tetragon icon indicating copy to clipboard operation
tetragon copied to clipboard
verified publisher icon cilium

host_ns namespace selector is leaking some host related events

Open genie-zs opened this issue 8 months ago • 2 comments

What happened?

Hello! I am trying to remove host-related events from my tracing policies deployed in a Kubernetes environment with Containerd as a runtime. I use the following namespace selector for this:

- matchNamespaces:
  - namespace: Pid
    operator: NotIn
    values:
    - "host_ns"

So, I expect that I will stop receiving host pid namespace-related events. However, for some reason, I am still receiving some of them (see the file for the exact content).

tetragon_events.json

Moreover, they are all marked with the is_host: true attribute.

Tetragon Version

1.1.2

Kernel Version

Tested on LTS kernels with different distributions:

  • 5.10.0-33-amd64 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64 GNU/Linux
  • 6.1.0-31-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.128-1 (2025-02-07) x86_64 GNU/Linux
  • 5.4.0-205-generic #225-Ubuntu SMP Fri Jan 10 22:23:35 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
  • 5.15.0-119-generic #129-Ubuntu SMP Fri Aug 2 19:25:20 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
  • 6.12.0-51.el10.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Feb 7 17:16:47 UTC 2025 x86_64 GNU/Linux
  • 6.6.28-1-debug #astra2+ci96 SMP PREEMPT_DYNAMIC Fri Dec 6 13:12:50 MSK 2024 x86_64 GNU/Linux

Kubernetes Version

  • 1.32.2
  • 1.27.16

Bugtool

No response

Relevant log output

Anything else?

Containerd versions:

  • 1.7.25
  • 1.7.24
  • 1.7.13
  • 1.7.12
  • 1.6.20

genie-zs avatar Apr 08 '25 08:04 genie-zs

Thanks for the report. Can you please provide the full policy?

kkourt avatar May 15 '25 06:05 kkourt

Sure. file-monitoring.zip

genie-zs avatar May 20 '25 11:05 genie-zs