[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchReturnActions[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
@@ -15078,8 +20066,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchReturnArgs[index]
-[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex)
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchReturnArgs[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
@@ -15130,8 +20118,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.uprobes[index]
-[↩ Parent](#tracingpolicynamespacedspec)
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchWorkloads[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
@@ -15146,109 +20134,163 @@ Only valid with the post action and with a rateLimit specified.
- | path |
- string |
-
- Name of the traced binary
- |
- true |
-
- | addrs |
- []integer |
+ containerSelector |
+ object |
- List of the traced addresses
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
|
false |
- | args |
- []object |
+ hostSelector |
+ object |
- A list of function arguments to include in the trace output.
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
|
false |
- | btfPath |
- string |
+ podSelector |
+ object |
- path for a BTF file for the traced binary
+ PodSelector selects pods that this policy applies to
|
false |
-
- | data |
+
+
+
+
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchWorkloads[index].containerSelector
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindexmatchworkloadsindex)
+
+
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
[]object |
- A list of data to include in the trace output.
- |
- false |
-
- | message |
- string |
-
- A short message of 256 characters max that will be included
-in the event output to inform users what is going on.
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | offsets |
- []integer |
+ matchLabels |
+ map[string]string |
- List of the traced offsets
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-
- | refCtrOffsets |
- []integer |
+
+
+
+
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindexmatchworkloadsindexcontainerselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
+ string |
- List of the traced ref_ctr_offsets
+ key is the label key that the selector applies to.
|
- false |
+ true |
- | return |
- boolean |
+ operator |
+ enum |
- Indicates whether to collect return value of the traced function.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Default: false
- |
- false |
-
- | returnArg |
- object |
-
- A return argument to include in the trace output.
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
- | selectors |
- []object |
+ values |
+ []string |
- Selectors to apply before producing trace output. Selectors are ORed.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-
- | symbols |
- []string |
+
+
+
+
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchWorkloads[index].hostSelector
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindexmatchworkloadsindex)
+
+
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
- List of the traced symbols
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | tags |
- []string |
+ matchLabels |
+ map[string]string |
- Tags to categorize the event, will be include in the event output.
-Maximum of 16 Tags are supported.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicyNamespaced.spec.uprobes[index].args[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindex)
-
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindexmatchworkloadsindexhostselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -15260,99 +20302,120 @@ Maximum of 16 Tags are supported.
- | index |
- integer |
+ key |
+ string |
- Position of the argument.
-
- Format: int32
- Minimum: 0
+ key is the label key that the selector applies to.
|
true |
- | type |
+ operator |
enum |
- Argument type.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
- | btfType |
- string |
+ values |
+ []string |
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-
- | label |
- string |
+
+
+
+
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchWorkloads[index].podSelector
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindexmatchworkloadsindex)
+
+
+PodSelector selects pods that this policy applies to
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | matchExpressions |
+ []object |
- Label to output in the JSON
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | maxData |
- boolean |
+ matchLabels |
+ map[string]string |
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
-
- Default: false
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-
- | resolve |
+
+
+
+
+### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindexmatchworkloadsindexpodselector)
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | key |
string |
- Resolve the path to a specific attribute
-
- Default:
- |
- false |
-
- | returnCopy |
- boolean |
-
- This field is used only for char_buf and char_iovec types. It indicates
-that this argument should be read later (when the kretprobe for the
-symbol is triggered) because it might not be populated when the kprobe
-is triggered at the entrance of the function. For example, a buffer
-supplied to read(2) won't have content until kretprobe is triggered.
-
- Default: false
+ key is the label key that the selector applies to.
|
- false |
+ true |
- | sizeArgIndex |
- integer |
+ operator |
+ enum |
- Specifies the position of the corresponding size argument for this argument.
-This field is used only for char_buf and char_iovec types.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Format: int32
- Minimum: 0
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
- | source |
- string |
+ values |
+ []string |
- Source of the data, if missing the default if function arguments
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-### TracingPolicyNamespaced.spec.uprobes[index].data[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindex)
+### TracingPolicyNamespaced.spec.usdts[index]
+[↩ Parent](#tracingpolicynamespacedspec)
@@ -15367,102 +20430,72 @@ This field is used only for char_buf and char_iovec types.
- | index |
- integer |
-
- Position of the argument.
-
- Format: int32
- Minimum: 0
- |
- true |
-
- | type |
- enum |
+ name |
+ string |
- Argument type.
-
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Usdt name
|
true |
- | btfType |
+ path |
string |
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
+ Name of the traced binary
|
- false |
+ true |
- | label |
+ provider |
string |
- Label to output in the JSON
+ Usdt provider name
|
- false |
+ true |
- | maxData |
- boolean |
+ args |
+ []object |
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
-
- Default: false
+ A list of function arguments to include in the trace output.
|
false |
- | resolve |
+ btfPath |
string |
- Resolve the path to a specific attribute
-
- Default:
+ path for a BTF file for the traced binary
|
false |
- | returnCopy |
- boolean |
+ message |
+ string |
- This field is used only for char_buf and char_iovec types. It indicates
-that this argument should be read later (when the kretprobe for the
-symbol is triggered) because it might not be populated when the kprobe
-is triggered at the entrance of the function. For example, a buffer
-supplied to read(2) won't have content until kretprobe is triggered.
-
- Default: false
+ A short message of 256 characters max that will be included
+in the event output to inform users what is going on.
|
false |
- | sizeArgIndex |
- integer |
+ selectors |
+ []object |
- Specifies the position of the corresponding size argument for this argument.
-This field is used only for char_buf and char_iovec types.
-
- Format: int32
- Minimum: 0
+ Selectors to apply before producing trace output. Selectors are ORed.
|
false |
-
- | source |
- string |
+
+ | tags |
+ []string |
- Source of the data, if missing the default if function arguments
+ Tags to categorize the event, will be include in the event output.
+Maximum of 16 Tags are supported.
|
false |
-### TracingPolicyNamespaced.spec.uprobes[index].returnArg
-[↩ Parent](#tracingpolicynamespacedspecuprobesindex)
+### TracingPolicyNamespaced.spec.usdts[index].args[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindex)
+
-A return argument to include in the trace output.
@@ -15565,8 +20598,8 @@ This field is used only for char_buf and char_iovec types.
-### TracingPolicyNamespaced.spec.uprobes[index].selectors[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindex)
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindex)
KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
@@ -15590,95 +20623,102 @@ Filters specified in macros will be appended to corresponding filters of the sel
false |
- | matchActions |
+ matchActions |
[]object |
A list of actions to execute when this selector matches
|
false |
- | matchArgs |
+ matchArgs |
[]object |
A list of argument filters. MatchArgs are ANDed.
|
false |
- | matchBinaries |
+ matchBinaries |
[]object |
A list of binary exec name filters.
|
false |
- | matchCapabilities |
+ matchCapabilities |
[]object |
A list of capabilities and IDs
|
false |
- | matchCapabilityChanges |
+ matchCapabilityChanges |
[]object |
IDs for capabilities changes
|
false |
- | matchData |
+ matchData |
[]object |
A list of argument filters. MatchData are ANDed.
|
false |
- | matchNamespaceChanges |
+ matchNamespaceChanges |
[]object |
IDs for namespace changes
|
false |
- | matchNamespaces |
+ matchNamespaces |
[]object |
A list of namespaces and IDs
|
false |
- | matchPIDs |
+ matchPIDs |
[]object |
A list of process ID filters. MatchPIDs are ANDed.
|
false |
- | matchParentBinaries |
+ matchParentBinaries |
[]object |
A list of process parent exec name filters.
|
false |
- | matchReturnActions |
+ matchReturnActions |
[]object |
A list of actions to execute when MatchReturnArgs selector matches
|
false |
- | matchReturnArgs |
+ matchReturnArgs |
[]object |
A list of argument filters. MatchArgs are ANDed.
|
false |
+
+ | matchWorkloads |
+ []object |
+
+ Workloads to match
+ |
+ false |
-### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchActions[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchActions[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
@@ -15825,221 +20865,17 @@ Only valid with the post action and with a rateLimit specified.
false |
| userStackTrace |
- boolean |
-
- Enable user stack trace export. Only valid with the post action.
- |
- false |
-
-
-
-
-### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchArgs[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
-
- Filter operation.
-
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
- |
- true |
-
- | args |
- []integer |
-
- Position of the operator arguments (in spec file) to apply fhe filter to.
- |
- false |
-
- | index |
- integer |
-
- Position of the argument (in function prototype) to apply fhe filter to.
-
- Format: int32
- Minimum: 0
- |
- false |
-
- | values |
- []string |
-
- Value to compare the argument against.
- |
- false |
-
-
-
-
-### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchBinaries[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
-
- Filter operation.
-
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
- |
- true |
-
- | values |
- []string |
-
- Value to compare the argument against.
- |
- true |
-
- | followChildren |
- boolean |
-
- In addition to binaries, match children processes of specified binaries.
-
- Default: false
- |
- false |
-
-
-
-
-### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchCapabilities[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
-
- Namespace selector operator.
-
- Enum: In, NotIn
- |
- true |
-
- | values |
- []string |
-
- Capabilities to match.
- |
- true |
-
- | isNamespaceCapability |
- boolean |
-
- Indicates whether these caps are namespace caps.
-
- Default: false
- |
- false |
-
- | type |
- enum |
-
- Type of capabilities
-
- Enum: Effective, Inheritable, Permitted
- Default: Effective
- |
- false |
-
-
-
-
-### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchCapabilityChanges[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
-
- Namespace selector operator.
-
- Enum: In, NotIn
- |
- true |
-
- | values |
- []string |
-
- Capabilities to match.
- |
- true |
-
- | isNamespaceCapability |
- boolean |
-
- Indicates whether these caps are namespace caps.
-
- Default: false
- |
- false |
-
- | type |
- enum |
-
- Type of capabilities
-
- Enum: Effective, Inheritable, Permitted
- Default: Effective
+ | boolean |
+
+ Enable user stack trace export. Only valid with the post action.
|
false |
-### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchData[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchArgs[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
@@ -16090,8 +20926,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchNamespaceChanges[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchBinaries[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
@@ -16109,68 +20945,33 @@ Only valid with the post action and with a rateLimit specified.
operator |
enum |
- Namespace selector operator.
+ Filter operation.
- Enum: In, NotIn
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
|
true |
| values |
[]string |
- Namespace types (e.g., Mnt, Pid) to match.
- |
- true |
-
-
-
-
-### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchNamespaces[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | namespace |
- enum |
-
- Namespace selector name.
-
- Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
+ Value to compare the argument against.
|
true |
- | operator |
- enum |
+ followChildren |
+ boolean |
- Namespace selector operator.
+ In addition to binaries, match children processes of specified binaries.
- Enum: In, NotIn
- |
- true |
-
- | values |
- []string |
-
- Namespace IDs (or host_ns for host namespace) of namespaces to match.
+ Default: false
|
- true |
+ false |
-### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchPIDs[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchCapabilities[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
@@ -16188,42 +20989,43 @@ Only valid with the post action and with a rateLimit specified.
operator |
enum |
- PID selector operator.
+ Namespace selector operator.
Enum: In, NotIn
|
true |
| values |
- []integer |
+ []string |
- Process IDs to match.
+ Capabilities to match.
|
true |
- | followForks |
+ isNamespaceCapability |
boolean |
- Matches any descendant processes of the matching PIDs.
+ Indicates whether these caps are namespace caps.
Default: false
|
false |
- | isNamespacePID |
- boolean |
+ type |
+ enum |
- Indicates whether PIDs are namespace PIDs.
+ Type of capabilities
- Default: false
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
|
false |
-### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchParentBinaries[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchCapabilityChanges[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
@@ -16241,190 +21043,43 @@ Only valid with the post action and with a rateLimit specified.
operator |
enum |
- Filter operation.
+ Namespace selector operator.
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ Enum: In, NotIn
|
true |
| values |
[]string |
- Value to compare the argument against.
+ Capabilities to match.
|
true |
- | followChildren |
+ isNamespaceCapability |
boolean |
- In addition to binaries, match children processes of specified binaries.
+ Indicates whether these caps are namespace caps.
Default: false
|
false |
-
-
-
-
-### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchReturnActions[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | action |
- enum |
-
- Action to execute.
-NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
-be removed in version 1.5.
-
- Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
- |
- true |
-
- | argError |
- integer |
-
- error value for override action
-
- Format: int32
- |
- false |
-
- | argFd |
- integer |
-
- An arg index for the fd for fdInstall action
-
- Format: int32
- |
- false |
-
- | argFqdn |
- string |
-
- A FQDN to lookup for the dnsLookup action
- |
- false |
-
- | argIndex |
- integer |
-
- An arg index for the set action
-
- Format: int32
- |
- false |
-
- | argName |
- integer |
-
- An arg index for the filename for fdInstall action
-
- Format: int32
- |
- false |
-
- | argRegs |
- []string |
-
- An arg value for the regs action
- |
- false |
-
- | argSig |
- integer |
-
- A signal number for signal action
-
- Format: int32
- |
- false |
-
- | argSock |
- integer |
-
- An arg index for the sock for trackSock and untrackSock actions
-
- Format: int32
- |
- false |
-
- | argUrl |
- string |
-
- A URL for the getUrl action
- |
- false |
- | argValue |
- integer |
+ type |
+ enum |
- An arg value for the set action
+ Type of capabilities
- Format: int32
- |
- false |
-
- | imaHash |
- boolean |
-
- Enable collection of file hashes from integrity subsystem.
-Only valid with the post action.
- |
- false |
-
- | kernelStackTrace |
- boolean |
-
- Enable kernel stack trace export. Only valid with the post action.
- |
- false |
-
- | rateLimit |
- string |
-
- A time period within which repeated messages will not be posted. Can be
-specified in seconds (default or with 's' suffix), minutes ('m' suffix)
-or hours ('h' suffix). Only valid with the post action.
- |
- false |
-
- | rateLimitScope |
- string |
-
- The scope of the provided rate limit argument. Can be "thread" (default),
-"process" (all threads for the same process), or "global". If "thread" is
-selected then rate limiting applies per thread; if "process" is selected
-then rate limiting applies per process; if "global" is selected then rate
-limiting applies regardless of which process or thread caused the action.
-Only valid with the post action and with a rateLimit specified.
- |
- false |
-
- | userStackTrace |
- boolean |
-
- Enable user stack trace export. Only valid with the post action.
+ Enum: Effective, Inheritable, Permitted
+ Default: Effective
|
false |
-### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchReturnArgs[index]
-[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex)
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchData[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
@@ -16475,8 +21130,8 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.usdts[index]
-[↩ Parent](#tracingpolicynamespacedspec)
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchNamespaceChanges[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
@@ -16491,69 +21146,27 @@ Only valid with the post action and with a rateLimit specified.
- | name |
- string |
-
- Usdt name
- |
- true |
-
- | path |
- string |
-
- Name of the traced binary
- |
- true |
-
- | provider |
- string |
+ operator |
+ enum |
- Usdt provider name
+ Namespace selector operator.
+
+ Enum: In, NotIn
|
true |
- | args |
- []object |
-
- A list of function arguments to include in the trace output.
- |
- false |
-
- | btfPath |
- string |
-
- path for a BTF file for the traced binary
- |
- false |
-
- | message |
- string |
-
- A short message of 256 characters max that will be included
-in the event output to inform users what is going on.
- |
- false |
-
- | selectors |
- []object |
-
- Selectors to apply before producing trace output. Selectors are ORed.
- |
- false |
-
- | tags |
+ values |
[]string |
- Tags to categorize the event, will be include in the event output.
-Maximum of 16 Tags are supported.
+ Namespace types (e.g., Mnt, Pid) to match.
|
- false |
+ true |
-### TracingPolicyNamespaced.spec.usdts[index].args[index]
-[↩ Parent](#tracingpolicynamespacedspecusdtsindex)
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchNamespaces[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
@@ -16568,103 +21181,39 @@ Maximum of 16 Tags are supported.
- | index |
- integer |
+ namespace |
+ enum |
- Position of the argument.
+ Namespace selector name.
- Format: int32
- Minimum: 0
+ Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
|
true |
- | type |
+ operator |
enum |
- Argument type.
+ Namespace selector operator.
- Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
- Default: auto
+ Enum: In, NotIn
|
true |
- | btfType |
- string |
-
- Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
-the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
-type.
- |
- false |
-
- | label |
- string |
-
- Label to output in the JSON
- |
- false |
-
- | maxData |
- boolean |
-
- Read maximum possible data (currently 327360). This field is only used
-for char_buff data. When this value is false (default), the bpf program
-will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
-supports fetching up to 327360 bytes if this flag is turned on
-
- Default: false
- |
- false |
-
- | resolve |
- string |
-
- Resolve the path to a specific attribute
-
- Default:
- |
- false |
-
- | returnCopy |
- boolean |
-
- This field is used only for char_buf and char_iovec types. It indicates
-that this argument should be read later (when the kretprobe for the
-symbol is triggered) because it might not be populated when the kprobe
-is triggered at the entrance of the function. For example, a buffer
-supplied to read(2) won't have content until kretprobe is triggered.
-
- Default: false
- |
- false |
-
- | sizeArgIndex |
- integer |
-
- Specifies the position of the corresponding size argument for this argument.
-This field is used only for char_buf and char_iovec types.
-
- Format: int32
- Minimum: 0
- |
- false |
-
- | source |
- string |
+ values |
+ []string |
- Source of the data, if missing the default if function arguments
+ Namespace IDs (or host_ns for host namespace) of namespaces to match.
|
- false |
+ true |
-### TracingPolicyNamespaced.spec.usdts[index].selectors[index]
-[↩ Parent](#tracingpolicynamespacedspecusdtsindex)
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchPIDs[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
+
-KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The
-results of MatchPIDs and MatchArgs are ANDed.
@@ -16676,102 +21225,88 @@ results of MatchPIDs and MatchArgs are ANDed.
- | macros |
- []string |
-
- A list of macros names, defined in spec.selectorsMacros.
-Filters specified in macros will be appended to corresponding filters of the selector.
- |
- false |
-
- | matchActions |
- []object |
-
- A list of actions to execute when this selector matches
- |
- false |
-
- | matchArgs |
- []object |
-
- A list of argument filters. MatchArgs are ANDed.
- |
- false |
-
- | matchBinaries |
- []object |
-
- A list of binary exec name filters.
- |
- false |
-
- | matchCapabilities |
- []object |
-
- A list of capabilities and IDs
- |
- false |
-
- | matchCapabilityChanges |
- []object |
-
- IDs for capabilities changes
- |
- false |
-
- | matchData |
- []object |
+ operator |
+ enum |
- A list of argument filters. MatchData are ANDed.
+ PID selector operator.
+
+ Enum: In, NotIn
|
- false |
+ true |
- | matchNamespaceChanges |
- []object |
+ values |
+ []integer |
- IDs for namespace changes
+ Process IDs to match.
|
- false |
+ true |
- | matchNamespaces |
- []object |
+ followForks |
+ boolean |
- A list of namespaces and IDs
+ Matches any descendant processes of the matching PIDs.
+
+ Default: false
|
false |
- | matchPIDs |
- []object |
+ isNamespacePID |
+ boolean |
- A list of process ID filters. MatchPIDs are ANDed.
+ Indicates whether PIDs are namespace PIDs.
+
+ Default: false
|
false |
-
- | matchParentBinaries |
- []object |
+
+
+
+
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchParentBinaries[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
+
+
+
+
+
+
+
+ | Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ | operator |
+ enum |
- A list of process parent exec name filters.
+ Filter operation.
+
+ Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
|
- false |
+ true |
- | matchReturnActions |
- []object |
+ values |
+ []string |
- A list of actions to execute when MatchReturnArgs selector matches
+ Value to compare the argument against.
|
- false |
+ true |
- | matchReturnArgs |
- []object |
+ followChildren |
+ boolean |
- A list of argument filters. MatchArgs are ANDed.
+ In addition to binaries, match children processes of specified binaries.
+
+ Default: false
|
false |
-### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchActions[index]
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchReturnActions[index]
[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
@@ -16928,7 +21463,7 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchArgs[index]
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchReturnArgs[index]
[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
@@ -16980,51 +21515,7 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchBinaries[index]
-[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
-
- Filter operation.
-
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
- |
- true |
-
- | values |
- []string |
-
- Value to compare the argument against.
- |
- true |
-
- | followChildren |
- boolean |
-
- In addition to binaries, match children processes of specified binaries.
-
- Default: false
- |
- false |
-
-
-
-
-### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchCapabilities[index]
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchWorkloads[index]
[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
@@ -17040,103 +21531,44 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
-
- Namespace selector operator.
-
- Enum: In, NotIn
- |
- true |
-
- | values |
- []string |
-
- Capabilities to match.
- |
- true |
-
- | isNamespaceCapability |
- boolean |
-
- Indicates whether these caps are namespace caps.
-
- Default: false
- |
- false |
-
- | type |
- enum |
+ containerSelector |
+ object |
- Type of capabilities
-
- Enum: Effective, Inheritable, Permitted
- Default: Effective
+ ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
|
false |
-
-
-
-
-### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchCapabilityChanges[index]
-[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
-
- Namespace selector operator.
-
- Enum: In, NotIn
- |
- true |
-
- | values |
- []string |
-
- Capabilities to match.
- |
- true |
- | isNamespaceCapability |
- boolean |
+ hostSelector |
+ object |
- Indicates whether these caps are namespace caps.
+ HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
- Default: false
+ Validations:!has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
|
false |
- | type |
- enum |
+ podSelector |
+ object |
- Type of capabilities
-
- Enum: Effective, Inheritable, Permitted
- Default: Effective
+ PodSelector selects pods that this policy applies to
|
false |
-### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchData[index]
-[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchWorkloads[index].containerSelector
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindexmatchworkloadsindex)
+ContainerSelector selects containers that this policy applies to.
+A map of container fields will be constructed in the same way as a map of labels.
+The name of the field represents the label "key", and the value of the field - label "value".
+Currently, only the "name" field is supported.
@@ -17148,82 +21580,31 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
-
- Filter operation.
-
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
- |
- true |
-
- | args |
- []integer |
-
- Position of the operator arguments (in spec file) to apply fhe filter to.
- |
- false |
-
- | index |
- integer |
+ matchExpressions |
+ []object |
- Position of the argument (in function prototype) to apply fhe filter to.
-
- Format: int32
- Minimum: 0
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | values |
- []string |
+ matchLabels |
+ map[string]string |
- Value to compare the argument against.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchNamespaceChanges[index]
-[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
-
-
-
-
-
-
-
- | Name |
- Type |
- Description |
- Required |
-
-
-
- | operator |
- enum |
-
- Namespace selector operator.
-
- Enum: In, NotIn
- |
- true |
-
- | values |
- []string |
-
- Namespace types (e.g., Mnt, Pid) to match.
- |
- true |
-
-
-
-
-### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchNamespaces[index]
-[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindexmatchworkloadsindexcontainerselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -17235,39 +21616,42 @@ Only valid with the post action and with a rateLimit specified.
- | namespace |
- enum |
+ key |
+ string |
- Namespace selector name.
-
- Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
+ key is the label key that the selector applies to.
|
true |
| operator |
enum |
- Namespace selector operator.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: In, NotIn
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
| values |
[]string |
- Namespace IDs (or host_ns for host namespace) of namespaces to match.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
- true |
+ false |
-### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchPIDs[index]
-[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchWorkloads[index].hostSelector
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindexmatchworkloadsindex)
+HostSelector selects hosts that this policy applies to.
+For now only ~ (none) and {} (all) is supported.
@@ -17279,48 +21663,31 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
-
- PID selector operator.
-
- Enum: In, NotIn
- |
- true |
-
- | values |
- []integer |
-
- Process IDs to match.
- |
- true |
-
- | followForks |
- boolean |
+ matchExpressions |
+ []object |
- Matches any descendant processes of the matching PIDs.
-
- Default: false
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | isNamespacePID |
- boolean |
+ matchLabels |
+ map[string]string |
- Indicates whether PIDs are namespace PIDs.
-
- Default: false
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchParentBinaries[index]
-[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindexmatchworkloadsindexhostselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -17332,39 +21699,41 @@ Only valid with the post action and with a rateLimit specified.
+ | key |
+ string |
+
+ key is the label key that the selector applies to.
+ |
+ true |
+
| operator |
enum |
- Filter operation.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
+ Enum: In, NotIn, Exists, DoesNotExist
|
true |
| values |
[]string |
- Value to compare the argument against.
- |
- true |
-
- | followChildren |
- boolean |
-
- In addition to binaries, match children processes of specified binaries.
-
- Default: false
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
-### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchReturnActions[index]
-[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchWorkloads[index].podSelector
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindexmatchworkloadsindex)
+PodSelector selects pods that this policy applies to
@@ -17376,152 +21745,31 @@ Only valid with the post action and with a rateLimit specified.
- | action |
- enum |
-
- Action to execute.
-NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
-be removed in version 1.5.
-
- Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
- |
- true |
-
- | argError |
- integer |
-
- error value for override action
-
- Format: int32
- |
- false |
-
- | argFd |
- integer |
-
- An arg index for the fd for fdInstall action
-
- Format: int32
- |
- false |
-
- | argFqdn |
- string |
-
- A FQDN to lookup for the dnsLookup action
- |
- false |
-
- | argIndex |
- integer |
-
- An arg index for the set action
-
- Format: int32
- |
- false |
-
- | argName |
- integer |
-
- An arg index for the filename for fdInstall action
-
- Format: int32
- |
- false |
-
- | argRegs |
- []string |
-
- An arg value for the regs action
- |
- false |
-
- | argSig |
- integer |
-
- A signal number for signal action
-
- Format: int32
- |
- false |
-
- | argSock |
- integer |
-
- An arg index for the sock for trackSock and untrackSock actions
-
- Format: int32
- |
- false |
-
- | argUrl |
- string |
-
- A URL for the getUrl action
- |
- false |
-
- | argValue |
- integer |
-
- An arg value for the set action
-
- Format: int32
- |
- false |
-
- | imaHash |
- boolean |
-
- Enable collection of file hashes from integrity subsystem.
-Only valid with the post action.
- |
- false |
-
- | kernelStackTrace |
- boolean |
-
- Enable kernel stack trace export. Only valid with the post action.
- |
- false |
-
- | rateLimit |
- string |
-
- A time period within which repeated messages will not be posted. Can be
-specified in seconds (default or with 's' suffix), minutes ('m' suffix)
-or hours ('h' suffix). Only valid with the post action.
- |
- false |
-
- | rateLimitScope |
- string |
+ matchExpressions |
+ []object |
- The scope of the provided rate limit argument. Can be "thread" (default),
-"process" (all threads for the same process), or "global". If "thread" is
-selected then rate limiting applies per thread; if "process" is selected
-then rate limiting applies per process; if "global" is selected then rate
-limiting applies regardless of which process or thread caused the action.
-Only valid with the post action and with a rateLimit specified.
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
false |
- | userStackTrace |
- boolean |
+ matchLabels |
+ map[string]string |
- Enable user stack trace export. Only valid with the post action.
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
|
false |
-### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchReturnArgs[index]
-[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex)
-
+### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index]
+[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindexmatchworkloadsindexpodselector)
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
@@ -17533,36 +21781,30 @@ Only valid with the post action and with a rateLimit specified.
- | operator |
- enum |
+ key |
+ string |
- Filter operation.
-
- Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
+ key is the label key that the selector applies to.
|
true |
- | args |
- []integer |
-
- Position of the operator arguments (in spec file) to apply fhe filter to.
- |
- false |
-
- | index |
- integer |
+ operator |
+ enum |
- Position of the argument (in function prototype) to apply fhe filter to.
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
- Format: int32
- Minimum: 0
+ Enum: In, NotIn, Exists, DoesNotExist
|
- false |
+ true |
| values |
[]string |
- Value to compare the argument against.
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
diff --git a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml
index 18cc571e525..2a02c408cbc 100644
--- a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml
+++ b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml
@@ -1117,6 +1117,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
syscall:
@@ -2198,6 +2383,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
syscall:
@@ -3011,6 +3381,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
tags:
@@ -3720,6 +4275,187 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this policy
+ applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
description: |-
SelectorsMacros is used to define selectors macros, which can be used
@@ -4491,6 +5227,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
subsystem:
@@ -5520,6 +6441,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
symbols:
@@ -6311,6 +7417,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
tags:
diff --git a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml
index fb3884d06ef..1ccb02fb92e 100644
--- a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml
+++ b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml
@@ -1117,6 +1117,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
syscall:
@@ -2198,6 +2383,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
syscall:
@@ -3011,6 +3381,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
tags:
@@ -3720,6 +4275,187 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this policy
+ applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
description: |-
SelectorsMacros is used to define selectors macros, which can be used
@@ -4491,6 +5227,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
subsystem:
@@ -5520,6 +6441,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
symbols:
@@ -6311,6 +7417,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
tags:
diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
index 18cc571e525..2a02c408cbc 100644
--- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
+++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
@@ -1117,6 +1117,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
syscall:
@@ -2198,6 +2383,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
syscall:
@@ -3011,6 +3381,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
tags:
@@ -3720,6 +4275,187 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this policy
+ applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
description: |-
SelectorsMacros is used to define selectors macros, which can be used
@@ -4491,6 +5227,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
subsystem:
@@ -5520,6 +6441,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
symbols:
@@ -6311,6 +7417,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
tags:
diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml
index fb3884d06ef..1ccb02fb92e 100644
--- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml
+++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml
@@ -1117,6 +1117,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
syscall:
@@ -2198,6 +2383,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
syscall:
@@ -3011,6 +3381,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
tags:
@@ -3720,6 +4275,187 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this policy
+ applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
description: |-
SelectorsMacros is used to define selectors macros, which can be used
@@ -4491,6 +5227,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
subsystem:
@@ -5520,6 +6441,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
symbols:
@@ -6311,6 +7417,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
tags:
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go
index 31b8866dbc7..fa68162d573 100644
--- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go
+++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go
@@ -7,6 +7,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
ciliumio "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io"
+ slimv1 "github.com/cilium/tetragon/pkg/k8s/slim/k8s/apis/meta/v1"
)
const (
@@ -169,6 +170,9 @@ type KProbeSelector struct {
// IDs for capabilities changes
MatchCapabilityChanges []CapabilitiesSelector `json:"matchCapabilityChanges,omitempty"`
// +kubebuilder:validation:Optional
+ // Workloads to match
+ MatchWorkloads []WorkloadsSelector `json:"matchWorkloads,omitempty"`
+ // +kubebuilder:validation:Optional
// A list of macros names, defined in spec.selectorsMacros.
// Filters specified in macros will be appended to corresponding filters of the selector.
Macros []string `json:"macros,omitempty"`
@@ -210,6 +214,23 @@ type CapabilitiesSelector struct {
Values []string `json:"values"`
}
+type WorkloadsSelector struct {
+ // +kubebuilder:validation:Optional
+ // PodSelector selects pods that this policy applies to
+ PodSelector *slimv1.LabelSelector `json:"podSelector"`
+ // +kubebuilder:validation:Optional
+ // ContainerSelector selects containers that this policy applies to.
+ // A map of container fields will be constructed in the same way as a map of labels.
+ // The name of the field represents the label "key", and the value of the field - label "value".
+ // Currently, only the "name" field is supported.
+ ContainerSelector *slimv1.LabelSelector `json:"containerSelector"`
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="!has(self.matchLabels) && !has(self.matchExpressions)",message="The hostSelector should be either null or {}."
+ // HostSelector selects hosts that this policy applies to.
+ // For now only ~ (none) and {} (all) is supported.
+ HostSelector *slimv1.LabelSelector `json:"hostSelector"`
+}
+
type PIDSelector struct {
// +kubebuilder:validation:Enum=In;NotIn
// PID selector operator.
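Review bot: The three WorkloadsSelector fields are marked `+kubebuilder:validation:Optional` but their JSON tags lack `omitempty`, unlike the other optional fields in this file (`matchCapabilityChanges,omitempty`, `matchWorkloads,omitempty`, `macros,omitempty`), so a marshalled selector will emit `"podSelector": null` for every unset pointer. Unless the null form is relied on elsewhere, `json:"podSelector,omitempty"`, `json:"containerSelector,omitempty"` and `json:"hostSelector,omitempty"` would keep the struct consistent with its siblings. The struct's own doc comment is also missing; one line such as `// WorkloadsSelector restricts a selector to the pods/containers/hosts matched by its label selectors.` would help readers of the generated CRD.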
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/pkg/k8s/apis/cilium.io/v1alpha1/version.go
index c0bdaf4bb35..60f5715bd46 100644
--- a/pkg/k8s/apis/cilium.io/v1alpha1/version.go
+++ b/pkg/k8s/apis/cilium.io/v1alpha1/version.go
@@ -7,4 +7,4 @@ package v1alpha1
// Used to determine if CRD needs to be updated in cluster
//
// Developers: Bump patch for each change in the CRD schema.
-const CustomResourceDefinitionSchemaVersion = "1.8.1"
+const CustomResourceDefinitionSchemaVersion = "1.8.2"
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go b/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
index 6ce246ee1b2..35bf6abe9bc 100644
--- a/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
@@ -224,6 +224,13 @@ func (in *KProbeSelector) DeepCopyInto(out *KProbeSelector) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
+ if in.MatchWorkloads != nil {
+ in, out := &in.MatchWorkloads, &out.MatchWorkloads
+ *out = make([]WorkloadsSelector, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
if in.Macros != nil {
in, out := &in.Macros, &out.Macros
*out = make([]string, len(*in))
@@ -900,3 +907,33 @@ func (in *WorkloadObjectMeta) DeepCopy() *WorkloadObjectMeta {
in.DeepCopyInto(out)
return out
}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadsSelector) DeepCopyInto(out *WorkloadsSelector) {
+ *out = *in
+ if in.PodSelector != nil {
+ in, out := &in.PodSelector, &out.PodSelector
+ *out = new(v1.LabelSelector)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.ContainerSelector != nil {
+ in, out := &in.ContainerSelector, &out.ContainerSelector
+ *out = new(v1.LabelSelector)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.HostSelector != nil {
+ in, out := &in.HostSelector, &out.HostSelector
+ *out = new(v1.LabelSelector)
+ (*in).DeepCopyInto(*out)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadsSelector.
+func (in *WorkloadsSelector) DeepCopy() *WorkloadsSelector {
+ if in == nil {
+ return nil
+ }
+ out := new(WorkloadsSelector)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/pkg/policyfilter/nok8s.go b/pkg/policyfilter/nok8s.go
index 61635f8582b..592c958957d 100644
--- a/pkg/policyfilter/nok8s.go
+++ b/pkg/policyfilter/nok8s.go
@@ -10,6 +10,7 @@ import (
"fmt"
"sync"
+ slimv1 "github.com/cilium/tetragon/pkg/k8s/slim/k8s/apis/meta/v1"
"github.com/cilium/tetragon/pkg/labels"
"github.com/cilium/tetragon/pkg/option"
"github.com/cilium/tetragon/pkg/podhelpers"
@@ -53,3 +54,13 @@ func (s *State) AddPodContainer(podID PodID, namespace, workload, kind string, p
containerID string, cgID CgroupID, containerInfo podhelpers.ContainerInfo) error {
return nil
}
+
+func (s *State) AddPolicy(polID PolicyID, namespace string, podSelector *slimv1.LabelSelector,
+ containerSelector *slimv1.LabelSelector, hostSelector *slimv1.LabelSelector) error {
+ return nil
+}
+
+// for matchWorkloads
+func GetSelectorPolicyID() PolicyID {
+ return PolicyID(0)
+}
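Review bot: The nok8s stub `GetSelectorPolicyID` returns `PolicyID(0)` for every selector, and the stub `AddPolicy` records nothing, so in a nok8s build a matchWorkloads selector presumably degrades to "no workload filtering" while still writing an ID into the selector state; that behaviour is not stated anywhere. The one-line comment `// for matchWorkloads` should say so explicitly, e.g. `// GetSelectorPolicyID is a no-op in nok8s builds: every matchWorkloads selector gets PolicyID(0) and no policy is registered, so workload filtering is effectively disabled.` If silently matching everything is not the intended behaviour for a policy that asked for workload filtering, returning an error from the nok8s AddPolicy would fail closed instead.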
diff --git a/pkg/policyfilter/selectors.go b/pkg/policyfilter/selectors.go
new file mode 100644
index 00000000000..1f43e8b4cd1
--- /dev/null
+++ b/pkg/policyfilter/selectors.go
@@ -0,0 +1,14 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+//go:build !nok8s
+
+package policyfilter
+
+import "sync/atomic"
+
+var ops atomic.Uint32
+
+func GetSelectorPolicyID() PolicyID {
+ return PolicyID(ops.Add(1) + polMaxPolicies)
+}
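Review bot: `ops.Add(1) + polMaxPolicies` is evaluated in uint32, so after roughly 2^32 allocations the counter wraps and a selector ID would fall back into the range below polMaxPolicies used by regular tracing policies; IDs handed out here are also never reused after DelPolicy. That is unlikely in practice, but the offset's purpose and the non-reuse property are undocumented and the global is named `ops`, which says nothing about what it counts. Suggest renaming it to something like `selectorPolicyIDs` and adding `// GetSelectorPolicyID returns a fresh policy ID for a matchWorkloads selector, offset by polMaxPolicies so it cannot collide with tracing-policy IDs; IDs are never reused.`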
diff --git a/pkg/selectors/helpers.go b/pkg/selectors/helpers.go
new file mode 100644
index 00000000000..3ea03a79f92
--- /dev/null
+++ b/pkg/selectors/helpers.go
@@ -0,0 +1,15 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package selectors
+
+import slimv1 "github.com/cilium/tetragon/pkg/k8s/slim/k8s/apis/meta/v1"
+
+func MatchAllLabelSelector(s *slimv1.LabelSelector) bool {
+ all := &slimv1.LabelSelector{}
+ return all.DeepEqual(s)
+}
+
+func MatchNothingLabelSelector(s *slimv1.LabelSelector) bool {
+ return s == nil
+}
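Review bot: Both exported helpers lack the doc comment Go's linters expect, and the meaning of "match all" versus "match nothing" (an explicit `{}` selector versus an absent one) is exactly the distinction callers in kernel.go and k8s.go rely on, so it deserves to be written down. Suggest `// MatchAllLabelSelector reports whether s is a non-nil selector with no labels and no expressions, i.e. an explicit {} that matches everything.` and `// MatchNothingLabelSelector reports whether s is absent (nil), which callers treat as "no selector given".` `MatchAllLabelSelector` also allocates a fresh LabelSelector on every call; the expression the removed inline helper in k8s.go used, `return s != nil && len(s.MatchLabels)+len(s.MatchExpressions) == 0`, gives the same answers on the cases in helpers_test.go without the allocation, if the DeepEqual semantics are not needed for other reasons.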
diff --git a/pkg/selectors/helpers_test.go b/pkg/selectors/helpers_test.go
new file mode 100644
index 00000000000..be710ec24d0
--- /dev/null
+++ b/pkg/selectors/helpers_test.go
@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package selectors
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+
+ slimv1 "github.com/cilium/tetragon/pkg/k8s/slim/k8s/apis/meta/v1"
+)
+
+func TestMatchAll(t *testing.T) {
+ assert.True(t, MatchAllLabelSelector(&slimv1.LabelSelector{}))
+ assert.True(t, MatchAllLabelSelector(&slimv1.LabelSelector{
+ MatchLabels: map[string]slimv1.MatchLabelsValue{},
+ }))
+ assert.True(t, MatchAllLabelSelector(&slimv1.LabelSelector{
+ MatchExpressions: []slimv1.LabelSelectorRequirement{},
+ }))
+ assert.True(t, MatchAllLabelSelector(&slimv1.LabelSelector{
+ MatchLabels: map[string]slimv1.MatchLabelsValue{},
+ MatchExpressions: []slimv1.LabelSelectorRequirement{},
+ }))
+ assert.False(t, MatchAllLabelSelector(nil))
+ assert.False(t, MatchAllLabelSelector(&slimv1.LabelSelector{
+ MatchLabels: map[string]slimv1.MatchLabelsValue{
+ "a": "b",
+ },
+ }))
+ assert.False(t, MatchAllLabelSelector(&slimv1.LabelSelector{
+ MatchExpressions: []slimv1.LabelSelectorRequirement{
+ {
+ Key: "a",
+ Operator: "In",
+ Values: []string{
+ "b",
+ },
+ },
+ },
+ }))
+ assert.False(t, MatchAllLabelSelector(&slimv1.LabelSelector{
+ MatchLabels: map[string]slimv1.MatchLabelsValue{
+ "a": "b",
+ },
+ MatchExpressions: []slimv1.LabelSelectorRequirement{
+ {
+ Key: "a",
+ Operator: "In",
+ Values: []string{
+ "b",
+ },
+ },
+ },
+ }))
+
+}
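Review bot: The new test file exercises only MatchAllLabelSelector; MatchNothingLabelSelector, which the kernel.go and k8s.go paths use to decide whether to substitute a match-all selector, has no test at all. Two assertions would cover its contract: `assert.True(t, MatchNothingLabelSelector(nil))` and `assert.False(t, MatchNothingLabelSelector(&slimv1.LabelSelector{}))`. The stray blank line before the closing brace of TestMatchAll can also be dropped.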
diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go
index e91f6a10359..0989fbf00b5 100644
--- a/pkg/selectors/kernel.go
+++ b/pkg/selectors/kernel.go
@@ -24,9 +24,11 @@ import (
"github.com/cilium/tetragon/pkg/config"
gt "github.com/cilium/tetragon/pkg/generictypes"
"github.com/cilium/tetragon/pkg/idtable"
+ slimv1 "github.com/cilium/tetragon/pkg/k8s/slim/k8s/apis/meta/v1"
"github.com/cilium/tetragon/pkg/kernels"
"github.com/cilium/tetragon/pkg/mbset"
"github.com/cilium/tetragon/pkg/option"
+ "github.com/cilium/tetragon/pkg/policyfilter"
"github.com/cilium/tetragon/pkg/reader/namespace"
"github.com/cilium/tetragon/pkg/reader/network"
)
@@ -1263,6 +1265,59 @@ func ParseMatchAction(k *KernelSelectorState, action *v1alpha1.ActionSelector, a
return nil
}
+func ParseMatchWorkloads(k *KernelSelectorState, workloads []v1alpha1.WorkloadsSelector, selIdx int) error {
+ if len(workloads) > 1 {
+ return errors.New("only a single selector under matchWorkloads is supported")
+ }
+ if len(workloads) == 0 {
+ return nil
+ }
+
+ state, err := policyfilter.GetState()
+ if err != nil {
+ return fmt.Errorf("parseMatchWorkloads: failed to get policyfilter state: %w", err)
+ }
+
+ podSelector := workloads[0].PodSelector
+ containerSelector := workloads[0].ContainerSelector
+ hostSelector := workloads[0].HostSelector
+
+ // If the user specifies a podSelector but doesn't specify a containerSelector,
+ // we assume that the user cares for all containers inside the pods that match.
+ if podSelector != nil && MatchNothingLabelSelector(containerSelector) {
+ containerSelector = &slimv1.LabelSelector{}
+ }
+
+ // If the user specifies a containerSelector but doesn't specify a podSelector,
+ // we assume that the user cares for containers that match inside all pods.
+ if containerSelector != nil && MatchNothingLabelSelector(podSelector) {
+ podSelector = &slimv1.LabelSelector{}
+ }
+
+ // The user explicitly defined all podSelector, containerSelector, and hostSelector
+ // to be {}. This will match everything and for this reason we should not use
+ // a policyfilter at all.
+ if MatchAllLabelSelector(podSelector) && MatchAllLabelSelector(containerSelector) && MatchAllLabelSelector(hostSelector) {
+ return nil
+ }
+
+ // This covers the "special" case where all of podSelector, containerSelector, hostSelector
+ // are nil (default). In that case we match everything so no need to apply a policyfilter.
+ if MatchNothingLabelSelector(podSelector) && MatchNothingLabelSelector(containerSelector) && MatchNothingLabelSelector(hostSelector) {
+ return nil
+ }
+
+ selPolId := policyfilter.GetSelectorPolicyID()
+ err = state.AddPolicy(selPolId, "", podSelector, containerSelector, hostSelector)
+ if err != nil {
+ return fmt.Errorf("parseMatchWorkloads: failed to add policy: %w", err)
+ }
+
+ k.matchWorkloadIDs[selIdx] = selPolId
+
+ return nil
+}
+
func ParseMatchActions(k *KernelSelectorState, actions []v1alpha1.ActionSelector, actionArgTable *idtable.Table) error {
if len(actions) > 3 {
return fmt.Errorf("only %d actions are support for selector (current number of values is %d)", 3, len(actions))
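Review bot: The normalisation and match-all/match-nothing logic in ParseMatchWorkloads (substituting `{}` for a missing pod or container selector, then the two early returns) duplicates the block in k8s.go's updatePolicyFilter in this same commit, so the two decision paths can drift apart; a shared helper in pkg/selectors that takes the three selectors and reports "no filter needed" plus the normalised selectors would keep them identical. The function also has no doc comment; something like `// ParseMatchWorkloads registers a policyfilter policy for the selector's matchWorkloads entry and records its ID under selIdx; selectors that match everything register nothing.` would also make it explicit that the early returns intentionally leave matchWorkloadIDs unset. Note that the policy is registered with policyfilter before the caller has finished building the selector state, so a later parse failure leaves it registered unless the caller cleans up (see InitKernelSelectorState).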
@@ -1695,6 +1750,9 @@ func InitKernelSelectorState(args *KernelSelectorArgs) (*KernelSelectorState, er
if err := ParseMatchArgs(k, selector.MatchArgs, selector.MatchData, args.Args, args.Data); err != nil {
return fmt.Errorf("parseMatchArgs error: %w", err)
}
+ if err := ParseMatchWorkloads(k, selector.MatchWorkloads, selIdx); err != nil {
+ return fmt.Errorf("parseMatchWorkloads error: %w", err)
+ }
if err := ParseMatchActions(k, selector.MatchActions, args.ActionArgTable); err != nil {
return fmt.Errorf("parseMatchActions error: %w", err)
}
@@ -1732,6 +1790,19 @@ func CleanupKernelSelectorState(state *KernelSelectorState) error {
errs = errors.Join(errs, err)
}
}
+
+ s, err := policyfilter.GetState()
+ if err != nil {
+ errs = errors.Join(errs, err)
+ return errs
+ }
+
+ for _, polID := range state.MatchWorkloadIDs() {
+ if err := s.DelPolicy(polID); err != nil {
+ errs = errors.Join(errs, err)
+ }
+ }
+
return errs
}
diff --git a/pkg/selectors/selectors.go b/pkg/selectors/selectors.go
index b25751360ee..1b8e42e7d4c 100644
--- a/pkg/selectors/selectors.go
+++ b/pkg/selectors/selectors.go
@@ -11,6 +11,7 @@ import (
"github.com/cilium/tetragon/pkg/api/processapi"
"github.com/cilium/tetragon/pkg/kernels"
+ "github.com/cilium/tetragon/pkg/policyfilter"
)
type KernelLPMTrie4 struct {
@@ -138,6 +139,8 @@ type KernelSelectorState struct {
subStrs []string
celExprFunctions *CelExprFunctions
+
+ matchWorkloadIDs map[int]policyfilter.PolicyID
}
func NewKernelSelectorState(
@@ -159,6 +162,7 @@ func NewKernelSelectorState(
maps: maps,
isUprobe: isUprobe,
celExprFunctions: celExprs,
+ matchWorkloadIDs: make(map[int]policyfilter.PolicyID),
}
}
@@ -174,6 +178,10 @@ func (k KernelSelectorState) MatchBinariesPaths() map[int][][processapi.BINARY_P
return k.matchBinariesPaths
}
+func (k KernelSelectorState) MatchWorkloadIDs() map[int]policyfilter.PolicyID {
+ return k.matchWorkloadIDs
+}
+
func (k *KernelSelectorState) WriteMatchBinariesPath(selectorID int, path string) {
var bytePath [processapi.BINARY_PATH_MAX_LEN]byte
copy(bytePath[:], path)
diff --git a/pkg/sensors/k8s.go b/pkg/sensors/k8s.go
index 52473605c8a..a71620c7c1b 100644
--- a/pkg/sensors/k8s.go
+++ b/pkg/sensors/k8s.go
@@ -10,6 +10,7 @@ import (
slimv1 "github.com/cilium/tetragon/pkg/k8s/slim/k8s/apis/meta/v1"
"github.com/cilium/tetragon/pkg/policyfilter"
+ "github.com/cilium/tetragon/pkg/selectors"
"github.com/cilium/tetragon/pkg/tracingpolicy"
)
@@ -38,29 +39,23 @@ func (h *handler) updatePolicyFilter(tp tracingpolicy.TracingPolicy, tpID uint64
// If the user specifies a podSelector but don't specify a containerSelector,
// we assume that the user cares for all containers inside the pods that match.
- if podSelector != nil && containerSelector == nil {
+ if podSelector != nil && selectors.MatchNothingLabelSelector(containerSelector) {
containerSelector = &slimv1.LabelSelector{}
}
// If the user specifies a containerSelector but don't specify a podSelector,
// we assume that the user cares for containers that match inside all pods.
- if containerSelector != nil && podSelector == nil {
+ if containerSelector != nil && selectors.MatchNothingLabelSelector(podSelector) {
podSelector = &slimv1.LabelSelector{}
}
// This is the case where all of podSelector, containerSelector, hostSelector are excplicitly defined to be {}.
// In that case we match everything so no need to apply a policyfilter.
- matchAll := func(s *slimv1.LabelSelector) bool {
- return (s != nil && (len(s.MatchLabels)+len(s.MatchExpressions) == 0))
- }
- globalSelectorsMatchAll := matchAll(podSelector) && matchAll(containerSelector) && matchAll(hostSelector)
+ globalSelectorsMatchAll := selectors.MatchAllLabelSelector(podSelector) && selectors.MatchAllLabelSelector(containerSelector) && selectors.MatchAllLabelSelector(hostSelector)
// This covers the "special" case where all of podSelector, containerSelector, hostSelector are nil (default).
// In that case we match everything so no need to apply a policyfilter.
- matchNothing := func(s *slimv1.LabelSelector) bool {
- return s == nil
- }
- globalSelectorsMatchNothing := matchNothing(podSelector) && matchNothing(containerSelector) && matchNothing(hostSelector)
+ globalSelectorsMatchNothing := selectors.MatchNothingLabelSelector(podSelector) && selectors.MatchNothingLabelSelector(containerSelector) && selectors.MatchNothingLabelSelector(hostSelector)
// we do not call AddPolicy unless filtering is actually needed. This
// means that if policyfilter is disabled
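Review bot: The rewritten conditions on the `podSelector != nil && ...` and `containerSelector != nil && ...` lines, and the two conjunctions that now build `globalSelectorsMatchAll` and `globalSelectorsMatchNothing`, preserve behaviour only if `selectors.MatchNothingLabelSelector` is exactly the `s == nil` test of the removed closure and `selectors.MatchAllLabelSelector` the non-nil-and-empty test; that is presumably the case since the closures were lifted into a package, but the equivalence is not visible in this hunk, and a small unit test pinning both helpers on `nil`, `&slimv1.LabelSelector{}` and a non-empty selector would guard it against drift. The two single-line conjunctions are also long enough to hide an operand; writing them one operand per line, e.g. `globalSelectorsMatchAll := selectors.MatchAllLabelSelector(podSelector) &&` followed by the container and host operands on their own lines, keeps the three-way AND readable. updatePolicyFilter continues outside the hunk.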
diff --git a/pkg/sensors/tracing/generickprobe.go b/pkg/sensors/tracing/generickprobe.go
index d30f0c5c9e9..760140898d8 100644
--- a/pkg/sensors/tracing/generickprobe.go
+++ b/pkg/sensors/tracing/generickprobe.go
@@ -1040,6 +1040,9 @@ func createKprobeSensorFromEntry(polInfo *policyInfo, kprobeEntry *genericKprobe
filterMap := program.MapBuilderProgram("filter_map", load)
maps = append(maps, filterMap)
+ workloadsMap := program.MapBuilderProgram("workloads_map", load)
+ maps = append(maps, workloadsMap)
+
if has.selector {
maps = append(maps, createSelectorMaps(load, getProgramSelector(load, kprobeEntry))...)
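Review bot: The `workloads_map` builder added here is repeated verbatim in createLsmSensorFromEntry, createGenericTracepointSensor, createUprobeSensorFromEntry and createMultiUsdtSensor, while the only loader for that map sits next to the other selector maps in selectorsMaploads; if createSelectorMaps is where the remaining selector-scoped maps are built, returning `program.MapBuilderProgram("workloads_map", load)` from it once would keep the five sensors from drifting apart. The map is built even for policies that use no matchWorkloads, which mirrors `filter_map` and looks harmless, since an empty map leaves the BPF-side lookup failing and the selector matching any workload, but that permissive default is not stated anywhere at these call sites; a one-line comment such as `// workloads_map: per-selector policy id for matchWorkloads; left empty when no selector uses it` would make the intent explicit. The enclosing function continues outside the hunk.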
diff --git a/pkg/sensors/tracing/genericlsm.go b/pkg/sensors/tracing/genericlsm.go
index 41733236678..0ac170fb519 100644
--- a/pkg/sensors/tracing/genericlsm.go
+++ b/pkg/sensors/tracing/genericlsm.go
@@ -593,6 +593,9 @@ func createLsmSensorFromEntry(polInfo *policyInfo, lsmEntry *genericLsm,
filterMap := program.MapBuilderProgram("filter_map", load)
maps = append(maps, filterMap)
+ workloadsMap := program.MapBuilderProgram("workloads_map", load)
+ maps = append(maps, workloadsMap)
+
maps = append(maps, createSelectorMaps(load, lsmEntry.selectors)...)
callHeap := program.MapBuilderProgram("process_call_heap", load)
diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go
index c28cf675199..7df3209a2bf 100644
--- a/pkg/sensors/tracing/generictracepoint.go
+++ b/pkg/sensors/tracing/generictracepoint.go
@@ -649,6 +649,9 @@ func createGenericTracepointSensor(
filterMap := program.MapBuilderProgram("filter_map", prog0)
maps = append(maps, filterMap)
+ workloadsMap := program.MapBuilderProgram("workloads_map", prog0)
+ maps = append(maps, workloadsMap)
+
maps = append(maps, createSelectorMaps(prog0, tp.selectors)...)
if has.enforcer {
diff --git a/pkg/sensors/tracing/genericuprobe.go b/pkg/sensors/tracing/genericuprobe.go
index 880c1249fcb..eb5af9aa16d 100644
--- a/pkg/sensors/tracing/genericuprobe.go
+++ b/pkg/sensors/tracing/genericuprobe.go
@@ -1029,8 +1029,9 @@ func createUprobeSensorFromEntry(polInfo *policyInfo, uprobeEntry *genericUprobe
filterMap := program.MapBuilderProgram("filter_map", load)
retProbe := program.MapBuilderSensor("retprobe_map", load)
selMatchBinariesMap := program.MapBuilderProgram("tg_mb_sel_opts", load)
+ workloadsMap := program.MapBuilderProgram("workloads_map", load)
- maps = append(maps, configMap, tailCalls, filterMap, selMatchBinariesMap, retProbe)
+ maps = append(maps, configMap, tailCalls, filterMap, selMatchBinariesMap, retProbe, workloadsMap)
maps = append(maps, createSelectorMaps(load, getUprobeProgramSelector(load, uprobeEntry))...)
if has.substring {
diff --git a/pkg/sensors/tracing/genericusdt.go b/pkg/sensors/tracing/genericusdt.go
index 564a9094a79..37efccb167a 100644
--- a/pkg/sensors/tracing/genericusdt.go
+++ b/pkg/sensors/tracing/genericusdt.go
@@ -194,8 +194,9 @@ func createMultiUsdtSensor(
configMap := program.MapBuilderProgram("config_map", load)
tailCalls := program.MapBuilderProgram("usdt_calls", load)
filterMap := program.MapBuilderProgram("filter_map", load)
+ workloadsMap := program.MapBuilderProgram("workloads_map", load)
- maps = append(maps, configMap, tailCalls, filterMap)
+ maps = append(maps, configMap, tailCalls, filterMap, workloadsMap)
filterMap.SetMaxEntries(len(multiIDs))
configMap.SetMaxEntries(len(multiIDs))
diff --git a/pkg/sensors/tracing/kprobe_test.go b/pkg/sensors/tracing/kprobe_test.go
index 7febe7cfff0..dacd30cdd62 100644
--- a/pkg/sensors/tracing/kprobe_test.go
+++ b/pkg/sensors/tracing/kprobe_test.go
@@ -5022,7 +5022,7 @@ func TestLoadKprobeSensor(t *testing.T) {
{Name: "config_map", Progs: []uint{0, 1, 2, 5}},
// generic_kprobe_event
- {Name: "tg_conf_map", Progs: []uint{0, 2, 6, 10}},
+ {Name: "tg_conf_map", Progs: []uint{0, 2, 4, 6, 10}},
// shared with base sensor
{Name: "execve_map", Progs: []uint{4, 5, 6, 7, 9}},
@@ -5091,10 +5091,10 @@ func TestLoadKprobeSensor(t *testing.T) {
sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_rb_events", Progs: []uint{2, 6, 11}})
// generic_kprobe_event
- sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 2, 6, 11}})
+ sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 2, 4, 6, 11}})
} else {
// generic_kprobe_event
- sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}})
+ sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 4}})
}
} else {
sensorProgs = append(sensorProgs, tus.SensorProg{Name: "generic_kprobe_process_event_2", Type: ebpf.Kprobe})
@@ -5117,7 +5117,7 @@ func TestLoadKprobeSensor(t *testing.T) {
sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tcpmon_map", Progs: []uint{6, 11}})
// generic_kprobe_event
- sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}})
+ sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 4}})
// generic_retkprobe_event
sensorMaps = append(sensorMaps, tus.SensorMap{Name: "retkprobe_calls", Progs: []uint{8, 9, 10, 14}})
diff --git a/pkg/sensors/tracing/lsm_test.go b/pkg/sensors/tracing/lsm_test.go
index 2b4b43eb926..b2bfe0f1602 100644
--- a/pkg/sensors/tracing/lsm_test.go
+++ b/pkg/sensors/tracing/lsm_test.go
@@ -72,7 +72,7 @@ func TestLSMObjectLoad(t *testing.T) {
{Name: "config_map", Progs: []uint{0, 1, 2, 5}},
// generic_lsm_event
- {Name: "tg_conf_map", Progs: []uint{0, 2, 6}},
+ {Name: "tg_conf_map", Progs: []uint{0, 2, 4, 6}},
// shared with base sensor
{Name: "execve_map", Progs: []uint{4, 5, 6}},
@@ -118,10 +118,10 @@ func TestLSMObjectLoad(t *testing.T) {
}
// generic_lsm_event
if config.EnableV511Progs() {
- sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 2, 6}})
+ sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 2, 4, 6}})
sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_rb_events", Progs: []uint{2, 6}})
} else {
- sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}})
+ sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 4}})
}
}
diff --git a/pkg/sensors/tracing/selectors.go b/pkg/sensors/tracing/selectors.go
index 55585a6de65..120b1a3a965 100644
--- a/pkg/sensors/tracing/selectors.go
+++ b/pkg/sensors/tracing/selectors.go
@@ -109,6 +109,19 @@ func selectorsMaploads(ks *selectors.KernelSelectorState, index uint32) []*progr
},
},
}
+ if len(ks.MatchWorkloadIDs()) > 0 {
+ maps = append(maps, &program.MapLoad{
+ Name: "workloads_map",
+ Load: func(m *ebpf.Map, _ string) error {
+ for selID, polID := range ks.MatchWorkloadIDs() {
+ if err := m.Update(uint32(selID), polID, ebpf.UpdateAny); err != nil {
+ return err
+ }
+ }
+ return nil
+ },
+ })
+ }
if kernels.MinKernelVersion("5.11") {
maps = append(maps, []*program.MapLoad{
{
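Review bot: The `Load` closure calls `ks.MatchWorkloadIDs()` a second time inside the loop after the guard has already fetched it; binding the result once, `if ids := ks.MatchWorkloadIDs(); len(ids) > 0 {` and `for selID, polID := range ids {`, avoids building the map twice per load and makes the closure independent of later changes to the accessor. `m.Update(uint32(selID), polID, ebpf.UpdateAny)` relies on `policyfilter.PolicyID` being a 4-byte value and on every `selID` fitting in a `__u32`, which matches the BPF map's key and value types as far as I can tell but is only detected at load time as an Update error; a comment stating both expectations next to the call would help the next person who changes either type. Because the map is skipped when no selector carries matchWorkloads, a comment on the guard, `// Only loaded when some selector has matchWorkloads; a selector without an entry is treated by the BPF side as matching any workload.`, would document that permissive default. selectorsMaploads continues outside the hunk.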
diff --git a/pkg/sensors/tracing/tracepoint_test.go b/pkg/sensors/tracing/tracepoint_test.go
index 6febaa76685..f4171d581d1 100644
--- a/pkg/sensors/tracing/tracepoint_test.go
+++ b/pkg/sensors/tracing/tracepoint_test.go
@@ -463,10 +463,10 @@ func TestLoadTracepointSensor(t *testing.T) {
sensorMaps = append(sensorMaps, tus.SensorMap{Name: "buffer_heap_map", Progs: []uint{2, 3}})
if config.EnableV511Progs() {
- sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 5}})
+ sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 3, 5}})
sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_rb_events", Progs: []uint{5}})
} else {
- sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}})
+ sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 3}})
}
} else {
sensorProgs = append(sensorProgs, tus.SensorProg{Name: "generic_tracepoint_process_event_2", Type: ebpf.TracePoint})
@@ -490,7 +490,7 @@ func TestLoadTracepointSensor(t *testing.T) {
// only generic_tracepoint_event*
sensorMaps = append(sensorMaps, tus.SensorMap{Name: "buffer_heap_map", Progs: []uint{2, 6}})
- sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}})
+ sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 3}})
}
readHook := `
diff --git a/pkg/sensors/tracing/uprobe_test.go b/pkg/sensors/tracing/uprobe_test.go
index cc150e98a00..4385ee396a9 100644
--- a/pkg/sensors/tracing/uprobe_test.go
+++ b/pkg/sensors/tracing/uprobe_test.go
@@ -76,7 +76,7 @@ func TestLoadUprobeSensor(t *testing.T) {
{Name: "tg_rb_events", Progs: []uint{6}},
// generic_uprobe_event
- {Name: "tg_conf_map", Progs: []uint{0, 6}},
+ {Name: "tg_conf_map", Progs: []uint{0, 4, 6}},
// shared with base sensor
{Name: "execve_map", Progs: []uint{4, 5, 6}},
@@ -113,10 +113,10 @@ func TestLoadUprobeSensor(t *testing.T) {
sensorMaps = append(sensorMaps, tus.SensorMap{Name: "filter_map", Progs: []uint{3, 4, 5}})
if config.EnableV511Progs() {
- sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 6}})
+ sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 4, 6}})
sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_rb_events", Progs: []uint{6}})
} else {
- sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}})
+ sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 4}})
}
} else {
sensorProgs = append(sensorProgs, tus.SensorProg{Name: "generic_uprobe_process_event_2", Type: ebpf.Kprobe})
@@ -130,7 +130,7 @@ func TestLoadUprobeSensor(t *testing.T) {
// shared with base sensor
sensorMaps = append(sensorMaps, tus.SensorMap{Name: "execve_map", Progs: []uint{4}})
- sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}})
+ sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 4}})
// generic_uprobe_process_filter,generic_uprobe_filter_arg*,generic_uprobe_actions
sensorMaps = append(sensorMaps, tus.SensorMap{Name: "filter_map", Progs: []uint{3, 4, 5, 9}})
diff --git a/pkg/sensors/tracing/usdt_test.go b/pkg/sensors/tracing/usdt_test.go
index 440c375c04d..eaa7d7fc468 100644
--- a/pkg/sensors/tracing/usdt_test.go
+++ b/pkg/sensors/tracing/usdt_test.go
@@ -69,7 +69,7 @@ func TestUsdtLoadSensor(t *testing.T) {
{Name: "tg_rb_events", Progs: []uint{2, 6}},
// generic_usdt_event
- {Name: "tg_conf_map", Progs: []uint{0, 2, 6}},
+ {Name: "tg_conf_map", Progs: []uint{0, 2, 4, 6}},
// shared with base sensor
{Name: "execve_map", Progs: []uint{4, 5, 6}},
@@ -107,10 +107,10 @@ func TestUsdtLoadSensor(t *testing.T) {
// shared with base sensor
sensorMaps = append(sensorMaps, tus.SensorMap{Name: "execve_map", Progs: []uint{4, 5, 6}})
if config.EnableV511Progs() {
- sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 2, 6}})
+ sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 2, 4, 6}})
sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_rb_events", Progs: []uint{2, 6}})
} else {
- sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}})
+ sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 4}})
}
} else {
// shared with base sensor
diff --git a/tests/e2e/tests/policyfilter/policyfilter_test.go b/tests/e2e/tests/policyfilter/policyfilter_test.go
index a593bfec3e8..59c770966aa 100644
--- a/tests/e2e/tests/policyfilter/policyfilter_test.go
+++ b/tests/e2e/tests/policyfilter/policyfilter_test.go
@@ -25,6 +25,7 @@ import (
"github.com/cilium/tetragon/tests/e2e/checker"
"github.com/cilium/tetragon/tests/e2e/helpers"
"github.com/cilium/tetragon/tests/e2e/helpers/grpc"
+ e2e "github.com/cilium/tetragon/tests/e2e/install/tetragon"
"github.com/cilium/tetragon/tests/e2e/runners"
)
@@ -62,11 +63,23 @@ var (
// - check that we only receive events from the matching container
containerSelectorNamespace = "nsfield"
- testNamespaces = []string{otherNamespace, policyNamespace, podlblNamespace, containerSelectorNamespace}
+ // for the matchWorkloads test, we:
+ // - create a namespaces
+ // - start a pod with 2 containers: one is named passwd and reads /etc/passwd and one is named shadow and reads /etc/shadow
+ // - install a policy for monitoring file operations with two selectors, one for each of the containers
+ // - check that we get events from both containers on different files
+ fileNamespace = "file-ns"
+
+ testNamespaces = []string{otherNamespace, policyNamespace, podlblNamespace, containerSelectorNamespace, fileNamespace}
)
func TestMain(m *testing.M) {
- runner = runners.NewRunner().Init()
+ runner = runners.NewRunner().WithInstallTetragon(e2e.WithHelmOptions(map[string]string{
+ "tetragon.exportAllowList": "",
+ "tetragon.enablePolicyFilter": "true",
+ "tetragon.rthooks.enabled": "true",
+ "tetragon.rthooks.interface": "nri-hook",
+ })).Init()
// Here we ensure our test namespace doesn't already exist then create it.
runner.Setup(func(ctx context.Context, c *envconf.Config) (context.Context, error) {
@@ -632,3 +645,212 @@ func TestContainerFieldRepoFilters(t *testing.T) {
checker := containerSelectorRepoChecker().WithTimeLimit(30 * time.Second).WithEventLimit(20)
testContainerFieldFilters(t, checker, containerSelectorRepoPolicy, "debian-container-syscalls", ubuntuPodL4)
}
+
+const matchWorkloadsPolicy = `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: "file-match-workloads"
+spec:
+ kprobes:
+ - call: "security_file_permission"
+ syscall: false
+ return: true
+ args:
+ - index: 0
+ type: "file" # (struct file *) used for getting the path
+ - index: 1
+ type: "int" # 0x04 is MAY_READ, 0x02 is MAY_WRITE
+ returnArg:
+ index: 0
+ type: "int"
+ selectors:
+ - matchArgs:
+ - index: 0
+ operator: "Prefix"
+ values:
+ - "/etc/passwd"
+ - index: 1
+ operator: "Equal"
+ values:
+ - "4" # MAY_READ
+ matchWorkloads:
+ - containerSelector:
+ matchExpressions:
+ - key: "name"
+ operator: In
+ values:
+ - "passwd"
+ - matchArgs:
+ - index: 0
+ operator: "Prefix"
+ values:
+ - "/etc/shadow"
+ - index: 1
+ operator: "Equal"
+ values:
+ - "4" # MAY_READ
+ matchWorkloads:
+ - containerSelector:
+ matchExpressions:
+ - key: "name"
+ operator: In
+ values:
+ - "shadow"
+`
+
+const ubuntuFilePod = `
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: ubuntu-file
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: "ubuntu-file"
+ template:
+ metadata:
+ labels:
+ app: "ubuntu-file"
+ spec:
+ containers:
+ - name: passwd
+ image: ubuntu:20.04
+ imagePullPolicy: IfNotPresent
+ command: ["bash"]
+ args: ["-c", "while sleep 1; do cat /etc/passwd; done"]
+ - name: shadow
+ image: ubuntu:20.04
+ imagePullPolicy: IfNotPresent
+ command: ["bash"]
+ args: ["-c", "while sleep 1; do cat /etc/shadow; done"]
+`
+
+func matchWorkloadsChecker() *checker.RPCChecker {
+ return checker.NewRPCChecker(&matchWorkloadsFileChecker{}, "policyfilter-match-workloads-checker")
+}
+
+type matchWorkloadsFileChecker struct {
+ matchesShadow int
+ matchesPasswd int
+}
+
+func (cfc *matchWorkloadsFileChecker) Done() bool {
+ return cfc.matchesPasswd > 0 && cfc.matchesShadow > 0
+}
+
+func (cfc *matchWorkloadsFileChecker) NextEventCheck(event ec.Event, _ *slog.Logger) (bool, error) {
+ // ignore non-trace point events
+ ev, ok := event.(*tetragon.ProcessKprobe)
+ if !ok {
+ return false, errors.New("not a kprobe")
+ }
+
+ // ignore other kprobes
+ if ev.GetFunctionName() != "security_file_permission" {
+ return false, fmt.Errorf("not security_file_permission kprobe (%s instead)", ev.GetFunctionName())
+ }
+
+ // ignore other tracing policies
+ if ev.GetPolicyName() != "file-match-workloads" {
+ return false, fmt.Errorf("not file-match-workloads (%s instead)", ev.GetPolicyName())
+ }
+
+ // check that we have the correct number of args
+ args := ev.GetArgs()
+ if len(args) == 0 {
+ return true, fmt.Errorf("unexpected event %+v withn not arguments", ev)
+ }
+
+ arg := args[0].GetFileArg()
+ container := ev.GetProcess().GetPod().GetContainer()
+
+ switch arg.Path {
+ case "/etc/passwd":
+ if container.Name == "passwd" {
+ cfc.matchesPasswd++
+ return cfc.Done(), nil
+ }
+ return true, fmt.Errorf("unexpected event %+v for /etc/passwd from a container with a different name than passwd", ev)
+ case "/etc/shadow":
+ if container.Name == "shadow" {
+ cfc.matchesShadow++
+ return cfc.Done(), nil
+ }
+ return true, fmt.Errorf("unexpected event %+v for /etc/shadow from a container with a different name than shadow", ev)
+ default:
+ return false, nil
+ }
+}
+
+func (cfc *matchWorkloadsFileChecker) FinalCheck(_ *slog.Logger) error {
+ if cfc.Done() {
+ return nil
+ }
+ return fmt.Errorf("match-workloads checker failed, had %d matches for /etc/passwd and %d matches for /etc/shadow", cfc.matchesPasswd, cfc.matchesShadow)
+}
+
+func TestMatchWorkloadsSelector(t *testing.T) {
+ checker := matchWorkloadsChecker().WithTimeLimit(30 * time.Second).WithEventLimit(20)
+ testMatchWorkloadsSelector(t, checker)
+}
+
+func testMatchWorkloadsSelector(t *testing.T, checker *checker.RPCChecker) {
+ runEventChecker := features.New("Run Event Checks").
+ Assess("Run Event Checks", checker.CheckWithFilters(
+ 30*time.Second,
+ // allow list
+ []*tetragon.Filter{{
+ EventSet: []tetragon.EventType{tetragon.EventType_PROCESS_KPROBE},
+ Namespace: []string{fileNamespace},
+ }},
+ // deny list
+ []*tetragon.Filter{},
+ )).Feature()
+
+ runWorkload := features.New("Match workloads test").
+ Assess("Install policy", func(ctx context.Context, _ *testing.T, c *envconf.Config) context.Context {
+ ctx, err := helpers.LoadCRDString("", matchWorkloadsPolicy, false)(ctx, c)
+ if err != nil {
+ klog.ErrorS(err, "failed to install policy")
+ t.Fail()
+ }
+ return ctx
+ }).
+ Assess("Wait for policy", func(ctx context.Context, _ *testing.T, _ *envconf.Config) context.Context {
+ if err := grpc.WaitForTracingPolicy(ctx, "file-match-workloads"); err != nil {
+ klog.ErrorS(err, "failed to wait for policy")
+ t.Fail()
+ }
+ return ctx
+ }).
+ Assess("Wait for Checker", checker.Wait(30*time.Second)).
+ Assess("Start pods", func(ctx context.Context, _ *testing.T, c *envconf.Config) context.Context {
+ ctx, err := helpers.LoadCRDString(fileNamespace, ubuntuFilePod, true)(ctx, c)
+ if err != nil {
+ klog.ErrorS(err, "failed to load pod")
+ t.Fail()
+ }
+ return ctx
+ }).
+ Assess("Uninstall policy", func(ctx context.Context, _ *testing.T, c *envconf.Config) context.Context {
+ ctx, err := helpers.UnloadCRDString("", matchWorkloadsPolicy, false)(ctx, c)
+ if err != nil {
+ klog.ErrorS(err, "failed to uninstall policy")
+ t.Fail()
+ }
+ return ctx
+ }).
+ Assess("Stop pods", func(ctx context.Context, _ *testing.T, c *envconf.Config) context.Context {
+ ctx, err := helpers.UnloadCRDString(fileNamespace, ubuntuFilePod, true)(ctx, c)
+ if err != nil {
+ klog.ErrorS(err, "failed to uninstall pod")
+ t.Fail()
+ }
+ return ctx
+ }).
+ Feature()
+
+ runner.TestInParallel(t, runWorkload, runEventChecker)
+}
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
index 18cc571e525..2a02c408cbc 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml
@@ -1117,6 +1117,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
syscall:
@@ -2198,6 +2383,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
syscall:
@@ -3011,6 +3381,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
tags:
@@ -3720,6 +4275,187 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this policy
+ applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
description: |-
SelectorsMacros is used to define selectors macros, which can be used
@@ -4491,6 +5227,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
subsystem:
@@ -5520,6 +6441,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
symbols:
@@ -6311,6 +7417,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
tags:
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml
index fb3884d06ef..1ccb02fb92e 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml
@@ -1117,6 +1117,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
syscall:
@@ -2198,6 +2383,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
syscall:
@@ -3011,6 +3381,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
tags:
@@ -3720,6 +4275,187 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this policy
+ applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the value
+ from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
description: |-
SelectorsMacros is used to define selectors macros, which can be used
@@ -4491,6 +5227,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
subsystem:
@@ -5520,6 +6441,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
symbols:
@@ -6311,6 +7417,191 @@ spec:
- operator
type: object
type: array
+ matchWorkloads:
+ description: Workloads to match
+ items:
+ properties:
+ containerSelector:
+ description: |-
+ ContainerSelector selects containers that this policy applies to.
+ A map of container fields will be constructed in the same way as a map of labels.
+ The name of the field represents the label "key", and the value of the field - label "value".
+ Currently, only the "name" field is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ hostSelector:
+ description: |-
+ HostSelector selects hosts that this policy applies to.
+ For now only ~ (none) and {} (all) is supported.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ x-kubernetes-validations:
+ - message: The hostSelector should be either null
+ or {}.
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)'
+ podSelector:
+ description: PodSelector selects pods that this
+ policy applies to
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ enum:
+ - In
+ - NotIn
+ - Exists
+ - DoesNotExist
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ description: MatchLabelsValue represents the
+ value from the MatchLabels {key,value} pair.
+ maxLength: 63
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
type: object
type: array
tags:
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go
index 31b8866dbc7..fa68162d573 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go
@@ -7,6 +7,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
ciliumio "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io"
+ slimv1 "github.com/cilium/tetragon/pkg/k8s/slim/k8s/apis/meta/v1"
)
const (
@@ -169,6 +170,9 @@ type KProbeSelector struct {
// IDs for capabilities changes
MatchCapabilityChanges []CapabilitiesSelector `json:"matchCapabilityChanges,omitempty"`
// +kubebuilder:validation:Optional
+ // Workloads to match
+ MatchWorkloads []WorkloadsSelector `json:"matchWorkloads,omitempty"`
+ // +kubebuilder:validation:Optional
// A list of macros names, defined in spec.selectorsMacros.
// Filters specified in macros will be appended to corresponding filters of the selector.
Macros []string `json:"macros,omitempty"`
@@ -210,6 +214,23 @@ type CapabilitiesSelector struct {
Values []string `json:"values"`
}
+type WorkloadsSelector struct {
+ // +kubebuilder:validation:Optional
+ // PodSelector selects pods that this policy applies to
+ PodSelector *slimv1.LabelSelector `json:"podSelector"`
+ // +kubebuilder:validation:Optional
+ // ContainerSelector selects containers that this policy applies to.
+ // A map of container fields will be constructed in the same way as a map of labels.
+ // The name of the field represents the label "key", and the value of the field - label "value".
+ // Currently, only the "name" field is supported.
+ ContainerSelector *slimv1.LabelSelector `json:"containerSelector"`
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="!has(self.matchLabels) && !has(self.matchExpressions)",message="The hostSelector should be either null or {}."
+ // HostSelector selects hosts that this policy applies to.
+ // For now only ~ (none) and {} (all) is supported.
+ HostSelector *slimv1.LabelSelector `json:"hostSelector"`
+}
+
type PIDSelector struct {
// +kubebuilder:validation:Enum=In;NotIn
// PID selector operator.
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go
index c0bdaf4bb35..60f5715bd46 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go
@@ -7,4 +7,4 @@ package v1alpha1
// Used to determine if CRD needs to be updated in cluster
//
// Developers: Bump patch for each change in the CRD schema.
-const CustomResourceDefinitionSchemaVersion = "1.8.1"
+const CustomResourceDefinitionSchemaVersion = "1.8.2"
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
index 6ce246ee1b2..35bf6abe9bc 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go
@@ -224,6 +224,13 @@ func (in *KProbeSelector) DeepCopyInto(out *KProbeSelector) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
+ if in.MatchWorkloads != nil {
+ in, out := &in.MatchWorkloads, &out.MatchWorkloads
+ *out = make([]WorkloadsSelector, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
if in.Macros != nil {
in, out := &in.Macros, &out.Macros
*out = make([]string, len(*in))
@@ -900,3 +907,33 @@ func (in *WorkloadObjectMeta) DeepCopy() *WorkloadObjectMeta {
in.DeepCopyInto(out)
return out
}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WorkloadsSelector) DeepCopyInto(out *WorkloadsSelector) {
+ *out = *in
+ if in.PodSelector != nil {
+ in, out := &in.PodSelector, &out.PodSelector
+ *out = new(v1.LabelSelector)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.ContainerSelector != nil {
+ in, out := &in.ContainerSelector, &out.ContainerSelector
+ *out = new(v1.LabelSelector)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.HostSelector != nil {
+ in, out := &in.HostSelector, &out.HostSelector
+ *out = new(v1.LabelSelector)
+ (*in).DeepCopyInto(*out)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadsSelector.
+func (in *WorkloadsSelector) DeepCopy() *WorkloadsSelector {
+ if in == nil {
+ return nil
+ }
+ out := new(WorkloadsSelector)
+ in.DeepCopyInto(out)
+ return out
+}