Tetragon does not allow getting healthcheck and non healthcheck events at the same time
What happened?
I need to get all process_exec events (healthchecks and non-healthchecks), but that seems impossible: leaving out {"health_check":true} in the deny filter seems to behave identically to setting it to true. Tried setting it to null, and adding an allow filter with both false and true, but no luck in any case.
environment: k8s cluster
config:
export-allowlist: '{"event_set":["PROCESS_EXEC"]}'
export-denylist: '{"namespace":["", "cilium", "kube-system"]}'
logs:
time="2024-05-28T16:48:01Z" level=info msg="Starting tetragon" version=v1.0.3
time="2024-05-28T16:48:01Z" level=info msg="config settings" config="map[bpf-lib:/var/lib/tetragon/ btf: config-dir:/etc/tetragon/tetragon.conf.d/ cpuprofile: data-cache-size:1024 debug:false disable-kprobe-multi:false enable-export-aggregation:false enable-k8s-api:true enable-msg-handling-latency:false enable-pid-set-filter:false enable-pod-info:false enable-policy-filter:true enable-policy-filter-debug:false enable-process-ancestors:true enable-process-cred:false enable-process-ns:false event-queue-size:10000 export-aggregation-buffer-size:10000 export-aggregation-window-size:15s export-allowlist:{\"event_set\":[\"PROCESS_EXEC\"]} export-denylist:{\"namespace\":[\"\", \"cilium\", \"kube-system\"]} export-file-compress:false export-file-max-backups:5 export-file-max-size-mb:100 export-file-perm:600 export-file-rotation-interval:0s export-filename:/var/log/cilium/tetragon/tetragon.log export-rate-limit:-1 expose-kernel-addresses:false field-filters: force-large-progs:false force-small-progs:false gops-address:localhost:8118 k8s-kubeconfig-path: kernel: kmods:[] log-format:text log-level:info memprofile: metrics-label-filter:namespace,workload,pod,binary metrics-server::2112 netns-dir:/var/run/docker/netns/ pprof-addr: process-cache-size:65536 procfs:/procRoot rb-queue-size:65535 rb-size:0 rb-size-total:0 redaction-filters: release-pinned-bpf:true server-address:localhost:54321 tracing-policy: tracing-policy-dir:/etc/tetragon/tetragon.tp.d verbose:0]"
Tetragon Version
1.0.3
Kernel Version
Linux ubuntu ** SMP Mon May 22 20:06:37 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Kubernetes Version
1.29