From ecb106c38524b294afa76d7d8d936f536f6f3d75 Mon Sep 17 00:00:00 2001 From: Anastasios Papagiannis Date: Wed, 22 Apr 2026 09:30:38 +0300 Subject: [PATCH 1/7] Add CRD for matchWorkloads selector Example: apiVersion: cilium.io/v1alpha1 kind: TracingPolicy metadata: name: "file-monitoring-filtered" spec: kprobes: - call: "security_file_permission" syscall: false return: true args: - index: 0 type: "file" # (struct file *) used for getting the path - index: 1 type: "int" # 0x04 is MAY_READ, 0x02 is MAY_WRITE returnArg: index: 0 type: "int" selectors: - matchArgs: - index: 0 operator: "Prefix" values: - "/etc/shadow" - index: 1 operator: "Equal" values: - "2" # MAY_WRITE matchWorkloads: # match only host workloads - hostSelector: {} - matchArgs: - index: 0 operator: "Prefix" values: - "/etc/shadow" - index: 1 operator: "Equal" values: - "4" # MAY_READ matchWorkloads: # match host workloads and pods inside "kube-system" namespace - hostSelector: {} podSelector: matchExpressions: - key: "k8s:io.kubernetes.pod.namespace" operator: In values: - "kube-system" This will allow us to do fine-grained workload selection inside a single tracing policy. Signed-off-by: Anastasios Papagiannis --- .../crds-yaml/cilium.io_tracingpolicies.yaml | 1291 +++++++++++++++++ .../cilium.io_tracingpoliciesnamespaced.yaml | 1291 +++++++++++++++++ .../v1alpha1/cilium.io_tracingpolicies.yaml | 1291 +++++++++++++++++ .../cilium.io_tracingpoliciesnamespaced.yaml | 1291 +++++++++++++++++ pkg/k8s/apis/cilium.io/v1alpha1/types.go | 21 + pkg/k8s/apis/cilium.io/v1alpha1/version.go | 2 +- .../v1alpha1/zz_generated.deepcopy.go | 37 + .../v1alpha1/cilium.io_tracingpolicies.yaml | 1291 +++++++++++++++++ .../cilium.io_tracingpoliciesnamespaced.yaml | 1291 +++++++++++++++++ .../pkg/k8s/apis/cilium.io/v1alpha1/types.go | 21 + .../k8s/apis/cilium.io/v1alpha1/version.go | 2 +- .../v1alpha1/zz_generated.deepcopy.go | 37 + 12 files changed, 7864 insertions(+), 2 deletions(-) 
diff --git a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml index 18cc571e525..2a02c408cbc 100644 --- a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml +++ b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml 
@@ -1117,6 +1117,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array syscall: 
@@ -2198,6 +2383,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array syscall: 
@@ -3011,6 +3381,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array tags: 
@@ -3720,6 +4275,187 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null or {}. 
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this policy + applies to + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object description: |- SelectorsMacros is used to define selectors macros, which can be used 
@@ -4491,6 +5227,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array subsystem: 
@@ -5520,6 +6441,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array symbols: 
@@ -6311,6 +7417,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array tags: 
diff --git a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml index fb3884d06ef..1ccb02fb92e 100644 --- a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml +++ b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml 
@@ -1117,6 +1117,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array syscall: 
@@ -2198,6 +2383,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array syscall: 
@@ -3011,6 +3381,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array tags: 
@@ -3720,6 +4275,187 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null or {}. 
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this policy + applies to + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object description: |- SelectorsMacros is used to define selectors macros, which can be used 
@@ -4491,6 +5227,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array subsystem: 
@@ -5520,6 +6441,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array symbols: 
@@ -6311,6 +7417,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array tags: 
diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index 18cc571e525..2a02c408cbc 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml 
@@ -1117,6 +1117,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array syscall: 
@@ -2198,6 +2383,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array syscall: 
@@ -3011,6 +3381,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array tags: 
@@ -3720,6 +4275,187 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null or {}. 
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this policy + applies to + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object description: |- SelectorsMacros is used to define selectors macros, which can be used 
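Review bot: The new `matchWorkloads` item schema carries no `x-kubernetes-validations` of its own, so an element that sets none of `containerSelector`, `hostSelector` or `podSelector` (a bare `{}`) is accepted by the API server, while the description `Workloads to match` does not say whether such an element, or one that sets both `hostSelector` and `podSelector` as the commit-message example does, matches everything, nothing, or the union. Because this list decides which processes a kprobe selector applies to, an accepted-but-meaningless entry is the kind of policy misconfiguration that is better rejected at admission than discovered at runtime, assuming an empty entry is not meant to be valid. These files are controller-gen output, so the fix belongs on the Go type in types.go (outside this chunk) as a marker such as `// +kubebuilder:validation:XValidation:rule="has(self.containerSelector) || has(self.hostSelector) || has(self.podSelector)",message="a matchWorkloads entry must set at least one selector"`, mirroring the `hostSelector` rule already emitted above, and the field's doc comment should state how multiple entries and multiple selectors within one entry combine. The same generated schema repeats in every other `matchWorkloads` hunk of this file and of cilium.io_tracingpoliciesnamespaced.yaml, so a single marker regenerates all of them.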
@@ -4491,6 +5227,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array subsystem: 
@@ -5520,6 +6441,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array symbols: 
@@ -6311,6 +7417,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array tags: 
diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index fb3884d06ef..1ccb02fb92e 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml 
@@ -1117,6 +1117,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array syscall: 
@@ -2198,6 +2383,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array syscall: 
@@ -3011,6 +3381,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array tags: 
@@ -3720,6 +4275,187 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null or {}. 
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this policy + applies to + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object description: |- SelectorsMacros is used to define selectors macros, which can be used 
@@ -4491,6 +5227,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array subsystem: 
@@ -5520,6 +6441,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array symbols: 
@@ -6311,6 +7417,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array tags: 
diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 31b8866dbc7..fa68162d573 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -7,6 +7,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ciliumio "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io" + slimv1 "github.com/cilium/tetragon/pkg/k8s/slim/k8s/apis/meta/v1" ) const ( @@ -169,6 +170,9 @@ type KProbeSelector struct { // IDs for capabilities changes MatchCapabilityChanges []CapabilitiesSelector `json:"matchCapabilityChanges,omitempty"` // +kubebuilder:validation:Optional + // Workloads to match + MatchWorkloads []WorkloadsSelector `json:"matchWorkloads,omitempty"` + // +kubebuilder:validation:Optional // A list of macros names, defined in spec.selectorsMacros. // Filters specified in macros will be appended to corresponding filters of the selector. Macros []string `json:"macros,omitempty"` 
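Review bot: The comment on the new `MatchWorkloads` field, `// Workloads to match`, leaves undocumented the two things a policy author has to know: how the entries of the list combine, and how the `podSelector`, `containerSelector` and `hostSelector` inside one entry combine (the latter applies equally to the `WorkloadsSelector` definition in the following hunk). The commit message's second example places `hostSelector: {}` and a `podSelector` in the same entry and describes it as matching hosts and kube-system pods, which reads as a disjunction within one entry rather than the AND a Kubernetes user expects from stacked selectors; whichever the agent implements decides the scope of a security policy and should be stated here rather than inferred from an example. I would expand the comment along the lines of `// Workloads to match. The selector applies when at least one entry matches; within an entry the pod, container and host selectors are combined by ...`, completing it with the actual semantics, and state explicitly what an entry with all three selectors unset matches, since admission does not reject such an entry. The KProbeSelector struct is only partly visible in this hunk.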
@@ -210,6 +214,23 @@ type CapabilitiesSelector struct { Values []string `json:"values"` } +type WorkloadsSelector struct { + // +kubebuilder:validation:Optional + // PodSelector selects pods that this policy applies to + PodSelector *slimv1.LabelSelector `json:"podSelector"` + // +kubebuilder:validation:Optional + // ContainerSelector selects containers that this policy applies to. + // A map of container fields will be constructed in the same way as a map of labels. + // The name of the field represents the label "key", and the value of the field - label "value". + // Currently, only the "name" field is supported. + ContainerSelector *slimv1.LabelSelector `json:"containerSelector"` + // +kubebuilder:validation:Optional + // +kubebuilder:validation:XValidation:rule="!has(self.matchLabels) && !has(self.matchExpressions)",message="The hostSelector should be either null or {}." + // HostSelector selects hosts that this policy applies to. + // For now only ~ (none) and {} (all) is supported. + HostSelector *slimv1.LabelSelector `json:"hostSelector"` +} + type PIDSelector struct { // +kubebuilder:validation:Enum=In;NotIn // PID selector operator. diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/pkg/k8s/apis/cilium.io/v1alpha1/version.go index c0bdaf4bb35..60f5715bd46 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/version.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/version.go @@ -7,4 +7,4 @@ package v1alpha1 // Used to determine if CRD needs to be updated in cluster // // Developers: Bump patch for each change in the CRD schema. -const CustomResourceDefinitionSchemaVersion = "1.8.1" +const CustomResourceDefinitionSchemaVersion = "1.8.2" diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go b/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go index 6ce246ee1b2..35bf6abe9bc 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go 
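Review bot: `ContainerSelector` documents that only the `name` field is supported, yet unlike `HostSelector` two fields below it carries no `XValidation` marker, so a selector keyed on anything else (or a typo of `name`) is accepted by the API server and its effect is left to the agent; for a selector that narrows where a tracing policy fires, a silently unsupported key is a scoping surprise that admission could catch. If the agent indeed matches on nothing but `name`, the mechanism already used for `HostSelector` can enforce it: `// +kubebuilder:validation:XValidation:rule="(!has(self.matchLabels) || self.matchLabels.all(k, k == 'name')) && (!has(self.matchExpressions) || self.matchExpressions.all(e, e.key == 'name'))",message="Only the 'name' field is supported in containerSelector."` — this needs confirming against the agent's matching code, which is outside this diff, and the CRD YAML regenerated afterwards. As a point of style, all three pointer fields are marked Optional but their JSON tags lack `omitempty`, unlike `matchWorkloads` in the previous hunk; `json:"podSelector,omitempty"` (and likewise for the other two) keeps the marshaled form consistent with the rest of the file, and a nil pointer is still unset after a round trip, so the null-vs-`{}` distinction the hostSelector rule depends on is preserved.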
@@ -224,6 +224,13 @@ func (in *KProbeSelector) DeepCopyInto(out *KProbeSelector) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.MatchWorkloads != nil { + in, out := &in.MatchWorkloads, &out.MatchWorkloads + *out = make([]WorkloadsSelector, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.Macros != nil { in, out := &in.Macros, &out.Macros *out = make([]string, len(*in)) @@ -900,3 +907,33 @@ func (in *WorkloadObjectMeta) DeepCopy() *WorkloadObjectMeta { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WorkloadsSelector) DeepCopyInto(out *WorkloadsSelector) { + *out = *in + if in.PodSelector != nil { + in, out := &in.PodSelector, &out.PodSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.ContainerSelector != nil { + in, out := &in.ContainerSelector, &out.ContainerSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.HostSelector != nil { + in, out := &in.HostSelector, &out.HostSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadsSelector. +func (in *WorkloadsSelector) DeepCopy() *WorkloadsSelector { + if in == nil { + return nil + } + out := new(WorkloadsSelector) + in.DeepCopyInto(out) + return out +} diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index 18cc571e525..2a02c408cbc 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml 
@@ -1117,6 +1117,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array syscall: 
@@ -2198,6 +2383,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array syscall: 
@@ -3011,6 +3381,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array tags: 
@@ -3720,6 +4275,187 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null or {}. 
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this policy + applies to + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object description: |- SelectorsMacros is used to define selectors macros, which can be used 
@@ -4491,6 +5227,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array subsystem: 
@@ -5520,6 +6441,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array symbols: 
@@ -6311,6 +7417,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array tags: 
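Review bot: The new `matchWorkloads` item schema (`items: properties: containerSelector / hostSelector / podSelector … type: object`) carries no `required` list and no `x-kubernetes-validations` rule, so an entry written as `- {}` is accepted at admission even though neither the schema nor the one-line `description: Workloads to match` says whether such an entry matches every workload or none — for a field that narrows the scope of a tracing policy, that ambiguity is worth closing at the API boundary rather than in the matcher. Because these CRD files are generated, the change belongs on the source Go type: a marker such as `// +kubebuilder:validation:XValidation:rule="has(self.containerSelector) || has(self.hostSelector) || has(self.podSelector)",message="at least one selector must be set"` would surface here as an `x-kubernetes-validations` entry, in the same form the hunk already emits for `hostSelector`. The field description should also state how several entries combine, e.g. `description: Workloads to match. Each entry is evaluated on its own; a workload matches if any entry matches it.` — assuming OR-across-entries is what the matcher implements, which this hunk does not show. The identical schema is repeated in the later hunks of this chunk (`@@ -1117`, `@@ -2198`, `@@ -3011`, `@@ -3720`, `@@ -4491` in the vendored copies), so one fix on the Go type covers them all; the enclosing selector schema continues outside this hunk.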
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index fb3884d06ef..1ccb02fb92e 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml 
@@ -1117,6 +1117,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array syscall: 
@@ -2198,6 +2383,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array syscall: 
@@ -3011,6 +3381,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array tags: 
@@ -3720,6 +4275,187 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null or {}. 
+ rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this policy + applies to + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object description: |- SelectorsMacros is used to define selectors macros, which can be used 
@@ -4491,6 +5227,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array subsystem: 
@@ -5520,6 +6441,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array symbols: 
@@ -6311,6 +7417,191 @@ spec: - operator type: object type: array + matchWorkloads: + description: Workloads to match + items: + properties: + containerSelector: + description: |- + ContainerSelector selects containers that this policy applies to. + A map of container fields will be constructed in the same way as a map of labels. + The name of the field represents the label "key", and the value of the field - label "value". + Currently, only the "name" field is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + hostSelector: + description: |- + HostSelector selects hosts that this policy applies to. + For now only ~ (none) and {} (all) is supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: The hostSelector should be either null + or {}. + rule: '!has(self.matchLabels) && !has(self.matchExpressions)' + podSelector: + description: PodSelector selects pods that this + policy applies to + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object type: array tags: 
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 31b8866dbc7..fa68162d573 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -7,6 +7,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ciliumio "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io" + slimv1 "github.com/cilium/tetragon/pkg/k8s/slim/k8s/apis/meta/v1" ) const ( @@ -169,6 +170,9 @@ type KProbeSelector struct { // IDs for capabilities changes MatchCapabilityChanges []CapabilitiesSelector `json:"matchCapabilityChanges,omitempty"` // +kubebuilder:validation:Optional + // Workloads to match + MatchWorkloads []WorkloadsSelector `json:"matchWorkloads,omitempty"` + // +kubebuilder:validation:Optional // A list of macros names, defined in spec.selectorsMacros. // Filters specified in macros will be appended to corresponding filters of the selector. Macros []string `json:"macros,omitempty"` 
@@ -210,6 +214,23 @@ type CapabilitiesSelector struct {
 Values []string `json:"values"`
 }
+type WorkloadsSelector struct {
+ // +kubebuilder:validation:Optional
+ // PodSelector selects pods that this policy applies to
+ PodSelector *slimv1.LabelSelector `json:"podSelector"`
+ // +kubebuilder:validation:Optional
+ // ContainerSelector selects containers that this policy applies to.
+ // A map of container fields will be constructed in the same way as a map of labels.
+ // The name of the field represents the label "key", and the value of the field - label "value".
+ // Currently, only the "name" field is supported.
+ ContainerSelector *slimv1.LabelSelector `json:"containerSelector"`
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:XValidation:rule="!has(self.matchLabels) && !has(self.matchExpressions)",message="The hostSelector should be either null or {}."
+ // HostSelector selects hosts that this policy applies to.
+ // For now only ~ (none) and {} (all) is supported.
+ HostSelector *slimv1.LabelSelector `json:"hostSelector"`
+}
+
 type PIDSelector struct {
 // +kubebuilder:validation:Enum=In;NotIn
 // PID selector operator.
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go
index c0bdaf4bb35..60f5715bd46 100644
--- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go
+++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/version.go
@@ -7,4 +7,4 @@ package v1alpha1
 // Used to determine if CRD needs to be updated in cluster
 //
 // Developers: Bump patch for each change in the CRD schema.
-const CustomResourceDefinitionSchemaVersion = "1.8.1"
+const CustomResourceDefinitionSchemaVersion = "1.8.2"
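Review bot: `WorkloadsSelector` carries no struct-level validation, so a `matchWorkloads` element with all three selectors unset (`- {}`) is accepted by the CRD, and nothing in the type says whether such an element matches every workload or none — for a selector that gates which processes a kprobe fires on, an accidental match-all is the dangerous default, so it should be rejected or explicitly documented. I would add above the struct `// +kubebuilder:validation:XValidation:rule="has(self.podSelector) || has(self.containerSelector) || has(self.hostSelector)",message="At least one of podSelector, containerSelector or hostSelector must be set."` together with a doc comment stating how the three selectors combine inside one element (AND vs OR, which matters when `hostSelector: {}` sits next to a `podSelector`) and how multiple elements of `matchWorkloads` combine. The three json tags also lack `,omitempty`, unlike the optional `matchCapabilityChanges`, `matchWorkloads` and `macros` fields of `KProbeSelector`, so a serialized selector will emit explicit `null` values for unset fields. This is the vendored copy of `pkg/k8s/apis/cilium.io/v1alpha1/types.go` from the diffstat, so the change belongs in the source followed by regenerating the CRDs and deepcopy.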
diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go index 6ce246ee1b2..35bf6abe9bc 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/zz_generated.deepcopy.go @@ -224,6 +224,13 @@ func (in *KProbeSelector) DeepCopyInto(out *KProbeSelector) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.MatchWorkloads != nil { + in, out := &in.MatchWorkloads, &out.MatchWorkloads + *out = make([]WorkloadsSelector, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.Macros != nil { in, out := &in.Macros, &out.Macros *out = make([]string, len(*in)) @@ -900,3 +907,33 @@ func (in *WorkloadObjectMeta) DeepCopy() *WorkloadObjectMeta { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *WorkloadsSelector) DeepCopyInto(out *WorkloadsSelector) { + *out = *in + if in.PodSelector != nil { + in, out := &in.PodSelector, &out.PodSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.ContainerSelector != nil { + in, out := &in.ContainerSelector, &out.ContainerSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.HostSelector != nil { + in, out := &in.HostSelector, &out.HostSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadsSelector. +func (in *WorkloadsSelector) DeepCopy() *WorkloadsSelector { + if in == nil { + return nil + } + out := new(WorkloadsSelector) + in.DeepCopyInto(out) + return out +} From fd182881245f08e86e1fbb89bbd3d3e4ebef4e7b Mon Sep 17 00:00:00 2001 
From: Anastasios Papagiannis Date: Wed, 22 Apr 2026 09:34:30 +0300 Subject: [PATCH 2/7] Populate new tracing policy refs Signed-off-by: Anastasios Papagiannis --- .../en/docs/reference/tracing-policy.md | 13932 ++++++++++------ 1 file changed, 9087 insertions(+), 4845 deletions(-) diff --git a/docs/content/en/docs/reference/tracing-policy.md b/docs/content/en/docs/reference/tracing-policy.md index c2d247dbd07..6f516b10fde 100644 --- a/docs/content/en/docs/reference/tracing-policy.md +++ b/docs/content/en/docs/reference/tracing-policy.md @@ -878,6 +878,13 @@ Filters specified in macros will be appended to corresponding filters of the sel A list of argument filters. MatchArgs are ANDed.
false + + matchWorkloads + []object + + Workloads to match
+ + false @@ -1680,12 +1687,11 @@ Only valid with the post action and with a rateLimit specified.
-### TracingPolicy.spec.hostSelector -[↩ Parent](#tracingpolicyspec) +### TracingPolicy.spec.fentries[index].selectors[index].matchWorkloads[index] +[↩ Parent](#tracingpolicyspecfentriesindexselectorsindex) + -HostSelector selects hosts that this policy applies to. -For now only ~ (none) and {} (all) is supported. @@ -1697,7 +1703,56 @@ For now only ~ (none) and {} (all) is supported. - + + + + + + + + + + + + + + + +
matchExpressionscontainerSelectorobject + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
+
false
hostSelectorobject + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.
+
+ Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • +
    false
    podSelectorobject + PodSelector selects pods that this policy applies to
    +
    false
    + + +### TracingPolicy.spec.fentries[index].selectors[index].matchWorkloads[index].containerSelector +[↩ Parent](#tracingpolicyspecfentriesindexselectorsindexmatchworkloadsindex) + + +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. + + + + + + + + + + + +
    NameTypeDescriptionRequired
    matchExpressions []object matchExpressions is a list of label selector requirements. The requirements are ANDed.
    @@ -1716,8 +1771,8 @@ operator is "In", and the values array contains only "value". The requirements a
    -### TracingPolicy.spec.hostSelector.matchExpressions[index] -[↩ Parent](#tracingpolicyspechostselector) +### TracingPolicy.spec.fentries[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspecfentriesindexselectorsindexmatchworkloadsindexcontainerselector) A label selector requirement is a selector that contains values, a key, and an operator that @@ -1763,11 +1818,12 @@ merge patch.
    -### TracingPolicy.spec.kprobes[index] -[↩ Parent](#tracingpolicyspec) - +### TracingPolicy.spec.fentries[index].selectors[index].matchWorkloads[index].hostSelector +[↩ Parent](#tracingpolicyspecfentriesindexselectorsindexmatchworkloadsindex) +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. @@ -1779,99 +1835,113 @@ merge patch.
    - - - - - - - - - - - + - - + + - - + +
    callstring - Name of the function to apply the kprobe spec to.
    -
    true
    args[]object - A list of function arguments to include in the trace output.
    -
    false
    datamatchExpressions []object - A list of data to include in the trace output.
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    ignoreobjectmatchLabelsmap[string]string - Conditions for ignoring this kprobe
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    message
    + + +### TracingPolicy.spec.fentries[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspecfentriesindexselectorsindexmatchworkloadsindexhostselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + - + - - + + - - - - - - + - - + + - - + +
    NameTypeDescriptionRequired
    key string - A short message of 256 characters max that will be included -in the event output to inform users what is going on.
    + key is the label key that the selector applies to.
    falsetrue
    returnbooleanoperatorenum - Indicates whether to collect return value of the traced function.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Default: false
    -
    false
    returnArgobject - A return argument to include in the trace output.
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    returnArgActionstringvalues[]string - An action to perform on the return value. -Use returnArg to include the return value in the event output. -Supported actions are: TrackSock;UntrackSock
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    selectors
    + + +### TracingPolicy.spec.fentries[index].selectors[index].matchWorkloads[index].podSelector +[↩ Parent](#tracingpolicyspecfentriesindexselectorsindexmatchworkloadsindex) + + +PodSelector selects pods that this policy applies to + + + + + + + + + + + + - - - - - - - + +
    NameTypeDescriptionRequired
    matchExpressions []object - Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
    -
    false
    syscallboolean - Indicates whether the traced function is a syscall.
    -
    - Default: true
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    tags[]stringmatchLabelsmap[string]string - Tags to categorize the event, will be include in the event output. -Maximum of 16 Tags are supported.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicy.spec.kprobes[index].args[index] -[↩ Parent](#tracingpolicyspeckprobesindex) - +### TracingPolicy.spec.fentries[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspecfentriesindexselectorsindexmatchworkloadsindexpodselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -1883,52 +1953,285 @@ Maximum of 16 Tags are supported.
    - - + + - + - - + + - - - + +
    indexintegerkeystring - Position of the argument.
    -
    - Format: int32
    - Minimum: 0
    + key is the label key that the selector applies to.
    true
    typeoperator enum - Argument type.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    btfTypestringvalues[]string - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    labelstring
    + + +### TracingPolicy.spec.hostSelector +[↩ Parent](#tracingpolicyspec) + + +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. + + + + + + + + + + + + + - - + + + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    + + + +
    NameTypeDescriptionRequired
    matchExpressions[]object - Label to output in the JSON
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    maxDatabooleanmatchLabelsmap[string]string - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    -
    - Default: false
    -
    false
    + + +### TracingPolicy.spec.hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspechostselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    keystring + key is the label key that the selector applies to.
    +
    true
    operatorenum + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
    +
    + Enum: In, NotIn, Exists, DoesNotExist
    +
    true
    values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    +
    false
    + + +### TracingPolicy.spec.kprobes[index] +[↩ Parent](#tracingpolicyspec) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    callstring + Name of the function to apply the kprobe spec to.
    +
    true
    args[]object + A list of function arguments to include in the trace output.
    +
    false
    data[]object + A list of data to include in the trace output.
    +
    false
    ignoreobject + Conditions for ignoring this kprobe
    +
    false
    messagestring + A short message of 256 characters max that will be included +in the event output to inform users what is going on.
    +
    false
    returnboolean + Indicates whether to collect return value of the traced function.
    +
    + Default: false
    +
    false
    returnArgobject + A return argument to include in the trace output.
    +
    false
    returnArgActionstring + An action to perform on the return value. +Use returnArg to include the return value in the event output. +Supported actions are: TrackSock;UntrackSock
    +
    false
    selectors[]object + Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
    +
    false
    syscallboolean + Indicates whether the traced function is a syscall.
    +
    + Default: true
    +
    false
    tags[]string + Tags to categorize the event, will be include in the event output. +Maximum of 16 Tags are supported.
    +
    false
    + + +### TracingPolicy.spec.kprobes[index].args[index] +[↩ Parent](#tracingpolicyspeckprobesindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2322,6 +2625,13 @@ Filters specified in macros will be appended to corresponding filters of the sel A list of argument filters. MatchArgs are ANDed.
    + + + + +
    NameTypeDescriptionRequired
    indexinteger + Position of the argument.
    +
    + Format: int32
    + Minimum: 0
    +
    true
    typeenum + Argument type.
    +
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    +
    true
    btfTypestring + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    +
    false
    labelstring + Label to output in the JSON
    +
    false
    maxDataboolean + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on
    +
    + Default: false
    +
    false
    resolve false
    matchWorkloads[]object + Workloads to match
    +
    false
    @@ -3124,8 +3434,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicy.spec.lists[index] -[↩ Parent](#tracingpolicyspec) +### TracingPolicy.spec.kprobes[index].selectors[index].matchWorkloads[index] +[↩ Parent](#tracingpolicyspeckprobesindexselectorsindex) @@ -3140,51 +3450,80 @@ Only valid with the post action and with a rateLimit specified.
    - name - string - - Name of the list
    - - true - - pattern - string + containerSelector + object - Pattern for 'generated' lists.
    + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
    false - type - enum + hostSelector + object - Indicates the type of the list values.
    + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.

    - Enum: syscalls, generated_syscalls, generated_ftrace
    + Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • false - validated - boolean + podSelector + object - List was validated
    + PodSelector selects pods that this policy applies to
    + + false + + + + +### TracingPolicy.spec.kprobes[index].selectors[index].matchWorkloads[index].containerSelector +[↩ Parent](#tracingpolicyspeckprobesindexselectorsindexmatchworkloadsindex) + + +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. + + + + + + + + + + + + + + - - + +
    NameTypeDescriptionRequired
    matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    values[]stringmatchLabelsmap[string]string - Values of the list
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicy.spec.lsmhooks[index]
    -[↩ Parent](#tracingpolicyspec)
    -
    +### TracingPolicy.spec.kprobes[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index]
    +[↩ Parent](#tracingpolicyspeckprobesindexselectorsindexmatchworkloadsindexcontainerselector)
    +A label selector requirement is a selector that contains values, a key, and an operator that
    +relates the key and values.
    @@ -3196,51 +3535,78 @@ Only valid with the post action and with a rateLimit specified.
    - + - - + + - + - - + + - - + +
    hookkey string - Name of the function to apply the kprobe spec to.
    + key is the label key that the selector applies to.
    true
    args[]objectoperatorenum - A list of function arguments to include in the trace output.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
    +
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    messagestringvalues[]string - A short message of 256 characters max that will be included -in the event output to inform users what is going on.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    selectors
    + + +### TracingPolicy.spec.kprobes[index].selectors[index].matchWorkloads[index].hostSelector +[↩ Parent](#tracingpolicyspeckprobesindexselectorsindexmatchworkloadsindex) + + +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. + + + + + + + + + + + + - - + +
    NameTypeDescriptionRequired
    matchExpressions []object - Selectors to apply before producing trace output. Selectors are ORed.
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    tags[]stringmatchLabelsmap[string]string - Tags to categorize the event, will be include in the event output. -Maximum of 16 Tags are supported.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicy.spec.lsmhooks[index].args[index]
    -[↩ Parent](#tracingpolicyspeclsmhooksindex)
    -
    +### TracingPolicy.spec.kprobes[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index]
    +[↩ Parent](#tracingpolicyspeckprobesindexselectorsindexmatchworkloadsindexhostselector)
    +A label selector requirement is a selector that contains values, a key, and an operator that
    +relates the key and values.
    @@ -3252,103 +3618,123 @@ Maximum of 16 Tags are supported.
    - - + + - + - - + + - - - + +
    indexintegerkeystring - Position of the argument.
    -
    - Format: int32
    - Minimum: 0
    + key is the label key that the selector applies to.
    true
    typeoperator enum - Argument type.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    btfTypestringvalues[]string - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    labelstring
    + + +### TracingPolicy.spec.kprobes[index].selectors[index].matchWorkloads[index].podSelector +[↩ Parent](#tracingpolicyspeckprobesindexselectorsindexmatchworkloadsindex) + + +PodSelector selects pods that this policy applies to + + + + + + + + + + + + + - - + + - - + +
    NameTypeDescriptionRequired
    matchExpressions[]object - Label to output in the JSON
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    maxDatabooleanmatchLabelsmap[string]string - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    -
    - Default: false
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    resolve
    + + +### TracingPolicy.spec.kprobes[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspeckprobesindexselectorsindexmatchworkloadsindexpodselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + - - - - - - + - - + + - + - - + +
    NameTypeDescriptionRequired
    key string - Resolve the path to a specific attribute
    -
    - Default:
    -
    false
    returnCopyboolean - This field is used only for char_buf and char_iovec types. It indicates -that this argument should be read later (when the kretprobe for the -symbol is triggered) because it might not be populated when the kprobe -is triggered at the entrance of the function. For example, a buffer -supplied to read(2) won't have content until kretprobe is triggered.
    -
    - Default: false
    + key is the label key that the selector applies to.
    falsetrue
    sizeArgIndexintegeroperatorenum - Specifies the position of the corresponding size argument for this argument. -This field is used only for char_buf and char_iovec types.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Format: int32
    - Minimum: 0
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    sourcestringvalues[]string - Source of the data, if missing the default if function arguments
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    -### TracingPolicy.spec.lsmhooks[index].selectors[index] -[↩ Parent](#tracingpolicyspeclsmhooksindex) +### TracingPolicy.spec.lists[index] +[↩ Parent](#tracingpolicyspec) + -KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The -results of MatchPIDs and MatchArgs are ANDed. @@ -3360,24 +3746,244 @@ results of MatchPIDs and MatchArgs are ANDed. - - + + - + - - + + - - - + + + + + + + + + + + + + + +
    macros[]stringnamestring - A list of macros names, defined in spec.selectorsMacros. -Filters specified in macros will be appended to corresponding filters of the selector.
    + Name of the list
    falsetrue
    matchActions[]objectpatternstring - A list of actions to execute when this selector matches
    + Pattern for 'generated' lists.
    false
    matchArgs[]object + typeenum + Indicates the type of the list values.
    +
    + Enum: syscalls, generated_syscalls, generated_ftrace
    +
    false
    validatedboolean + List was validated
    +
    false
    values[]string + Values of the list
    +
    false
    + + +### TracingPolicy.spec.lsmhooks[index] +[↩ Parent](#tracingpolicyspec) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    hookstring + Name of the function to apply the kprobe spec to.
    +
    true
    args[]object + A list of function arguments to include in the trace output.
    +
    false
    messagestring + A short message of 256 characters max that will be included +in the event output to inform users what is going on.
    +
    false
    selectors[]object + Selectors to apply before producing trace output. Selectors are ORed.
    +
    false
    tags[]string + Tags to categorize the event, will be include in the event output. +Maximum of 16 Tags are supported.
    +
    false
    + + +### TracingPolicy.spec.lsmhooks[index].args[index] +[↩ Parent](#tracingpolicyspeclsmhooksindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    indexinteger + Position of the argument.
    +
    + Format: int32
    + Minimum: 0
    +
    true
    typeenum + Argument type.
    +
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    +
    true
    btfTypestring + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    +
    false
    labelstring + Label to output in the JSON
    +
    false
    maxDataboolean + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on
    +
    + Default: false
    +
    false
    resolvestring + Resolve the path to a specific attribute
    +
    + Default:
    +
    false
    returnCopyboolean + This field is used only for char_buf and char_iovec types. It indicates +that this argument should be read later (when the kretprobe for the +symbol is triggered) because it might not be populated when the kprobe +is triggered at the entrance of the function. For example, a buffer +supplied to read(2) won't have content until kretprobe is triggered.
    +
    + Default: false
    +
    false
    sizeArgIndexinteger + Specifies the position of the corresponding size argument for this argument. +This field is used only for char_buf and char_iovec types.
    +
    + Format: int32
    + Minimum: 0
    +
    false
    sourcestring + Source of the data, if missing the default if function arguments
    +
    false
    + + +### TracingPolicy.spec.lsmhooks[index].selectors[index] +[↩ Parent](#tracingpolicyspeclsmhooksindex) + + +KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The +results of MatchPIDs and MatchArgs are ANDed. + + + + + + + + + + + + + + + + + + + + + + + + @@ -3451,6 +4057,13 @@ Filters specified in macros will be appended to corresponding filters of the sel A list of argument filters. MatchArgs are ANDed.
    + + + + +
    NameTypeDescriptionRequired
    macros[]string + A list of macros names, defined in spec.selectorsMacros. +Filters specified in macros will be appended to corresponding filters of the selector.
    +
    false
    matchActions[]object + A list of actions to execute when this selector matches
    +
    false
    matchArgs[]object A list of argument filters. MatchArgs are ANDed.
    false false
    matchWorkloads[]object + Workloads to match
    +
    false
    @@ -4253,8 +4866,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicy.spec.options[index]
    -[↩ Parent](#tracingpolicyspec)
    +### TracingPolicy.spec.lsmhooks[index].selectors[index].matchWorkloads[index]
    +[↩ Parent](#tracingpolicyspeclsmhooksindexselectorsindex)
    @@ -4269,28 +4882,44 @@ Only valid with the post action and with a rateLimit specified.
    - name - string + containerSelector + object - Name of the option
    + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
    - true + false - value - string + hostSelector + object - Value of the option
    + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.
    +
    + Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • + + false + + podSelector + object + + PodSelector selects pods that this policy applies to
    false -### TracingPolicy.spec.podSelector -[↩ Parent](#tracingpolicyspec) +### TracingPolicy.spec.lsmhooks[index].selectors[index].matchWorkloads[index].containerSelector +[↩ Parent](#tracingpolicyspeclsmhooksindexselectorsindexmatchworkloadsindex) -PodSelector selects pods that this policy applies to +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. @@ -4302,7 +4931,7 @@ PodSelector selects pods that this policy applies to - +
    matchExpressionsmatchExpressions []object matchExpressions is a list of label selector requirements. The requirements are ANDed.
    @@ -4321,8 +4950,8 @@ operator is "In", and the values array contains only "value". The requirements a
    -### TracingPolicy.spec.podSelector.matchExpressions[index]
    -[↩ Parent](#tracingpolicyspecpodselector)
    +### TracingPolicy.spec.lsmhooks[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index]
    +[↩ Parent](#tracingpolicyspeclsmhooksindexselectorsindexmatchworkloadsindexcontainerselector)
     A label selector requirement is a selector that contains values, a key, and an operator that
    @@ -4368,12 +4997,12 @@ merge patch.
    -### TracingPolicy.spec.selectorsMacros[key] -[↩ Parent](#tracingpolicyspec) +### TracingPolicy.spec.lsmhooks[index].selectors[index].matchWorkloads[index].hostSelector +[↩ Parent](#tracingpolicyspeclsmhooksindexselectorsindexmatchworkloadsindex) -KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The -results of MatchPIDs and MatchArgs are ANDed. +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. @@ -4385,106 +5014,228 @@ results of MatchPIDs and MatchArgs are ANDed. - - + + - - + + - - - + +
    macros[]stringmatchExpressions[]object - A list of macros names, defined in spec.selectorsMacros. -Filters specified in macros will be appended to corresponding filters of the selector.
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    matchActions[]objectmatchLabelsmap[string]string - A list of actions to execute when this selector matches
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    matchArgs[]object
    + + +### TracingPolicy.spec.lsmhooks[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspeclsmhooksindexselectorsindexmatchworkloadsindexhostselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + - + - - + + - + - - + + - - + +
    NameTypeDescriptionRequired
    keystring - A list of argument filters. MatchArgs are ANDed.
    + key is the label key that the selector applies to.
    falsetrue
    matchBinaries[]objectoperatorenum - A list of binary exec name filters.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
    +
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    matchCapabilities[]objectvalues[]string - A list of capabilities and IDs
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    matchCapabilityChanges
    + + +### TracingPolicy.spec.lsmhooks[index].selectors[index].matchWorkloads[index].podSelector +[↩ Parent](#tracingpolicyspeclsmhooksindexselectorsindexmatchworkloadsindex) + + +PodSelector selects pods that this policy applies to + + + + + + + + + + + + - - + + - - - + +
    NameTypeDescriptionRequired
    matchExpressions []object - IDs for capabilities changes
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    matchData[]objectmatchLabelsmap[string]string - A list of argument filters. MatchData are ANDed.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    matchNamespaceChanges[]object
    + + +### TracingPolicy.spec.lsmhooks[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspeclsmhooksindexselectorsindexmatchworkloadsindexpodselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + - + - - + + - + - - + + + +
    NameTypeDescriptionRequired
    keystring - IDs for namespace changes
    + key is the label key that the selector applies to.
    falsetrue
    matchNamespaces[]objectoperatorenum - A list of namespaces and IDs
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
    +
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    matchPIDs[]objectvalues[]string - A list of process ID filters. MatchPIDs are ANDed.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    + + +### TracingPolicy.spec.options[index] +[↩ Parent](#tracingpolicyspec) + + + + + + + + + + + + + + + + + + - - + + - - + +
    NameTypeDescriptionRequired
    namestring + Name of the option
    +
    true
    matchParentBinaries[]objectvaluestring - A list of process parent exec name filters.
    + Value of the option
    false
    matchReturnActions
    + + +### TracingPolicy.spec.podSelector +[↩ Parent](#tracingpolicyspec) + + +PodSelector selects pods that this policy applies to + + + + + + + + + + + + - - + +
    NameTypeDescriptionRequired
    matchExpressions []object - A list of actions to execute when MatchReturnArgs selector matches
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    matchReturnArgs[]objectmatchLabelsmap[string]string - A list of argument filters. MatchArgs are ANDed.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicy.spec.selectorsMacros[key].matchActions[index] -[↩ Parent](#tracingpolicyspecselectorsmacroskey) - +### TracingPolicy.spec.podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspecpodselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -4496,32 +5247,197 @@ Filters specified in macros will be appended to corresponding filters of the sel - - + + - - + + - + - - + + + + +
    actionenumkeystring - Action to execute. -NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to -be removed in version 1.5.
    -
    - Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    + key is the label key that the selector applies to.
    true
    argErrorintegeroperatorenum - error value for override action
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Format: int32
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    argFdintegervalues[]string - An arg index for the fd for fdInstall action
    -
    - Format: int32
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    +
    false
    + + +### TracingPolicy.spec.selectorsMacros[key] +[↩ Parent](#tracingpolicyspec) + + +KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The +results of MatchPIDs and MatchArgs are ANDed. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    macros[]string + A list of macros names, defined in spec.selectorsMacros. +Filters specified in macros will be appended to corresponding filters of the selector.
    +
    false
    matchActions[]object + A list of actions to execute when this selector matches
    +
    false
    matchArgs[]object + A list of argument filters. MatchArgs are ANDed.
    +
    false
    matchBinaries[]object + A list of binary exec name filters.
    +
    false
    matchCapabilities[]object + A list of capabilities and IDs
    +
    false
    matchCapabilityChanges[]object + IDs for capabilities changes
    +
    false
    matchData[]object + A list of argument filters. MatchData are ANDed.
    +
    false
    matchNamespaceChanges[]object + IDs for namespace changes
    +
    false
    matchNamespaces[]object + A list of namespaces and IDs
    +
    false
    matchPIDs[]object + A list of process ID filters. MatchPIDs are ANDed.
    +
    false
    matchParentBinaries[]object + A list of process parent exec name filters.
    +
    false
    matchReturnActions[]object + A list of actions to execute when MatchReturnArgs selector matches
    +
    false
    matchReturnArgs[]object + A list of argument filters. MatchArgs are ANDed.
    +
    false
    matchWorkloads[]object + Workloads to match
    +
    false
    + + +### TracingPolicy.spec.selectorsMacros[key].matchActions[index] +[↩ Parent](#tracingpolicyspecselectorsmacroskey) + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -5278,8 +6194,8 @@ Only valid with the post action and with a rateLimit specified.
    NameTypeDescriptionRequired
    actionenum + Action to execute. +NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to +be removed in version 1.5.
    +
    + Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    +
    true
    argErrorinteger + error value for override action
    +
    + Format: int32
    +
    false
    argFdinteger + An arg index for the fd for fdInstall action
    +
    + Format: int32
    false
    -### TracingPolicy.spec.tracepoints[index]
    -[↩ Parent](#tracingpolicyspec)
    +### TracingPolicy.spec.selectorsMacros[key].matchWorkloads[index]
    +[↩ Parent](#tracingpolicyspecselectorsmacroskey)
    @@ -5294,65 +6210,80 @@ Only valid with the post action and with a rateLimit specified.
    - event - string - - Tracepoint event
    - - true - - subsystem - string - - Tracepoint subsystem
    - - true - - args - []object + containerSelector + object - A list of function arguments to include in the trace output.
    + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
    false - message - string + hostSelector + object - A short message of 256 characters max that will be included -in the event output to inform users what is going on.
    + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.
    +
    + Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • false - raw - boolean + podSelector + object - Enable raw tracepoint arguments
    + PodSelector selects pods that this policy applies to
    false - - selectors + + + + +### TracingPolicy.spec.selectorsMacros[key].matchWorkloads[index].containerSelector +[↩ Parent](#tracingpolicyspecselectorsmacroskeymatchworkloadsindex) + + +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. + + + + + + + + + + + + - - + +
    NameTypeDescriptionRequired
    matchExpressions []object - Selectors to apply before producing trace output. Selectors are ORed.
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    tags[]stringmatchLabelsmap[string]string - Tags to categorize the event, will be include in the event output. -Maximum of 16 Tags are supported.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicy.spec.tracepoints[index].args[index]
    -[↩ Parent](#tracingpolicyspectracepointsindex)
    -
    +### TracingPolicy.spec.selectorsMacros[key].matchWorkloads[index].containerSelector.matchExpressions[index]
    +[↩ Parent](#tracingpolicyspecselectorsmacroskeymatchworkloadsindexcontainerselector)
    +A label selector requirement is a selector that contains values, a key, and an operator that
    +relates the key and values.
    @@ -5364,103 +6295,124 @@ Maximum of 16 Tags are supported.
    - - + + - + - - + + - - - + +
    indexintegerkeystring - Position of the argument.
    -
    - Format: int32
    - Minimum: 0
    + key is the label key that the selector applies to.
    true
    typeoperator enum - Argument type.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    btfTypestringvalues[]string - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    labelstring
    + + +### TracingPolicy.spec.selectorsMacros[key].matchWorkloads[index].hostSelector +[↩ Parent](#tracingpolicyspecselectorsmacroskeymatchworkloadsindex) + + +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. + + + + + + + + + + + + + - - + + - - + +
    NameTypeDescriptionRequired
    matchExpressions[]object - Label to output in the JSON
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    maxDatabooleanmatchLabelsmap[string]string - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    -
    - Default: false
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    resolve
    + + +### TracingPolicy.spec.selectorsMacros[key].matchWorkloads[index].hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspecselectorsmacroskeymatchworkloadsindexhostselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + - - - - - - + - - + + - + - - + +
    NameTypeDescriptionRequired
    key string - Resolve the path to a specific attribute
    -
    - Default:
    -
    false
    returnCopyboolean - This field is used only for char_buf and char_iovec types. It indicates -that this argument should be read later (when the kretprobe for the -symbol is triggered) because it might not be populated when the kprobe -is triggered at the entrance of the function. For example, a buffer -supplied to read(2) won't have content until kretprobe is triggered.
    -
    - Default: false
    + key is the label key that the selector applies to.
    falsetrue
    sizeArgIndexintegeroperatorenum - Specifies the position of the corresponding size argument for this argument. -This field is used only for char_buf and char_iovec types.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Format: int32
    - Minimum: 0
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    sourcestringvalues[]string - Source of the data, if missing the default if function arguments
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    -### TracingPolicy.spec.tracepoints[index].selectors[index] -[↩ Parent](#tracingpolicyspectracepointsindex) +### TracingPolicy.spec.selectorsMacros[key].matchWorkloads[index].podSelector +[↩ Parent](#tracingpolicyspecselectorsmacroskeymatchworkloadsindex) -KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The -results of MatchPIDs and MatchArgs are ANDed. +PodSelector selects pods that this policy applies to @@ -5472,97 +6424,364 @@ results of MatchPIDs and MatchArgs are ANDed. - - + + - - + + - - - + +
    macros[]stringmatchExpressions[]object - A list of macros names, defined in spec.selectorsMacros. -Filters specified in macros will be appended to corresponding filters of the selector.
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    matchActions[]objectmatchLabelsmap[string]string - A list of actions to execute when this selector matches
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    matchArgs[]object
    + + +### TracingPolicy.spec.selectorsMacros[key].matchWorkloads[index].podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspecselectorsmacroskeymatchworkloadsindexpodselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + - + - - + + - + - - + + - - - + +
    NameTypeDescriptionRequired
    keystring - A list of argument filters. MatchArgs are ANDed.
    + key is the label key that the selector applies to.
    falsetrue
    matchBinaries[]objectoperatorenum - A list of binary exec name filters.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
    +
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    matchCapabilities[]objectvalues[]string - A list of capabilities and IDs
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    matchCapabilityChanges[]object
    + + +### TracingPolicy.spec.tracepoints[index] +[↩ Parent](#tracingpolicyspec) + + + + + + + + + + + + + + + + - + - - + + - + - + - - + + - - + + - + - - + + - - - - +
    NameTypeDescriptionRequired
    eventstring - IDs for capabilities changes
    + Tracepoint event
    falsetrue
    matchData[]objectsubsystemstring - A list of argument filters. MatchData are ANDed.
    + Tracepoint subsystem
    falsetrue
    matchNamespaceChangesargs []object - IDs for namespace changes
    + A list of function arguments to include in the trace output.
    false
    matchNamespaces[]objectmessagestring - A list of namespaces and IDs
    + A short message of 256 characters max that will be included +in the event output to inform users what is going on.
    false
    matchPIDs[]objectrawboolean - A list of process ID filters. MatchPIDs are ANDed.
    + Enable raw tracepoint arguments
    false
    matchParentBinariesselectors []object - A list of process parent exec name filters.
    + Selectors to apply before producing trace output. Selectors are ORed.
    false
    matchReturnActions[]objecttags[]string - A list of actions to execute when MatchReturnArgs selector matches
    + Tags to categorize the event, will be include in the event output. +Maximum of 16 Tags are supported.
    false
    matchReturnArgs[]object +
    + + +### TracingPolicy.spec.tracepoints[index].args[index] +[↩ Parent](#tracingpolicyspectracepointsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    indexinteger + Position of the argument.
    +
    + Format: int32
    + Minimum: 0
    +
    true
    typeenum + Argument type.
    +
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    +
    true
    btfTypestring + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    +
    false
    labelstring + Label to output in the JSON
    +
    false
    maxDataboolean + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on
    +
    + Default: false
    +
    false
    resolvestring + Resolve the path to a specific attribute
    +
    + Default:
    +
    false
    returnCopyboolean + This field is used only for char_buf and char_iovec types. It indicates +that this argument should be read later (when the kretprobe for the +symbol is triggered) because it might not be populated when the kprobe +is triggered at the entrance of the function. For example, a buffer +supplied to read(2) won't have content until kretprobe is triggered.
    +
    + Default: false
    +
    false
    sizeArgIndexinteger + Specifies the position of the corresponding size argument for this argument. +This field is used only for char_buf and char_iovec types.
    +
    + Format: int32
    + Minimum: 0
    +
    false
    sourcestring + Source of the data, if missing the default if function arguments
    +
    false
    + + +### TracingPolicy.spec.tracepoints[index].selectors[index] +[↩ Parent](#tracingpolicyspectracepointsindex) + + +KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The +results of MatchPIDs and MatchArgs are ANDed. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    macros[]string + A list of macros names, defined in spec.selectorsMacros. +Filters specified in macros will be appended to corresponding filters of the selector.
    +
    false
    matchActions[]object + A list of actions to execute when this selector matches
    +
    false
    matchArgs[]object + A list of argument filters. MatchArgs are ANDed.
    +
    false
    matchBinaries[]object + A list of binary exec name filters.
    +
    false
    matchCapabilities[]object + A list of capabilities and IDs
    +
    false
    matchCapabilityChanges[]object + IDs for capabilities changes
    +
    false
    matchData[]object + A list of argument filters. MatchData are ANDed.
    +
    false
    matchNamespaceChanges[]object + IDs for namespace changes
    +
    false
    matchNamespaces[]object + A list of namespaces and IDs
    +
    false
    matchPIDs[]object + A list of process ID filters. MatchPIDs are ANDed.
    +
    false
    matchParentBinaries[]object + A list of process parent exec name filters.
    +
    false
    matchReturnActions[]object + A list of actions to execute when MatchReturnArgs selector matches
    +
    false
    matchReturnArgs[]object A list of argument filters. MatchArgs are ANDed.
    false
    matchWorkloads[]object + Workloads to match
    +
    false
    @@ -6365,8 +7584,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicy.spec.uprobes[index] -[↩ Parent](#tracingpolicyspec) +### TracingPolicy.spec.tracepoints[index].selectors[index].matchWorkloads[index] +[↩ Parent](#tracingpolicyspectracepointsindexselectorsindex) @@ -6381,109 +7600,163 @@ Only valid with the post action and with a rateLimit specified.
    - path - string - - Name of the traced binary
    - - true - - addrs - []integer + containerSelector + object - List of the traced addresses
    + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
    false - args - []object + hostSelector + object - A list of function arguments to include in the trace output.
    + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.
    +
    + Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • false - btfPath - string + podSelector + object - path for a BTF file for the traced binary
    + PodSelector selects pods that this policy applies to
    false - - data - []object - - A list of data to include in the trace output.
    - - false - - message - string + + + + +### TracingPolicy.spec.tracepoints[index].selectors[index].matchWorkloads[index].containerSelector +[↩ Parent](#tracingpolicyspectracepointsindexselectorsindexmatchworkloadsindex) + + +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. + + + + + + + + + + + + + - - + + - - - + +
    NameTypeDescriptionRequired
    matchExpressions[]object - A short message of 256 characters max that will be included -in the event output to inform users what is going on.
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    offsets[]integermatchLabelsmap[string]string - List of the traced offsets
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    refCtrOffsets[]integer
    + + +### TracingPolicy.spec.tracepoints[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspectracepointsindexselectorsindexmatchworkloadsindexcontainerselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + - + - - + + - + - - + + - - + +
    NameTypeDescriptionRequired
    keystring - List of the traced ref_ctr_offsets
    + key is the label key that the selector applies to.
    falsetrue
    returnbooleanoperatorenum - Indicates whether to collect return value of the traced function.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Default: false
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    returnArgobjectvalues[]string - A return argument to include in the trace output.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    selectors
    + + +### TracingPolicy.spec.tracepoints[index].selectors[index].matchWorkloads[index].hostSelector +[↩ Parent](#tracingpolicyspectracepointsindexselectorsindexmatchworkloadsindex) + + +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. + + + + + + + + + + + + - - - - - - - + +
    NameTypeDescriptionRequired
    matchExpressions []object - Selectors to apply before producing trace output. Selectors are ORed.
    -
    false
    symbols[]string - List of the traced symbols
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    tags[]stringmatchLabelsmap[string]string - Tags to categorize the event, will be include in the event output. -Maximum of 16 Tags are supported.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicy.spec.uprobes[index].args[index] -[↩ Parent](#tracingpolicyspecuprobesindex) - +### TracingPolicy.spec.tracepoints[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspectracepointsindexselectorsindexmatchworkloadsindexhostselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -6495,102 +7768,77 @@ Maximum of 16 Tags are supported.
    - - + + - + - - - - - - - - - - - - - - - - - - - - - - + + - - - + +
    indexintegerkeystring - Position of the argument.
    -
    - Format: int32
    - Minimum: 0
    + key is the label key that the selector applies to.
    true
    typeoperator enum - Argument type.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    btfTypestring - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    -
    false
    labelstring - Label to output in the JSON
    -
    false
    maxDataboolean - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    -
    - Default: false
    -
    false
    resolvestring - Resolve the path to a specific attribute
    -
    - Default:
    -
    false
    returnCopybooleanvalues[]string - This field is used only for char_buf and char_iovec types. It indicates -that this argument should be read later (when the kretprobe for the -symbol is triggered) because it might not be populated when the kprobe -is triggered at the entrance of the function. For example, a buffer -supplied to read(2) won't have content until kretprobe is triggered.
    -
    - Default: false
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    sizeArgIndexinteger
    + + +### TracingPolicy.spec.tracepoints[index].selectors[index].matchWorkloads[index].podSelector +[↩ Parent](#tracingpolicyspectracepointsindexselectorsindexmatchworkloadsindex) + + +PodSelector selects pods that this policy applies to + + + + + + + + + + + + + - - + +
    NameTypeDescriptionRequired
    matchExpressions[]object - Specifies the position of the corresponding size argument for this argument. -This field is used only for char_buf and char_iovec types.
    -
    - Format: int32
    - Minimum: 0
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    sourcestringmatchLabelsmap[string]string - Source of the data, if missing the default if function arguments
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicy.spec.uprobes[index].data[index] -[↩ Parent](#tracingpolicyspecuprobesindex) - +### TracingPolicy.spec.tracepoints[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspectracepointsindexselectorsindexmatchworkloadsindexpodselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -6602,22 +7850,182 @@ This field is used only for char_buf and char_iovec types.
    - - + + - + + + + + + + + +
    indexintegerkeystring - Position of the argument.
    -
    - Format: int32
    - Minimum: 0
    + key is the label key that the selector applies to.
    true
    typeoperator enum - Argument type.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Enum: In, NotIn, Exists, DoesNotExist
    +
    true
    values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    +
    false
    + + +### TracingPolicy.spec.uprobes[index] +[↩ Parent](#tracingpolicyspec) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    pathstring + Name of the traced binary
    +
    true
    addrs[]integer + List of the traced addresses
    +
    false
    args[]object + A list of function arguments to include in the trace output.
    +
    false
    btfPathstring + path for a BTF file for the traced binary
    +
    false
    data[]object + A list of data to include in the trace output.
    +
    false
    messagestring + A short message of 256 characters max that will be included +in the event output to inform users what is going on.
    +
    false
    offsets[]integer + List of the traced offsets
    +
    false
    refCtrOffsets[]integer + List of the traced ref_ctr_offsets
    +
    false
    returnboolean + Indicates whether to collect return value of the traced function.
    +
    + Default: false
    +
    false
    returnArgobject + A return argument to include in the trace output.
    +
    false
    selectors[]object + Selectors to apply before producing trace output. Selectors are ORed.
    +
    false
    symbols[]string + List of the traced symbols
    +
    false
    tags[]string + Tags to categorize the event, will be include in the event output. +Maximum of 16 Tags are supported.
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].args[index] +[↩ Parent](#tracingpolicyspecuprobesindex) + + + + + + + + + + + + + + + + + + + + + + @@ -6693,11 +8101,11 @@ This field is used only for char_buf and char_iovec types.
    NameTypeDescriptionRequired
    indexinteger + Position of the argument.
    +
    + Format: int32
    + Minimum: 0
    +
    true
    typeenum + Argument type.
    +
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    Default: auto
    true
    -### TracingPolicy.spec.uprobes[index].returnArg +### TracingPolicy.spec.uprobes[index].data[index] [↩ Parent](#tracingpolicyspecuprobesindex) -A return argument to include in the trace output. + @@ -6790,22 +8198,2783 @@ This field is used only for char_buf and char_iovec types.
    - - + + + + + +
    false
    sourcestringsourcestring + Source of the data, if missing the default if function arguments
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].returnArg +[↩ Parent](#tracingpolicyspecuprobesindex) + + +A return argument to include in the trace output. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    indexinteger + Position of the argument.
    +
    + Format: int32
    + Minimum: 0
    +
    true
    typeenum + Argument type.
    +
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    +
    true
    btfTypestring + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    +
    false
    labelstring + Label to output in the JSON
    +
    false
    maxDataboolean + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on
    +
    + Default: false
    +
    false
    resolvestring + Resolve the path to a specific attribute
    +
    + Default:
    +
    false
    returnCopyboolean + This field is used only for char_buf and char_iovec types. It indicates +that this argument should be read later (when the kretprobe for the +symbol is triggered) because it might not be populated when the kprobe +is triggered at the entrance of the function. For example, a buffer +supplied to read(2) won't have content until kretprobe is triggered.
    +
    + Default: false
    +
    false
    sizeArgIndexinteger + Specifies the position of the corresponding size argument for this argument. +This field is used only for char_buf and char_iovec types.
    +
    + Format: int32
    + Minimum: 0
    +
    false
    sourcestring + Source of the data, if missing the default if function arguments
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index] +[↩ Parent](#tracingpolicyspecuprobesindex) + + +KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The +results of MatchPIDs and MatchArgs are ANDed. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    macros[]string + A list of macros names, defined in spec.selectorsMacros. +Filters specified in macros will be appended to corresponding filters of the selector.
    +
    false
    matchActions[]object + A list of actions to execute when this selector matches
    +
    false
    matchArgs[]object + A list of argument filters. MatchArgs are ANDed.
    +
    false
    matchBinaries[]object + A list of binary exec name filters.
    +
    false
    matchCapabilities[]object + A list of capabilities and IDs
    +
    false
    matchCapabilityChanges[]object + IDs for capabilities changes
    +
    false
    matchData[]object + A list of argument filters. MatchData are ANDed.
    +
    false
    matchNamespaceChanges[]object + IDs for namespace changes
    +
    false
    matchNamespaces[]object + A list of namespaces and IDs
    +
    false
    matchPIDs[]object + A list of process ID filters. MatchPIDs are ANDed.
    +
    false
    matchParentBinaries[]object + A list of process parent exec name filters.
    +
    false
    matchReturnActions[]object + A list of actions to execute when MatchReturnArgs selector matches
    +
    false
    matchReturnArgs[]object + A list of argument filters. MatchArgs are ANDed.
    +
    false
    matchWorkloads[]object + Workloads to match
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchActions[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    actionenum + Action to execute. +NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to +be removed in version 1.5.
    +
    + Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    +
    true
    argErrorinteger + error value for override action
    +
    + Format: int32
    +
    false
    argFdinteger + An arg index for the fd for fdInstall action
    +
    + Format: int32
    +
    false
    argFqdnstring + A FQDN to lookup for the dnsLookup action
    +
    false
    argIndexinteger + An arg index for the set action
    +
    + Format: int32
    +
    false
    argNameinteger + An arg index for the filename for fdInstall action
    +
    + Format: int32
    +
    false
    argRegs[]string + An arg value for the regs action
    +
    false
    argSiginteger + A signal number for signal action
    +
    + Format: int32
    +
    false
    argSockinteger + An arg index for the sock for trackSock and untrackSock actions
    +
    + Format: int32
    +
    false
    argUrlstring + A URL for the getUrl action
    +
    false
    argValueinteger + An arg value for the set action
    +
    + Format: int32
    +
    false
    imaHashboolean + Enable collection of file hashes from integrity subsystem. +Only valid with the post action.
    +
    false
    kernelStackTraceboolean + Enable kernel stack trace export. Only valid with the post action.
    +
    false
    rateLimitstring + A time period within which repeated messages will not be posted. Can be +specified in seconds (default or with 's' suffix), minutes ('m' suffix) +or hours ('h' suffix). Only valid with the post action.
    +
    false
    rateLimitScopestring + The scope of the provided rate limit argument. Can be "thread" (default), +"process" (all threads for the same process), or "global". If "thread" is +selected then rate limiting applies per thread; if "process" is selected +then rate limiting applies per process; if "global" is selected then rate +limiting applies regardless of which process or thread caused the action. +Only valid with the post action and with a rateLimit specified.
    +
    false
    userStackTraceboolean + Enable user stack trace export. Only valid with the post action.
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchArgs[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    +
    true
    args[]integer + Position of the operator arguments (in spec file) to apply fhe filter to.
    +
    false
    indexinteger + Position of the argument (in function prototype) to apply fhe filter to.
    +
    + Format: int32
    + Minimum: 0
    +
    false
    values[]string + Value to compare the argument against.
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchBinaries[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    +
    true
    values[]string + Value to compare the argument against.
    +
    true
    followChildrenboolean + In addition to binaries, match children processes of specified binaries.
    +
    + Default: false
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchCapabilities[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Namespace selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]string + Capabilities to match.
    +
    true
    isNamespaceCapabilityboolean + Indicates whether these caps are namespace caps.
    +
    + Default: false
    +
    false
    typeenum + Type of capabilities
    +
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchCapabilityChanges[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Namespace selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]string + Capabilities to match.
    +
    true
    isNamespaceCapabilityboolean + Indicates whether these caps are namespace caps.
    +
    + Default: false
    +
    false
    typeenum + Type of capabilities
    +
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchData[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    +
    true
    args[]integer + Position of the operator arguments (in spec file) to apply fhe filter to.
    +
    false
    indexinteger + Position of the argument (in function prototype) to apply fhe filter to.
    +
    + Format: int32
    + Minimum: 0
    +
    false
    values[]string + Value to compare the argument against.
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchNamespaceChanges[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Namespace selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]string + Namespace types (e.g., Mnt, Pid) to match.
    +
    true
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchNamespaces[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    namespaceenum + Namespace selector name.
    +
    + Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    +
    true
    operatorenum + Namespace selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]string + Namespace IDs (or host_ns for host namespace) of namespaces to match.
    +
    true
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchPIDs[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + PID selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]integer + Process IDs to match.
    +
    true
    followForksboolean + Matches any descendant processes of the matching PIDs.
    +
    + Default: false
    +
    false
    isNamespacePIDboolean + Indicates whether PIDs are namespace PIDs.
    +
    + Default: false
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchParentBinaries[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    +
    true
    values[]string + Value to compare the argument against.
    +
    true
    followChildrenboolean + In addition to binaries, match children processes of specified binaries.
    +
    + Default: false
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchReturnActions[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    actionenum + Action to execute. +NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to +be removed in version 1.5.
    +
    + Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    +
    true
    argErrorinteger + error value for override action
    +
    + Format: int32
    +
    false
    argFdinteger + An arg index for the fd for fdInstall action
    +
    + Format: int32
    +
    false
    argFqdnstring + A FQDN to lookup for the dnsLookup action
    +
    false
    argIndexinteger + An arg index for the set action
    +
    + Format: int32
    +
    false
    argNameinteger + An arg index for the filename for fdInstall action
    +
    + Format: int32
    +
    false
    argRegs[]string + An arg value for the regs action
    +
    false
    argSiginteger + A signal number for signal action
    +
    + Format: int32
    +
    false
    argSockinteger + An arg index for the sock for trackSock and untrackSock actions
    +
    + Format: int32
    +
    false
    argUrlstring + A URL for the getUrl action
    +
    false
    argValueinteger + An arg value for the set action
    +
    + Format: int32
    +
    false
    imaHashboolean + Enable collection of file hashes from integrity subsystem. +Only valid with the post action.
    +
    false
    kernelStackTraceboolean + Enable kernel stack trace export. Only valid with the post action.
    +
    false
    rateLimitstring + A time period within which repeated messages will not be posted. Can be +specified in seconds (default or with 's' suffix), minutes ('m' suffix) +or hours ('h' suffix). Only valid with the post action.
    +
    false
    rateLimitScopestring + The scope of the provided rate limit argument. Can be "thread" (default), +"process" (all threads for the same process), or "global". If "thread" is +selected then rate limiting applies per thread; if "process" is selected +then rate limiting applies per process; if "global" is selected then rate +limiting applies regardless of which process or thread caused the action. +Only valid with the post action and with a rateLimit specified.
    +
    false
    userStackTraceboolean + Enable user stack trace export. Only valid with the post action.
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchReturnArgs[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    +
    true
    args[]integer + Position of the operator arguments (in spec file) to apply fhe filter to.
    +
    false
    indexinteger + Position of the argument (in function prototype) to apply fhe filter to.
    +
    + Format: int32
    + Minimum: 0
    +
    false
    values[]string + Value to compare the argument against.
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchWorkloads[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    containerSelectorobject + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
    +
    false
    hostSelectorobject + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.
    +
    + Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • +
    false
    podSelectorobject + PodSelector selects pods that this policy applies to
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchWorkloads[index].containerSelector +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindexmatchworkloadsindex) + + +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    +
    false
    matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindexmatchworkloadsindexcontainerselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    keystring + key is the label key that the selector applies to.
    +
    true
    operatorenum + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
    +
    + Enum: In, NotIn, Exists, DoesNotExist
    +
    true
    values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchWorkloads[index].hostSelector +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindexmatchworkloadsindex) + + +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    +
    false
    matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindexmatchworkloadsindexhostselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    keystring + key is the label key that the selector applies to.
    +
    true
    operatorenum + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
    +
    + Enum: In, NotIn, Exists, DoesNotExist
    +
    true
    values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchWorkloads[index].podSelector +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindexmatchworkloadsindex) + + +PodSelector selects pods that this policy applies to + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    +
    false
    matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    +
    false
    + + +### TracingPolicy.spec.uprobes[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspecuprobesindexselectorsindexmatchworkloadsindexpodselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    keystring + key is the label key that the selector applies to.
    +
    true
    operatorenum + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
    +
    + Enum: In, NotIn, Exists, DoesNotExist
    +
    true
    values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    +
    false
    + + +### TracingPolicy.spec.usdts[index] +[↩ Parent](#tracingpolicyspec) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    namestring + Usdt name
    +
    true
    pathstring + Name of the traced binary
    +
    true
    providerstring + Usdt provider name
    +
    true
    args[]object + A list of function arguments to include in the trace output.
    +
    false
    btfPathstring + path for a BTF file for the traced binary
    +
    false
    messagestring + A short message of 256 characters max that will be included +in the event output to inform users what is going on.
    +
    false
    selectors[]object + Selectors to apply before producing trace output. Selectors are ORed.
    +
    false
    tags[]string + Tags to categorize the event, will be include in the event output. +Maximum of 16 Tags are supported.
    +
    false
    + + +### TracingPolicy.spec.usdts[index].args[index] +[↩ Parent](#tracingpolicyspecusdtsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    indexinteger + Position of the argument.
    +
    + Format: int32
    + Minimum: 0
    +
    true
    typeenum + Argument type.
    +
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    +
    true
    btfTypestring + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    +
    false
    labelstring + Label to output in the JSON
    +
    false
    maxDataboolean + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on
    +
    + Default: false
    +
    false
    resolvestring + Resolve the path to a specific attribute
    +
    + Default:
    +
    false
    returnCopyboolean + This field is used only for char_buf and char_iovec types. It indicates +that this argument should be read later (when the kretprobe for the +symbol is triggered) because it might not be populated when the kprobe +is triggered at the entrance of the function. For example, a buffer +supplied to read(2) won't have content until kretprobe is triggered.
    +
    + Default: false
    +
    false
    sizeArgIndexinteger + Specifies the position of the corresponding size argument for this argument. +This field is used only for char_buf and char_iovec types.
    +
    + Format: int32
    + Minimum: 0
    +
    false
    sourcestring + Source of the data, if missing the default if function arguments
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index] +[↩ Parent](#tracingpolicyspecusdtsindex) + + +KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The +results of MatchPIDs and MatchArgs are ANDed. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    macros[]string + A list of macros names, defined in spec.selectorsMacros. +Filters specified in macros will be appended to corresponding filters of the selector.
    +
    false
    matchActions[]object + A list of actions to execute when this selector matches
    +
    false
    matchArgs[]object + A list of argument filters. MatchArgs are ANDed.
    +
    false
    matchBinaries[]object + A list of binary exec name filters.
    +
    false
    matchCapabilities[]object + A list of capabilities and IDs
    +
    false
    matchCapabilityChanges[]object + IDs for capabilities changes
    +
    false
    matchData[]object + A list of argument filters. MatchData are ANDed.
    +
    false
    matchNamespaceChanges[]object + IDs for namespace changes
    +
    false
    matchNamespaces[]object + A list of namespaces and IDs
    +
    false
    matchPIDs[]object + A list of process ID filters. MatchPIDs are ANDed.
    +
    false
    matchParentBinaries[]object + A list of process parent exec name filters.
    +
    false
    matchReturnActions[]object + A list of actions to execute when MatchReturnArgs selector matches
    +
    false
    matchReturnArgs[]object + A list of argument filters. MatchArgs are ANDed.
    +
    false
    matchWorkloads[]object + Workloads to match
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchActions[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    actionenum + Action to execute. +NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to +be removed in version 1.5.
    +
    + Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    +
    true
    argErrorinteger + error value for override action
    +
    + Format: int32
    +
    false
    argFdinteger + An arg index for the fd for fdInstall action
    +
    + Format: int32
    +
    false
    argFqdnstring + A FQDN to lookup for the dnsLookup action
    +
    false
    argIndexinteger + An arg index for the set action
    +
    + Format: int32
    +
    false
    argNameinteger + An arg index for the filename for fdInstall action
    +
    + Format: int32
    +
    false
    argRegs[]string + An arg value for the regs action
    +
    false
    argSiginteger + A signal number for signal action
    +
    + Format: int32
    +
    false
    argSockinteger + An arg index for the sock for trackSock and untrackSock actions
    +
    + Format: int32
    +
    false
    argUrlstring + A URL for the getUrl action
    +
    false
    argValueinteger + An arg value for the set action
    +
    + Format: int32
    +
    false
    imaHashboolean + Enable collection of file hashes from integrity subsystem. +Only valid with the post action.
    +
    false
    kernelStackTraceboolean + Enable kernel stack trace export. Only valid with the post action.
    +
    false
    rateLimitstring + A time period within which repeated messages will not be posted. Can be +specified in seconds (default or with 's' suffix), minutes ('m' suffix) +or hours ('h' suffix). Only valid with the post action.
    +
    false
    rateLimitScopestring + The scope of the provided rate limit argument. Can be "thread" (default), +"process" (all threads for the same process), or "global". If "thread" is +selected then rate limiting applies per thread; if "process" is selected +then rate limiting applies per process; if "global" is selected then rate +limiting applies regardless of which process or thread caused the action. +Only valid with the post action and with a rateLimit specified.
    +
    false
    userStackTraceboolean + Enable user stack trace export. Only valid with the post action.
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchArgs[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    +
    true
    args[]integer + Position of the operator arguments (in spec file) to apply fhe filter to.
    +
    false
    indexinteger + Position of the argument (in function prototype) to apply fhe filter to.
    +
    + Format: int32
    + Minimum: 0
    +
    false
    values[]string + Value to compare the argument against.
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchBinaries[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    +
    true
    values[]string + Value to compare the argument against.
    +
    true
    followChildrenboolean + In addition to binaries, match children processes of specified binaries.
    +
    + Default: false
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchCapabilities[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Namespace selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]string + Capabilities to match.
    +
    true
    isNamespaceCapabilityboolean + Indicates whether these caps are namespace caps.
    +
    + Default: false
    +
    false
    typeenum + Type of capabilities
    +
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchCapabilityChanges[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Namespace selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]string + Capabilities to match.
    +
    true
    isNamespaceCapabilityboolean + Indicates whether these caps are namespace caps.
    +
    + Default: false
    +
    false
    typeenum + Type of capabilities
    +
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchData[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    +
    true
    args[]integer + Position of the operator arguments (in spec file) to apply fhe filter to.
    +
    false
    indexinteger + Position of the argument (in function prototype) to apply fhe filter to.
    +
    + Format: int32
    + Minimum: 0
    +
    false
    values[]string + Value to compare the argument against.
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchNamespaceChanges[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Namespace selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]string + Namespace types (e.g., Mnt, Pid) to match.
    +
    true
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchNamespaces[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    namespaceenum + Namespace selector name.
    +
    + Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    +
    true
    operatorenum + Namespace selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]string + Namespace IDs (or host_ns for host namespace) of namespaces to match.
    +
    true
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchPIDs[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + PID selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]integer + Process IDs to match.
    +
    true
    followForksboolean + Matches any descendant processes of the matching PIDs.
    +
    + Default: false
    +
    false
    isNamespacePIDboolean + Indicates whether PIDs are namespace PIDs.
    +
    + Default: false
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchParentBinaries[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    +
    true
    values[]string + Value to compare the argument against.
    +
    true
    followChildrenboolean + In addition to binaries, match children processes of specified binaries.
    +
    + Default: false
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchReturnActions[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    actionenum + Action to execute. +NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to +be removed in version 1.5.
    +
    + Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    +
    true
    argErrorinteger + error value for override action
    +
    + Format: int32
    +
    false
    argFdinteger + An arg index for the fd for fdInstall action
    +
    + Format: int32
    +
    false
    argFqdnstring + A FQDN to lookup for the dnsLookup action
    +
    false
    argIndexinteger + An arg index for the set action
    +
    + Format: int32
    +
    false
    argNameinteger + An arg index for the filename for fdInstall action
    +
    + Format: int32
    +
    false
    argRegs[]string + An arg value for the regs action
    +
    false
    argSiginteger + A signal number for signal action
    +
    + Format: int32
    +
    false
    argSockinteger + An arg index for the sock for trackSock and untrackSock actions
    +
    + Format: int32
    +
    false
    argUrlstring + A URL for the getUrl action
    +
    false
    argValueinteger + An arg value for the set action
    +
    + Format: int32
    +
    false
    imaHashboolean + Enable collection of file hashes from integrity subsystem. +Only valid with the post action.
    +
    false
    kernelStackTraceboolean + Enable kernel stack trace export. Only valid with the post action.
    +
    false
    rateLimitstring + A time period within which repeated messages will not be posted. Can be +specified in seconds (default or with 's' suffix), minutes ('m' suffix) +or hours ('h' suffix). Only valid with the post action.
    +
    false
    rateLimitScopestring + The scope of the provided rate limit argument. Can be "thread" (default), +"process" (all threads for the same process), or "global". If "thread" is +selected then rate limiting applies per thread; if "process" is selected +then rate limiting applies per process; if "global" is selected then rate +limiting applies regardless of which process or thread caused the action. +Only valid with the post action and with a rateLimit specified.
    +
    false
    userStackTraceboolean + Enable user stack trace export. Only valid with the post action.
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchReturnArgs[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    +
    true
    args[]integer + Position of the operator arguments (in spec file) to apply fhe filter to.
    +
    false
    indexinteger + Position of the argument (in function prototype) to apply fhe filter to.
    +
    + Format: int32
    + Minimum: 0
    +
    false
    values[]string + Value to compare the argument against.
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchWorkloads[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    containerSelectorobject + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
    +
    false
    hostSelectorobject + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.
    +
    + Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • +
    false
    podSelectorobject + PodSelector selects pods that this policy applies to
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchWorkloads[index].containerSelector +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindexmatchworkloadsindex) + + +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    +
    false
    matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindexmatchworkloadsindexcontainerselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    keystring + key is the label key that the selector applies to.
    +
    true
    operatorenum + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
    +
    + Enum: In, NotIn, Exists, DoesNotExist
    +
    true
    values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchWorkloads[index].hostSelector +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindexmatchworkloadsindex) + + +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    +
    false
    matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindexmatchworkloadsindexhostselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    keystring + key is the label key that the selector applies to.
    +
    true
    operatorenum + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
    +
    + Enum: In, NotIn, Exists, DoesNotExist
    +
    true
    values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchWorkloads[index].podSelector +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindexmatchworkloadsindex) + + +PodSelector selects pods that this policy applies to + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    +
    false
    matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    +
    false
    + + +### TracingPolicy.spec.usdts[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicyspecusdtsindexselectorsindexmatchworkloadsindexpodselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    keystring + key is the label key that the selector applies to.
    +
    true
    operatorenum + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
    +
    + Enum: In, NotIn, Exists, DoesNotExist
    +
    true
    values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    +
    false
    + +## TracingPolicyNamespaced +[↩ Parent](#ciliumiov1alpha1 ) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - +
    NameTypeDescriptionRequired
    apiVersionstringcilium.io/v1alpha1true
    kindstringTracingPolicyNamespacedtrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - Source of the data, if missing the default if function arguments
    + Tracing policy specification.
    falsetrue
    -### TracingPolicy.spec.uprobes[index].selectors[index] -[↩ Parent](#tracingpolicyspecuprobesindex) +### TracingPolicyNamespaced.spec +[↩ Parent](#tracingpolicynamespaced) -KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The -results of MatchPIDs and MatchArgs are ANDed. +Tracing policy specification. @@ -6817,106 +10986,122 @@ results of MatchPIDs and MatchArgs are ANDed. - - + + - + - + - - + + - + - + - - + + - + - + - - + + - + + + + + + - + - +
    macros[]stringcontainerSelectorobject - A list of macros names, defined in spec.selectorsMacros. -Filters specified in macros will be appended to corresponding filters of the selector.
    + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
    false
    matchActionsenforcers []object - A list of actions to execute when this selector matches
    + A enforcer spec.
    false
    matchArgsfentries []object - A list of argument filters. MatchArgs are ANDed.
    + A list of fentry specs.
    false
    matchBinaries[]objecthostSelectorobject - A list of binary exec name filters.
    + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.
    +
    + Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • false
    matchCapabilitieskprobes []object - A list of capabilities and IDs
    + A list of kprobe specs.
    false
    matchCapabilityChangeslists []object - IDs for capabilities changes
    + A list of list specs.
    false
    matchData[]objectloaderboolean - A list of argument filters. MatchData are ANDed.
    + Enable loader events
    false
    matchNamespaceChangeslsmhooks []object - IDs for namespace changes
    + A list of uprobe specs.
    false
    matchNamespacesoptions []object - A list of namespaces and IDs
    + A list of overloaded options
    false
    matchPIDs[]objectpodSelectorobject - A list of process ID filters. MatchPIDs are ANDed.
    + PodSelector selects pods that this policy applies to
    false
    matchParentBinariesselectorsMacrosmap[string]object + SelectorsMacros is used to define selectors macros, which can be used +in probes/hooks selectors by their names.
    +
    false
    tracepoints []object - A list of process parent exec name filters.
    + A list of tracepoint specs.
    false
    matchReturnActionsuprobes []object - A list of actions to execute when MatchReturnArgs selector matches
    + A list of uprobe specs.
    false
    matchReturnArgsusdts []object - A list of argument filters. MatchArgs are ANDed.
    + A list of usdt specs.
    false
    -### TracingPolicy.spec.uprobes[index].selectors[index].matchActions[index] -[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) - +### TracingPolicyNamespaced.spec.containerSelector +[↩ Parent](#tracingpolicynamespacedspec) +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. @@ -6928,149 +11113,74 @@ Filters specified in macros will be appended to corresponding filters of the sel - - - - - - - + + - - + + - - + +
    actionenum - Action to execute. -NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to -be removed in version 1.5.
    -
    - Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    -
    true
    argErrorintegermatchExpressions[]object - error value for override action
    -
    - Format: int32
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    argFdintegermatchLabelsmap[string]string - An arg index for the fd for fdInstall action
    -
    - Format: int32
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    argFqdn
    + + +### TracingPolicyNamespaced.spec.containerSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspeccontainerselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + - - - - - - + - - + + - + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    key string - A FQDN to lookup for the dnsLookup action
    -
    false
    argIndexinteger - An arg index for the set action
    -
    - Format: int32
    + key is the label key that the selector applies to.
    falsetrue
    argNameintegeroperatorenum - An arg index for the filename for fdInstall action
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Format: int32
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    argRegsvalues []string - An arg value for the regs action
    -
    false
    argSiginteger - A signal number for signal action
    -
    - Format: int32
    -
    false
    argSockinteger - An arg index for the sock for trackSock and untrackSock actions
    -
    - Format: int32
    -
    false
    argUrlstring - A URL for the getUrl action
    -
    false
    argValueinteger - An arg value for the set action
    -
    - Format: int32
    -
    false
    imaHashboolean - Enable collection of file hashes from integrity subsystem. -Only valid with the post action.
    -
    false
    kernelStackTraceboolean - Enable kernel stack trace export. Only valid with the post action.
    -
    false
    rateLimitstring - A time period within which repeated messages will not be posted. Can be -specified in seconds (default or with 's' suffix), minutes ('m' suffix) -or hours ('h' suffix). Only valid with the post action.
    -
    false
    rateLimitScopestring - The scope of the provided rate limit argument. Can be "thread" (default), -"process" (all threads for the same process), or "global". If "thread" is -selected then rate limiting applies per thread; if "process" is selected -then rate limiting applies per process; if "global" is selected then rate -limiting applies regardless of which process or thread caused the action. -Only valid with the post action and with a rateLimit specified.
    -
    false
    userStackTraceboolean - Enable user stack trace export. Only valid with the post action.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    -### TracingPolicy.spec.uprobes[index].selectors[index].matchArgs[index] -[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.enforcers[index] +[↩ Parent](#tracingpolicynamespacedspec) @@ -7085,44 +11195,18 @@ Only valid with the post action and with a rateLimit specified.
    - operator - enum - - Filter operation.
    -
    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    - - true - - args - []integer - - Position of the operator arguments (in spec file) to apply fhe filter to.
    - - false - - index - integer - - Position of the argument (in function prototype) to apply fhe filter to.
    -
    - Format: int32
    - Minimum: 0
    - - false - - values + calls []string - Value to compare the argument against.
    + Calls where enforcer is executed in
    - false + true -### TracingPolicy.spec.uprobes[index].selectors[index].matchBinaries[index] -[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.fentries[index] +[↩ Parent](#tracingpolicynamespacedspec) @@ -7137,36 +11221,96 @@ Only valid with the post action and with a rateLimit specified.
    - operator - enum + call + string - Filter operation.
    -
    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    + Name of the function to apply the kprobe spec to.
    true - values - []string + args + []object - Value to compare the argument against.
    + A list of function arguments to include in the trace output.
    - true + false - followChildren + data + []object + + A list of data to include in the trace output.
    + + false + + ignore + object + + Conditions for ignoring this kprobe
    + + false + + message + string + + A short message of 256 characters max that will be included +in the event output to inform users what is going on.
    + + false + + return boolean - In addition to binaries, match children processes of specified binaries.
    + Indicates whether to collect return value of the traced function.

    Default: false
    false + + returnArg + object + + A return argument to include in the trace output.
    + + false + + returnArgAction + string + + An action to perform on the return value. +Use returnArg to include the return value in the event output. +Supported actions are: TrackSock;UntrackSock
    + + false + + selectors + []object + + Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
    + + false + + syscall + boolean + + Indicates whether the traced function is a syscall.
    +
    + Default: true
    + + false + + tags + []string + + Tags to categorize the event, will be include in the event output. +Maximum of 16 Tags are supported.
    + + false -### TracingPolicy.spec.uprobes[index].selectors[index].matchCapabilities[index] -[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.fentries[index].args[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindex) @@ -7181,46 +11325,99 @@ Only valid with the post action and with a rateLimit specified.
    - operator - enum + index + integer - Namespace selector operator.
    + Position of the argument.

    - Enum: In, NotIn
    + Format: int32
    + Minimum: 0
    true - values - []string + type + enum - Capabilities to match.
    + Argument type.
    +
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    true - isNamespaceCapability + btfType + string + + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    + + false + + label + string + + Label to output in the JSON
    + + false + + maxData boolean - Indicates whether these caps are namespace caps.
    + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on

    Default: false
    false - type - enum + resolve + string - Type of capabilities
    + Resolve the path to a specific attribute

    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    + Default:
    + + false + + returnCopy + boolean + + This field is used only for char_buf and char_iovec types. It indicates +that this argument should be read later (when the kretprobe for the +symbol is triggered) because it might not be populated when the kprobe +is triggered at the entrance of the function. For example, a buffer +supplied to read(2) won't have content until kretprobe is triggered.
    +
    + Default: false
    + + false + + sizeArgIndex + integer + + Specifies the position of the corresponding size argument for this argument. +This field is used only for char_buf and char_iovec types.
    +
    + Format: int32
    + Minimum: 0
    + + false + + source + string + + Source of the data, if missing the default if function arguments
    false -### TracingPolicy.spec.uprobes[index].selectors[index].matchCapabilityChanges[index] -[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.fentries[index].data[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindex) @@ -7235,101 +11432,102 @@ Only valid with the post action and with a rateLimit specified.
    - operator - enum + index + integer - Namespace selector operator.
    + Position of the argument.

    - Enum: In, NotIn
    + Format: int32
    + Minimum: 0
    true - values - []string + type + enum - Capabilities to match.
    + Argument type.
    +
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    true - isNamespaceCapability + btfType + string + + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    + + false + + label + string + + Label to output in the JSON
    + + false + + maxData boolean - Indicates whether these caps are namespace caps.
    + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on

    Default: false
    false - type - enum + resolve + string - Type of capabilities
    + Resolve the path to a specific attribute

    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    + Default:
    false - - - - -### TracingPolicy.spec.uprobes[index].selectors[index].matchData[index] -[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) - - - - - - - - - - - - - - - - - - - - + + - + - - + +
    NameTypeDescriptionRequired
    operatorenum - Filter operation.
    -
    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    -
    true
    args[]integerreturnCopyboolean - Position of the operator arguments (in spec file) to apply fhe filter to.
    + This field is used only for char_buf and char_iovec types. It indicates +that this argument should be read later (when the kretprobe for the +symbol is triggered) because it might not be populated when the kprobe +is triggered at the entrance of the function. For example, a buffer +supplied to read(2) won't have content until kretprobe is triggered.
    +
    + Default: false
    false
    indexsizeArgIndex integer - Position of the argument (in function prototype) to apply fhe filter to.
    + Specifies the position of the corresponding size argument for this argument. +This field is used only for char_buf and char_iovec types.

    Format: int32
    Minimum: 0
    false
    values[]stringsourcestring - Value to compare the argument against.
    + Source of the data, if missing the default if function arguments
    false
    -### TracingPolicy.spec.uprobes[index].selectors[index].matchNamespaceChanges[index] -[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) - +### TracingPolicyNamespaced.spec.fentries[index].ignore +[↩ Parent](#tracingpolicynamespacedspecfentriesindex) +Conditions for ignoring this kprobe @@ -7341,30 +11539,21 @@ Only valid with the post action and with a rateLimit specified.
    - - - - - - - + + - +
    operatorenum - Namespace selector operator.
    -
    - Enum: In, NotIn
    -
    true
    values[]stringcallNotFoundboolean - Namespace types (e.g., Mnt, Pid) to match.
    + Ignores calls that are not present in the system
    truefalse
    -### TracingPolicy.spec.uprobes[index].selectors[index].matchNamespaces[index] -[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) - +### TracingPolicyNamespaced.spec.fentries[index].returnArg +[↩ Parent](#tracingpolicynamespacedspecfentriesindex) +A return argument to include in the trace output. @@ -7376,39 +11565,103 @@ Only valid with the post action and with a rateLimit specified.
    - - + + - + - - + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    namespaceenumindexinteger - Namespace selector name.
    + Position of the argument.

    - Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    + Format: int32
    + Minimum: 0
    true
    operatortype enum - Namespace selector operator.
    + Argument type.

    - Enum: In, NotIn
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    true
    values[]stringbtfTypestring - Namespace IDs (or host_ns for host namespace) of namespaces to match.
    + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    truefalse
    labelstring + Label to output in the JSON
    +
    false
    maxDataboolean + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on
    +
    + Default: false
    +
    false
    resolvestring + Resolve the path to a specific attribute
    +
    + Default:
    +
    false
    returnCopyboolean + This field is used only for char_buf and char_iovec types. It indicates +that this argument should be read later (when the kretprobe for the +symbol is triggered) because it might not be populated when the kprobe +is triggered at the entrance of the function. For example, a buffer +supplied to read(2) won't have content until kretprobe is triggered.
    +
    + Default: false
    +
    false
    sizeArgIndexinteger + Specifies the position of the corresponding size argument for this argument. +This field is used only for char_buf and char_iovec types.
    +
    + Format: int32
    + Minimum: 0
    +
    false
    sourcestring + Source of the data, if missing the default if function arguments
    +
    false
    -### TracingPolicy.spec.uprobes[index].selectors[index].matchPIDs[index] -[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) - +### TracingPolicyNamespaced.spec.fentries[index].selectors[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindex) +KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The +results of MatchPIDs and MatchArgs are ANDed. @@ -7420,89 +11673,110 @@ Only valid with the post action and with a rateLimit specified.
    - - + + - + - - + + - + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - -
    operatorenummacros[]string - PID selector operator.
    -
    - Enum: In, NotIn
    + A list of macros names, defined in spec.selectorsMacros. +Filters specified in macros will be appended to corresponding filters of the selector.
    truefalse
    values[]integermatchActions[]object - Process IDs to match.
    + A list of actions to execute when this selector matches
    truefalse
    followForksbooleanmatchArgs[]object - Matches any descendant processes of the matching PIDs.
    -
    - Default: false
    + A list of argument filters. MatchArgs are ANDed.
    +
    false
    matchBinaries[]object + A list of binary exec name filters.
    +
    false
    matchCapabilities[]object + A list of capabilities and IDs
    +
    false
    matchCapabilityChanges[]object + IDs for capabilities changes
    +
    false
    matchData[]object + A list of argument filters. MatchData are ANDed.
    +
    false
    matchNamespaceChanges[]object + IDs for namespace changes
    +
    false
    matchNamespaces[]object + A list of namespaces and IDs
    +
    false
    matchPIDs[]object + A list of process ID filters. MatchPIDs are ANDed.
    false
    isNamespacePIDbooleanmatchParentBinaries[]object - Indicates whether PIDs are namespace PIDs.
    -
    - Default: false
    + A list of process parent exec name filters.
    false
    - - -### TracingPolicy.spec.uprobes[index].selectors[index].matchParentBinaries[index] -[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) - - - - - - - - - - - - - - - - + + + - + - - + + - + - - + +
    NameTypeDescriptionRequired
    operatorenum
    matchReturnActions[]object - Filter operation.
    -
    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    + A list of actions to execute when MatchReturnArgs selector matches
    truefalse
    values[]stringmatchReturnArgs[]object - Value to compare the argument against.
    + A list of argument filters. MatchArgs are ANDed.
    truefalse
    followChildrenbooleanmatchWorkloads[]object - In addition to binaries, match children processes of specified binaries.
    -
    - Default: false
    + Workloads to match
    false
    -### TracingPolicy.spec.uprobes[index].selectors[index].matchReturnActions[index] -[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchActions[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) @@ -7648,18 +11922,222 @@ Only valid with the post action and with a rateLimit specified.
    false - userStackTrace - boolean + userStackTrace + boolean + + Enable user stack trace export. Only valid with the post action.
    + + false + + + + +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchArgs[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    +
    true
    args[]integer + Position of the operator arguments (in spec file) to apply fhe filter to.
    +
    false
    indexinteger + Position of the argument (in function prototype) to apply fhe filter to.
    +
    + Format: int32
    + Minimum: 0
    +
    false
    values[]string + Value to compare the argument against.
    +
    false
    + + +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchBinaries[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    +
    true
    values[]string + Value to compare the argument against.
    +
    true
    followChildrenboolean + In addition to binaries, match children processes of specified binaries.
    +
    + Default: false
    +
    false
    + + +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchCapabilities[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Namespace selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]string + Capabilities to match.
    +
    true
    isNamespaceCapabilityboolean + Indicates whether these caps are namespace caps.
    +
    + Default: false
    +
    false
    typeenum + Type of capabilities
    +
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    +
    false
    + + +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchCapabilityChanges[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Namespace selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]string + Capabilities to match.
    +
    true
    isNamespaceCapabilityboolean + Indicates whether these caps are namespace caps.
    +
    + Default: false
    +
    false
    typeenum - Enable user stack trace export. Only valid with the post action.
    + Type of capabilities
    +
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    false
    -### TracingPolicy.spec.uprobes[index].selectors[index].matchReturnArgs[index] -[↩ Parent](#tracingpolicyspecuprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchData[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) @@ -7710,8 +12188,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicy.spec.usdts[index] -[↩ Parent](#tracingpolicyspec) +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchNamespaceChanges[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) @@ -7726,69 +12204,27 @@ Only valid with the post action and with a rateLimit specified.
    - name - string - - Usdt name
    - - true - - path - string - - Name of the traced binary
    - - true - - provider - string + operator + enum - Usdt provider name
    + Namespace selector operator.
    +
    + Enum: In, NotIn
    true - args - []object - - A list of function arguments to include in the trace output.
    - - false - - btfPath - string - - path for a BTF file for the traced binary
    - - false - - message - string - - A short message of 256 characters max that will be included -in the event output to inform users what is going on.
    - - false - - selectors - []object - - Selectors to apply before producing trace output. Selectors are ORed.
    - - false - - tags + values []string - Tags to categorize the event, will be include in the event output. -Maximum of 16 Tags are supported.
    + Namespace types (e.g., Mnt, Pid) to match.
    - false + true -### TracingPolicy.spec.usdts[index].args[index] -[↩ Parent](#tracingpolicyspecusdtsindex) +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchNamespaces[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) @@ -7803,103 +12239,39 @@ Maximum of 16 Tags are supported.
    - index - integer + namespace + enum - Position of the argument.
    + Namespace selector name.

    - Format: int32
    - Minimum: 0
    + Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    true - type + operator enum - Argument type.
    + Namespace selector operator.

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Enum: In, NotIn
    true - btfType - string - - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    - - false - - label - string - - Label to output in the JSON
    - - false - - maxData - boolean - - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    -
    - Default: false
    - - false - - resolve - string - - Resolve the path to a specific attribute
    -
    - Default:
    - - false - - returnCopy - boolean - - This field is used only for char_buf and char_iovec types. It indicates -that this argument should be read later (when the kretprobe for the -symbol is triggered) because it might not be populated when the kprobe -is triggered at the entrance of the function. For example, a buffer -supplied to read(2) won't have content until kretprobe is triggered.
    -
    - Default: false
    - - false - - sizeArgIndex - integer - - Specifies the position of the corresponding size argument for this argument. -This field is used only for char_buf and char_iovec types.
    -
    - Format: int32
    - Minimum: 0
    - - false - - source - string + values + []string - Source of the data, if missing the default if function arguments
    + Namespace IDs (or host_ns for host namespace) of namespaces to match.
    - false + true -### TracingPolicy.spec.usdts[index].selectors[index] -[↩ Parent](#tracingpolicyspecusdtsindex) +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchPIDs[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) + -KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The -results of MatchPIDs and MatchArgs are ANDed. @@ -7911,103 +12283,89 @@ results of MatchPIDs and MatchArgs are ANDed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - + - - + + - + - - + + - - + + - - - + +
    macros[]string - A list of macros names, defined in spec.selectorsMacros. -Filters specified in macros will be appended to corresponding filters of the selector.
    -
    false
    matchActions[]object - A list of actions to execute when this selector matches
    -
    false
    matchArgs[]object - A list of argument filters. MatchArgs are ANDed.
    -
    false
    matchBinaries[]object - A list of binary exec name filters.
    -
    false
    matchCapabilities[]object - A list of capabilities and IDs
    -
    false
    matchCapabilityChanges[]object - IDs for capabilities changes
    -
    false
    matchData[]objectoperatorenum - A list of argument filters. MatchData are ANDed.
    + PID selector operator.
    +
    + Enum: In, NotIn
    falsetrue
    matchNamespaceChanges[]objectvalues[]integer - IDs for namespace changes
    + Process IDs to match.
    falsetrue
    matchNamespaces[]objectfollowForksboolean - A list of namespaces and IDs
    + Matches any descendant processes of the matching PIDs.
    +
    + Default: false
    false
    matchPIDs[]objectisNamespacePIDboolean - A list of process ID filters. MatchPIDs are ANDed.
    + Indicates whether PIDs are namespace PIDs.
    +
    + Default: false
    false
    matchParentBinaries[]object
    + + +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchParentBinaries[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) + + + + + + + + + + + + + + + + - + - - + + - + - - + +
    NameTypeDescriptionRequired
    operatorenum - A list of process parent exec name filters.
    + Filter operation.
    +
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    falsetrue
    matchReturnActions[]objectvalues[]string - A list of actions to execute when MatchReturnArgs selector matches
    + Value to compare the argument against.
    falsetrue
    matchReturnArgs[]objectfollowChildrenboolean - A list of argument filters. MatchArgs are ANDed.
    + In addition to binaries, match children processes of specified binaries.
    +
    + Default: false
    false
    -### TracingPolicy.spec.usdts[index].selectors[index].matchActions[index] -[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchReturnActions[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) @@ -8163,8 +12521,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicy.spec.usdts[index].selectors[index].matchArgs[index] -[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchReturnArgs[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) @@ -8215,8 +12573,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicy.spec.usdts[index].selectors[index].matchBinaries[index] -[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchWorkloads[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) @@ -8231,40 +12589,81 @@ Only valid with the post action and with a rateLimit specified.
    - operator - enum + containerSelector + object - Filter operation.
    -
    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
    - true + false - values - []string + hostSelector + object - Value to compare the argument against.
    + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.
    +
    + Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • - true + false - followChildren - boolean + podSelector + object - In addition to binaries, match children processes of specified binaries.
    -
    - Default: false
    + PodSelector selects pods that this policy applies to
    false -### TracingPolicy.spec.usdts[index].selectors[index].matchCapabilities[index] -[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchWorkloads[index].containerSelector +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindexmatchworkloadsindex) + + +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    +
    false
    matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    +
    false
    +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindexmatchworkloadsindexcontainerselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + @@ -8275,49 +12674,78 @@ Only valid with the post action and with a rateLimit specified.
    + + + + + - - - - + + +
    keystring + key is the label key that the selector applies to.
    +
    true
    operator enum - Namespace selector operator.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: In, NotIn
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    values []string - Capabilities to match.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    true
    isNamespaceCapabilitybooleanfalse
    + + +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchWorkloads[index].hostSelector +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindexmatchworkloadsindex) + + +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. + + + + + + + + + + + + + - - + +
    NameTypeDescriptionRequired
    matchExpressions[]object - Indicates whether these caps are namespace caps.
    -
    - Default: false
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    typeenummatchLabelsmap[string]string - Type of capabilities
    -
    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicy.spec.usdts[index].selectors[index].matchCapabilityChanges[index] -[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) - +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindexmatchworkloadsindexhostselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -8329,49 +12757,77 @@ Only valid with the post action and with a rateLimit specified.
    + + + + + - - - - + + +
    keystring + key is the label key that the selector applies to.
    +
    true
    operator enum - Namespace selector operator.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: In, NotIn
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    values []string - Capabilities to match.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    true
    isNamespaceCapabilitybooleanfalse
    + + +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchWorkloads[index].podSelector +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindexmatchworkloadsindex) + + +PodSelector selects pods that this policy applies to + + + + + + + + + + + + + - - + +
    NameTypeDescriptionRequired
    matchExpressions[]object - Indicates whether these caps are namespace caps.
    -
    - Default: false
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    typeenummatchLabelsmap[string]string - Type of capabilities
    -
    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicy.spec.usdts[index].selectors[index].matchData[index] -[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) - +### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindexmatchworkloadsindexpodselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -8383,47 +12839,42 @@ Only valid with the post action and with a rateLimit specified.
    - - - - - - - + + - + - - + + - +
    operatorenum - Filter operation.
    -
    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    -
    true
    args[]integerkeystring - Position of the operator arguments (in spec file) to apply fhe filter to.
    + key is the label key that the selector applies to.
    falsetrue
    indexintegeroperatorenum - Position of the argument (in function prototype) to apply fhe filter to.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Format: int32
    - Minimum: 0
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    values []string - Value to compare the argument against.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    -### TracingPolicy.spec.usdts[index].selectors[index].matchNamespaceChanges[index] -[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) - +### TracingPolicyNamespaced.spec.hostSelector +[↩ Parent](#tracingpolicynamespacedspec) +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. @@ -8435,30 +12886,31 @@ Only valid with the post action and with a rateLimit specified.
    - - + + - + - - + + - +
    operatorenummatchExpressions[]object - Namespace selector operator.
    -
    - Enum: In, NotIn
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    truefalse
    values[]stringmatchLabelsmap[string]string - Namespace types (e.g., Mnt, Pid) to match.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    truefalse
    -### TracingPolicy.spec.usdts[index].selectors[index].matchNamespaces[index] -[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) - +### TracingPolicyNamespaced.spec.hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspechostselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -8470,36 +12922,38 @@ Only valid with the post action and with a rateLimit specified.
    - - + + - +
    namespaceenumkeystring - Namespace selector name.
    -
    - Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    + key is the label key that the selector applies to.
    true
    operator enum - Namespace selector operator.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: In, NotIn
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    values []string - Namespace IDs (or host_ns for host namespace) of namespaces to match.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    truefalse
    -### TracingPolicy.spec.usdts[index].selectors[index].matchPIDs[index] -[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) +### TracingPolicyNamespaced.spec.kprobes[index] +[↩ Parent](#tracingpolicynamespacedspec) @@ -8514,89 +12968,96 @@ Only valid with the post action and with a rateLimit specified.
    - operator - enum + call + string - PID selector operator.
    -
    - Enum: In, NotIn
    + Name of the function to apply the kprobe spec to.
    true - values - []integer + args + []object - Process IDs to match.
    + A list of function arguments to include in the trace output.
    - true + false - followForks - boolean + data + []object - Matches any descendant processes of the matching PIDs.
    -
    - Default: false
    + A list of data to include in the trace output.
    false - isNamespacePID + ignore + object + + Conditions for ignoring this kprobe
    + + false + + message + string + + A short message of 256 characters max that will be included +in the event output to inform users what is going on.
    + + false + + return boolean - Indicates whether PIDs are namespace PIDs.
    + Indicates whether to collect return value of the traced function.

    Default: false
    false - - - - -### TracingPolicy.spec.usdts[index].selectors[index].matchParentBinaries[index] -[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) - - - - - - - - - - - - - - - - + + + - + - - + + - + - + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum
    returnArgobject - Filter operation.
    -
    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    + A return argument to include in the trace output.
    truefalse
    values[]stringreturnArgActionstring - Value to compare the argument against.
    + An action to perform on the return value. +Use returnArg to include the return value in the event output. +Supported actions are: TrackSock;UntrackSock
    truefalse
    followChildrenselectors[]object + Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
    +
    false
    syscall boolean - In addition to binaries, match children processes of specified binaries.
    + Indicates whether the traced function is a syscall.

    - Default: false
    + Default: true
    +
    false
    tags[]string + Tags to categorize the event, will be include in the event output. +Maximum of 16 Tags are supported.
    false
    -### TracingPolicy.spec.usdts[index].selectors[index].matchReturnActions[index] -[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) +### TracingPolicyNamespaced.spec.kprobes[index].args[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindex) @@ -8611,152 +13072,235 @@ Only valid with the post action and with a rateLimit specified.
    - action - enum + index + integer - Action to execute. -NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to -be removed in version 1.5.
    + Position of the argument.

    - Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    + Format: int32
    + Minimum: 0
    true - argError - integer + type + enum - error value for override action
    + Argument type.

    - Format: int32
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    + + true + + btfType + string + + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    false - argFd - integer + label + string - An arg index for the fd for fdInstall action
    + Label to output in the JSON
    + + false + + maxData + boolean + + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on

    - Format: int32
    + Default: false
    false - argFqdn + resolve string - A FQDN to lookup for the dnsLookup action
    + Resolve the path to a specific attribute
    +
    + Default:
    false - argIndex - integer + returnCopy + boolean - An arg index for the set action
    + This field is used only for char_buf and char_iovec types. It indicates +that this argument should be read later (when the kretprobe for the +symbol is triggered) because it might not be populated when the kprobe +is triggered at the entrance of the function. For example, a buffer +supplied to read(2) won't have content until kretprobe is triggered.

    - Format: int32
    + Default: false
    false - argName + sizeArgIndex integer - An arg index for the filename for fdInstall action
    + Specifies the position of the corresponding size argument for this argument. +This field is used only for char_buf and char_iovec types.

    Format: int32
    + Minimum: 0
    false - argRegs - []string + source + string - An arg value for the regs action
    + Source of the data, if missing the default if function arguments
    false - - argSig + + + + +### TracingPolicyNamespaced.spec.kprobes[index].data[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindex) + + + + + + + + + + + + + + + - + - - + + + + + + + - + - - + + - - + + - + - - + + - + - - + +
    NameTypeDescriptionRequired
    index integer - A signal number for signal action
    + Position of the argument.

    Format: int32
    + Minimum: 0
    falsetrue
    argSockintegertypeenum - An arg index for the sock for trackSock and untrackSock actions
    + Argument type.

    - Format: int32
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    +
    true
    btfTypestring + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    false
    argUrllabel string - A URL for the getUrl action
    + Label to output in the JSON
    false
    argValueintegermaxDataboolean - An arg value for the set action
    + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on

    - Format: int32
    + Default: false
    false
    imaHashbooleanresolvestring - Enable collection of file hashes from integrity subsystem. -Only valid with the post action.
    + Resolve the path to a specific attribute
    +
    + Default:
    false
    kernelStackTracereturnCopy boolean - Enable kernel stack trace export. Only valid with the post action.
    + This field is used only for char_buf and char_iovec types. It indicates +that this argument should be read later (when the kretprobe for the +symbol is triggered) because it might not be populated when the kprobe +is triggered at the entrance of the function. For example, a buffer +supplied to read(2) won't have content until kretprobe is triggered.
    +
    + Default: false
    false
    rateLimitstringsizeArgIndexinteger - A time period within which repeated messages will not be posted. Can be -specified in seconds (default or with 's' suffix), minutes ('m' suffix) -or hours ('h' suffix). Only valid with the post action.
    + Specifies the position of the corresponding size argument for this argument. +This field is used only for char_buf and char_iovec types.
    +
    + Format: int32
    + Minimum: 0
    false
    rateLimitScopesource string - The scope of the provided rate limit argument. Can be "thread" (default), -"process" (all threads for the same process), or "global". If "thread" is -selected then rate limiting applies per thread; if "process" is selected -then rate limiting applies per process; if "global" is selected then rate -limiting applies regardless of which process or thread caused the action. -Only valid with the post action and with a rateLimit specified.
    + Source of the data, if missing the default if function arguments
    false
    userStackTrace
    + + +### TracingPolicyNamespaced.spec.kprobes[index].ignore +[↩ Parent](#tracingpolicynamespacedspeckprobesindex) + + +Conditions for ignoring this kprobe + + + + + + + + + + + +
    NameTypeDescriptionRequired
    callNotFound boolean - Enable user stack trace export. Only valid with the post action.
    + Ignores calls that are not present in the system
    false
    -### TracingPolicy.spec.usdts[index].selectors[index].matchReturnArgs[index] -[↩ Parent](#tracingpolicyspecusdtsindexselectorsindex) - +### TracingPolicyNamespaced.spec.kprobes[index].returnArg +[↩ Parent](#tracingpolicynamespacedspeckprobesindex) +A return argument to include in the trace output. @@ -8768,92 +13312,103 @@ Only valid with the post action and with a rateLimit specified.
    - + + + + + + - - + + - - + + + + + + + - - + + + + + + + + + + + + - -
    operatorindexinteger + Position of the argument.
    +
    + Format: int32
    + Minimum: 0
    +
    true
    type enum - Filter operation.
    + Argument type.

    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    true
    args[]integerbtfTypestring - Position of the operator arguments (in spec file) to apply fhe filter to.
    + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    false
    indexintegerlabelstring - Position of the argument (in function prototype) to apply fhe filter to.
    + Label to output in the JSON
    +
    false
    maxDataboolean + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on

    - Format: int32
    - Minimum: 0
    + Default: false
    false
    values[]stringresolvestring - Value to compare the argument against.
    + Resolve the path to a specific attribute
    +
    + Default:
    +
    false
    returnCopyboolean + This field is used only for char_buf and char_iovec types. It indicates +that this argument should be read later (when the kretprobe for the +symbol is triggered) because it might not be populated when the kprobe +is triggered at the entrance of the function. For example, a buffer +supplied to read(2) won't have content until kretprobe is triggered.
    +
    + Default: false
    +
    false
    sizeArgIndexinteger + Specifies the position of the corresponding size argument for this argument. +This field is used only for char_buf and char_iovec types.
    +
    + Format: int32
    + Minimum: 0
    false
    - -## TracingPolicyNamespaced -[↩ Parent](#ciliumiov1alpha1 ) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - +
    NameTypeDescriptionRequired
    apiVersionstringcilium.io/v1alpha1true
    kindstringTracingPolicyNamespacedtrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobjectsourcestring - Tracing policy specification.
    + Source of the data, if missing the default if function arguments
    truefalse
    -### TracingPolicyNamespaced.spec -[↩ Parent](#tracingpolicynamespaced) +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindex) -Tracing policy specification. +KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The +results of MatchPIDs and MatchArgs are ANDed. @@ -8865,122 +13420,113 @@ Tracing policy specification. - - + + - + - + - - + + - + - + - - + + - + - + - - + + - - + + - + - + - +
    containerSelectorobjectmacros[]string - ContainerSelector selects containers that this policy applies to. -A map of container fields will be constructed in the same way as a map of labels. -The name of the field represents the label "key", and the value of the field - label "value". -Currently, only the "name" field is supported.
    + A list of macros names, defined in spec.selectorsMacros. +Filters specified in macros will be appended to corresponding filters of the selector.
    false
    enforcersmatchActions []object - A enforcer spec.
    + A list of actions to execute when this selector matches
    false
    fentriesmatchArgs []object - A list of fentry specs.
    + A list of argument filters. MatchArgs are ANDed.
    false
    hostSelectorobjectmatchBinaries[]object - HostSelector selects hosts that this policy applies to. -For now only ~ (none) and {} (all) is supported.
    -
    - Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • + A list of binary exec name filters.
    false
    kprobesmatchCapabilities []object - A list of kprobe specs.
    + A list of capabilities and IDs
    false
    listsmatchCapabilityChanges []object - A list of list specs.
    + IDs for capabilities changes
    false
    loaderbooleanmatchData[]object - Enable loader events
    + A list of argument filters. MatchData are ANDed.
    false
    lsmhooksmatchNamespaceChanges []object - A list of uprobe specs.
    + IDs for namespace changes
    false
    optionsmatchNamespaces []object - A list of overloaded options
    + A list of namespaces and IDs
    false
    podSelectorobjectmatchPIDs[]object - PodSelector selects pods that this policy applies to
    + A list of process ID filters. MatchPIDs are ANDed.
    false
    selectorsMacrosmap[string]objectmatchParentBinaries[]object - SelectorsMacros is used to define selectors macros, which can be used -in probes/hooks selectors by their names.
    + A list of process parent exec name filters.
    false
    tracepointsmatchReturnActions []object - A list of tracepoint specs.
    + A list of actions to execute when MatchReturnArgs selector matches
    false
    uprobesmatchReturnArgs []object - A list of uprobe specs.
    + A list of argument filters. MatchArgs are ANDed.
    false
    usdtsmatchWorkloads []object - A list of usdt specs.
    + Workloads to match
    false
    -### TracingPolicyNamespaced.spec.containerSelector -[↩ Parent](#tracingpolicynamespacedspec) +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchActions[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) + -ContainerSelector selects containers that this policy applies to. -A map of container fields will be constructed in the same way as a map of labels. -The name of the field represents the label "key", and the value of the field - label "value". -Currently, only the "name" field is supported. @@ -8992,74 +13538,149 @@ Currently, only the "name" field is supported. - - + + + + + + + - - + + - -
    matchExpressions[]objectactionenum - matchExpressions is a list of label selector requirements. The requirements are ANDed.
    + Action to execute. +NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to +be removed in version 1.5.
    +
    + Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    +
    true
    argErrorinteger + error value for override action
    +
    + Format: int32
    false
    matchLabelsmap[string]stringargFdinteger - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels -map is equivalent to an element of matchExpressions, whose key field is "key", the -operator is "In", and the values array contains only "value". The requirements are ANDed.
    + An arg index for the fd for fdInstall action
    +
    + Format: int32
    false
    - - -### TracingPolicyNamespaced.spec.containerSelector.matchExpressions[index] -[↩ Parent](#tracingpolicynamespacedspeccontainerselector) - - -A label selector requirement is a selector that contains values, a key, and an operator that -relates the key and values. - - - - - - - - - - - - + + - + - - + + - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    key
    argFqdn string - key is the label key that the selector applies to.
    + A FQDN to lookup for the dnsLookup action
    truefalse
    operatorenumargIndexinteger - operator represents a key's relationship to a set of values. -Valid operators are In, NotIn, Exists and DoesNotExist.
    + An arg index for the set action

    - Enum: In, NotIn, Exists, DoesNotExist
    + Format: int32
    truefalse
    valuesargNameinteger + An arg index for the filename for fdInstall action
    +
    + Format: int32
    +
    false
    argRegs []string - values is an array of string values. If the operator is In or NotIn, -the values array must be non-empty. If the operator is Exists or DoesNotExist, -the values array must be empty. This array is replaced during a strategic -merge patch.
    + An arg value for the regs action
    +
    false
    argSiginteger + A signal number for signal action
    +
    + Format: int32
    +
    false
    argSockinteger + An arg index for the sock for trackSock and untrackSock actions
    +
    + Format: int32
    +
    false
    argUrlstring + A URL for the getUrl action
    +
    false
    argValueinteger + An arg value for the set action
    +
    + Format: int32
    +
    false
    imaHashboolean + Enable collection of file hashes from integrity subsystem. +Only valid with the post action.
    +
    false
    kernelStackTraceboolean + Enable kernel stack trace export. Only valid with the post action.
    +
    false
    rateLimitstring + A time period within which repeated messages will not be posted. Can be +specified in seconds (default or with 's' suffix), minutes ('m' suffix) +or hours ('h' suffix). Only valid with the post action.
    +
    false
    rateLimitScopestring + The scope of the provided rate limit argument. Can be "thread" (default), +"process" (all threads for the same process), or "global". If "thread" is +selected then rate limiting applies per thread; if "process" is selected +then rate limiting applies per process; if "global" is selected then rate +limiting applies regardless of which process or thread caused the action. +Only valid with the post action and with a rateLimit specified.
    +
    false
    userStackTraceboolean + Enable user stack trace export. Only valid with the post action.
    false
    -### TracingPolicyNamespaced.spec.enforcers[index] -[↩ Parent](#tracingpolicynamespacedspec) +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchArgs[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) @@ -9074,18 +13695,44 @@ merge patch.
    - calls - []string + operator + enum - Calls where enforcer is executed in
    + Filter operation.
    +
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true + + args + []integer + + Position of the operator arguments (in spec file) to apply fhe filter to.
    + + false + + index + integer + + Position of the argument (in function prototype) to apply fhe filter to.
    +
    + Format: int32
    + Minimum: 0
    + + false + + values + []string + + Value to compare the argument against.
    + + false -### TracingPolicyNamespaced.spec.fentries[index] -[↩ Parent](#tracingpolicynamespacedspec) +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchBinaries[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) @@ -9100,96 +13747,36 @@ merge patch.
    - call - string + operator + enum - Name of the function to apply the kprobe spec to.
    + Filter operation.
    +
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true - args - []object - - A list of function arguments to include in the trace output.
    - - false - - data - []object - - A list of data to include in the trace output.
    - - false - - ignore - object - - Conditions for ignoring this kprobe
    - - false - - message - string + values + []string - A short message of 256 characters max that will be included -in the event output to inform users what is going on.
    + Value to compare the argument against.
    - false + true - return + followChildren boolean - Indicates whether to collect return value of the traced function.
    + In addition to binaries, match children processes of specified binaries.

    Default: false
    false - - returnArg - object - - A return argument to include in the trace output.
    - - false - - returnArgAction - string - - An action to perform on the return value. -Use returnArg to include the return value in the event output. -Supported actions are: TrackSock;UntrackSock
    - - false - - selectors - []object - - Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
    - - false - - syscall - boolean - - Indicates whether the traced function is a syscall.
    -
    - Default: true
    - - false - - tags - []string - - Tags to categorize the event, will be include in the event output. -Maximum of 16 Tags are supported.
    - - false -### TracingPolicyNamespaced.spec.fentries[index].args[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindex) +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchCapabilities[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) @@ -9204,99 +13791,46 @@ Maximum of 16 Tags are supported.
    - index - integer - - Position of the argument.
    -
    - Format: int32
    - Minimum: 0
    - - true - - type + operator enum - Argument type.
    + Namespace selector operator.

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Enum: In, NotIn
    true - btfType - string - - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    - - false - - label - string - - Label to output in the JSON
    - - false - - maxData - boolean - - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    -
    - Default: false
    - - false - - resolve - string + values + []string - Resolve the path to a specific attribute
    -
    - Default:
    + Capabilities to match.
    - false + true - returnCopy + isNamespaceCapability boolean - This field is used only for char_buf and char_iovec types. It indicates -that this argument should be read later (when the kretprobe for the -symbol is triggered) because it might not be populated when the kprobe -is triggered at the entrance of the function. For example, a buffer -supplied to read(2) won't have content until kretprobe is triggered.
    + Indicates whether these caps are namespace caps.

    Default: false
    false - sizeArgIndex - integer + type + enum - Specifies the position of the corresponding size argument for this argument. -This field is used only for char_buf and char_iovec types.
    + Type of capabilities

    - Format: int32
    - Minimum: 0
    - - false - - source - string - - Source of the data, if missing the default if function arguments
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    false -### TracingPolicyNamespaced.spec.fentries[index].data[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindex) +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchCapabilityChanges[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) @@ -9311,102 +13845,101 @@ This field is used only for char_buf and char_iovec types.
    - index - integer - - Position of the argument.
    -
    - Format: int32
    - Minimum: 0
    - - true - - type + operator enum - Argument type.
    + Namespace selector operator.

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Enum: In, NotIn
    true - btfType - string + values + []string - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    + Capabilities to match.
    - false + true - label - string + isNamespaceCapability + boolean - Label to output in the JSON
    + Indicates whether these caps are namespace caps.
    +
    + Default: false
    false - maxData - boolean - - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    + type + enum + + Type of capabilities

    - Default: false
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    false - - resolve - string + + + + +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchData[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) + + + + + + + + + + + + + + + + - + - - + + - + - - + +
    NameTypeDescriptionRequired
    operatorenum - Resolve the path to a specific attribute
    + Filter operation.

    - Default:
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    falsetrue
    returnCopybooleanargs[]integer - This field is used only for char_buf and char_iovec types. It indicates -that this argument should be read later (when the kretprobe for the -symbol is triggered) because it might not be populated when the kprobe -is triggered at the entrance of the function. For example, a buffer -supplied to read(2) won't have content until kretprobe is triggered.
    -
    - Default: false
    + Position of the operator arguments (in spec file) to apply fhe filter to.
    false
    sizeArgIndexindex integer - Specifies the position of the corresponding size argument for this argument. -This field is used only for char_buf and char_iovec types.
    + Position of the argument (in function prototype) to apply fhe filter to.

    Format: int32
    Minimum: 0
    false
    sourcestringvalues[]string - Source of the data, if missing the default if function arguments
    + Value to compare the argument against.
    false
    -### TracingPolicyNamespaced.spec.fentries[index].ignore -[↩ Parent](#tracingpolicynamespacedspecfentriesindex) +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchNamespaceChanges[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) + -Conditions for ignoring this kprobe @@ -9418,21 +13951,30 @@ Conditions for ignoring this kprobe - - + + - + + + + + +
    callNotFoundbooleanoperatorenum - Ignores calls that are not present in the system
    + Namespace selector operator.
    +
    + Enum: In, NotIn
    falsetrue
    values[]string + Namespace types (e.g., Mnt, Pid) to match.
    +
    true
    -### TracingPolicyNamespaced.spec.fentries[index].returnArg -[↩ Parent](#tracingpolicynamespacedspecfentriesindex) +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchNamespaces[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) + -A return argument to include in the trace output. @@ -9444,103 +13986,39 @@ A return argument to include in the trace output. - - + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - +
    indexintegernamespaceenum - Position of the argument.
    + Namespace selector name.

    - Format: int32
    - Minimum: 0
    + Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    true
    typeoperator enum - Argument type.
    + Namespace selector operator.

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Enum: In, NotIn
    true
    btfTypestring - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    -
    false
    labelstring - Label to output in the JSON
    -
    false
    maxDataboolean - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    -
    - Default: false
    -
    false
    resolvestring - Resolve the path to a specific attribute
    -
    - Default:
    -
    false
    returnCopyboolean - This field is used only for char_buf and char_iovec types. It indicates -that this argument should be read later (when the kretprobe for the -symbol is triggered) because it might not be populated when the kprobe -is triggered at the entrance of the function. For example, a buffer -supplied to read(2) won't have content until kretprobe is triggered.
    -
    - Default: false
    -
    false
    sizeArgIndexinteger - Specifies the position of the corresponding size argument for this argument. -This field is used only for char_buf and char_iovec types.
    -
    - Format: int32
    - Minimum: 0
    -
    false
    sourcestringvalues[]string - Source of the data, if missing the default if function arguments
    + Namespace IDs (or host_ns for host namespace) of namespaces to match.
    falsetrue
    -### TracingPolicyNamespaced.spec.fentries[index].selectors[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindex) +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchPIDs[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) + -KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The -results of MatchPIDs and MatchArgs are ANDed. @@ -9552,103 +14030,89 @@ results of MatchPIDs and MatchArgs are ANDed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - + - - + + - + - - + + - - + + - - - + +
    macros[]string - A list of macros names, defined in spec.selectorsMacros. -Filters specified in macros will be appended to corresponding filters of the selector.
    -
    false
    matchActions[]object - A list of actions to execute when this selector matches
    -
    false
    matchArgs[]object - A list of argument filters. MatchArgs are ANDed.
    -
    false
    matchBinaries[]object - A list of binary exec name filters.
    -
    false
    matchCapabilities[]object - A list of capabilities and IDs
    -
    false
    matchCapabilityChanges[]object - IDs for capabilities changes
    -
    false
    matchData[]objectoperatorenum - A list of argument filters. MatchData are ANDed.
    + PID selector operator.
    +
    + Enum: In, NotIn
    falsetrue
    matchNamespaceChanges[]objectvalues[]integer - IDs for namespace changes
    + Process IDs to match.
    falsetrue
    matchNamespaces[]objectfollowForksboolean - A list of namespaces and IDs
    + Matches any descendant processes of the matching PIDs.
    +
    + Default: false
    false
    matchPIDs[]objectisNamespacePIDboolean - A list of process ID filters. MatchPIDs are ANDed.
    + Indicates whether PIDs are namespace PIDs.
    +
    + Default: false
    false
    matchParentBinaries[]object
    + + +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchParentBinaries[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) + + + + + + + + + + + + + + + + - + - - + + - + - - + +
    NameTypeDescriptionRequired
    operatorenum - A list of process parent exec name filters.
    + Filter operation.
    +
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    falsetrue
    matchReturnActions[]objectvalues[]string - A list of actions to execute when MatchReturnArgs selector matches
    + Value to compare the argument against.
    falsetrue
    matchReturnArgs[]objectfollowChildrenboolean - A list of argument filters. MatchArgs are ANDed.
    + In addition to binaries, match children processes of specified binaries.
    +
    + Default: false
    false
    -### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchActions[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchReturnActions[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) @@ -9804,8 +14268,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchArgs[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchReturnArgs[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) @@ -9856,160 +14320,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchBinaries[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    operatorenum - Filter operation.
    -
    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    -
    true
    values[]string - Value to compare the argument against.
    -
    true
    followChildrenboolean - In addition to binaries, match children processes of specified binaries.
    -
    - Default: false
    -
    false
    - - -### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchCapabilities[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    operatorenum - Namespace selector operator.
    -
    - Enum: In, NotIn
    -
    true
    values[]string - Capabilities to match.
    -
    true
    isNamespaceCapabilityboolean - Indicates whether these caps are namespace caps.
    -
    - Default: false
    -
    false
    typeenum - Type of capabilities
    -
    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    -
    false
    - - -### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchCapabilityChanges[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    operatorenum - Namespace selector operator.
    -
    - Enum: In, NotIn
    -
    true
    values[]string - Capabilities to match.
    -
    true
    isNamespaceCapabilityboolean - Indicates whether these caps are namespace caps.
    -
    - Default: false
    -
    false
    typeenum - Type of capabilities
    -
    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    -
    false
    - - -### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchData[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchWorkloads[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) @@ -10024,47 +14336,44 @@ Only valid with the post action and with a rateLimit specified.
    - operator - enum - - Filter operation.
    -
    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    - - true - - args - []integer + containerSelector + object - Position of the operator arguments (in spec file) to apply fhe filter to.
    + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
    false - index - integer + hostSelector + object - Position of the argument (in function prototype) to apply fhe filter to.
    + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.

    - Format: int32
    - Minimum: 0
    + Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • false - values - []string + podSelector + object - Value to compare the argument against.
    + PodSelector selects pods that this policy applies to
    false -### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchNamespaceChanges[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) - +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchWorkloads[index].containerSelector +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindexmatchworkloadsindex) +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. @@ -10076,30 +14385,31 @@ Only valid with the post action and with a rateLimit specified.
    - - + + - + - - + + - +
    operatorenummatchExpressions[]object - Namespace selector operator.
    -
    - Enum: In, NotIn
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    truefalse
    values[]stringmatchLabelsmap[string]string - Namespace types (e.g., Mnt, Pid) to match.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    truefalse
    -### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchNamespaces[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) - +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindexmatchworkloadsindexcontainerselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -10111,39 +14421,42 @@ Only valid with the post action and with a rateLimit specified.
    - - + + - +
    namespaceenumkeystring - Namespace selector name.
    -
    - Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    + key is the label key that the selector applies to.
    true
    operator enum - Namespace selector operator.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: In, NotIn
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    values []string - Namespace IDs (or host_ns for host namespace) of namespaces to match.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    truefalse
    -### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchPIDs[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) - +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchWorkloads[index].hostSelector +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindexmatchworkloadsindex) +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. @@ -10155,48 +14468,31 @@ Only valid with the post action and with a rateLimit specified.
    - - - - - - - - - - - - + + - - + +
    operatorenum - PID selector operator.
    -
    - Enum: In, NotIn
    -
    true
    values[]integer - Process IDs to match.
    -
    true
    followForksbooleanmatchExpressions[]object - Matches any descendant processes of the matching PIDs.
    -
    - Default: false
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    isNamespacePIDbooleanmatchLabelsmap[string]string - Indicates whether PIDs are namespace PIDs.
    -
    - Default: false
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchParentBinaries[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) - +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindexmatchworkloadsindexhostselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -10208,39 +14504,41 @@ Only valid with the post action and with a rateLimit specified.
    + + + + + - - - - -
    keystring + key is the label key that the selector applies to.
    +
    true
    operator enum - Filter operation.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    values []string - Value to compare the argument against.
    -
    true
    followChildrenboolean - In addition to binaries, match children processes of specified binaries.
    -
    - Default: false
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    -### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchReturnActions[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) - +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchWorkloads[index].podSelector +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindexmatchworkloadsindex) +PodSelector selects pods that this policy applies to @@ -10252,149 +14550,74 @@ Only valid with the post action and with a rateLimit specified.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - + + - - + +
    actionenum - Action to execute. -NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to -be removed in version 1.5.
    -
    - Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    -
    true
    argErrorinteger - error value for override action
    -
    - Format: int32
    -
    false
    argFdinteger - An arg index for the fd for fdInstall action
    -
    - Format: int32
    -
    false
    argFqdnstring - A FQDN to lookup for the dnsLookup action
    -
    false
    argIndexinteger - An arg index for the set action
    -
    - Format: int32
    -
    false
    argNameinteger - An arg index for the filename for fdInstall action
    -
    - Format: int32
    -
    false
    argRegs[]string - An arg value for the regs action
    -
    false
    argSiginteger - A signal number for signal action
    -
    - Format: int32
    -
    false
    argSockinteger - An arg index for the sock for trackSock and untrackSock actions
    -
    - Format: int32
    -
    false
    argUrlstring - A URL for the getUrl action
    -
    false
    argValueinteger - An arg value for the set action
    -
    - Format: int32
    -
    false
    imaHashbooleanmatchExpressions[]object - Enable collection of file hashes from integrity subsystem. -Only valid with the post action.
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    kernelStackTracebooleanmatchLabelsmap[string]string - Enable kernel stack trace export. Only valid with the post action.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    rateLimit
    + + +### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindexmatchworkloadsindexpodselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + - - - - - + + + + - + - - + +
    NameTypeDescriptionRequired
    key string - A time period within which repeated messages will not be posted. Can be -specified in seconds (default or with 's' suffix), minutes ('m' suffix) -or hours ('h' suffix). Only valid with the post action.
    + key is the label key that the selector applies to.
    false
    rateLimitScopestring - The scope of the provided rate limit argument. Can be "thread" (default), -"process" (all threads for the same process), or "global". If "thread" is -selected then rate limiting applies per thread; if "process" is selected -then rate limiting applies per process; if "global" is selected then rate -limiting applies regardless of which process or thread caused the action. -Only valid with the post action and with a rateLimit specified.
    +
    true
    operatorenum + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
    +
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    userStackTracebooleanvalues[]string - Enable user stack trace export. Only valid with the post action.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    -### TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchReturnArgs[index] -[↩ Parent](#tracingpolicynamespacedspecfentriesindexselectorsindex) +### TracingPolicyNamespaced.spec.lists[index] +[↩ Parent](#tracingpolicynamespacedspec) @@ -10409,48 +14632,51 @@ Only valid with the post action and with a rateLimit specified.
    - operator - enum + name + string - Filter operation.
    -
    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    + Name of the list
    true - args - []integer + pattern + string - Position of the operator arguments (in spec file) to apply fhe filter to.
    + Pattern for 'generated' lists.
    false - index - integer + type + enum - Position of the argument (in function prototype) to apply fhe filter to.
    + Indicates the type of the list values.

    - Format: int32
    - Minimum: 0
    + Enum: syscalls, generated_syscalls, generated_ftrace
    + + false + + validated + boolean + + List was validated
    false values []string - Value to compare the argument against.
    + Values of the list
    false -### TracingPolicyNamespaced.spec.hostSelector +### TracingPolicyNamespaced.spec.lsmhooks[index] [↩ Parent](#tracingpolicynamespacedspec) -HostSelector selects hosts that this policy applies to. -For now only ~ (none) and {} (all) is supported. + @@ -10462,31 +14688,51 @@ For now only ~ (none) and {} (all) is supported. - + + + + + + - - + + + + + + + + + + + +
    matchExpressionshookstring + Name of the function to apply the kprobe spec to.
    +
    true
    args []object - matchExpressions is a list of label selector requirements. The requirements are ANDed.
    + A list of function arguments to include in the trace output.
    false
    matchLabelsmap[string]stringmessagestring - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels -map is equivalent to an element of matchExpressions, whose key field is "key", the -operator is "In", and the values array contains only "value". The requirements are ANDed.
    + A short message of 256 characters max that will be included +in the event output to inform users what is going on.
    +
    false
    selectors[]object + Selectors to apply before producing trace output. Selectors are ORed.
    +
    false
    tags[]string + Tags to categorize the event, will be include in the event output. +Maximum of 16 Tags are supported.
    false
    -### TracingPolicyNamespaced.spec.hostSelector.matchExpressions[index] -[↩ Parent](#tracingpolicynamespacedspechostselector) +### TracingPolicyNamespaced.spec.lsmhooks[index].args[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindex) + -A label selector requirement is a selector that contains values, a key, and an operator that -relates the key and values. @@ -10498,41 +14744,103 @@ relates the key and values. - - + + - + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    keystringindexinteger - key is the label key that the selector applies to.
    + Position of the argument.
    +
    + Format: int32
    + Minimum: 0
    true
    operatortype enum - operator represents a key's relationship to a set of values. -Valid operators are In, NotIn, Exists and DoesNotExist.
    + Argument type.

    - Enum: In, NotIn, Exists, DoesNotExist
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    true
    values[]stringbtfTypestring - values is an array of string values. If the operator is In or NotIn, -the values array must be non-empty. If the operator is Exists or DoesNotExist, -the values array must be empty. This array is replaced during a strategic -merge patch.
    + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    +
    false
    labelstring + Label to output in the JSON
    +
    false
    maxDataboolean + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on
    +
    + Default: false
    +
    false
    resolvestring + Resolve the path to a specific attribute
    +
    + Default:
    +
    false
    returnCopyboolean + This field is used only for char_buf and char_iovec types. It indicates +that this argument should be read later (when the kretprobe for the +symbol is triggered) because it might not be populated when the kprobe +is triggered at the entrance of the function. For example, a buffer +supplied to read(2) won't have content until kretprobe is triggered.
    +
    + Default: false
    +
    false
    sizeArgIndexinteger + Specifies the position of the corresponding size argument for this argument. +This field is used only for char_buf and char_iovec types.
    +
    + Format: int32
    + Minimum: 0
    +
    false
    sourcestring + Source of the data, if missing the default if function arguments
    false
    -### TracingPolicyNamespaced.spec.kprobes[index] -[↩ Parent](#tracingpolicynamespacedspec) - +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindex) +KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The +results of MatchPIDs and MatchArgs are ANDed. @@ -10544,96 +14852,110 @@ merge patch.
    - - + + - + - + - + - - + + - - + + - - + + + + + + + + + + + + + + + + + - - + + - - + + - + - - + + - - + +
    callstringmacros[]string - Name of the function to apply the kprobe spec to.
    + A list of macros names, defined in spec.selectorsMacros. +Filters specified in macros will be appended to corresponding filters of the selector.
    truefalse
    argsmatchActions []object - A list of function arguments to include in the trace output.
    + A list of actions to execute when this selector matches
    false
    datamatchArgs []object - A list of data to include in the trace output.
    + A list of argument filters. MatchArgs are ANDed.
    false
    ignoreobjectmatchBinaries[]object - Conditions for ignoring this kprobe
    + A list of binary exec name filters.
    false
    messagestringmatchCapabilities[]object - A short message of 256 characters max that will be included -in the event output to inform users what is going on.
    + A list of capabilities and IDs
    false
    returnbooleanmatchCapabilityChanges[]object - Indicates whether to collect return value of the traced function.
    -
    - Default: false
    + IDs for capabilities changes
    +
    false
    matchData[]object + A list of argument filters. MatchData are ANDed.
    +
    false
    matchNamespaceChanges[]object + IDs for namespace changes
    +
    false
    matchNamespaces[]object + A list of namespaces and IDs
    false
    returnArgobjectmatchPIDs[]object - A return argument to include in the trace output.
    + A list of process ID filters. MatchPIDs are ANDed.
    false
    returnArgActionstringmatchParentBinaries[]object - An action to perform on the return value. -Use returnArg to include the return value in the event output. -Supported actions are: TrackSock;UntrackSock
    + A list of process parent exec name filters.
    false
    selectorsmatchReturnActions []object - Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
    + A list of actions to execute when MatchReturnArgs selector matches
    false
    syscallbooleanmatchReturnArgs[]object - Indicates whether the traced function is a syscall.
    -
    - Default: true
    + A list of argument filters. MatchArgs are ANDed.
    false
    tags[]stringmatchWorkloads[]object - Tags to categorize the event, will be include in the event output. -Maximum of 16 Tags are supported.
    + Workloads to match
    false
    -### TracingPolicyNamespaced.spec.kprobes[index].args[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindex) +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchActions[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) @@ -10648,99 +14970,149 @@ Maximum of 16 Tags are supported.
    - index + action + enum + + Action to execute. +NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to +be removed in version 1.5.
    +
    + Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    + + true + + argError integer - Position of the argument.
    + error value for override action

    Format: int32
    - Minimum: 0
    - true + false - type - enum + argFd + integer - Argument type.
    + An arg index for the fd for fdInstall action

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Format: int32
    - true + false - btfType + argFqdn string - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    + A FQDN to lookup for the dnsLookup action
    false - label - string + argIndex + integer - Label to output in the JSON
    + An arg index for the set action
    +
    + Format: int32
    false - maxData - boolean + argName + integer - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    + An arg index for the filename for fdInstall action

    - Default: false
    + Format: int32
    false - resolve - string + argRegs + []string - Resolve the path to a specific attribute
    + An arg value for the regs action
    + + false + + argSig + integer + + A signal number for signal action

    - Default:
    + Format: int32
    false - returnCopy - boolean + argSock + integer - This field is used only for char_buf and char_iovec types. It indicates -that this argument should be read later (when the kretprobe for the -symbol is triggered) because it might not be populated when the kprobe -is triggered at the entrance of the function. For example, a buffer -supplied to read(2) won't have content until kretprobe is triggered.
    + An arg index for the sock for trackSock and untrackSock actions

    - Default: false
    + Format: int32
    false - sizeArgIndex + argUrl + string + + A URL for the getUrl action
    + + false + + argValue integer - Specifies the position of the corresponding size argument for this argument. -This field is used only for char_buf and char_iovec types.
    + An arg value for the set action

    Format: int32
    - Minimum: 0
    false - source + imaHash + boolean + + Enable collection of file hashes from integrity subsystem. +Only valid with the post action.
    + + false + + kernelStackTrace + boolean + + Enable kernel stack trace export. Only valid with the post action.
    + + false + + rateLimit string - Source of the data, if missing the default if function arguments
    + A time period within which repeated messages will not be posted. Can be +specified in seconds (default or with 's' suffix), minutes ('m' suffix) +or hours ('h' suffix). Only valid with the post action.
    + + false + + rateLimitScope + string + + The scope of the provided rate limit argument. Can be "thread" (default), +"process" (all threads for the same process), or "global". If "thread" is +selected then rate limiting applies per thread; if "process" is selected +then rate limiting applies per process; if "global" is selected then rate +limiting applies regardless of which process or thread caused the action. +Only valid with the post action and with a rateLimit specified.
    + + false + + userStackTrace + boolean + + Enable user stack trace export. Only valid with the post action.
    false -### TracingPolicyNamespaced.spec.kprobes[index].data[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindex) +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchArgs[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) @@ -10755,102 +15127,91 @@ This field is used only for char_buf and char_iovec types.
    - index - integer - - Position of the argument.
    -
    - Format: int32
    - Minimum: 0
    - - true - - type + operator enum - Argument type.
    + Filter operation.

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true - btfType - string - - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    - - false - - label - string + args + []integer - Label to output in the JSON
    + Position of the operator arguments (in spec file) to apply fhe filter to.
    false - maxData - boolean + index + integer - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    + Position of the argument (in function prototype) to apply fhe filter to.

    - Default: false
    + Format: int32
    + Minimum: 0
    false - resolve - string + values + []string - Resolve the path to a specific attribute
    -
    - Default:
    + Value to compare the argument against.
    false - - returnCopy - boolean - - This field is used only for char_buf and char_iovec types. It indicates -that this argument should be read later (when the kretprobe for the -symbol is triggered) because it might not be populated when the kprobe -is triggered at the entrance of the function. For example, a buffer -supplied to read(2) won't have content until kretprobe is triggered.
    + + + + +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchBinaries[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) + + + + + + + + + + + + + + + + + - + - - + + - + - - + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.

    - Default: false
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    falsetrue
    sizeArgIndexintegervalues[]string - Specifies the position of the corresponding size argument for this argument. -This field is used only for char_buf and char_iovec types.
    -
    - Format: int32
    - Minimum: 0
    + Value to compare the argument against.
    falsetrue
    sourcestringfollowChildrenboolean - Source of the data, if missing the default if function arguments
    + In addition to binaries, match children processes of specified binaries.
    +
    + Default: false
    false
    -### TracingPolicyNamespaced.spec.kprobes[index].ignore -[↩ Parent](#tracingpolicynamespacedspeckprobesindex) +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchCapabilities[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) + -Conditions for ignoring this kprobe @@ -10862,21 +15223,49 @@ Conditions for ignoring this kprobe - + + + + + + + + + + + + + + + +
    callNotFoundoperatorenum + Namespace selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]string + Capabilities to match.
    +
    true
    isNamespaceCapability boolean - Ignores calls that are not present in the system
    + Indicates whether these caps are namespace caps.
    +
    + Default: false
    +
    false
    typeenum + Type of capabilities
    +
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    false
    -### TracingPolicyNamespaced.spec.kprobes[index].returnArg -[↩ Parent](#tracingpolicynamespacedspeckprobesindex) +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchCapabilityChanges[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) + -A return argument to include in the trace output. @@ -10888,103 +15277,101 @@ A return argument to include in the trace output. - - - - - - + - - - - - - - + + - + - + - - + + - - - + +
    indexinteger - Position of the argument.
    -
    - Format: int32
    - Minimum: 0
    -
    true
    typeoperator enum - Argument type.
    + Namespace selector operator.

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Enum: In, NotIn
    true
    btfTypestring - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    -
    false
    labelstringvalues[]string - Label to output in the JSON
    + Capabilities to match.
    falsetrue
    maxDataisNamespaceCapability boolean - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    + Indicates whether these caps are namespace caps.

    Default: false
    false
    resolvestringtypeenum - Resolve the path to a specific attribute
    + Type of capabilities

    - Default:
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    false
    returnCopyboolean
    + + +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchData[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + - + - - + +
    NameTypeDescriptionRequired
    operatorenum - This field is used only for char_buf and char_iovec types. It indicates -that this argument should be read later (when the kretprobe for the -symbol is triggered) because it might not be populated when the kprobe -is triggered at the entrance of the function. For example, a buffer -supplied to read(2) won't have content until kretprobe is triggered.
    + Filter operation.

    - Default: false
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    +
    true
    args[]integer + Position of the operator arguments (in spec file) to apply fhe filter to.
    false
    sizeArgIndexindex integer - Specifies the position of the corresponding size argument for this argument. -This field is used only for char_buf and char_iovec types.
    + Position of the argument (in function prototype) to apply fhe filter to.

    Format: int32
    Minimum: 0
    false
    sourcestringvalues[]string - Source of the data, if missing the default if function arguments
    + Value to compare the argument against.
    false
    -### TracingPolicyNamespaced.spec.kprobes[index].selectors[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindex) +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchNamespaceChanges[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) + -KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The -results of MatchPIDs and MatchArgs are ANDed. @@ -10996,103 +15383,168 @@ results of MatchPIDs and MatchArgs are ANDed. - - - - - - - + + - + - - + + - - - - + + +
    macros[]string - A list of macros names, defined in spec.selectorsMacros. -Filters specified in macros will be appended to corresponding filters of the selector.
    -
    false
    matchActions[]objectoperatorenum - A list of actions to execute when this selector matches
    + Namespace selector operator.
    +
    + Enum: In, NotIn
    falsetrue
    matchArgs[]objectvalues[]string - A list of argument filters. MatchArgs are ANDed.
    + Namespace types (e.g., Mnt, Pid) to match.
    false
    matchBinaries[]objecttrue
    + + +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchNamespaces[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) + + + + + + + + + + + + + + + + - + - - + + - + - - + + - - - - + + +
    NameTypeDescriptionRequired
    namespaceenum - A list of binary exec name filters.
    + Namespace selector name.
    +
    + Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    falsetrue
    matchCapabilities[]objectoperatorenum - A list of capabilities and IDs
    + Namespace selector operator.
    +
    + Enum: In, NotIn
    falsetrue
    matchCapabilityChanges[]objectvalues[]string - IDs for capabilities changes
    + Namespace IDs (or host_ns for host namespace) of namespaces to match.
    false
    matchData[]objecttrue
    + + +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchPIDs[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) + + + + + + + + + + + + + + + + - + - - + + - + - - + + - - + + - - - + +
    NameTypeDescriptionRequired
    operatorenum - A list of argument filters. MatchData are ANDed.
    + PID selector operator.
    +
    + Enum: In, NotIn
    falsetrue
    matchNamespaceChanges[]objectvalues[]integer - IDs for namespace changes
    + Process IDs to match.
    falsetrue
    matchNamespaces[]objectfollowForksboolean - A list of namespaces and IDs
    + Matches any descendant processes of the matching PIDs.
    +
    + Default: false
    false
    matchPIDs[]objectisNamespacePIDboolean - A list of process ID filters. MatchPIDs are ANDed.
    + Indicates whether PIDs are namespace PIDs.
    +
    + Default: false
    false
    matchParentBinaries[]object
    + + +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchParentBinaries[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) + + + + + + + + + + + + + + + + - + - - + + - + - - + +
    NameTypeDescriptionRequired
    operatorenum - A list of process parent exec name filters.
    + Filter operation.
    +
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    falsetrue
    matchReturnActions[]objectvalues[]string - A list of actions to execute when MatchReturnArgs selector matches
    + Value to compare the argument against.
    falsetrue
    matchReturnArgs[]objectfollowChildrenboolean - A list of argument filters. MatchArgs are ANDed.
    + In addition to binaries, match children processes of specified binaries.
    +
    + Default: false
    false
    -### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchActions[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchReturnActions[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) @@ -11248,8 +15700,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchArgs[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchReturnArgs[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) @@ -11283,28 +15735,196 @@ Only valid with the post action and with a rateLimit specified.
    index integer - Position of the argument (in function prototype) to apply fhe filter to.
    -
    - Format: int32
    - Minimum: 0
    + Position of the argument (in function prototype) to apply fhe filter to.
    +
    + Format: int32
    + Minimum: 0
    + + false + + values + []string + + Value to compare the argument against.
    + + false + + + + +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchWorkloads[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    containerSelectorobject + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
    +
    false
    hostSelectorobject + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.
    +
    + Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • +
    false
    podSelectorobject + PodSelector selects pods that this policy applies to
    +
    false
    + + +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchWorkloads[index].containerSelector +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindexmatchworkloadsindex) + + +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    +
    false
    matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    +
    false
    + + +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindexmatchworkloadsindexcontainerselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    keystring + key is the label key that the selector applies to.
    +
    true
    operatorenum + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.
    +
    + Enum: In, NotIn, Exists, DoesNotExist
    +
    true
    values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    +
    false
    + + +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchWorkloads[index].hostSelector +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindexmatchworkloadsindex) + + +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. + + + + + + + + + + + + + + - - + +
    NameTypeDescriptionRequired
    matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    values[]stringmatchLabelsmap[string]string - Value to compare the argument against.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchBinaries[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) - +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindexmatchworkloadsindexhostselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -11316,39 +15936,41 @@ Only valid with the post action and with a rateLimit specified.
    + + + + + - - - - -
    keystring + key is the label key that the selector applies to.
    +
    true
    operator enum - Filter operation.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    values []string - Value to compare the argument against.
    -
    true
    followChildrenboolean - In addition to binaries, match children processes of specified binaries.
    -
    - Default: false
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    -### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchCapabilities[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) - +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchWorkloads[index].podSelector +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindexmatchworkloadsindex) +PodSelector selects pods that this policy applies to @@ -11360,49 +15982,31 @@ Only valid with the post action and with a rateLimit specified.
    - - - - - - - - - - - - + + - - + +
    operatorenum - Namespace selector operator.
    -
    - Enum: In, NotIn
    -
    true
    values[]string - Capabilities to match.
    -
    true
    isNamespaceCapabilitybooleanmatchExpressions[]object - Indicates whether these caps are namespace caps.
    -
    - Default: false
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    typeenummatchLabelsmap[string]string - Type of capabilities
    -
    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchCapabilityChanges[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) - +### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindexmatchworkloadsindexpodselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -11414,46 +16018,38 @@ Only valid with the post action and with a rateLimit specified.
    + + + + + - - - - - - - - - -
    keystring + key is the label key that the selector applies to.
    +
    true
    operator enum - Namespace selector operator.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: In, NotIn
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    values []string - Capabilities to match.
    -
    true
    isNamespaceCapabilityboolean - Indicates whether these caps are namespace caps.
    -
    - Default: false
    -
    false
    typeenum - Type of capabilities
    -
    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    -### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchData[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.options[index] +[↩ Parent](#tracingpolicynamespacedspec) @@ -11468,47 +16064,28 @@ Only valid with the post action and with a rateLimit specified.
    - operator - enum + name + string - Filter operation.
    -
    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    + Name of the option
    true - args - []integer - - Position of the operator arguments (in spec file) to apply fhe filter to.
    - - false - - index - integer - - Position of the argument (in function prototype) to apply fhe filter to.
    -
    - Format: int32
    - Minimum: 0
    - - false - - values - []string + value + string - Value to compare the argument against.
    + Value of the option
    false -### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchNamespaceChanges[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) - +### TracingPolicyNamespaced.spec.podSelector +[↩ Parent](#tracingpolicynamespacedspec) +PodSelector selects pods that this policy applies to @@ -11520,30 +16097,31 @@ Only valid with the post action and with a rateLimit specified.
    - - + + - + - - + + - +
    operatorenummatchExpressions[]object - Namespace selector operator.
    -
    - Enum: In, NotIn
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    truefalse
    values[]stringmatchLabelsmap[string]string - Namespace types (e.g., Mnt, Pid) to match.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    truefalse
    -### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchNamespaces[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) - +### TracingPolicyNamespaced.spec.podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspecpodselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -11555,39 +16133,42 @@ Only valid with the post action and with a rateLimit specified.
    - - + + - +
    namespaceenumkeystring - Namespace selector name.
    -
    - Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    + key is the label key that the selector applies to.
    true
    operator enum - Namespace selector operator.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: In, NotIn
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    values []string - Namespace IDs (or host_ns for host namespace) of namespaces to match.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    truefalse
    -### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchPIDs[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) - +### TracingPolicyNamespaced.spec.selectorsMacros[key] +[↩ Parent](#tracingpolicynamespacedspec) +KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The +results of MatchPIDs and MatchArgs are ANDed. @@ -11599,89 +16180,110 @@ Only valid with the post action and with a rateLimit specified.
    - - + + + + + + + + + + + + + + + + + + + + + + - + - - + + - + - - + + - - + + - -
    operatorenummacros[]string + A list of macros names, defined in spec.selectorsMacros. +Filters specified in macros will be appended to corresponding filters of the selector.
    +
    false
    matchActions[]object + A list of actions to execute when this selector matches
    +
    false
    matchArgs[]object + A list of argument filters. MatchArgs are ANDed.
    +
    false
    matchBinaries[]object + A list of binary exec name filters.
    +
    false
    matchCapabilities[]object - PID selector operator.
    -
    - Enum: In, NotIn
    + A list of capabilities and IDs
    truefalse
    values[]integermatchCapabilityChanges[]object - Process IDs to match.
    + IDs for capabilities changes
    truefalse
    followForksbooleanmatchData[]object - Matches any descendant processes of the matching PIDs.
    -
    - Default: false
    + A list of argument filters. MatchData are ANDed.
    false
    isNamespacePIDbooleanmatchNamespaceChanges[]object - Indicates whether PIDs are namespace PIDs.
    -
    - Default: false
    + IDs for namespace changes
    false
    - - -### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchParentBinaries[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) - - - - - - - - - - - - - - - - + + + - + - - + + - + - - + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum
    matchNamespaces[]object - Filter operation.
    -
    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    + A list of namespaces and IDs
    truefalse
    values[]stringmatchPIDs[]object - Value to compare the argument against.
    + A list of process ID filters. MatchPIDs are ANDed.
    truefalse
    followChildrenbooleanmatchParentBinaries[]object - In addition to binaries, match children processes of specified binaries.
    -
    - Default: false
    + A list of process parent exec name filters.
    +
    false
    matchReturnActions[]object + A list of actions to execute when MatchReturnArgs selector matches
    +
    false
    matchReturnArgs[]object + A list of argument filters. MatchArgs are ANDed.
    +
    false
    matchWorkloads[]object + Workloads to match
    false
    -### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchReturnActions[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchActions[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) @@ -11837,8 +16439,158 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchReturnArgs[index] -[↩ Parent](#tracingpolicynamespacedspeckprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchArgs[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    +
    true
    args[]integer + Position of the operator arguments (in spec file) to apply fhe filter to.
    +
    false
    indexinteger + Position of the argument (in function prototype) to apply fhe filter to.
    +
    + Format: int32
    + Minimum: 0
    +
    false
    values[]string + Value to compare the argument against.
    +
    false
    + + +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchBinaries[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    +
    true
    values[]string + Value to compare the argument against.
    +
    true
    followChildrenboolean + In addition to binaries, match children processes of specified binaries.
    +
    + Default: false
    +
    false
    + + +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchCapabilities[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Namespace selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]string + Capabilities to match.
    +
    true
    isNamespaceCapabilityboolean + Indicates whether these caps are namespace caps.
    +
    + Default: false
    +
    false
    typeenum + Type of capabilities
    +
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    +
    false
    + + +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchCapabilityChanges[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) @@ -11856,41 +16608,43 @@ Only valid with the post action and with a rateLimit specified.
    operator enum - Filter operation.
    + Namespace selector operator.

    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    + Enum: In, NotIn
    true - args - []integer + values + []string - Position of the operator arguments (in spec file) to apply fhe filter to.
    + Capabilities to match.
    - false + true - index - integer + isNamespaceCapability + boolean - Position of the argument (in function prototype) to apply fhe filter to.
    + Indicates whether these caps are namespace caps.

    - Format: int32
    - Minimum: 0
    + Default: false
    false - values - []string + type + enum - Value to compare the argument against.
    + Type of capabilities
    +
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    false -### TracingPolicyNamespaced.spec.lists[index] -[↩ Parent](#tracingpolicynamespacedspec) +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchData[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) @@ -11905,48 +16659,44 @@ Only valid with the post action and with a rateLimit specified.
    - name - string + operator + enum - Name of the list
    + Filter operation.
    +
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true - pattern - string + args + []integer - Pattern for 'generated' lists.
    + Position of the operator arguments (in spec file) to apply fhe filter to.
    false - type - enum + index + integer - Indicates the type of the list values.
    + Position of the argument (in function prototype) to apply fhe filter to.

    - Enum: syscalls, generated_syscalls, generated_ftrace
    - - false - - validated - boolean - - List was validated
    + Format: int32
    + Minimum: 0
    false values []string - Values of the list
    + Value to compare the argument against.
    false -### TracingPolicyNamespaced.spec.lsmhooks[index] -[↩ Parent](#tracingpolicynamespacedspec) +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchNamespaceChanges[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) @@ -11961,48 +16711,27 @@ Only valid with the post action and with a rateLimit specified.
    - hook - string + operator + enum - Name of the function to apply the kprobe spec to.
    + Namespace selector operator.
    +
    + Enum: In, NotIn
    true - args - []object - - A list of function arguments to include in the trace output.
    - - false - - message - string - - A short message of 256 characters max that will be included -in the event output to inform users what is going on.
    - - false - - selectors - []object - - Selectors to apply before producing trace output. Selectors are ORed.
    - - false - - tags + values []string - Tags to categorize the event, will be include in the event output. -Maximum of 16 Tags are supported.
    + Namespace types (e.g., Mnt, Pid) to match.
    - false + true -### TracingPolicyNamespaced.spec.lsmhooks[index].args[index] -[↩ Parent](#tracingpolicynamespacedspeclsmhooksindex) +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchNamespaces[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) @@ -12017,103 +16746,39 @@ Maximum of 16 Tags are supported.
    - index - integer + namespace + enum - Position of the argument.
    + Namespace selector name.

    - Format: int32
    - Minimum: 0
    + Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    true - type + operator enum - Argument type.
    + Namespace selector operator.

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Enum: In, NotIn
    true - btfType - string - - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    - - false - - label - string - - Label to output in the JSON
    - - false - - maxData - boolean - - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    -
    - Default: false
    - - false - - resolve - string - - Resolve the path to a specific attribute
    -
    - Default:
    - - false - - returnCopy - boolean - - This field is used only for char_buf and char_iovec types. It indicates -that this argument should be read later (when the kretprobe for the -symbol is triggered) because it might not be populated when the kprobe -is triggered at the entrance of the function. For example, a buffer -supplied to read(2) won't have content until kretprobe is triggered.
    -
    - Default: false
    - - false - - sizeArgIndex - integer - - Specifies the position of the corresponding size argument for this argument. -This field is used only for char_buf and char_iovec types.
    -
    - Format: int32
    - Minimum: 0
    - - false - - source - string + values + []string - Source of the data, if missing the default if function arguments
    + Namespace IDs (or host_ns for host namespace) of namespaces to match.
    - false + true -### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index] -[↩ Parent](#tracingpolicynamespacedspeclsmhooksindex) +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchPIDs[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) + -KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The -results of MatchPIDs and MatchArgs are ANDed. @@ -12125,103 +16790,89 @@ results of MatchPIDs and MatchArgs are ANDed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - + - - + + - + - - + + - - + + - - - + +
    macros[]string - A list of macros names, defined in spec.selectorsMacros. -Filters specified in macros will be appended to corresponding filters of the selector.
    -
    false
    matchActions[]object - A list of actions to execute when this selector matches
    -
    false
    matchArgs[]object - A list of argument filters. MatchArgs are ANDed.
    -
    false
    matchBinaries[]object - A list of binary exec name filters.
    -
    false
    matchCapabilities[]object - A list of capabilities and IDs
    -
    false
    matchCapabilityChanges[]object - IDs for capabilities changes
    -
    false
    matchData[]objectoperatorenum - A list of argument filters. MatchData are ANDed.
    + PID selector operator.
    +
    + Enum: In, NotIn
    falsetrue
    matchNamespaceChanges[]objectvalues[]integer - IDs for namespace changes
    + Process IDs to match.
    falsetrue
    matchNamespaces[]objectfollowForksboolean - A list of namespaces and IDs
    + Matches any descendant processes of the matching PIDs.
    +
    + Default: false
    false
    matchPIDs[]objectisNamespacePIDboolean - A list of process ID filters. MatchPIDs are ANDed.
    + Indicates whether PIDs are namespace PIDs.
    +
    + Default: false
    false
    matchParentBinaries[]object
    + + +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchParentBinaries[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) + + + + + + + + + + + + + + + + - + - - + + - + - - + +
    NameTypeDescriptionRequired
    operatorenum - A list of process parent exec name filters.
    + Filter operation.
    +
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    falsetrue
    matchReturnActions[]objectvalues[]string - A list of actions to execute when MatchReturnArgs selector matches
    + Value to compare the argument against.
    falsetrue
    matchReturnArgs[]objectfollowChildrenboolean - A list of argument filters. MatchArgs are ANDed.
    + In addition to binaries, match children processes of specified binaries.
    +
    + Default: false
    false
    -### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchActions[index] -[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchReturnActions[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) @@ -12377,8 +17028,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchArgs[index] -[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchReturnArgs[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) @@ -12429,8 +17080,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchBinaries[index] -[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchWorkloads[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) @@ -12445,40 +17096,81 @@ Only valid with the post action and with a rateLimit specified.
    - operator - enum + containerSelector + object - Filter operation.
    -
    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
    - true + false - values - []string + hostSelector + object - Value to compare the argument against.
    + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.
    +
    + Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • - true + false - followChildren - boolean + podSelector + object - In addition to binaries, match children processes of specified binaries.
    -
    - Default: false
    + PodSelector selects pods that this policy applies to
    false -### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchCapabilities[index] -[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchWorkloads[index].containerSelector +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskeymatchworkloadsindex) + + +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    +
    false
    matchLabelsmap[string]string + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    +
    false
    +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchWorkloads[index].containerSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskeymatchworkloadsindexcontainerselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + @@ -12489,49 +17181,78 @@ Only valid with the post action and with a rateLimit specified.
    + + + + + - - - - + + +
    keystring + key is the label key that the selector applies to.
    +
    true
    operator enum - Namespace selector operator.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: In, NotIn
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    values []string - Capabilities to match.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    true
    isNamespaceCapabilitybooleanfalse
    + + +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchWorkloads[index].hostSelector +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskeymatchworkloadsindex) + + +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. + + + + + + + + + + + + + - - + +
    NameTypeDescriptionRequired
    matchExpressions[]object - Indicates whether these caps are namespace caps.
    -
    - Default: false
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    typeenummatchLabelsmap[string]string - Type of capabilities
    -
    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchCapabilityChanges[index] -[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) - +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchWorkloads[index].hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskeymatchworkloadsindexhostselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -12543,49 +17264,77 @@ Only valid with the post action and with a rateLimit specified.
    + + + + + - - - - - + +
    keystring + key is the label key that the selector applies to.
    +
    true
    operator enum - Namespace selector operator.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: In, NotIn
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    values []string - Capabilities to match.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    true
    isNamespaceCapabilityboolean - Indicates whether these caps are namespace caps.
    -
    - Default: false
    +
    false
    + + +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchWorkloads[index].podSelector +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskeymatchworkloadsindex) + + +PodSelector selects pods that this policy applies to + + + + + + + + + + + + + + - - + +
    NameTypeDescriptionRequired
    matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    typeenummatchLabelsmap[string]string - Type of capabilities
    -
    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchData[index] -[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) - +### TracingPolicyNamespaced.spec.selectorsMacros[key].matchWorkloads[index].podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskeymatchworkloadsindexpodselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -12597,44 +17346,38 @@ Only valid with the post action and with a rateLimit specified.
    - - + + - - - - - - - + + - +
    operatorenumkeystring - Filter operation.
    -
    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    + key is the label key that the selector applies to.
    true
    args[]integer - Position of the operator arguments (in spec file) to apply fhe filter to.
    -
    false
    indexintegeroperatorenum - Position of the argument (in function prototype) to apply fhe filter to.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Format: int32
    - Minimum: 0
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    values []string - Value to compare the argument against.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    -### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchNamespaceChanges[index] -[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) +### TracingPolicyNamespaced.spec.tracepoints[index] +[↩ Parent](#tracingpolicynamespacedspec) @@ -12649,27 +17392,62 @@ Only valid with the post action and with a rateLimit specified.
    - operator - enum + event + string - Namespace selector operator.
    -
    - Enum: In, NotIn
    + Tracepoint event
    true - values - []string + subsystem + string - Namespace types (e.g., Mnt, Pid) to match.
    + Tracepoint subsystem
    true + + args + []object + + A list of function arguments to include in the trace output.
    + + false + + message + string + + A short message of 256 characters max that will be included +in the event output to inform users what is going on.
    + + false + + raw + boolean + + Enable raw tracepoint arguments
    + + false + + selectors + []object + + Selectors to apply before producing trace output. Selectors are ORed.
    + + false + + tags + []string + + Tags to categorize the event, will be include in the event output. +Maximum of 16 Tags are supported.
    + + false -### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchNamespaces[index] -[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) +### TracingPolicyNamespaced.spec.tracepoints[index].args[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindex) @@ -12684,39 +17462,103 @@ Only valid with the post action and with a rateLimit specified.
    - namespace - enum + index + integer - Namespace selector name.
    + Position of the argument.

    - Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    + Format: int32
    + Minimum: 0
    true - operator + type enum - Namespace selector operator.
    + Argument type.

    - Enum: In, NotIn
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    true - values - []string + btfType + string - Namespace IDs (or host_ns for host namespace) of namespaces to match.
    + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    - true + false + + label + string + + Label to output in the JSON
    + + false + + maxData + boolean + + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on
    +
    + Default: false
    + + false + + resolve + string + + Resolve the path to a specific attribute
    +
    + Default:
    + + false + + returnCopy + boolean + + This field is used only for char_buf and char_iovec types. It indicates +that this argument should be read later (when the kretprobe for the +symbol is triggered) because it might not be populated when the kprobe +is triggered at the entrance of the function. For example, a buffer +supplied to read(2) won't have content until kretprobe is triggered.
    +
    + Default: false
    + + false + + sizeArgIndex + integer + + Specifies the position of the corresponding size argument for this argument. +This field is used only for char_buf and char_iovec types.
    +
    + Format: int32
    + Minimum: 0
    + + false + + source + string + + Source of the data, if missing the default if function arguments
    + + false -### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchPIDs[index] -[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) - +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindex) +KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The +results of MatchPIDs and MatchArgs are ANDed. @@ -12728,89 +17570,110 @@ Only valid with the post action and with a rateLimit specified.
    - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - + + - + - - + + - - + + - -
    operatorenummacros[]string - PID selector operator.
    -
    - Enum: In, NotIn
    + A list of macros names, defined in spec.selectorsMacros. +Filters specified in macros will be appended to corresponding filters of the selector.
    +
    false
    matchActions[]object + A list of actions to execute when this selector matches
    +
    false
    matchArgs[]object + A list of argument filters. MatchArgs are ANDed.
    +
    false
    matchBinaries[]object + A list of binary exec name filters.
    +
    false
    matchCapabilities[]object + A list of capabilities and IDs
    +
    false
    matchCapabilityChanges[]object + IDs for capabilities changes
    +
    false
    matchData[]object + A list of argument filters. MatchData are ANDed.
    +
    false
    matchNamespaceChanges[]object + IDs for namespace changes
    truefalse
    values[]integermatchNamespaces[]object - Process IDs to match.
    + A list of namespaces and IDs
    truefalse
    followForksbooleanmatchPIDs[]object - Matches any descendant processes of the matching PIDs.
    -
    - Default: false
    + A list of process ID filters. MatchPIDs are ANDed.
    false
    isNamespacePIDbooleanmatchParentBinaries[]object - Indicates whether PIDs are namespace PIDs.
    -
    - Default: false
    + A list of process parent exec name filters.
    false
    - - -### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchParentBinaries[index] -[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) - - - - - - - - - - - - - - - - + + + - + - - + + - + - - + +
    NameTypeDescriptionRequired
    operatorenum
    matchReturnActions[]object - Filter operation.
    -
    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    + A list of actions to execute when MatchReturnArgs selector matches
    truefalse
    values[]stringmatchReturnArgs[]object - Value to compare the argument against.
    + A list of argument filters. MatchArgs are ANDed.
    truefalse
    followChildrenbooleanmatchWorkloads[]object - In addition to binaries, match children processes of specified binaries.
    -
    - Default: false
    + Workloads to match
    false
    -### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchReturnActions[index] -[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchActions[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) @@ -12966,8 +17829,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchReturnArgs[index] -[↩ Parent](#tracingpolicynamespacedspeclsmhooksindexselectorsindex) +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchArgs[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) @@ -13018,8 +17881,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.options[index] -[↩ Parent](#tracingpolicynamespacedspec) +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchBinaries[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) @@ -13034,28 +17897,199 @@ Only valid with the post action and with a rateLimit specified.
    - name - string + operator + enum + + Filter operation.
    +
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    + + true + + values + []string + + Value to compare the argument against.
    + + true + + followChildren + boolean + + In addition to binaries, match children processes of specified binaries.
    +
    + Default: false
    + + false + + + + +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchCapabilities[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Namespace selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]string + Capabilities to match.
    +
    true
    isNamespaceCapabilityboolean + Indicates whether these caps are namespace caps.
    +
    + Default: false
    +
    false
    typeenum + Type of capabilities
    +
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    +
    false
    + + +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchCapabilityChanges[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    operatorenum + Namespace selector operator.
    +
    + Enum: In, NotIn
    +
    true
    values[]string + Capabilities to match.
    +
    true
    isNamespaceCapabilityboolean + Indicates whether these caps are namespace caps.
    +
    + Default: false
    +
    false
    typeenum + Type of capabilities
    +
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    +
    false
    + + +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchData[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - + +
    NameTypeDescriptionRequired
    operatorenum + Filter operation.
    +
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    +
    true
    args[]integer + Position of the operator arguments (in spec file) to apply fhe filter to.
    +
    false
    indexinteger - Name of the option
    + Position of the argument (in function prototype) to apply fhe filter to.
    +
    + Format: int32
    + Minimum: 0
    truefalse
    valuestringvalues[]string - Value of the option
    + Value to compare the argument against.
    false
    -### TracingPolicyNamespaced.spec.podSelector -[↩ Parent](#tracingpolicynamespacedspec) +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchNamespaceChanges[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) + -PodSelector selects pods that this policy applies to @@ -13067,31 +18101,30 @@ PodSelector selects pods that this policy applies to - - + + - + - - + + - +
    matchExpressions[]objectoperatorenum - matchExpressions is a list of label selector requirements. The requirements are ANDed.
    + Namespace selector operator.
    +
    + Enum: In, NotIn
    falsetrue
    matchLabelsmap[string]stringvalues[]string - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels -map is equivalent to an element of matchExpressions, whose key field is "key", the -operator is "In", and the values array contains only "value". The requirements are ANDed.
    + Namespace types (e.g., Mnt, Pid) to match.
    falsetrue
    -### TracingPolicyNamespaced.spec.podSelector.matchExpressions[index] -[↩ Parent](#tracingpolicynamespacedspecpodselector) +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchNamespaces[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) + -A label selector requirement is a selector that contains values, a key, and an operator that -relates the key and values. @@ -13103,42 +18136,39 @@ relates the key and values. - - + + - +
    keystringnamespaceenum - key is the label key that the selector applies to.
    + Namespace selector name.
    +
    + Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    true
    operator enum - operator represents a key's relationship to a set of values. -Valid operators are In, NotIn, Exists and DoesNotExist.
    + Namespace selector operator.

    - Enum: In, NotIn, Exists, DoesNotExist
    + Enum: In, NotIn
    true
    values []string - values is an array of string values. If the operator is In or NotIn, -the values array must be non-empty. If the operator is Exists or DoesNotExist, -the values array must be empty. This array is replaced during a strategic -merge patch.
    + Namespace IDs (or host_ns for host namespace) of namespaces to match.
    falsetrue
    -### TracingPolicyNamespaced.spec.selectorsMacros[key] -[↩ Parent](#tracingpolicynamespacedspec) +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchPIDs[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) + -KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The -results of MatchPIDs and MatchArgs are ANDed. @@ -13150,103 +18180,89 @@ results of MatchPIDs and MatchArgs are ANDed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - + - - + + - + - - + + - - + + - - - + +
    macros[]string - A list of macros names, defined in spec.selectorsMacros. -Filters specified in macros will be appended to corresponding filters of the selector.
    -
    false
    matchActions[]object - A list of actions to execute when this selector matches
    -
    false
    matchArgs[]object - A list of argument filters. MatchArgs are ANDed.
    -
    false
    matchBinaries[]object - A list of binary exec name filters.
    -
    false
    matchCapabilities[]object - A list of capabilities and IDs
    -
    false
    matchCapabilityChanges[]object - IDs for capabilities changes
    -
    false
    matchData[]objectoperatorenum - A list of argument filters. MatchData are ANDed.
    + PID selector operator.
    +
    + Enum: In, NotIn
    falsetrue
    matchNamespaceChanges[]objectvalues[]integer - IDs for namespace changes
    + Process IDs to match.
    falsetrue
    matchNamespaces[]objectfollowForksboolean - A list of namespaces and IDs
    + Matches any descendant processes of the matching PIDs.
    +
    + Default: false
    false
    matchPIDs[]objectisNamespacePIDboolean - A list of process ID filters. MatchPIDs are ANDed.
    + Indicates whether PIDs are namespace PIDs.
    +
    + Default: false
    false
    matchParentBinaries[]object
    + + +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchParentBinaries[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) + + + + + + + + + + + + + + + + - + - - + + - + - - + +
    NameTypeDescriptionRequired
    operatorenum - A list of process parent exec name filters.
    + Filter operation.
    +
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    falsetrue
    matchReturnActions[]objectvalues[]string - A list of actions to execute when MatchReturnArgs selector matches
    + Value to compare the argument against.
    falsetrue
    matchReturnArgs[]objectfollowChildrenboolean - A list of argument filters. MatchArgs are ANDed.
    + In addition to binaries, match children processes of specified binaries.
    +
    + Default: false
    false
    -### TracingPolicyNamespaced.spec.selectorsMacros[key].matchActions[index] -[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchReturnActions[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) @@ -13388,74 +18404,22 @@ or hours ('h' suffix). Only valid with the post action.
    selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. -Only valid with the post action and with a rateLimit specified.
    - - false - - userStackTrace - boolean - - Enable user stack trace export. Only valid with the post action.
    - - false - - - - -### TracingPolicyNamespaced.spec.selectorsMacros[key].matchArgs[index] -[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +
    NameTypeDescriptionRequired
    operatorenum - Filter operation.
    -
    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    -
    true
    args[]integer - Position of the operator arguments (in spec file) to apply fhe filter to.
    -
    false
    indexinteger - Position of the argument (in function prototype) to apply fhe filter to.
    -
    - Format: int32
    - Minimum: 0
    +Only valid with the post action and with a rateLimit specified.
    false
    values[]stringuserStackTraceboolean - Value to compare the argument against.
    + Enable user stack trace export. Only valid with the post action.
    false
    -### TracingPolicyNamespaced.spec.selectorsMacros[key].matchBinaries[index] -[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchReturnArgs[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) @@ -13475,31 +18439,39 @@ Only valid with the post action and with a rateLimit specified.
    Filter operation.

    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    + Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true - values - []string + args + []integer - Value to compare the argument against.
    + Position of the operator arguments (in spec file) to apply fhe filter to.
    - true + false - followChildren - boolean + index + integer - In addition to binaries, match children processes of specified binaries.
    + Position of the argument (in function prototype) to apply fhe filter to.

    - Default: false
    + Format: int32
    + Minimum: 0
    + + false + + values + []string + + Value to compare the argument against.
    false -### TracingPolicyNamespaced.spec.selectorsMacros[key].matchCapabilities[index] -[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchWorkloads[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) @@ -13514,49 +18486,44 @@ Only valid with the post action and with a rateLimit specified.
    - operator - enum - - Namespace selector operator.
    -
    - Enum: In, NotIn
    - - true - - values - []string + containerSelector + object - Capabilities to match.
    + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
    - true + false - isNamespaceCapability - boolean + hostSelector + object - Indicates whether these caps are namespace caps.
    + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.

    - Default: false
    + Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • false - type - enum + podSelector + object - Type of capabilities
    -
    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    + PodSelector selects pods that this policy applies to
    false -### TracingPolicyNamespaced.spec.selectorsMacros[key].matchCapabilityChanges[index] -[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) - +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchWorkloads[index].containerSelector +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindexmatchworkloadsindex) +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. @@ -13568,49 +18535,31 @@ Only valid with the post action and with a rateLimit specified.
    - - - - - - - - - - - - + + - - + +
    operatorenum - Namespace selector operator.
    -
    - Enum: In, NotIn
    -
    true
    values[]string - Capabilities to match.
    -
    true
    isNamespaceCapabilitybooleanmatchExpressions[]object - Indicates whether these caps are namespace caps.
    -
    - Default: false
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    typeenummatchLabelsmap[string]string - Type of capabilities
    -
    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicyNamespaced.spec.selectorsMacros[key].matchData[index] -[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) - +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindexmatchworkloadsindexcontainerselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -13622,47 +18571,42 @@ Only valid with the post action and with a rateLimit specified.
    - - + + - - - - - - - + + - +
    operatorenumkeystring - Filter operation.
    -
    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    + key is the label key that the selector applies to.
    true
    args[]integer - Position of the operator arguments (in spec file) to apply fhe filter to.
    -
    false
    indexintegeroperatorenum - Position of the argument (in function prototype) to apply fhe filter to.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Format: int32
    - Minimum: 0
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    values []string - Value to compare the argument against.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    -### TracingPolicyNamespaced.spec.selectorsMacros[key].matchNamespaceChanges[index] -[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) - +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchWorkloads[index].hostSelector +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindexmatchworkloadsindex) +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. @@ -13674,30 +18618,31 @@ Only valid with the post action and with a rateLimit specified.
    - - + + - + - - + + - +
    operatorenummatchExpressions[]object - Namespace selector operator.
    -
    - Enum: In, NotIn
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    truefalse
    values[]stringmatchLabelsmap[string]string - Namespace types (e.g., Mnt, Pid) to match.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    truefalse
    -### TracingPolicyNamespaced.spec.selectorsMacros[key].matchNamespaces[index] -[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) - +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindexmatchworkloadsindexhostselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -13709,39 +18654,41 @@ Only valid with the post action and with a rateLimit specified.
    - - + + - +
    namespaceenumkeystring - Namespace selector name.
    -
    - Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    + key is the label key that the selector applies to.
    true
    operator enum - Namespace selector operator.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: In, NotIn
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    values []string - Namespace IDs (or host_ns for host namespace) of namespaces to match.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    truefalse
    -### TracingPolicyNamespaced.spec.selectorsMacros[key].matchPIDs[index] -[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) - +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchWorkloads[index].podSelector +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindexmatchworkloadsindex) +PodSelector selects pods that this policy applies to @@ -13753,48 +18700,31 @@ Only valid with the post action and with a rateLimit specified.
    - - - - - - - - - - - - + + - - + +
    operatorenum - PID selector operator.
    -
    - Enum: In, NotIn
    -
    true
    values[]integer - Process IDs to match.
    -
    true
    followForksbooleanmatchExpressions[]object - Matches any descendant processes of the matching PIDs.
    -
    - Default: false
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    isNamespacePIDbooleanmatchLabelsmap[string]string - Indicates whether PIDs are namespace PIDs.
    -
    - Default: false
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicyNamespaced.spec.selectorsMacros[key].matchParentBinaries[index] -[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) - +### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindexmatchworkloadsindexpodselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -13806,36 +18736,38 @@ Only valid with the post action and with a rateLimit specified.
    + + + + + - - - - -
    keystring + key is the label key that the selector applies to.
    +
    true
    operator enum - Filter operation.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    values []string - Value to compare the argument against.
    -
    true
    followChildrenboolean - In addition to binaries, match children processes of specified binaries.
    -
    - Default: false
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    -### TracingPolicyNamespaced.spec.selectorsMacros[key].matchReturnActions[index] -[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) +### TracingPolicyNamespaced.spec.uprobes[index] +[↩ Parent](#tracingpolicynamespacedspec) @@ -13850,149 +18782,106 @@ Only valid with the post action and with a rateLimit specified.
    - action - enum + path + string - Action to execute. -NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to -be removed in version 1.5.
    -
    - Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    + Name of the traced binary
    true - argError - integer + addrs + []integer - error value for override action
    -
    - Format: int32
    + List of the traced addresses
    false - argFd - integer + args + []object - An arg index for the fd for fdInstall action
    -
    - Format: int32
    + A list of function arguments to include in the trace output.
    false - argFqdn + btfPath string - A FQDN to lookup for the dnsLookup action
    - - false - - argIndex - integer - - An arg index for the set action
    -
    - Format: int32
    - - false - - argName - integer - - An arg index for the filename for fdInstall action
    -
    - Format: int32
    - - false - - argRegs - []string - - An arg value for the regs action
    + path for a BTF file for the traced binary
    false - argSig - integer + data + []object - A signal number for signal action
    -
    - Format: int32
    + A list of data to include in the trace output.
    false - argSock - integer + message + string - An arg index for the sock for trackSock and untrackSock actions
    -
    - Format: int32
    + A short message of 256 characters max that will be included +in the event output to inform users what is going on.
    false - argUrl - string + offsets + []integer - A URL for the getUrl action
    + List of the traced offsets
    false - argValue - integer + refCtrOffsets + []integer - An arg value for the set action
    -
    - Format: int32
    + List of the traced ref_ctr_offsets
    false - imaHash + return boolean - Enable collection of file hashes from integrity subsystem. -Only valid with the post action.
    + Indicates whether to collect return value of the traced function.
    +
    + Default: false
    false - kernelStackTrace - boolean + returnArg + object - Enable kernel stack trace export. Only valid with the post action.
    + A return argument to include in the trace output.
    false - rateLimit - string + selectors + []object - A time period within which repeated messages will not be posted. Can be -specified in seconds (default or with 's' suffix), minutes ('m' suffix) -or hours ('h' suffix). Only valid with the post action.
    + Selectors to apply before producing trace output. Selectors are ORed.
    false - rateLimitScope - string + symbols + []string - The scope of the provided rate limit argument. Can be "thread" (default), -"process" (all threads for the same process), or "global". If "thread" is -selected then rate limiting applies per thread; if "process" is selected -then rate limiting applies per process; if "global" is selected then rate -limiting applies regardless of which process or thread caused the action. -Only valid with the post action and with a rateLimit specified.
    + List of the traced symbols
    false - userStackTrace - boolean + tags + []string - Enable user stack trace export. Only valid with the post action.
    + Tags to categorize the event, will be include in the event output. +Maximum of 16 Tags are supported.
    false -### TracingPolicyNamespaced.spec.selectorsMacros[key].matchReturnArgs[index] -[↩ Parent](#tracingpolicynamespacedspecselectorsmacroskey) +### TracingPolicyNamespaced.spec.uprobes[index].args[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindex) @@ -14007,44 +18896,99 @@ Only valid with the post action and with a rateLimit specified.
    - operator + index + integer + + Position of the argument.
    +
    + Format: int32
    + Minimum: 0
    + + true + + type enum - Filter operation.
    + Argument type.

    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    true - args - []integer + btfType + string - Position of the operator arguments (in spec file) to apply fhe filter to.
    + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    false - index + label + string + + Label to output in the JSON
    + + false + + maxData + boolean + + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on
    +
    + Default: false
    + + false + + resolve + string + + Resolve the path to a specific attribute
    +
    + Default:
    + + false + + returnCopy + boolean + + This field is used only for char_buf and char_iovec types. It indicates +that this argument should be read later (when the kretprobe for the +symbol is triggered) because it might not be populated when the kprobe +is triggered at the entrance of the function. For example, a buffer +supplied to read(2) won't have content until kretprobe is triggered.
    +
    + Default: false
    + + false + + sizeArgIndex integer - Position of the argument (in function prototype) to apply fhe filter to.
    + Specifies the position of the corresponding size argument for this argument. +This field is used only for char_buf and char_iovec types.

    Format: int32
    Minimum: 0
    false - values - []string + source + string - Value to compare the argument against.
    + Source of the data, if missing the default if function arguments
    false -### TracingPolicyNamespaced.spec.tracepoints[index] -[↩ Parent](#tracingpolicynamespacedspec) +### TracingPolicyNamespaced.spec.uprobes[index].data[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindex) @@ -14059,65 +19003,102 @@ Only valid with the post action and with a rateLimit specified.
    - event - string + index + integer - Tracepoint event
    + Position of the argument.
    +
    + Format: int32
    + Minimum: 0
    + + true + + type + enum + + Argument type.
    +
    + Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    + Default: auto
    true - subsystem + btfType + string + + Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with +the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the +type.
    + + false + + label string - Tracepoint subsystem
    + Label to output in the JSON
    - true + false - args - []object + maxData + boolean - A list of function arguments to include in the trace output.
    + Read maximum possible data (currently 327360). This field is only used +for char_buff data. When this value is false (default), the bpf program +will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon +supports fetching up to 327360 bytes if this flag is turned on
    +
    + Default: false
    false - message + resolve string - A short message of 256 characters max that will be included -in the event output to inform users what is going on.
    + Resolve the path to a specific attribute
    +
    + Default:
    false - raw + returnCopy boolean - Enable raw tracepoint arguments
    + This field is used only for char_buf and char_iovec types. It indicates +that this argument should be read later (when the kretprobe for the +symbol is triggered) because it might not be populated when the kprobe +is triggered at the entrance of the function. For example, a buffer +supplied to read(2) won't have content until kretprobe is triggered.
    +
    + Default: false
    false - selectors - []object + sizeArgIndex + integer - Selectors to apply before producing trace output. Selectors are ORed.
    + Specifies the position of the corresponding size argument for this argument. +This field is used only for char_buf and char_iovec types.
    +
    + Format: int32
    + Minimum: 0
    false - tags - []string + source + string - Tags to categorize the event, will be include in the event output. -Maximum of 16 Tags are supported.
    + Source of the data, if missing the default if function arguments
    false -### TracingPolicyNamespaced.spec.tracepoints[index].args[index] -[↩ Parent](#tracingpolicynamespacedspectracepointsindex) - +### TracingPolicyNamespaced.spec.uprobes[index].returnArg +[↩ Parent](#tracingpolicynamespacedspecuprobesindex) +A return argument to include in the trace output. @@ -14220,8 +19201,8 @@ This field is used only for char_buf and char_iovec types.
    -### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index] -[↩ Parent](#tracingpolicynamespacedspectracepointsindex) +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindex) KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The @@ -14245,95 +19226,102 @@ Filters specified in macros will be appended to corresponding filters of the sel false - matchActions + matchActions []object A list of actions to execute when this selector matches
    false - matchArgs + matchArgs []object A list of argument filters. MatchArgs are ANDed.
    false - matchBinaries + matchBinaries []object A list of binary exec name filters.
    false - matchCapabilities + matchCapabilities []object A list of capabilities and IDs
    false - matchCapabilityChanges + matchCapabilityChanges []object IDs for capabilities changes
    false - matchData + matchData []object A list of argument filters. MatchData are ANDed.
    false - matchNamespaceChanges + matchNamespaceChanges []object IDs for namespace changes
    false - matchNamespaces + matchNamespaces []object A list of namespaces and IDs
    false - matchPIDs + matchPIDs []object A list of process ID filters. MatchPIDs are ANDed.
    false - matchParentBinaries + matchParentBinaries []object A list of process parent exec name filters.
    false - matchReturnActions + matchReturnActions []object A list of actions to execute when MatchReturnArgs selector matches
    false - matchReturnArgs + matchReturnArgs []object A list of argument filters. MatchArgs are ANDed.
    false + + matchWorkloads + []object + + Workloads to match
    + + false -### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchActions[index] -[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchActions[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) @@ -14489,8 +19477,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchArgs[index] -[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchArgs[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) @@ -14541,8 +19529,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchBinaries[index] -[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchBinaries[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) @@ -14585,8 +19573,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchCapabilities[index] -[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchCapabilities[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) @@ -14639,8 +19627,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchCapabilityChanges[index] -[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchCapabilityChanges[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) @@ -14693,8 +19681,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchData[index] -[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchData[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) @@ -14745,8 +19733,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchNamespaceChanges[index] -[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchNamespaceChanges[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) @@ -14780,8 +19768,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchNamespaces[index] -[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchNamespaces[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) @@ -14824,8 +19812,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchPIDs[index] -[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchPIDs[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) @@ -14877,8 +19865,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchParentBinaries[index] -[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchParentBinaries[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) @@ -14921,8 +19909,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchReturnActions[index] -[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchReturnActions[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) @@ -15078,8 +20066,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchReturnArgs[index] -[↩ Parent](#tracingpolicynamespacedspectracepointsindexselectorsindex) +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchReturnArgs[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) @@ -15130,8 +20118,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.uprobes[index] -[↩ Parent](#tracingpolicynamespacedspec) +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchWorkloads[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) @@ -15146,109 +20134,163 @@ Only valid with the post action and with a rateLimit specified.
    - path - string - - Name of the traced binary
    - - true - - addrs - []integer + containerSelector + object - List of the traced addresses
    + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
    false - args - []object + hostSelector + object - A list of function arguments to include in the trace output.
    + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.
    +
    + Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • false - btfPath - string + podSelector + object - path for a BTF file for the traced binary
    + PodSelector selects pods that this policy applies to
    false - - data + + + + +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchWorkloads[index].containerSelector +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindexmatchworkloadsindex) + + +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. + + + + + + + + + + + + - - - - - - - + + - - - + +
    NameTypeDescriptionRequired
    matchExpressions []object - A list of data to include in the trace output.
    -
    false
    messagestring - A short message of 256 characters max that will be included -in the event output to inform users what is going on.
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    offsets[]integermatchLabelsmap[string]string - List of the traced offsets
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    refCtrOffsets[]integer
    + + +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindexmatchworkloadsindexcontainerselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + - + - - + + - - - - - - + - - + + - - - + +
    NameTypeDescriptionRequired
    keystring - List of the traced ref_ctr_offsets
    + key is the label key that the selector applies to.
    falsetrue
    returnbooleanoperatorenum - Indicates whether to collect return value of the traced function.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Default: false
    -
    false
    returnArgobject - A return argument to include in the trace output.
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    selectors[]objectvalues[]string - Selectors to apply before producing trace output. Selectors are ORed.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    symbols[]string
    + + +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchWorkloads[index].hostSelector +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindexmatchworkloadsindex) + + +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. + + + + + + + + + + + + + - - + +
    NameTypeDescriptionRequired
    matchExpressions[]object - List of the traced symbols
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    tags[]stringmatchLabelsmap[string]string - Tags to categorize the event, will be include in the event output. -Maximum of 16 Tags are supported.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicyNamespaced.spec.uprobes[index].args[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindex) - +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindexmatchworkloadsindexhostselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -15260,99 +20302,120 @@ Maximum of 16 Tags are supported.
    - - + + - + - - + + - - - + +
    indexintegerkeystring - Position of the argument.
    -
    - Format: int32
    - Minimum: 0
    + key is the label key that the selector applies to.
    true
    typeoperator enum - Argument type.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    btfTypestringvalues[]string - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    labelstring
    + + +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchWorkloads[index].podSelector +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindexmatchworkloadsindex) + + +PodSelector selects pods that this policy applies to + + + + + + + + + + + + + - - + + - - + +
    NameTypeDescriptionRequired
    matchExpressions[]object - Label to output in the JSON
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    maxDatabooleanmatchLabelsmap[string]string - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    -
    - Default: false
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    resolve
    + + +### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindexmatchworkloadsindexpodselector) + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + - - - - - - + - - + + - + - - + +
    NameTypeDescriptionRequired
    key string - Resolve the path to a specific attribute
    -
    - Default:
    -
    false
    returnCopyboolean - This field is used only for char_buf and char_iovec types. It indicates -that this argument should be read later (when the kretprobe for the -symbol is triggered) because it might not be populated when the kprobe -is triggered at the entrance of the function. For example, a buffer -supplied to read(2) won't have content until kretprobe is triggered.
    -
    - Default: false
    + key is the label key that the selector applies to.
    falsetrue
    sizeArgIndexintegeroperatorenum - Specifies the position of the corresponding size argument for this argument. -This field is used only for char_buf and char_iovec types.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Format: int32
    - Minimum: 0
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    sourcestringvalues[]string - Source of the data, if missing the default if function arguments
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    -### TracingPolicyNamespaced.spec.uprobes[index].data[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindex) +### TracingPolicyNamespaced.spec.usdts[index] +[↩ Parent](#tracingpolicynamespacedspec) @@ -15367,102 +20430,72 @@ This field is used only for char_buf and char_iovec types.
    - index - integer - - Position of the argument.
    -
    - Format: int32
    - Minimum: 0
    - - true - - type - enum + name + string - Argument type.
    -
    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Usdt name
    true - btfType + path string - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    + Name of the traced binary
    - false + true - label + provider string - Label to output in the JSON
    + Usdt provider name
    - false + true - maxData - boolean + args + []object - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    -
    - Default: false
    + A list of function arguments to include in the trace output.
    false - resolve + btfPath string - Resolve the path to a specific attribute
    -
    - Default:
    + path for a BTF file for the traced binary
    false - returnCopy - boolean + message + string - This field is used only for char_buf and char_iovec types. It indicates -that this argument should be read later (when the kretprobe for the -symbol is triggered) because it might not be populated when the kprobe -is triggered at the entrance of the function. For example, a buffer -supplied to read(2) won't have content until kretprobe is triggered.
    -
    - Default: false
    + A short message of 256 characters max that will be included +in the event output to inform users what is going on.
    false - sizeArgIndex - integer + selectors + []object - Specifies the position of the corresponding size argument for this argument. -This field is used only for char_buf and char_iovec types.
    -
    - Format: int32
    - Minimum: 0
    + Selectors to apply before producing trace output. Selectors are ORed.
    false - - source - string + + tags + []string - Source of the data, if missing the default if function arguments
    + Tags to categorize the event, will be include in the event output. +Maximum of 16 Tags are supported.
    false -### TracingPolicyNamespaced.spec.uprobes[index].returnArg -[↩ Parent](#tracingpolicynamespacedspecuprobesindex) +### TracingPolicyNamespaced.spec.usdts[index].args[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindex) + -A return argument to include in the trace output. @@ -15565,8 +20598,8 @@ This field is used only for char_buf and char_iovec types.
    -### TracingPolicyNamespaced.spec.uprobes[index].selectors[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindex) +### TracingPolicyNamespaced.spec.usdts[index].selectors[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindex) KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The @@ -15590,95 +20623,102 @@ Filters specified in macros will be appended to corresponding filters of the sel false - matchActions + matchActions []object A list of actions to execute when this selector matches
    false - matchArgs + matchArgs []object A list of argument filters. MatchArgs are ANDed.
    false - matchBinaries + matchBinaries []object A list of binary exec name filters.
    false - matchCapabilities + matchCapabilities []object A list of capabilities and IDs
    false - matchCapabilityChanges + matchCapabilityChanges []object IDs for capabilities changes
    false - matchData + matchData []object A list of argument filters. MatchData are ANDed.
    false - matchNamespaceChanges + matchNamespaceChanges []object IDs for namespace changes
    false - matchNamespaces + matchNamespaces []object A list of namespaces and IDs
    false - matchPIDs + matchPIDs []object A list of process ID filters. MatchPIDs are ANDed.
    false - matchParentBinaries + matchParentBinaries []object A list of process parent exec name filters.
    false - matchReturnActions + matchReturnActions []object A list of actions to execute when MatchReturnArgs selector matches
    false - matchReturnArgs + matchReturnArgs []object A list of argument filters. MatchArgs are ANDed.
    false + + matchWorkloads + []object + + Workloads to match
    + + false -### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchActions[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchActions[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) @@ -15825,221 +20865,17 @@ Only valid with the post action and with a rateLimit specified.
    false userStackTrace - boolean - - Enable user stack trace export. Only valid with the post action.
    - - false - - - - -### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchArgs[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    operatorenum - Filter operation.
    -
    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    -
    true
    args[]integer - Position of the operator arguments (in spec file) to apply fhe filter to.
    -
    false
    indexinteger - Position of the argument (in function prototype) to apply fhe filter to.
    -
    - Format: int32
    - Minimum: 0
    -
    false
    values[]string - Value to compare the argument against.
    -
    false
    - - -### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchBinaries[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    operatorenum - Filter operation.
    -
    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    -
    true
    values[]string - Value to compare the argument against.
    -
    true
    followChildrenboolean - In addition to binaries, match children processes of specified binaries.
    -
    - Default: false
    -
    false
    - - -### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchCapabilities[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    operatorenum - Namespace selector operator.
    -
    - Enum: In, NotIn
    -
    true
    values[]string - Capabilities to match.
    -
    true
    isNamespaceCapabilityboolean - Indicates whether these caps are namespace caps.
    -
    - Default: false
    -
    false
    typeenum - Type of capabilities
    -
    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    -
    false
    - - -### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchCapabilityChanges[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
    NameTypeDescriptionRequired
    operatorenum - Namespace selector operator.
    -
    - Enum: In, NotIn
    -
    true
    values[]string - Capabilities to match.
    -
    true
    isNamespaceCapabilityboolean - Indicates whether these caps are namespace caps.
    -
    - Default: false
    -
    false
    typeenum - Type of capabilities
    -
    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    +
    boolean + Enable user stack trace export. Only valid with the post action.
    false
    -### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchData[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchArgs[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) @@ -16090,8 +20926,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchNamespaceChanges[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchBinaries[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) @@ -16109,68 +20945,33 @@ Only valid with the post action and with a rateLimit specified.
    operator enum - Namespace selector operator.
    + Filter operation.

    - Enum: In, NotIn
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true values []string - Namespace types (e.g., Mnt, Pid) to match.
    - - true - - - - -### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchNamespaces[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) - - - - - - - - - - - - - - - - - - - + + - - - - - - +
    NameTypeDescriptionRequired
    namespaceenum - Namespace selector name.
    -
    - Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    + Value to compare the argument against.
    true
    operatorenumfollowChildrenboolean - Namespace selector operator.
    + In addition to binaries, match children processes of specified binaries.

    - Enum: In, NotIn
    -
    true
    values[]string - Namespace IDs (or host_ns for host namespace) of namespaces to match.
    + Default: false
    truefalse
    -### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchPIDs[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchCapabilities[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) @@ -16188,42 +20989,43 @@ Only valid with the post action and with a rateLimit specified.
    operator enum - PID selector operator.
    + Namespace selector operator.

    Enum: In, NotIn
    true values - []integer + []string - Process IDs to match.
    + Capabilities to match.
    true - followForks + isNamespaceCapability boolean - Matches any descendant processes of the matching PIDs.
    + Indicates whether these caps are namespace caps.

    Default: false
    false - isNamespacePID - boolean + type + enum - Indicates whether PIDs are namespace PIDs.
    + Type of capabilities

    - Default: false
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    false -### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchParentBinaries[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchCapabilityChanges[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) @@ -16241,190 +21043,43 @@ Only valid with the post action and with a rateLimit specified.
    operator enum - Filter operation.
    + Namespace selector operator.

    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    + Enum: In, NotIn
    true values []string - Value to compare the argument against.
    + Capabilities to match.
    true - followChildren + isNamespaceCapability boolean - In addition to binaries, match children processes of specified binaries.
    + Indicates whether these caps are namespace caps.

    Default: false
    false - - - - -### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchReturnActions[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    actionenum - Action to execute. -NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to -be removed in version 1.5.
    -
    - Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    -
    true
    argErrorinteger - error value for override action
    -
    - Format: int32
    -
    false
    argFdinteger - An arg index for the fd for fdInstall action
    -
    - Format: int32
    -
    false
    argFqdnstring - A FQDN to lookup for the dnsLookup action
    -
    false
    argIndexinteger - An arg index for the set action
    -
    - Format: int32
    -
    false
    argNameinteger - An arg index for the filename for fdInstall action
    -
    - Format: int32
    -
    false
    argRegs[]string - An arg value for the regs action
    -
    false
    argSiginteger - A signal number for signal action
    -
    - Format: int32
    -
    false
    argSockinteger - An arg index for the sock for trackSock and untrackSock actions
    -
    - Format: int32
    -
    false
    argUrlstring - A URL for the getUrl action
    -
    false
    argValueintegertypeenum - An arg value for the set action
    + Type of capabilities

    - Format: int32
    -
    false
    imaHashboolean - Enable collection of file hashes from integrity subsystem. -Only valid with the post action.
    -
    false
    kernelStackTraceboolean - Enable kernel stack trace export. Only valid with the post action.
    -
    false
    rateLimitstring - A time period within which repeated messages will not be posted. Can be -specified in seconds (default or with 's' suffix), minutes ('m' suffix) -or hours ('h' suffix). Only valid with the post action.
    -
    false
    rateLimitScopestring - The scope of the provided rate limit argument. Can be "thread" (default), -"process" (all threads for the same process), or "global". If "thread" is -selected then rate limiting applies per thread; if "process" is selected -then rate limiting applies per process; if "global" is selected then rate -limiting applies regardless of which process or thread caused the action. -Only valid with the post action and with a rateLimit specified.
    -
    false
    userStackTraceboolean - Enable user stack trace export. Only valid with the post action.
    + Enum: Effective, Inheritable, Permitted
    + Default: Effective
    false
    -### TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchReturnArgs[index] -[↩ Parent](#tracingpolicynamespacedspecuprobesindexselectorsindex) +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchData[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) @@ -16475,8 +21130,8 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.usdts[index] -[↩ Parent](#tracingpolicynamespacedspec) +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchNamespaceChanges[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) @@ -16491,69 +21146,27 @@ Only valid with the post action and with a rateLimit specified.
    - name - string - - Usdt name
    - - true - - path - string - - Name of the traced binary
    - - true - - provider - string + operator + enum - Usdt provider name
    + Namespace selector operator.
    +
    + Enum: In, NotIn
    true - args - []object - - A list of function arguments to include in the trace output.
    - - false - - btfPath - string - - path for a BTF file for the traced binary
    - - false - - message - string - - A short message of 256 characters max that will be included -in the event output to inform users what is going on.
    - - false - - selectors - []object - - Selectors to apply before producing trace output. Selectors are ORed.
    - - false - - tags + values []string - Tags to categorize the event, will be include in the event output. -Maximum of 16 Tags are supported.
    + Namespace types (e.g., Mnt, Pid) to match.
    - false + true -### TracingPolicyNamespaced.spec.usdts[index].args[index] -[↩ Parent](#tracingpolicynamespacedspecusdtsindex) +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchNamespaces[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) @@ -16568,103 +21181,39 @@ Maximum of 16 Tags are supported.
    - index - integer + namespace + enum - Position of the argument.
    + Namespace selector name.

    - Format: int32
    - Minimum: 0
    + Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    true - type + operator enum - Argument type.
    + Namespace selector operator.

    - Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    - Default: auto
    + Enum: In, NotIn
    true - btfType - string - - Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with -the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the -type.
    - - false - - label - string - - Label to output in the JSON
    - - false - - maxData - boolean - - Read maximum possible data (currently 327360). This field is only used -for char_buff data. When this value is false (default), the bpf program -will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon -supports fetching up to 327360 bytes if this flag is turned on
    -
    - Default: false
    - - false - - resolve - string - - Resolve the path to a specific attribute
    -
    - Default:
    - - false - - returnCopy - boolean - - This field is used only for char_buf and char_iovec types. It indicates -that this argument should be read later (when the kretprobe for the -symbol is triggered) because it might not be populated when the kprobe -is triggered at the entrance of the function. For example, a buffer -supplied to read(2) won't have content until kretprobe is triggered.
    -
    - Default: false
    - - false - - sizeArgIndex - integer - - Specifies the position of the corresponding size argument for this argument. -This field is used only for char_buf and char_iovec types.
    -
    - Format: int32
    - Minimum: 0
    - - false - - source - string + values + []string - Source of the data, if missing the default if function arguments
    + Namespace IDs (or host_ns for host namespace) of namespaces to match.
    - false + true -### TracingPolicyNamespaced.spec.usdts[index].selectors[index] -[↩ Parent](#tracingpolicynamespacedspecusdtsindex) +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchPIDs[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) + -KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The -results of MatchPIDs and MatchArgs are ANDed. @@ -16676,102 +21225,88 @@ results of MatchPIDs and MatchArgs are ANDed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - + - - + + - + - - + + - - + + - - - + +
    macros[]string - A list of macros names, defined in spec.selectorsMacros. -Filters specified in macros will be appended to corresponding filters of the selector.
    -
    false
    matchActions[]object - A list of actions to execute when this selector matches
    -
    false
    matchArgs[]object - A list of argument filters. MatchArgs are ANDed.
    -
    false
    matchBinaries[]object - A list of binary exec name filters.
    -
    false
    matchCapabilities[]object - A list of capabilities and IDs
    -
    false
    matchCapabilityChanges[]object - IDs for capabilities changes
    -
    false
    matchData[]objectoperatorenum - A list of argument filters. MatchData are ANDed.
    + PID selector operator.
    +
    + Enum: In, NotIn
    falsetrue
    matchNamespaceChanges[]objectvalues[]integer - IDs for namespace changes
    + Process IDs to match.
    falsetrue
    matchNamespaces[]objectfollowForksboolean - A list of namespaces and IDs
    + Matches any descendant processes of the matching PIDs.
    +
    + Default: false
    false
    matchPIDs[]objectisNamespacePIDboolean - A list of process ID filters. MatchPIDs are ANDed.
    + Indicates whether PIDs are namespace PIDs.
    +
    + Default: false
    false
    matchParentBinaries[]object
    + + +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchParentBinaries[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) + + + + + + + + + + + + + + + + - + - - + + - + - - + +
    NameTypeDescriptionRequired
    operatorenum - A list of process parent exec name filters.
    + Filter operation.
    +
    + Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    falsetrue
    matchReturnActions[]objectvalues[]string - A list of actions to execute when MatchReturnArgs selector matches
    + Value to compare the argument against.
    falsetrue
    matchReturnArgs[]objectfollowChildrenboolean - A list of argument filters. MatchArgs are ANDed.
    + In addition to binaries, match children processes of specified binaries.
    +
    + Default: false
    false
    -### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchActions[index] +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchReturnActions[index] [↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) @@ -16928,7 +21463,7 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchArgs[index] +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchReturnArgs[index] [↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) @@ -16980,51 +21515,7 @@ Only valid with the post action and with a rateLimit specified.
    -### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchBinaries[index] -[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    operatorenum - Filter operation.
    -
    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    -
    true
    values[]string - Value to compare the argument against.
    -
    true
    followChildrenboolean - In addition to binaries, match children processes of specified binaries.
    -
    - Default: false
    -
    false
    - - -### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchCapabilities[index] +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchWorkloads[index] [↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) @@ -17040,103 +21531,44 @@ Only valid with the post action and with a rateLimit specified.
    - operator - enum - - Namespace selector operator.
    -
    - Enum: In, NotIn
    - - true - - values - []string - - Capabilities to match.
    - - true - - isNamespaceCapability - boolean - - Indicates whether these caps are namespace caps.
    -
    - Default: false
    - - false - - type - enum + containerSelector + object - Type of capabilities
    -
    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    + ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported.
    false - - - - -### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchCapabilityChanges[index] -[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) - - - - - - - - - - - - - - - - - - - - - - - - - + + - - + +
    NameTypeDescriptionRequired
    operatorenum - Namespace selector operator.
    -
    - Enum: In, NotIn
    -
    true
    values[]string - Capabilities to match.
    -
    true
    isNamespaceCapabilitybooleanhostSelectorobject - Indicates whether these caps are namespace caps.
    + HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported.

    - Default: false
    + Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
  • false
    typeenumpodSelectorobject - Type of capabilities
    -
    - Enum: Effective, Inheritable, Permitted
    - Default: Effective
    + PodSelector selects pods that this policy applies to
    false
    -### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchData[index] -[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) - +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchWorkloads[index].containerSelector +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindexmatchworkloadsindex) +ContainerSelector selects containers that this policy applies to. +A map of container fields will be constructed in the same way as a map of labels. +The name of the field represents the label "key", and the value of the field - label "value". +Currently, only the "name" field is supported. @@ -17148,82 +21580,31 @@ Only valid with the post action and with a rateLimit specified.
    - - - - - - - - - - - - + + - - + +
    operatorenum - Filter operation.
    -
    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    -
    true
    args[]integer - Position of the operator arguments (in spec file) to apply fhe filter to.
    -
    false
    indexintegermatchExpressions[]object - Position of the argument (in function prototype) to apply fhe filter to.
    -
    - Format: int32
    - Minimum: 0
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    values[]stringmatchLabelsmap[string]string - Value to compare the argument against.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchNamespaceChanges[index] -[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    operatorenum - Namespace selector operator.
    -
    - Enum: In, NotIn
    -
    true
    values[]string - Namespace types (e.g., Mnt, Pid) to match.
    -
    true
    - - -### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchNamespaces[index] -[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) - +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchWorkloads[index].containerSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindexmatchworkloadsindexcontainerselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -17235,39 +21616,42 @@ Only valid with the post action and with a rateLimit specified.
    - - + + - +
    namespaceenumkeystring - Namespace selector name.
    -
    - Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    + key is the label key that the selector applies to.
    true
    operator enum - Namespace selector operator.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: In, NotIn
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    values []string - Namespace IDs (or host_ns for host namespace) of namespaces to match.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    truefalse
    -### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchPIDs[index] -[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) - +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchWorkloads[index].hostSelector +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindexmatchworkloadsindex) +HostSelector selects hosts that this policy applies to. +For now only ~ (none) and {} (all) is supported. @@ -17279,48 +21663,31 @@ Only valid with the post action and with a rateLimit specified.
    - - - - - - - - - - - - + + - - + +
    operatorenum - PID selector operator.
    -
    - Enum: In, NotIn
    -
    true
    values[]integer - Process IDs to match.
    -
    true
    followForksbooleanmatchExpressions[]object - Matches any descendant processes of the matching PIDs.
    -
    - Default: false
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    isNamespacePIDbooleanmatchLabelsmap[string]string - Indicates whether PIDs are namespace PIDs.
    -
    - Default: false
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchParentBinaries[index] -[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) - +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchWorkloads[index].hostSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindexmatchworkloadsindexhostselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -17332,39 +21699,41 @@ Only valid with the post action and with a rateLimit specified.
    + + + + + - - - - -
    keystring + key is the label key that the selector applies to.
    +
    true
    operator enum - Filter operation.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    + Enum: In, NotIn, Exists, DoesNotExist
    true
    values []string - Value to compare the argument against.
    -
    true
    followChildrenboolean - In addition to binaries, match children processes of specified binaries.
    -
    - Default: false
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false
    -### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchReturnActions[index] -[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) - +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchWorkloads[index].podSelector +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindexmatchworkloadsindex) +PodSelector selects pods that this policy applies to @@ -17376,152 +21745,31 @@ Only valid with the post action and with a rateLimit specified.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - + +
    actionenum - Action to execute. -NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to -be removed in version 1.5.
    -
    - Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    -
    true
    argErrorinteger - error value for override action
    -
    - Format: int32
    -
    false
    argFdinteger - An arg index for the fd for fdInstall action
    -
    - Format: int32
    -
    false
    argFqdnstring - A FQDN to lookup for the dnsLookup action
    -
    false
    argIndexinteger - An arg index for the set action
    -
    - Format: int32
    -
    false
    argNameinteger - An arg index for the filename for fdInstall action
    -
    - Format: int32
    -
    false
    argRegs[]string - An arg value for the regs action
    -
    false
    argSiginteger - A signal number for signal action
    -
    - Format: int32
    -
    false
    argSockinteger - An arg index for the sock for trackSock and untrackSock actions
    -
    - Format: int32
    -
    false
    argUrlstring - A URL for the getUrl action
    -
    false
    argValueinteger - An arg value for the set action
    -
    - Format: int32
    -
    false
    imaHashboolean - Enable collection of file hashes from integrity subsystem. -Only valid with the post action.
    -
    false
    kernelStackTraceboolean - Enable kernel stack trace export. Only valid with the post action.
    -
    false
    rateLimitstring - A time period within which repeated messages will not be posted. Can be -specified in seconds (default or with 's' suffix), minutes ('m' suffix) -or hours ('h' suffix). Only valid with the post action.
    -
    false
    rateLimitScopestringmatchExpressions[]object - The scope of the provided rate limit argument. Can be "thread" (default), -"process" (all threads for the same process), or "global". If "thread" is -selected then rate limiting applies per thread; if "process" is selected -then rate limiting applies per process; if "global" is selected then rate -limiting applies regardless of which process or thread caused the action. -Only valid with the post action and with a rateLimit specified.
    + matchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    userStackTracebooleanmatchLabelsmap[string]string - Enable user stack trace export. Only valid with the post action.
    + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed.
    false
    -### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchReturnArgs[index] -[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindex) - +### TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchWorkloads[index].podSelector.matchExpressions[index] +[↩ Parent](#tracingpolicynamespacedspecusdtsindexselectorsindexmatchworkloadsindexpodselector) +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. @@ -17533,36 +21781,30 @@ Only valid with the post action and with a rateLimit specified.
    - - + + - - - - - - - + + - + From 6c172fafc1d42b90f0e61869849efd870194202a Mon Sep 17 00:00:00 2001 From: Anastasios Papagiannis Date: Wed, 22 Apr 2026 09:32:06 +0300 Subject: [PATCH 3/7] Add eBPF code for matchWorkloads selector We expect to have a map named workloads_map that have pairs of selector IDs and policy IDs. Then we reuse the policy_filter_check function to check if the policy is applied to a specific selector. In next patches, the agent will populate the workloads_map. The idea is to reuse the existing infra that we have inside policyfilter and is used in global selectors. Signed-off-by: Anastasios Papagiannis --- bpf/process/pfilter.h | 6 +++++- bpf/process/policy_filter.h | 18 ++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/bpf/process/pfilter.h b/bpf/process/pfilter.h index 8ff9e01455b..8b3997e28c2 100644 --- a/bpf/process/pfilter.h +++ b/bpf/process/pfilter.h @@ -2,6 +2,7 @@ #define __PFILTER_H__ #include "bpf_process_event.h" +#include "policy_filter.h" /** * Process filters (see generic_process_filter) @@ -427,7 +428,10 @@ selector_process_filter(__u32 *f, __u32 index, struct execve_map_value *enter, __u32 len; __u64 i; - /* Do binary and parent filter first for selector index */ + /* Do workload filter first for selector index */ + if (!match_workloads(index)) + return 0; + if (!match_binaries(index, enter, &enter->bin)) return 0; diff --git a/bpf/process/policy_filter.h b/bpf/process/policy_filter.h index 95cba33b250..ea342328fa3 100644 --- a/bpf/process/policy_filter.h +++ b/bpf/process/policy_filter.h 
@@ -93,4 +93,22 @@ FUNC_INLINE bool policy_filter_check(u32 policy_id) return !map_lookup_elem(policy_map, &cgroupid); } +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, MAX_SELECTORS); + __type(key, __u32); /* selector id */ + __type(value, __u32); /* policy_id */ +} workloads_map SEC(".maps"); + +FUNC_INLINE int match_workloads(__u32 selector_id) +{ + __u32 *pol_id = 0; + + pol_id = map_lookup_elem(&workloads_map, &selector_id); + if (!pol_id) + return 1; // no matchWorkload in this selector so match + + return policy_filter_check(*pol_id); +} + #endif /* POLICY_FILTER_MAPS_H__ */ From bb009f8e7424beb149db0e96ffe433c53941d87e Mon Sep 17 00:00:00 2001 From: Anastasios Papagiannis Date: Mon, 4 May 2026 17:31:14 +0300 Subject: [PATCH 4/7] Extract common functionality Will be used in the next patch. Signed-off-by: Anastasios Papagiannis --- pkg/selectors/helpers.go | 15 +++++++++ pkg/selectors/helpers_test.go | 58 +++++++++++++++++++++++++++++++++++ pkg/sensors/k8s.go | 15 +++------ 3 files changed, 78 insertions(+), 10 deletions(-) create mode 100644 pkg/selectors/helpers.go create mode 100644 pkg/selectors/helpers_test.go diff --git a/pkg/selectors/helpers.go b/pkg/selectors/helpers.go new file mode 100644 index 00000000000..3ea03a79f92 --- /dev/null +++ b/pkg/selectors/helpers.go @@ -0,0 +1,15 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Tetragon + +package selectors + +import slimv1 "github.com/cilium/tetragon/pkg/k8s/slim/k8s/apis/meta/v1" + +func MatchAllLabelSelector(s *slimv1.LabelSelector) bool { + all := &slimv1.LabelSelector{} + return all.DeepEqual(s) +} + +func MatchNothingLabelSelector(s *slimv1.LabelSelector) bool { + return s == nil +} diff --git a/pkg/selectors/helpers_test.go b/pkg/selectors/helpers_test.go new file mode 100644 index 00000000000..be710ec24d0 --- /dev/null +++ b/pkg/selectors/helpers_test.go 
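Review bot: The lookup miss in `match_workloads` is fail-open (`if (!pol_id) return 1;`), so a selector also matches every workload while `workloads_map` is still empty; since the agent only populates this map in later patches, a host-only or namespace-scoped selector would apply to all workloads between program attach and map population unless the loader fills the map before attaching. A comment stating that requirement would help: `/* miss = selector has no matchWorkloads; the agent must populate this map before attach, or a scoped selector is briefly applied to every workload. */`. The key is the per-probe selector index passed from `selector_process_filter`; if `workloads_map` is shared by several probes of one policy (pinned or reused across programs), their selector indexes would collide and the key would need the probe identity as well — the loader side is not visible here, so this needs confirming. The `= 0` initialiser on `pol_id` is dead, since the pointer is assigned on the next line.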
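Review bot: The two exported helpers in helpers.go have no doc comments, and their contract is subtle enough to need them: `{}` means match-all and `nil` means match-nothing, the opposite of what a reader may expect from a nil selector. Suggest `// MatchAllLabelSelector reports whether s is the empty selector ({}), i.e. it selects every workload. A nil selector is not match-all.` and `// MatchNothingLabelSelector reports whether s is absent (nil), i.e. it selects nothing.`. MatchAllLabelSelector relies on DeepEqual treating nil and empty MatchLabels/MatchExpressions as equal; the accompanying tests pin that, and a note in the comment would stop someone replacing it with reflect.DeepEqual, which distinguishes a nil map or slice from an empty one and would break the match-all detection.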
@@ -0,0 +1,58 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Tetragon + +package selectors + +import ( + "testing" + + "github.com/stretchr/testify/assert" + + slimv1 "github.com/cilium/tetragon/pkg/k8s/slim/k8s/apis/meta/v1" +) + +func TestMatchAll(t *testing.T) { + assert.True(t, MatchAllLabelSelector(&slimv1.LabelSelector{})) + assert.True(t, MatchAllLabelSelector(&slimv1.LabelSelector{ + MatchLabels: map[string]slimv1.MatchLabelsValue{}, + })) + assert.True(t, MatchAllLabelSelector(&slimv1.LabelSelector{ + MatchExpressions: []slimv1.LabelSelectorRequirement{}, + })) + assert.True(t, MatchAllLabelSelector(&slimv1.LabelSelector{ + MatchLabels: map[string]slimv1.MatchLabelsValue{}, + MatchExpressions: []slimv1.LabelSelectorRequirement{}, + })) + assert.False(t, MatchAllLabelSelector(nil)) + assert.False(t, MatchAllLabelSelector(&slimv1.LabelSelector{ + MatchLabels: map[string]slimv1.MatchLabelsValue{ + "a": "b", + }, + })) + assert.False(t, MatchAllLabelSelector(&slimv1.LabelSelector{ + MatchExpressions: []slimv1.LabelSelectorRequirement{ + { + Key: "a", + Operator: "In", + Values: []string{ + "b", + }, + }, + }, + })) + assert.False(t, MatchAllLabelSelector(&slimv1.LabelSelector{ + MatchLabels: map[string]slimv1.MatchLabelsValue{ + "a": "b", + }, + MatchExpressions: []slimv1.LabelSelectorRequirement{ + { + Key: "a", + Operator: "In", + Values: []string{ + "b", + }, + }, + }, + })) + +} diff --git a/pkg/sensors/k8s.go b/pkg/sensors/k8s.go index 52473605c8a..a71620c7c1b 100644 --- a/pkg/sensors/k8s.go +++ b/pkg/sensors/k8s.go @@ -10,6 +10,7 @@ import ( slimv1 "github.com/cilium/tetragon/pkg/k8s/slim/k8s/apis/meta/v1" "github.com/cilium/tetragon/pkg/policyfilter" + "github.com/cilium/tetragon/pkg/selectors" "github.com/cilium/tetragon/pkg/tracingpolicy" ) 
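Review bot: TestMatchAll covers only `MatchAllLabelSelector`; the sibling `MatchNothingLabelSelector` introduced in the same commit has no test, even though its nil/non-nil contract is what updatePolicyFilter now depends on. Adding `assert.True(t, MatchNothingLabelSelector(nil))` and `assert.False(t, MatchNothingLabelSelector(&slimv1.LabelSelector{}))` would pin it. The stray blank line before the closing brace of TestMatchAll can also go.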
@@ -38,29 +39,23 @@ func (h *handler) updatePolicyFilter(tp tracingpolicy.TracingPolicy, tpID uint64 // If the user specifies a podSelector but don't specify a containerSelector, // we assume that the user cares for all containers inside the pods that match. - if podSelector != nil && containerSelector == nil { + if podSelector != nil && selectors.MatchNothingLabelSelector(containerSelector) { containerSelector = &slimv1.LabelSelector{} } // If the user specifies a containerSelector but don't specify a podSelector, // we assume that the user cares for containers that match inside all pods. - if containerSelector != nil && podSelector == nil { + if containerSelector != nil && selectors.MatchNothingLabelSelector(podSelector) { podSelector = &slimv1.LabelSelector{} } // This is the case where all of podSelector, containerSelector, hostSelector are excplicitly defined to be {}. // In that case we match everything so no need to apply a policyfilter. - matchAll := func(s *slimv1.LabelSelector) bool { - return (s != nil && (len(s.MatchLabels)+len(s.MatchExpressions) == 0)) - } - globalSelectorsMatchAll := matchAll(podSelector) && matchAll(containerSelector) && matchAll(hostSelector) + globalSelectorsMatchAll := selectors.MatchAllLabelSelector(podSelector) && selectors.MatchAllLabelSelector(containerSelector) && selectors.MatchAllLabelSelector(hostSelector) // This covers the "special" case where all of podSelector, containerSelector, hostSelector are nil (default). // In that case we match everything so no need to apply a policyfilter. 
- matchNothing := func(s *slimv1.LabelSelector) bool { - return s == nil - } - globalSelectorsMatchNothing := matchNothing(podSelector) && matchNothing(containerSelector) && matchNothing(hostSelector) + globalSelectorsMatchNothing := selectors.MatchNothingLabelSelector(podSelector) && selectors.MatchNothingLabelSelector(containerSelector) && selectors.MatchNothingLabelSelector(hostSelector) // we do not call AddPolicy unless filtering is actually needed. This // means that if policyfilter is disabled From 9f009a9e95b0c13facade8752eafc2bef0d0ad1e Mon Sep 17 00:00:00 2001 From: Anastasios Papagiannis Date: Mon, 4 May 2026 17:32:53 +0300 Subject: [PATCH 5/7] Add support in the agent for matchWorkloads selector In order to achieve that we reuse the existing support for global selectors inside policyfilter. For each selector that has a matchWorkloads filter, we allocate a new policy ID. In order not to collide with global policy IDs we start to allocate IDs after the range of IDs for global selectors. Based on that we assume that each matchWorkloads selector is a global selector and we call AddPolicy with the selector. We also take care of deallocating all of those when a policy is removed. Signed-off-by: Anastasios Papagiannis --- pkg/policyfilter/nok8s.go | 11 ++++ pkg/policyfilter/selectors.go | 14 +++++ pkg/selectors/kernel.go | 71 ++++++++++++++++++++++++ pkg/selectors/selectors.go | 8 +++ pkg/sensors/tracing/generickprobe.go | 3 + pkg/sensors/tracing/genericlsm.go | 3 + pkg/sensors/tracing/generictracepoint.go | 3 + pkg/sensors/tracing/genericuprobe.go | 3 +- pkg/sensors/tracing/genericusdt.go | 3 +- pkg/sensors/tracing/kprobe_test.go | 8 +-- pkg/sensors/tracing/lsm_test.go | 6 +- pkg/sensors/tracing/selectors.go | 13 +++++ pkg/sensors/tracing/tracepoint_test.go | 6 +- pkg/sensors/tracing/uprobe_test.go | 8 +-- pkg/sensors/tracing/usdt_test.go | 6 +- 15 files changed, 147 insertions(+), 19 deletions(-) create mode 100644 pkg/policyfilter/selectors.go 
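Review bot: The two guard conditions in updatePolicyFilter now mix a raw `podSelector != nil` with `selectors.MatchNothingLabelSelector(containerSelector)` for the same concept inside one expression, which reads as if the two checks differed. Since the helper is just `s == nil`, `if !selectors.MatchNothingLabelSelector(podSelector) && selectors.MatchNothingLabelSelector(containerSelector) {` (and the mirror for the second guard) keeps the expression uniform. Note that the removed `matchAll` tested `len(MatchLabels)+len(MatchExpressions) == 0`, whereas `MatchAllLabelSelector` uses `DeepEqual` against an empty selector; these agree only if DeepEqual treats nil and empty maps/slices alike, which helpers_test.go exercises. updatePolicyFilter begins and ends outside the hunk.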
diff --git a/pkg/policyfilter/nok8s.go b/pkg/policyfilter/nok8s.go index 61635f8582b..592c958957d 100644 --- a/pkg/policyfilter/nok8s.go +++ b/pkg/policyfilter/nok8s.go @@ -10,6 +10,7 @@ import ( "fmt" "sync" + slimv1 "github.com/cilium/tetragon/pkg/k8s/slim/k8s/apis/meta/v1" "github.com/cilium/tetragon/pkg/labels" "github.com/cilium/tetragon/pkg/option" "github.com/cilium/tetragon/pkg/podhelpers" @@ -53,3 +54,13 @@ func (s *State) AddPodContainer(podID PodID, namespace, workload, kind string, p containerID string, cgID CgroupID, containerInfo podhelpers.ContainerInfo) error { return nil } + +func (s *State) AddPolicy(polID PolicyID, namespace string, podSelector *slimv1.LabelSelector, + containerSelector *slimv1.LabelSelector, hostSelector *slimv1.LabelSelector) error { + return nil +} + +// for matchWorkloads +func GetSelectorPolicyID() PolicyID { + return PolicyID(0) +} diff --git a/pkg/policyfilter/selectors.go b/pkg/policyfilter/selectors.go new file mode 100644 index 00000000000..1f43e8b4cd1 --- /dev/null +++ b/pkg/policyfilter/selectors.go @@ -0,0 +1,14 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright Authors of Tetragon + +//go:build !nok8s + +package policyfilter + +import "sync/atomic" + +var ops atomic.Uint32 + +func GetSelectorPolicyID() PolicyID { + return PolicyID(ops.Add(1) + polMaxPolicies) +} diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go index e91f6a10359..0989fbf00b5 100644 --- a/pkg/selectors/kernel.go +++ b/pkg/selectors/kernel.go @@ -24,9 +24,11 @@ import ( "github.com/cilium/tetragon/pkg/config" gt "github.com/cilium/tetragon/pkg/generictypes" "github.com/cilium/tetragon/pkg/idtable" + slimv1 "github.com/cilium/tetragon/pkg/k8s/slim/k8s/apis/meta/v1" "github.com/cilium/tetragon/pkg/kernels" "github.com/cilium/tetragon/pkg/mbset" "github.com/cilium/tetragon/pkg/option" + "github.com/cilium/tetragon/pkg/policyfilter" "github.com/cilium/tetragon/pkg/reader/namespace" "github.com/cilium/tetragon/pkg/reader/network" ) 
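Review bot: In the nok8s build, `AddPolicy` is a no-op returning nil and `GetSelectorPolicyID` always returns `PolicyID(0)`, so a selector with `matchWorkloads` is silently accepted and recorded with policy id 0 rather than rejected. The documentation added later in this series says that loading such a policy outside Kubernetes fails like global selectors do; if that contract is meant to hold for this build as well, the stub should return an error, e.g. `return fmt.Errorf("policyfilter: workload selectors are not supported in this build")`, which makes ParseMatchWorkloads fail instead of loading a zero id into workloads_map. The `// for matchWorkloads` comment could also say what the zero return means to callers.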
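Review bot: `GetSelectorPolicyID` in policyfilter/selectors.go hands out ids from an undocumented package-level counter named `ops`, and nothing explains why the offset is `polMaxPolicies` or that ids are never recycled. Suggest renaming it `selectorPolicyIDs` and adding `// GetSelectorPolicyID returns a fresh policy id for a matchWorkloads selector. Ids start above polMaxPolicies so they never collide with the ids of policy-level selectors; they are never reused.`. If the BPF map that AddPolicy writes into is also sized by polMaxPolicies, the offset avoids key collisions but not capacity exhaustion once global and selector policies together exceed that count; worth confirming against the map definition.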
@@ -1263,6 +1265,59 @@ func ParseMatchAction(k *KernelSelectorState, action *v1alpha1.ActionSelector, a
 return nil
 }
 
+func ParseMatchWorkloads(k *KernelSelectorState, workloads []v1alpha1.WorkloadsSelector, selIdx int) error {
+ if len(workloads) > 1 {
+ return errors.New("only a single selector under matchWorkloads is supported")
+ }
+ if len(workloads) == 0 {
+ return nil
+ }
+
+ state, err := policyfilter.GetState()
+ if err != nil {
+ return fmt.Errorf("parseMatchWorkloads: failed to get policyfilter state: %w", err)
+ }
+
+ podSelector := workloads[0].PodSelector
+ containerSelector := workloads[0].ContainerSelector
+ hostSelector := workloads[0].HostSelector
+
+ // If the user specifies a podSelector but doesn't specify a containerSelector,
+ // we assume that the user cares for all containers inside the pods that match.
+ if podSelector != nil && MatchNothingLabelSelector(containerSelector) {
+ containerSelector = &slimv1.LabelSelector{}
+ }
+
+ // If the user specifies a containerSelector but doesn't specify a podSelector,
+ // we assume that the user cares for containers that match inside all pods.
+ if containerSelector != nil && MatchNothingLabelSelector(podSelector) {
+ podSelector = &slimv1.LabelSelector{}
+ }
+
+ // The user explicitly defined all podSelector, containerSelector, and hostSelector
+ // to be {}. This will match everything and for this reason we should not use
+ // a policyfilter at all.
+ if MatchAllLabelSelector(podSelector) && MatchAllLabelSelector(containerSelector) && MatchAllLabelSelector(hostSelector) {
+ return nil
+ }
+
+ // This covers the "special" case where all of podSelector, containerSelector, hostSelector
+ // are nil (default). In that case we match everything so no need to apply a policyfilter.
+ if MatchNothingLabelSelector(podSelector) && MatchNothingLabelSelector(containerSelector) && MatchNothingLabelSelector(hostSelector) {
+ return nil
+ }
+
+ selPolId := policyfilter.GetSelectorPolicyID()
+ err = state.AddPolicy(selPolId, "", podSelector, containerSelector, hostSelector)
+ if err != nil {
+ return fmt.Errorf("parseMatchWorkloads: failed to add policy: %w", err)
+ }
+
+ k.matchWorkloadIDs[selIdx] = selPolId
+
+ return nil
+}
+
 func ParseMatchActions(k *KernelSelectorState, actions []v1alpha1.ActionSelector, actionArgTable *idtable.Table) error {
 if len(actions) > 3 {
 return fmt.Errorf("only %d actions are support for selector (current number of values is %d)", 3, len(actions))
@@ -1695,6 +1750,9 @@ func InitKernelSelectorState(args *KernelSelectorArgs) (*KernelSelectorState, er
 if err := ParseMatchArgs(k, selector.MatchArgs, selector.MatchData, args.Args, args.Data); err != nil {
 return fmt.Errorf("parseMatchArgs error: %w", err)
 }
+ if err := ParseMatchWorkloads(k, selector.MatchWorkloads, selIdx); err != nil {
+ return fmt.Errorf("parseMatchWorkloads error: %w", err)
+ }
 if err := ParseMatchActions(k, selector.MatchActions, args.ActionArgTable); err != nil {
 return fmt.Errorf("parseMatchActions error: %w", err)
 }
@@ -1732,6 +1790,19 @@ func CleanupKernelSelectorState(state *KernelSelectorState) error {
 errs = errors.Join(errs, err)
 }
 }
+
+ s, err := policyfilter.GetState()
+ if err != nil {
+ errs = errors.Join(errs, err)
+ return errs
+ }
+
+ for _, polID := range state.MatchWorkloadIDs() {
+ if err := s.DelPolicy(polID); err != nil {
+ errs = errors.Join(errs, err)
+ }
+ }
+
 return errs
 }
 
diff --git a/pkg/selectors/selectors.go b/pkg/selectors/selectors.go
index b25751360ee..1b8e42e7d4c 100644
--- a/pkg/selectors/selectors.go
+++ b/pkg/selectors/selectors.go
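Review bot: `ParseMatchWorkloads` prefixes its errors with `parseMatchWorkloads:` while the caller in InitKernelSelectorState wraps them again as `parseMatchWorkloads error: %w`, so a failure reads `parseMatchWorkloads error: parseMatchWorkloads: failed to add policy: ...`; dropping the inner prefix matches how ParseMatchArgs errors are wrapped. The policy id is allocated and `AddPolicy` is called before the selector is fully parsed, so if ParseMatchActions fails for the same selector the policy stays registered unless the caller runs CleanupKernelSelectorState on the partial state; a comment above the `AddPolicy` call making that expectation explicit would help. Go naming would also prefer `selPolID` over `selPolId`.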
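Review bot: CleanupKernelSelectorState now calls `policyfilter.GetState()` unconditionally, so if that call fails when policyfilter is disabled or unavailable, cleanup of every selector state, including ones that never used matchWorkloads, will start reporting an error where it previously succeeded. Guard it on the ids actually recorded: `if len(state.MatchWorkloadIDs()) == 0 { return errs }` placed before the `GetState()` call. CleanupKernelSelectorState begins outside the hunk.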
@@ -11,6 +11,7 @@ import ( "github.com/cilium/tetragon/pkg/api/processapi" "github.com/cilium/tetragon/pkg/kernels" + "github.com/cilium/tetragon/pkg/policyfilter" ) type KernelLPMTrie4 struct { @@ -138,6 +139,8 @@ type KernelSelectorState struct { subStrs []string celExprFunctions *CelExprFunctions + + matchWorkloadIDs map[int]policyfilter.PolicyID } func NewKernelSelectorState( @@ -159,6 +162,7 @@ func NewKernelSelectorState( maps: maps, isUprobe: isUprobe, celExprFunctions: celExprs, + matchWorkloadIDs: make(map[int]policyfilter.PolicyID), } } @@ -174,6 +178,10 @@ func (k KernelSelectorState) MatchBinariesPaths() map[int][][processapi.BINARY_P return k.matchBinariesPaths } +func (k KernelSelectorState) MatchWorkloadIDs() map[int]policyfilter.PolicyID { + return k.matchWorkloadIDs +} + func (k *KernelSelectorState) WriteMatchBinariesPath(selectorID int, path string) { var bytePath [processapi.BINARY_PATH_MAX_LEN]byte copy(bytePath[:], path) diff --git a/pkg/sensors/tracing/generickprobe.go b/pkg/sensors/tracing/generickprobe.go index d30f0c5c9e9..760140898d8 100644 --- a/pkg/sensors/tracing/generickprobe.go +++ b/pkg/sensors/tracing/generickprobe.go @@ -1040,6 +1040,9 @@ func createKprobeSensorFromEntry(polInfo *policyInfo, kprobeEntry *genericKprobe filterMap := program.MapBuilderProgram("filter_map", load) maps = append(maps, filterMap) + workloadsMap := program.MapBuilderProgram("workloads_map", load) + maps = append(maps, workloadsMap) + if has.selector { maps = append(maps, createSelectorMaps(load, getProgramSelector(load, kprobeEntry))...) diff --git a/pkg/sensors/tracing/genericlsm.go b/pkg/sensors/tracing/genericlsm.go index 41733236678..0ac170fb519 100644 --- a/pkg/sensors/tracing/genericlsm.go +++ b/pkg/sensors/tracing/genericlsm.go 
@@ -593,6 +593,9 @@ func createLsmSensorFromEntry(polInfo *policyInfo, lsmEntry *genericLsm, filterMap := program.MapBuilderProgram("filter_map", load) maps = append(maps, filterMap) + workloadsMap := program.MapBuilderProgram("workloads_map", load) + maps = append(maps, workloadsMap) + maps = append(maps, createSelectorMaps(load, lsmEntry.selectors)...) callHeap := program.MapBuilderProgram("process_call_heap", load) diff --git a/pkg/sensors/tracing/generictracepoint.go b/pkg/sensors/tracing/generictracepoint.go index c28cf675199..7df3209a2bf 100644 --- a/pkg/sensors/tracing/generictracepoint.go +++ b/pkg/sensors/tracing/generictracepoint.go @@ -649,6 +649,9 @@ func createGenericTracepointSensor( filterMap := program.MapBuilderProgram("filter_map", prog0) maps = append(maps, filterMap) + workloadsMap := program.MapBuilderProgram("workloads_map", prog0) + maps = append(maps, workloadsMap) + maps = append(maps, createSelectorMaps(prog0, tp.selectors)...) if has.enforcer { diff --git a/pkg/sensors/tracing/genericuprobe.go b/pkg/sensors/tracing/genericuprobe.go index 880c1249fcb..eb5af9aa16d 100644 --- a/pkg/sensors/tracing/genericuprobe.go +++ b/pkg/sensors/tracing/genericuprobe.go @@ -1029,8 +1029,9 @@ func createUprobeSensorFromEntry(polInfo *policyInfo, uprobeEntry *genericUprobe filterMap := program.MapBuilderProgram("filter_map", load) retProbe := program.MapBuilderSensor("retprobe_map", load) selMatchBinariesMap := program.MapBuilderProgram("tg_mb_sel_opts", load) + workloadsMap := program.MapBuilderProgram("workloads_map", load) - maps = append(maps, configMap, tailCalls, filterMap, selMatchBinariesMap, retProbe) + maps = append(maps, configMap, tailCalls, filterMap, selMatchBinariesMap, retProbe, workloadsMap) maps = append(maps, createSelectorMaps(load, getUprobeProgramSelector(load, uprobeEntry))...) if has.substring { diff --git a/pkg/sensors/tracing/genericusdt.go b/pkg/sensors/tracing/genericusdt.go index 564a9094a79..37efccb167a 100644 
--- a/pkg/sensors/tracing/genericusdt.go +++ b/pkg/sensors/tracing/genericusdt.go @@ -194,8 +194,9 @@ func createMultiUsdtSensor( configMap := program.MapBuilderProgram("config_map", load) tailCalls := program.MapBuilderProgram("usdt_calls", load) filterMap := program.MapBuilderProgram("filter_map", load) + workloadsMap := program.MapBuilderProgram("workloads_map", load) - maps = append(maps, configMap, tailCalls, filterMap) + maps = append(maps, configMap, tailCalls, filterMap, workloadsMap) filterMap.SetMaxEntries(len(multiIDs)) configMap.SetMaxEntries(len(multiIDs)) diff --git a/pkg/sensors/tracing/kprobe_test.go b/pkg/sensors/tracing/kprobe_test.go index 7febe7cfff0..dacd30cdd62 100644 --- a/pkg/sensors/tracing/kprobe_test.go +++ b/pkg/sensors/tracing/kprobe_test.go @@ -5022,7 +5022,7 @@ func TestLoadKprobeSensor(t *testing.T) { {Name: "config_map", Progs: []uint{0, 1, 2, 5}}, // generic_kprobe_event - {Name: "tg_conf_map", Progs: []uint{0, 2, 6, 10}}, + {Name: "tg_conf_map", Progs: []uint{0, 2, 4, 6, 10}}, // shared with base sensor {Name: "execve_map", Progs: []uint{4, 5, 6, 7, 9}}, @@ -5091,10 +5091,10 @@ func TestLoadKprobeSensor(t *testing.T) { sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_rb_events", Progs: []uint{2, 6, 11}}) // generic_kprobe_event - sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 2, 6, 11}}) + sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 2, 4, 6, 11}}) } else { // generic_kprobe_event - sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}}) + sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 4}}) } } else { sensorProgs = append(sensorProgs, tus.SensorProg{Name: "generic_kprobe_process_event_2", Type: ebpf.Kprobe}) 
@@ -5117,7 +5117,7 @@ func TestLoadKprobeSensor(t *testing.T) { sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tcpmon_map", Progs: []uint{6, 11}}) // generic_kprobe_event - sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}}) + sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 4}}) // generic_retkprobe_event sensorMaps = append(sensorMaps, tus.SensorMap{Name: "retkprobe_calls", Progs: []uint{8, 9, 10, 14}}) diff --git a/pkg/sensors/tracing/lsm_test.go b/pkg/sensors/tracing/lsm_test.go index 2b4b43eb926..b2bfe0f1602 100644 --- a/pkg/sensors/tracing/lsm_test.go +++ b/pkg/sensors/tracing/lsm_test.go @@ -72,7 +72,7 @@ func TestLSMObjectLoad(t *testing.T) { {Name: "config_map", Progs: []uint{0, 1, 2, 5}}, // generic_lsm_event - {Name: "tg_conf_map", Progs: []uint{0, 2, 6}}, + {Name: "tg_conf_map", Progs: []uint{0, 2, 4, 6}}, // shared with base sensor {Name: "execve_map", Progs: []uint{4, 5, 6}}, @@ -118,10 +118,10 @@ func TestLSMObjectLoad(t *testing.T) { } // generic_lsm_event if config.EnableV511Progs() { - sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 2, 6}}) + sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 2, 4, 6}}) sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_rb_events", Progs: []uint{2, 6}}) } else { - sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}}) + sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 4}}) } } diff --git a/pkg/sensors/tracing/selectors.go b/pkg/sensors/tracing/selectors.go index 55585a6de65..120b1a3a965 100644 --- a/pkg/sensors/tracing/selectors.go +++ b/pkg/sensors/tracing/selectors.go 
@@ -109,6 +109,19 @@ func selectorsMaploads(ks *selectors.KernelSelectorState, index uint32) []*progr }, }, } + if len(ks.MatchWorkloadIDs()) > 0 { + maps = append(maps, &program.MapLoad{ + Name: "workloads_map", + Load: func(m *ebpf.Map, _ string) error { + for selID, polID := range ks.MatchWorkloadIDs() { + if err := m.Update(uint32(selID), polID, ebpf.UpdateAny); err != nil { + return err + } + } + return nil + }, + }) + } if kernels.MinKernelVersion("5.11") { maps = append(maps, []*program.MapLoad{ { diff --git a/pkg/sensors/tracing/tracepoint_test.go b/pkg/sensors/tracing/tracepoint_test.go index 6febaa76685..f4171d581d1 100644 --- a/pkg/sensors/tracing/tracepoint_test.go +++ b/pkg/sensors/tracing/tracepoint_test.go @@ -463,10 +463,10 @@ func TestLoadTracepointSensor(t *testing.T) { sensorMaps = append(sensorMaps, tus.SensorMap{Name: "buffer_heap_map", Progs: []uint{2, 3}}) if config.EnableV511Progs() { - sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 5}}) + sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 3, 5}}) sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_rb_events", Progs: []uint{5}}) } else { - sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}}) + sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 3}}) } } else { sensorProgs = append(sensorProgs, tus.SensorProg{Name: "generic_tracepoint_process_event_2", Type: ebpf.TracePoint}) @@ -490,7 +490,7 @@ func TestLoadTracepointSensor(t *testing.T) { // only generic_tracepoint_event* sensorMaps = append(sensorMaps, tus.SensorMap{Name: "buffer_heap_map", Progs: []uint{2, 6}}) - sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}}) + sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 3}}) } readHook := ` 
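Review bot: The `workloads_map` loader in selectorsMaploads calls `m.Update(uint32(selID), polID, ebpf.UpdateAny)` with `polID` typed as `policyfilter.PolicyID`, while the BPF side declares the value as `__u32`; the update only succeeds if PolicyID's underlying type is exactly four bytes, and that contract is invisible at this call site. Writing `uint32(polID)` like the key makes the size assumption explicit and keeps working if PolicyID's width ever changes. selectorsMaploads begins and ends outside the hunk.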
diff --git a/pkg/sensors/tracing/uprobe_test.go b/pkg/sensors/tracing/uprobe_test.go index cc150e98a00..4385ee396a9 100644 --- a/pkg/sensors/tracing/uprobe_test.go +++ b/pkg/sensors/tracing/uprobe_test.go @@ -76,7 +76,7 @@ func TestLoadUprobeSensor(t *testing.T) { {Name: "tg_rb_events", Progs: []uint{6}}, // generic_uprobe_event - {Name: "tg_conf_map", Progs: []uint{0, 6}}, + {Name: "tg_conf_map", Progs: []uint{0, 4, 6}}, // shared with base sensor {Name: "execve_map", Progs: []uint{4, 5, 6}}, @@ -113,10 +113,10 @@ func TestLoadUprobeSensor(t *testing.T) { sensorMaps = append(sensorMaps, tus.SensorMap{Name: "filter_map", Progs: []uint{3, 4, 5}}) if config.EnableV511Progs() { - sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 6}}) + sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 4, 6}}) sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_rb_events", Progs: []uint{6}}) } else { - sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}}) + sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 4}}) } } else { sensorProgs = append(sensorProgs, tus.SensorProg{Name: "generic_uprobe_process_event_2", Type: ebpf.Kprobe}) @@ -130,7 +130,7 @@ func TestLoadUprobeSensor(t *testing.T) { // shared with base sensor sensorMaps = append(sensorMaps, tus.SensorMap{Name: "execve_map", Progs: []uint{4}}) - sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}}) + sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 4}}) // generic_uprobe_process_filter,generic_uprobe_filter_arg*,generic_uprobe_actions sensorMaps = append(sensorMaps, tus.SensorMap{Name: "filter_map", Progs: []uint{3, 4, 5, 9}}) diff --git a/pkg/sensors/tracing/usdt_test.go b/pkg/sensors/tracing/usdt_test.go index 440c375c04d..eaa7d7fc468 100644 --- a/pkg/sensors/tracing/usdt_test.go +++ b/pkg/sensors/tracing/usdt_test.go 
@@ -69,7 +69,7 @@ func TestUsdtLoadSensor(t *testing.T) { {Name: "tg_rb_events", Progs: []uint{2, 6}}, // generic_usdt_event - {Name: "tg_conf_map", Progs: []uint{0, 2, 6}}, + {Name: "tg_conf_map", Progs: []uint{0, 2, 4, 6}}, // shared with base sensor {Name: "execve_map", Progs: []uint{4, 5, 6}}, @@ -107,10 +107,10 @@ func TestUsdtLoadSensor(t *testing.T) { // shared with base sensor sensorMaps = append(sensorMaps, tus.SensorMap{Name: "execve_map", Progs: []uint{4, 5, 6}}) if config.EnableV511Progs() { - sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 2, 6}}) + sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 2, 4, 6}}) sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_rb_events", Progs: []uint{2, 6}}) } else { - sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0}}) + sensorMaps = append(sensorMaps, tus.SensorMap{Name: "tg_conf_map", Progs: []uint{0, 4}}) } } else { // shared with base sensor From bc85fb92c89528494ad41504253e8698660cbf2a Mon Sep 17 00:00:00 2001 From: Anastasios Papagiannis Date: Wed, 22 Apr 2026 09:35:01 +0300 Subject: [PATCH 6/7] Add new e2e test for matchWorkloads Signed-off-by: Anastasios Papagiannis --- .../tests/policyfilter/policyfilter_test.go | 226 +++++++++++++++++- 1 file changed, 224 insertions(+), 2 deletions(-) diff --git a/tests/e2e/tests/policyfilter/policyfilter_test.go b/tests/e2e/tests/policyfilter/policyfilter_test.go index a593bfec3e8..59c770966aa 100644 --- a/tests/e2e/tests/policyfilter/policyfilter_test.go +++ b/tests/e2e/tests/policyfilter/policyfilter_test.go @@ -25,6 +25,7 @@ import ( "github.com/cilium/tetragon/tests/e2e/checker" "github.com/cilium/tetragon/tests/e2e/helpers" "github.com/cilium/tetragon/tests/e2e/helpers/grpc" + e2e "github.com/cilium/tetragon/tests/e2e/install/tetragon" "github.com/cilium/tetragon/tests/e2e/runners" ) 
@@ -62,11 +63,23 @@ var ( // - check that we only receive events from the matching container containerSelectorNamespace = "nsfield" - testNamespaces = []string{otherNamespace, policyNamespace, podlblNamespace, containerSelectorNamespace} + // for the matchWorkloads test, we: + // - create a namespaces + // - start a pod with 2 containers: one is named passwd and reads /etc/passwd and one is named shadow and reads /etc/shadow + // - install a policy for monitoring file operations with two selectors, one for each of the containers + // - check that we get events from both containers on different files + fileNamespace = "file-ns" + + testNamespaces = []string{otherNamespace, policyNamespace, podlblNamespace, containerSelectorNamespace, fileNamespace} ) func TestMain(m *testing.M) { - runner = runners.NewRunner().Init() + runner = runners.NewRunner().WithInstallTetragon(e2e.WithHelmOptions(map[string]string{ + "tetragon.exportAllowList": "", + "tetragon.enablePolicyFilter": "true", + "tetragon.rthooks.enabled": "true", + "tetragon.rthooks.interface": "nri-hook", + })).Init() // Here we ensure our test namespace doesn't already exist then create it. runner.Setup(func(ctx context.Context, c *envconf.Config) (context.Context, error) { 
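Review bot: The new comment block describing the matchWorkloads test says `// - create a namespaces`; `// - create a namespace (file-ns)` reads correctly and names the namespace the steps below refer to. The surrounding var block and TestMain start outside the hunk.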
@@ -632,3 +645,212 @@ func TestContainerFieldRepoFilters(t *testing.T) { checker := containerSelectorRepoChecker().WithTimeLimit(30 * time.Second).WithEventLimit(20) testContainerFieldFilters(t, checker, containerSelectorRepoPolicy, "debian-container-syscalls", ubuntuPodL4) } + +const matchWorkloadsPolicy = ` +apiVersion: cilium.io/v1alpha1 +kind: TracingPolicy +metadata: + name: "file-match-workloads" +spec: + kprobes: + - call: "security_file_permission" + syscall: false + return: true + args: + - index: 0 + type: "file" # (struct file *) used for getting the path + - index: 1 + type: "int" # 0x04 is MAY_READ, 0x02 is MAY_WRITE + returnArg: + index: 0 + type: "int" + selectors: + - matchArgs: + - index: 0 + operator: "Prefix" + values: + - "/etc/passwd" + - index: 1 + operator: "Equal" + values: + - "4" # MAY_READ + matchWorkloads: + - containerSelector: + matchExpressions: + - key: "name" + operator: In + values: + - "passwd" + - matchArgs: + - index: 0 + operator: "Prefix" + values: + - "/etc/shadow" + - index: 1 + operator: "Equal" + values: + - "4" # MAY_READ + matchWorkloads: + - containerSelector: + matchExpressions: + - key: "name" + operator: In + values: + - "shadow" +` + +const ubuntuFilePod = ` +kind: Deployment +apiVersion: apps/v1 +metadata: + name: ubuntu-file +spec: + replicas: 1 + selector: + matchLabels: + app: "ubuntu-file" + template: + metadata: + labels: + app: "ubuntu-file" + spec: + containers: + - name: passwd + image: ubuntu:20.04 + imagePullPolicy: IfNotPresent + command: ["bash"] + args: ["-c", "while sleep 1; do cat /etc/passwd; done"] + - name: shadow + image: ubuntu:20.04 + imagePullPolicy: IfNotPresent + command: ["bash"] + args: ["-c", "while sleep 1; do cat /etc/shadow; done"] +` + +func matchWorkloadsChecker() *checker.RPCChecker { + return checker.NewRPCChecker(&matchWorkloadsFileChecker{}, "policyfilter-match-workloads-checker") +} + +type matchWorkloadsFileChecker struct { + matchesShadow int + matchesPasswd int +} + +func 
(cfc *matchWorkloadsFileChecker) Done() bool { + return cfc.matchesPasswd > 0 && cfc.matchesShadow > 0 +} + +func (cfc *matchWorkloadsFileChecker) NextEventCheck(event ec.Event, _ *slog.Logger) (bool, error) { + // ignore non-trace point events + ev, ok := event.(*tetragon.ProcessKprobe) + if !ok { + return false, errors.New("not a kprobe") + } + + // ignore other kprobes + if ev.GetFunctionName() != "security_file_permission" { + return false, fmt.Errorf("not security_file_permission kprobe (%s instead)", ev.GetFunctionName()) + } + + // ignore other tracing policies + if ev.GetPolicyName() != "file-match-workloads" { + return false, fmt.Errorf("not file-match-workloads (%s instead)", ev.GetPolicyName()) + } + + // check that we have the correct number of args + args := ev.GetArgs() + if len(args) == 0 { + return true, fmt.Errorf("unexpected event %+v withn not arguments", ev) + } + + arg := args[0].GetFileArg() + container := ev.GetProcess().GetPod().GetContainer() + + switch arg.Path { + case "/etc/passwd": + if container.Name == "passwd" { + cfc.matchesPasswd++ + return cfc.Done(), nil + } + return true, fmt.Errorf("unexpected event %+v for /etc/passwd from a container with a different name than passwd", ev) + case "/etc/shadow": + if container.Name == "shadow" { + cfc.matchesShadow++ + return cfc.Done(), nil + } + return true, fmt.Errorf("unexpected event %+v for /etc/shadow from a container with a different name than shadow", ev) + default: + return false, nil + } +} + +func (cfc *matchWorkloadsFileChecker) FinalCheck(_ *slog.Logger) error { + if cfc.Done() { + return nil + } + return fmt.Errorf("match-workloads checker failed, had %d matches for /etc/passwd and %d matches for /etc/shadow", cfc.matchesPasswd, cfc.matchesShadow) +} + +func TestMatchWorkloadsSelector(t *testing.T) { + checker := matchWorkloadsChecker().WithTimeLimit(30 * time.Second).WithEventLimit(20) + testMatchWorkloadsSelector(t, checker) +} + +func testMatchWorkloadsSelector(t *testing.T, 
checker *checker.RPCChecker) { + runEventChecker := features.New("Run Event Checks"). + Assess("Run Event Checks", checker.CheckWithFilters( + 30*time.Second, + // allow list + []*tetragon.Filter{{ + EventSet: []tetragon.EventType{tetragon.EventType_PROCESS_KPROBE}, + Namespace: []string{fileNamespace}, + }}, + // deny list + []*tetragon.Filter{}, + )).Feature() + + runWorkload := features.New("Match workloads test"). + Assess("Install policy", func(ctx context.Context, _ *testing.T, c *envconf.Config) context.Context { + ctx, err := helpers.LoadCRDString("", matchWorkloadsPolicy, false)(ctx, c) + if err != nil { + klog.ErrorS(err, "failed to install policy") + t.Fail() + } + return ctx + }). + Assess("Wait for policy", func(ctx context.Context, _ *testing.T, _ *envconf.Config) context.Context { + if err := grpc.WaitForTracingPolicy(ctx, "file-match-workloads"); err != nil { + klog.ErrorS(err, "failed to wait for policy") + t.Fail() + } + return ctx + }). + Assess("Wait for Checker", checker.Wait(30*time.Second)). + Assess("Start pods", func(ctx context.Context, _ *testing.T, c *envconf.Config) context.Context { + ctx, err := helpers.LoadCRDString(fileNamespace, ubuntuFilePod, true)(ctx, c) + if err != nil { + klog.ErrorS(err, "failed to load pod") + t.Fail() + } + return ctx + }). + Assess("Uninstall policy", func(ctx context.Context, _ *testing.T, c *envconf.Config) context.Context { + ctx, err := helpers.UnloadCRDString("", matchWorkloadsPolicy, false)(ctx, c) + if err != nil { + klog.ErrorS(err, "failed to uninstall policy") + t.Fail() + } + return ctx + }). + Assess("Stop pods", func(ctx context.Context, _ *testing.T, c *envconf.Config) context.Context { + ctx, err := helpers.UnloadCRDString(fileNamespace, ubuntuFilePod, true)(ctx, c) + if err != nil { + klog.ErrorS(err, "failed to uninstall pod") + t.Fail() + } + return ctx + }). + Feature() + + runner.TestInParallel(t, runWorkload, runEventChecker) +} 
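Review bot: In `NextEventCheck`, `arg := args[0].GetFileArg()` is nil when the first argument is not a file, and `container := ev.GetProcess().GetPod().GetContainer()` is nil for a process without pod information, yet `arg.Path` and `container.Name` are then accessed directly, so one unexpected event panics the checker instead of returning an error. Use the nil-safe generated getters (`arg.GetPath()`, `container.GetName()`) and reject a nil file argument explicitly, as below. The comment `// ignore non-trace point events` describes a kprobe check and should say so, and `withn not arguments` should read `with no arguments`.
```go
	arg := args[0].GetFileArg()
	if arg == nil {
		return true, fmt.Errorf("unexpected event %+v with a non-file first argument", ev)
	}
	container := ev.GetProcess().GetPod().GetContainer()

	switch arg.GetPath() {
	case "/etc/passwd":
		if container.GetName() == "passwd" {
	// … unchanged: passwd counter and error return …
	case "/etc/shadow":
		if container.GetName() == "shadow" {
	// … unchanged: shadow counter, error return and default case …
```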
From 23f20b15e52cce72a3685dfc8ae6c33eaa663f48 Mon Sep 17 00:00:00 2001 From: Anastasios Papagiannis Date: Wed, 22 Apr 2026 10:24:20 +0300 Subject: [PATCH 7/7] docs: Document matchWorkloads selector Signed-off-by: Anastasios Papagiannis --- .../docs/concepts/tracing-policy/selectors.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/content/en/docs/concepts/tracing-policy/selectors.md b/docs/content/en/docs/concepts/tracing-policy/selectors.md index 662c46fe931..f9d82dd4e43 100644 --- a/docs/content/en/docs/concepts/tracing-policy/selectors.md +++ b/docs/content/en/docs/concepts/tracing-policy/selectors.md @@ -21,6 +21,7 @@ Each selector comprises a set of filters: - [`matchCapabilities`](#capabilities-filter): filter on Linux capabilities. - [`matchNamespaceChanges`](#namespace-changes-filter): filter on Linux namespaces changes. - [`matchCapabilityChanges`](#capability-changes-filter): filter on Linux capabilities changes. +- [`matchWorkloads`](#workloads-filter): filter on Kubernetes workloads. And a set of actions that will be performed if the specified filters match: - [`matchActions`](#actions-filter): apply an action on selector matching. 
@@ -716,6 +717,32 @@ matchCapabilityChanges:
See a [demonstration example](https://github.com/cilium/tetragon/blob/main/examples/tracingpolicy/fd_install_cap_changes.yaml) of this feature.
+## Workloads filter
+
+Workloads filter can be specified under the `matchWorkloads` field and provides
+filtering based on Kubernetes workloads. Inside `matchWorkloads` the user can
+define a `hostSelector`, a `podSelector`, and a `containerSelector`.
+
+This works in a similar way to global workload selectors such as `spec.hostSelector`,
+`spec.podSelector`, and `spec.containerSelector`. More details on these
+can be found in [Filtering semantics]({{< ref "/docs/concepts/tracing-policy/k8s-filtering/#filtering-semantics" >}}).
+
+Loading a tracing policy with `matchWorkloads` outside of Kubernetes will fail
+in a similar way to global workload selectors.
+
+The following match host workloads and pods inside `kube-system` namespace:
+
+```yaml
+matchWorkloads:
+- hostSelector: {}
+ podSelector:
+ matchExpressions:
+ - key: "k8s:io.kubernetes.pod.namespace"
+ operator: In
+ values:
+ - "kube-system"
+```
+
## Actions filter
Actions filters are a list of actions that execute when an appropriate selector
    operatorenumkeystring - Filter operation.
    -
    - Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    + key is the label key that the selector applies to.
    true
    args[]integer - Position of the operator arguments (in spec file) to apply fhe filter to.
    -
    false
    indexintegeroperatorenum - Position of the argument (in function prototype) to apply fhe filter to.
    + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    - Format: int32
    - Minimum: 0
    + Enum: In, NotIn, Exists, DoesNotExist
    falsetrue
    values []string - Value to compare the argument against.
    + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
    false