
Releases: cilium/tetragon

v1.6.0

23 Oct 10:53


Changes from v1.5.0 to v1.6.0

All contributions - total: 362 commits, prs: 187 pr commits: 362
Excluding cilium-renovate[bot] - total: 288 commits, prs: 114 pr commits: 288

Upgrade notes

Read the upgrade notes carefully before upgrading Tetragon.
Depending on your setup, changes listed here might require a manual intervention.

Helm Values

  • The tetragonOperator.securityContext field has been deprecated in favor of tetragonOperator.containerSecurityContext for clarity. The old field is still supported for backward compatibility but might be removed in a future release. Users should migrate their configurations to use the new field.

  • The Tetragon Operator now defaults to running as a non-root user (UID 65532) for improved security. A new tetragonOperator.runAsRoot option has been added to override this behavior and run as root when needed. Set tetragonOperator.runAsRoot: true to maintain the previous root-based behavior if required.

Changelog

Bugfixes

Minor Changes

CI Changes

Documentation changes

Dependency updates

  • chore(deps): update module github.com/docker/docker to v28.3.3+incompatible [security] (main) (#3958) by @cilium-renovate[bot]
  • chore(deps): update renovatebot/github-action action to v43 (main) (#3965) by @cilium-renovate[bot]
  • chore(deps): update module github.com/cilium/cilium to v1.18.0 (main) (#3964) by @cilium-renovate[bot]
  • chore(deps): update all github action dependencies (main) (#3963) by @cilium-renovate[bot]
  • chore(deps): update all lvh-images main (main) (patch) (#3970) by @cilium-renovate[bot]
  • chore(deps): update dependency cilium/cilium-cli to v0.18.6 (main) (#3976) by @cilium-renovate[bot]
  • fix(deps): update module github.com/prometheus/client_golang to v1.23.0 (main) (#3977) by @cilium-renovate[bot]
  • chore(deps): update all lvh-images main (main) (patch) (https://github....

v1.6.0-rc.1

22 Oct 11:26


v1.6.0-rc.1 Pre-release

Changes from v1.6.0-pre.0 to v1.6.0-rc.1

total: 280 commits, prs: 107 pr commits: 280

Bugfixes

  • Fix bug in process modeling where long executable filenames may cause command-line argument capture corruption.
  • helm: Quote tetragon.processAncestors.enabled
  • selectors: Ignore empty matchBinaries
  • pkg/cgroups/fsscan: fix incorrect path returned
  • pkg/crdutils: fix standalone custom resources validation
  • selectors: fix off by one bounds check

Minor Changes

  • option: Remove deprecated enable-process-ancestors boolean flags
  • tetragon: Enable TestTracepointLoadFormat on 6.1 and bpf-next
  • More robust process argument parsing logic.
  • tetragon: Add usdt sensor
  • tetragon: Change generic usdt op number
  • k8s: Enable k8s control plane for non-k8s deployment
  • tetragon: assorted fixes
  • fix: reject NotifyEnforcer kprobe action without an Enforcer
  • tetragon: Make TestUsdtArgs amd64 only
  • fix: detectUprobeRefCtrOffsetOnce init logic
  • bpf: turn environment configuration storage into a BPF ARRAY storage
  • new(tetra/getevents): allow to filter events by container name regex.
  • assorted fixes
  • api: Add pod uid field for k8s Pod
  • k8s: Reduce RBAC permission for non-k8s deployment
  • tetragon: support for current task data
  • tetragon: add usdt action support
  • tracingpolicy: add counters about actions performed for every policy
  • helm: run the Tetragon operator as non-root by default
  • tetra: add "probe config" command to check kernel configuration.
  • tetragon: allow to parse usdt sib argument
  • tetragon: Fix TestControllerSuite flake panic
  • tetragon: Fix struct perf_event_info_type layout
  • kprobe: Add support for bpf_prog argument
  • tetragon: add range filter
  • tetragon: Fix k8s validation of ArgSelector fields
  • Adds support for bpf ring buffer and sets that as the default from kernels v5.11 onwards.
  • k8s: Add retry support for ControllerManager
  • feat: add nameOverride support for tetragon-rthooks
  • tetragon: remove unused execve event flags bits
  • fix: Controller manager retry logic
  • tetragon: add support for usdt set action
  • tetragon: assorted fixes
  • Helm chart: add support for export.stdout.envFromSecrets to inject environment variables from Kubernetes secrets
  • tetragon: uprobe fixes
  • Dockerfile.clang: upgrade to clang-20
  • tetragon: assorted fixes
  • policies: support for resolve: in USDT policies
  • tetragon: add uprobe override action
  • tetragon: Add missing switch break to do_action

CI Changes

  • renovate: Remove manual step for cilium/cilium dep
  • ci: Re-enable label checker in ARM
  • fix: Resolve error message typo in TestHelperMain().
  • pin alexellis/arkade-get github action by hash
  • renovate: sync helm chart version/appVersion update with image tag
  • chore(ci): always use actions/setup-go after repo clone.
  • Makefile alias for docs generation and renovate config update
  • Makefile: add checkpatch target
  • Fix flaky downloads of eBPF for Windows deps
  • ci: always upload Go test artifacts for easier debugging
  • check-links: fix the periodic check issue creation

Documentation changes

  • Update tetragon enterprise URL
  • Fix a typo in kubectl in the runtime hook documentation
  • docs: improve path retrieval limits formatting
  • docs: Fix swapped event filters descriptions
  • docs: fix the yaml indent in selector semantics
  • Adds Tracing Policy API reference documentation
  • doc: add contribution ladder section
  • Chore: Add KubeCon NA 2025 to Announcement banner
  • docs: fix broken link in docs detected by the periodic check
  • ARM64 users: Tetragon may run on v4.19/v5.4 kernels with limited functionality; use v5.10 or later.

Dependency updates

  • chore(deps): update all lvh-images main (main) (patch)

Misc Changes

  • Starting v1.6 development
  • Restore upgrade notes in v1.5.0.md
  • bpf: remove unused func UpdateElementFromPointers
  • fix: Refactor SIZEOF_EVENT constant to not be a hard-coded value.
  • rthooks: Log container ID as a key-value pair
  • Update release template
  • lint: Ignore error check for cgroups.DiscoverSubSysIds call
  • deps: remove direct gopkg.in/yaml.v2 dep
  • fix: Remove unused constants from bpf/lib/process.h
  • e2e: Remove Cilium related flags
  • USDT ancestors support
  • pkg/cgroups/fsscan: add FindPodPath
  • contrib: Remove Vagrantfile and related docs
  • chore: Update goimport config with local-prefixes for consistency
  • helm: Add 'containers.extra' helper function
  • renovate: Allow go 1.24 for v1.3 branch
  • linters/staticcheck: fix underscore in names
  • helm: Add a Role for tetragon service account
  • Optimize Kprobe Rate Limit Test Performance
  • pkg/sensors: initialize RewriteConstant map in builder
  • new(cmd/tetra,pkg/bugtool): allow to extend bugtool with custom commands and grpc calls.
  • FindProgramFileUnderLocations: error logging
  • policy_stats: use the map only for policy sensors
  • k8s: Add alias for getting k8s config
  • bpf: additional errmetrics
  • chore(bpf, pkg/errmetrics): some probe_read() bpf errmetrics
  • policies: only warn once for stats and mode
  • pkg/errmetrics: expose error metrics via Prometheus metrics
  • k8s: Avoid hard coded CRD.spec.group
  • fix: always close the bpf link in detectKprobeMulti before returning
  • observer: deal with empty data in HandlePerfData
  • tetragon: assorted fixes
  • tetragon: testutils service both perf and bpf ring
  • cleanup: remove old build constraint syntax
  • pkg/asm: fuzz Assignment func parsing strings
  • new(tests/e2e): add a metrics checker on e2e tests.
  • fix(bpf/process): fix some missing break statements.
  • fix(bpf): force explicit switch case fallthrough
  • Prepare for v1.6.0-rc.1 release

v1.5.0

29 Jul 09:35


Upgrade notes

Read the upgrade notes carefully before upgrading Tetragon.
Depending on your setup, changes listed here might require a manual intervention.

  • Enabling ancestors for process events is now configured by the new --enable-ancestors flag.
    The following flags are deprecated in this release (1.5) and are scheduled for removal in the next (1.6):

    • --enable-process-ancestors
    • --enable-process-kprobe-ancestors
    • --enable-process-tracepoint-ancestors
    • --enable-process-uprobe-ancestors
    • --enable-process-lsm-ancestors
  • The logging library used by Tetragon has been migrated from logrus to log/slog.
    This change is not expected to affect end users, but it may require adjustments in custom scripts or tools
    that parse Tetragon logs:

    • level=warning is now level=warn

Helm Values

  • The default value of metrics scrape interval in both agent and operator
    ServiceMonitors (tetragon.prometheus.serviceMonitor.scrapeInterval and
    tetragonOperator.prometheus.serviceMonitor.scrapeInterval values
    respectively) is changed from 10s to 60s.

  • OciHookSetup section is removed after being deprecated in 1.2.

Changes from v1.4.1 to v1.5.0

total: 391 commits, prs: 182 pr commits: 390

Major Changes

Bugfixes

  • helm: fix extraHookargs in rthooks (#3566) by @kkourt
  • Fix event source pod attribution when env var HUBBLE_NODE_NAME is set (#3609) by @odinuge
  • fix(chart): correct operator securityContext values (#3681) by @JefeDavis
  • tracingpolicy: fix issue in argument order with the resolve argument option (#3737) by @kkourt
  • Fix an issue where inInitTree was not properly accounting processes started before Tetragon. (#3827) by @will-isovalent
  • tracingpolicy: respect syscall attribute in lists (#3895) by @kkourt
  • Fixes load sensor failure when mixing rate limited and non rate limited kprobes. (#3903) by @mtardy
  • bpf: fix issue with multiple inactive selectors (#3947) by @kkourt

Minor Changes

CI Changes

  • e2e: port forwarding fixes (#3555) by @kkourt
  • ci: In "Tetragon Go Test" add vmlinux in artifact when test fails (#3526) by @tdaudi
  • Revert "renovate: add v1.2 for golang 1.23" (#3598) by @mtardy
  • Update golangci-lint to v2 and fix newly discovered issues in the code base (#3607) by @mtardy
  • linters: take the golangci-lint v2 bump opportunity to enable more linters (#3608) by @mtardy
  • tetragon/windows: Add windows compile as a ci step (#3611) by @ExceptionalHan...

v1.4.1

15 Jul 17:14


Changes

Bugfixes

CI Changes

Dependency updates

  • chore(deps): update go to v1.24.2 (v1.4) (patch) (#3597) by @cilium-renovate[bot]
  • chore(deps): update module golang.org/x/net to v0.38.0 [security] (v1.4) (#3649) by @cilium-renovate[bot]
  • fix(deps): update module github.com/cilium/cilium to v1.17.3 [security] (v1.4) (#3660) by @cilium-renovate[bot]
  • chore(deps): update go to v1.24.3 (v1.4) (patch) (#3722) by @cilium-renovate[bot]
  • chore(deps): update docker.io/library/alpine docker tag to v3.22.0 (v1.4) (#3784) by @cilium-renovate[bot]
  • chore(deps): update go to v1.24.4 (v1.4) (patch) (#3811) by @cilium-renovate[bot]
  • chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.3.0 [security] (v1.4) (#3862) by @cilium-renovate[bot]
  • chore(deps): update go to v1.24.5 (v1.4) (patch) (#3880) by @cilium-renovate[bot]

v1.4.0

21 Mar 17:27


Release notes

Upgrade notes

Read the upgrade notes carefully before upgrading Tetragon.
Depending on your setup, changes listed here might require a manual intervention.

Helm Values

  • It's now supported to run multiple Tetragon operator replicas simultaneously. Enable it by setting tetragonOperator.replicas=2 and tetragonOperator.failoverLease.enabled=true.
  • tetragonOperator.strategy now sets a default rollingUpdate strategy (maxSurge=1, maxUnavailable=0) to reduce downtime during an upgrade.
  • The Tetragon operator Deployment now sets a default podAntiAffinity (preferredDuringSchedulingIgnoredDuringExecution) to improve the Pod distribution (if possible), without enforcing it to avoid being stuck during upgrades on single or two node clusters.

TracingPolicy (k8s CRD)

  • FollowFD, UnfollowFD, and CopyFD actions are deprecated in this release (1.4) and are
    scheduled for removal in the next (1.5)

Metrics

  • tetragon_map_errors_total metric is replaced by map_errors_update_total and map_errors_delete_total.

Changes

total: 298 commits, prs: 110 pr commits: 298

Major Changes

  • feat: include ancestors in process events (#2938) by @t0x01
  • Add attribute resolution (#3143) by @ScriptSathi
  • policies: add support for setting a monitoring mode in tracing policies (#3393) by @kkourt
  • Windows: Build tetragon on Windows (Part -1) (#3445) by @ExceptionalHandler

Bugfixes

  • [fix] fix probe_read_str return type (#3236) by @arthur-zhang
  • tetragon: avoid the agent from hanging in some corner error conditions (#3321) by @kkourt
  • Fix in_init_tree flag for processes started before Tetragon. (#3338) by @will-isovalent
  • Fix a bug where unloading programs was detaching them even when unpin was false (i.e. --keep-sensors-on-exit) (#3347) by @mtardy
  • Fix path truncations in event values for cwd and path/file function arguments. The buffer of the function responsible for reading the dentry was raised to 4096, but some call sites were still using the previous limit of 256. (#3427) by @mtardy
  • Use BTF to access skb_ext (#3439) by @xabrouck
  • watcher: Fix K8sWatcher.FindPod (#3409) by @lambdanis

Minor Changes

CI Changes

  • [CI] Fix virt-customize issue in vmtests (#3232) by @tpapagian
  • ci: remove buildjet runners and use GitHub arm64 runners (#3280) by @mtardy
  • renovate: disable digest update on Dockerfiles (#3285) by @mtardy
  • renovate: fix for config change 70ad4e7 (#3286) by @mtardy
  • renovate: remove matchBaseBranches on main for grouping rules (#3324) by @mtardy
  • renovate: update various versions in source code (#3342) by @mtardy
  • CI: build tetragon on every commit of a PR (#3354) by @mtardy
  • renovate: Group cel-go together with k8s dependencies (#3383) by @lambdanis
  • workflows: only run build every commit on pull request event (#3386) by @mtardy
  • renovate: more robust parser for Go version in go.mod (#3401) by @mtardy
  • Various renovate config tunings (#3420) by @mtardy
  • fix bug in e2e tests and update its dependencies (#3421) by @mtardy
  • workflow: fix a bug in build every commit (#3449) by @mtardy
  • chore: added verifier tests (#3433) by @AshishNaware
  • renovate config: automerge more (#3505) by @mtardy
  • ci: Refactor linters, formatters and generators checks (#3509) by @lambdanis
  • api: Copy API reference into docs (#3525) by @lambdanis

Documentation changes

  • docs: Add dev setup instructions for Apple silicon Macs (#3231) by @michi-covalent
  • docs: local dev with Apple Silicon small fixes (#3237) by @mtardy
  • docs: remove redundant CLI command in tracing policy example (#3256) by @arthur-zhang
  • docs: enhancements to the troubleshooting section (#3238) by @mtardy
  • fix: correcting the script path for minikube installation steps in do… (#3111) by @d-cryptic
  • Add link to Kubecon NA 2024 talk discussing Tetragon (#3303) by @daxmc99
  • fix: Troubleshooting documentation for System dump (#3325) by @z63d
  • docs: fix typo referencing kube-system as kubesystem (#3334) by @z63d
  • docs: fix the Example jq filter in Observability Policies (#3367) by @z63d
  • fix: returnArg index of TracingPolicy is not specified (#3388) by @z63d
  • docs: fix tracing policy options (#3470) by @z63d
  • docs: Remove incorrect event types from field filter docs examples. (https://github.com/cilium/...

Release v1.3.0

13 Dec 13:12


v1.3.0

total: 364 commits, prs: 130 pr commits: 364

Upgrade notes

Read the upgrade notes carefully before upgrading Tetragon.
Depending on your setup, changes listed here might require a manual intervention.

  • The behavior of the export-file-perm flag (and the corresponding Helm value tetragon.exportFilePerm) has changed. If the export file already exists but has permissions different from the option, Tetragon now changes the file permissions on the next log rotation; older versions preserved the permissions of the existing file across rotation. Before upgrading, check whether the permissions of the existing export file match the option (600 by default), and set the agent flag or Helm value to the desired value if needed.

Events (protobuf API)

New events for syscall64 type

Previous versions of Tetragon did not distinguish between ABIs when using the syscall64 type,
because the output was just a size_arg holding the syscall number. When executing the getcpu syscall,
for example, the JSON for 64- and 32-bit callers would be:

"args":[{"size_arg":"309"}]
"args":[{"size_arg":"318"}]

Note that id 318 on x86_64 is a different syscall, getrandom, so a getrandom call on x86_64 could not be
distinguished from a getcpu call on 32-bit (i386). To address this, the output of syscall64 was changed to
a SyscallId object that also includes the ABI. The JSON for the 64- and 32-bit getcpu calls is now:

"args":[{"syscall_id":{"id":309,"abi":"x64"}}]
"args":[{"syscall_id":{"id":318,"abi":"i386"}}]

Users who want to keep the old behavior can use the --enable-compatibility-syscall64-size-type flag in this version.
The flag will be removed in v1.4.
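An added example in Go (not Tetragon's code) of what the ABI field buys a consumer of the JSON export: the same decoder accepts both the legacy size_arg form and the new syscall_id form, and resolves the number to a name. The syscall table is hand-built from the three numbers in the note above and is not Tetragon's own table; the sample lines are constructed fragments holding only an args array, not full events.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
)

// SyscallID mirrors the syscall_id object emitted for syscall64 arguments
// since v1.3.0: the raw number plus the ABI it belongs to. It is usable as a
// map key, which is the whole point of carrying the ABI.
type SyscallID struct {
	ID  int    `json:"id"`
	ABI string `json:"abi"`
}

// Arg is one element of an event's "args" array, accepting both the legacy
// size_arg form (number as a string, no ABI) and the new syscall_id form.
type Arg struct {
	SizeArg   string     `json:"size_arg,omitempty"`
	SyscallID *SyscallID `json:"syscall_id,omitempty"`
}

// syscallNames is a hand-built table limited to the numbers in the release
// note; it is not Tetragon's own syscall table.
var syscallNames = map[SyscallID]string{
	{ID: 309, ABI: "x64"}:  "getcpu",
	{ID: 318, ABI: "x64"}:  "getrandom",
	{ID: 318, ABI: "i386"}: "getcpu",
}

// ResolveArg returns the candidate syscall names for one argument, sorted.
// A syscall_id resolves to exactly one name. A legacy size_arg is looked up
// across every ABI, so it can yield several names: a consumer that simply
// takes the first one mislabels 32-bit calls on a 64-bit host.
func ResolveArg(a Arg) ([]string, error) {
	if a.SyscallID != nil {
		name, ok := syscallNames[*a.SyscallID]
		if !ok {
			return nil, fmt.Errorf("unknown syscall %d on abi %q", a.SyscallID.ID, a.SyscallID.ABI)
		}
		return []string{name}, nil
	}
	if a.SizeArg == "" {
		return nil, fmt.Errorf("argument carries neither syscall_id nor size_arg")
	}
	id, err := strconv.Atoi(a.SizeArg)
	if err != nil {
		return nil, fmt.Errorf("bad size_arg %q: %w", a.SizeArg, err)
	}
	var names []string
	for k, v := range syscallNames {
		if k.ID == id {
			names = append(names, v)
		}
	}
	if len(names) == 0 {
		return nil, fmt.Errorf("unknown syscall number %d (no abi to narrow it down)", id)
	}
	sort.Strings(names)
	return names, nil
}

// ResolveLine decodes a JSON document holding an "args" array and resolves
// each element. Only the args array is modelled; any other fields of a
// Tetragon event are ignored by the decoder.
func ResolveLine(line string) ([][]string, error) {
	var ev struct {
		Args []Arg `json:"args"`
	}
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return nil, err
	}
	out := make([][]string, 0, len(ev.Args))
	for _, a := range ev.Args {
		names, err := ResolveArg(a)
		if err != nil {
			return nil, err
		}
		out = append(out, names)
	}
	return out, nil
}

func main() {
	// Constructed samples: the args fragments from the release note,
	// wrapped in a minimal object so they decode as a document.
	for _, line := range []string{
		`{"args":[{"size_arg":"318"}]}`,
		`{"args":[{"syscall_id":{"id":318,"abi":"x64"}}]}`,
		`{"args":[{"syscall_id":{"id":318,"abi":"i386"}}]}`,
	} {
		names, err := ResolveLine(line)
		fmt.Printf("%-52s -> %v %v\n", line, names, err)
	}
}
```

The legacy line resolves to two candidates, which is the ambiguity the note describes; a detection rule keyed on "getrandom" from size_arg events would also fire on 32-bit getcpu calls, while the syscall_id lines resolve unambiguously.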

Metrics

  • tetragon_ratelimit_dropped_total metric is renamed to tetragon_export_ratelimit_events_dropped_total

Major Changes:

  • IMA hashes in LSM events (#2818) by @anfedotoff
  • tetragon: add support for associating pod information when nested cgroups are used (#3170) by @kkourt

Bugfixes:

  • Fix clone event eventcache retry handler when missing pod info. (#2899) by @tpapagian
  • pkg/sensors: fix memory use of unloaded sensors (#3021) by @mtardy
  • tetragon: fix the process exit signal when core dumped (#3039) by @justin0u0
  • tetragon: improve how we handle cgroupv1 and cgroupv2 (#3053) by @tixxdz
  • [metrics] Fix overhead_program metrics for return probes (#3074) by @tpapagian
  • exec: fix tracking of matchBinary children (#3186) by @kkourt

Minor Changes:

  • Refactor & rename ratelimit metrics (#2890) by @lambdanis

  • bpf: improve the bpffs layout of tetragon objects (#2128) by @olsajiri

  • tetragon: Assorted fixes (#2906) by @olsajiri

  • tetragon: assorted fixes (#2926) by @olsajiri

  • tracing: support 32-bit ARM (aarch32) syscalls (#2898) by @kkourt

  • tetragon: Fix map PinPath setup in case the map is shared (#2944) by @olsajiri

  • Added metrics for LRU data cache (#2908) by @AshishNaware

  • tetragon: Factor grpc exec events test (#2952) by @olsajiri

  • bpf: support all operators (including Mask) for the syscall64 type (#2948) by @kkourt

  • tetragon: Add map ownership (#2945) by @olsajiri

  • tracingpolicy: add BPF operations support (#2943) by @tixxdz

  • Add an "enabled" switch to enable/disable the gops server via the Helm chart. It is now disabled by default. (#2961) by @XelK

  • Enabled tetra bash autocompletion in the Tetragon image (#2965) by @PhilipSchmid

  • tetragon: sensor cleanup fixes (#2968) by @olsajiri

  • tracing: include ABI information for syscall64 type (#2986) by @kkourt

  • tetra: Add debug progs command (#2967) by @olsajiri

  • Expose BPF map kernel memory use by tracing policy via the gRPC API and the metrics. Use tetra tp list to see the breakdown of BPF map memory use by policy or look for the tetragon_tracingpolicy_kernel_memory_bytes metric. (#2984) by @mtardy

  • tetragon: Use namespace in sensor policy directory (#2987) by @olsajiri

  • tetragon: Unpin map only if you are owner (#3004) by @olsajiri

  • enforcer: add tetragon_enforcer_missed_notifications_total metric (#2994) by @kkourt

  • ci:github: retry Test Tetragon on failure (#3001) by @tixxdz

  • Add an optional cluster_name field to GetEventsResponse (#3025) by @michi-covalent

  • tetragon: Make sure lsm programs return bounded value (#3032) by @olsajiri

  • tetragon: Fix TestCopyFd test on new v5.10 kernels (#3037) by @olsajiri

  • metrics: add version to build information (#3035) by @kkourt

  • Remove --expose-kernel-addresses and --pprof-addr flags (#3042) by @michi-covalent

  • Remove --enable-process-ancestors flag (#3043) by @michi-covalent

  • tetra: fix --policy-names to apply all event types (#3044) by @justin0u0

  • api: add bpf program types (#2997) by @tixxdz

  • tetragon: Fix TestExitSignal test (#3055) by @olsajiri

  • helm: Add part-of and component labels (#3052) by @lambdanis

  • tetragon: Add overhead metrics (#3040) by @olsajiri

  • tetragon: Load base sensor via sensor manager (#3045) by @olsajiri

  • crd: Added shortnames and category for Tetragon CRDs (#3065) by @PhilipSchmid

  • tetragon: Move procevents.GetRunningProcs call from base sensor load (#3097) by @olsajiri

  • Add Common Expression Language filter (#3098) by @michi-covalent

  • tetragon: un/pin fixes (#3079) by @olsajiri

  • tetragon: Allow multiple symbol instances in kprobe spec (#3121) by @olsajiri

  • tetragon: Unflake the TestGeneratedExecEvents test (#3141) by @olsajiri

  • tetragon: Setup tailcalls directly in bpf programs (#3002) by @olsajiri

  • Implement new regex filter type for parent process arguments. (#3155) by @will-isovalent

  • tetragon: update bpf makefile (#3159) by @olsajiri

  • sensors: reduce logging information by not emitting one line per map/prog being loaded by default (#3174) by @kkourt

  • cgtracker: add policyfilter support (#3180) by @kkourt

  • tetragon: Remove not needed rule commands (#3197) by @olsajiri

  • Introduce the in_init_tree flag for process events which indicates whether a process spawned from its container's init process tree (#3209) by @will-isovalent

    • Introduce a container_id export filter

    • Introduce an in_init_tree export filter

  • tetragon: setup to let match binary names use args as well (#3210) by @jrfastab

CI Changes:

  • renovate: run make vendor on any Go update (#2909) by @mtardy
  • CI: Improved lint Helm CI workflow (#2971) by @PhilipSchmid
  • vmtests: use ubuntu-latest (#2985) by @kkourt
  • vmtests: install dhclient (#3005) by @kkourt
  • workflows: fix usage of untrusted input in check links (#3029) by @mtardy
  • workflows: use GitHub arm64 runners instead of actuated (#3034) by @mtardy
  • workflows: simplify build image CI (#3031) by @mtardy
  • Renovate: Extend Helm files coverage (#3077) by @lambdanis
  • Fixes and QoF improvements on renovate config (#3132) by @mtardy
  • workflows: only run cron jobs on main repo (#3139) by @mtardy
  • digestcheck: take a list of files as input (#3145) by @mtardy

**Documentatio...


Release v1.2.1

27 Nov 10:53


Changes from v1.2.0 to v1.2.1

Bugfixes:

  • [backport/v1.2][bugfix] Fix clone event caching due to missing pod info
  • [v1.2] helm: Remove deprecated tetragon.skipCRDCreation value

Minor Changes:

  • tetragon: make eventCache number of retries and delays tunable.
  • tetragon: pod association: add a cache for deleted pods
  • Implement new regex filter type for parent process arguments.

Misc Changes:

  • Prepare for v1.2.0 release
  • helm: Set rthooks.podSecurityContext to empty by default
  • chore: update containers/common
  • [v1.2 backport] Memory optimizations: remove BTF and kallsyms caches
  • [backport/v1.2] Add support to dump processLRU
  • [backport/v1.2] Add support to exclude valid processes from dump processCache
  • Backports/v1.2: tetragon: probe_read usage may cause issues with newer kernels
  • Prepare for v1.2.1 release

What's Changed

  • [backport/v1.2][bugfix] Fix clone event caching due to missing pod info by @tpapagian in #2903
  • [v1.2] helm: Remove deprecated tetragon.skipCRDCreation value by @lambdanis in #2924
  • helm: Set rthooks.podSecurityContext to empty by default by @michi-covalent in #2934
  • v1.2 backports by @kkourt in #2958
  • chore: update containers/common by @kkourt in #3008
  • chore(deps): update docker.io/library/golang:1.22.6 docker digest to a632201 (v1.2) by @cilium-renovate in #3015
  • fix(deps): update module github.com/containers/common to v0.60.4 [security] (v1.2) by @cilium-renovate in #3014
  • chore(deps): update go to v1.22.8 (v1.2) (patch) by @cilium-renovate in #3017
  • chore(deps): update docker.io/library/alpine docker tag to v3.20.3 (v1.2) by @cilium-renovate in #3016
  • chore(deps): update docker.io/library/golang:1.22.8 docker digest to 0ca97f4 (v1.2) by @cilium-renovate in #3022
  • fix(deps): update module github.com/cilium/cilium to v1.15.10 [security] (v1.2) by @cilium-renovate in #3028
  • [v1.2 backport] Memory optimizations: remove BTF and kallsyms caches by @mtardy in #3036
  • [backport/v1.2] Add support to dump processLRU by @tpapagian in #3038
  • [backport/v1.2] Add support to exclude valid processes from dump processCache by @tpapagian in #3104
  • Backports/v1.2: tetragon: probe_read usage may cause issues with newer kernels by @kevsecurity in #3105
  • chore(deps): update docker.io/library/alpine:3.20.3 docker digest to 1e42bbe (v1.2) by @cilium-renovate in #3137
  • chore(deps): update go to v1.22.9 (v1.2) (patch) by @cilium-renovate in #3138
  • backports/v1.2: filters: implement parent_arguments_regex by @will-isovalent in #3157
  • Prepare for v1.2.1 release by @tpapagian in #3168

Full Changelog: v1.2.0...v1.2.1

v1.2.0

05 Sep 13:26


v1.2.0 Release notes

Upgrade notes

Read the upgrade notes carefully before upgrading Tetragon.
Depending on your setup, changes listed here might require a manual intervention.

Helm Values

  • The Tetragon container now uses the gRPC liveness probe by default. To keep using "tetra status" as the
    liveness probe, set the tetragon.livenessProbe Helm value, for example:
tetragon:
  livenessProbe:
     timeoutSeconds: 60
     exec:
       command:
       - tetra
       - status
       - --server-address
       - "54321"
       - --retries
       - "5"
  • Deprecated tetragonOperator.skipCRDCreation Helm value is removed. Use crds.installMethod=none instead.

  • tetragon.ociHookSetup Helm value is deprecated. Use tetragon.rthooks instead.

Events (protobuf API)

  • Sensor management methods of the gRPC API have been deprecated:
    • ListSensors
    • EnableSensor
    • DisableSensor
    • RemoveSensor

Metrics

  • tetragon_policyfilter_metrics_total metric is renamed to tetragon_policyfilter_operations_total, and its op
    label is renamed to operation.
  • tetragon_missed_events_total metric is renamed to tetragon_bpf_missed_events_total.
  • Metrics related to ring buffer and events queue are renamed:
    • tetragon_ringbuf_perf_event_errors_total -> tetragon_observer_ringbuf_errors_total
    • tetragon_ringbuf_perf_event_received_total -> tetragon_observer_ringbuf_events_received_total
    • tetragon_ringbuf_perf_event_lost_total -> tetragon_observer_ringbuf_events_lost_total
    • tetragon_ringbuf_queue_received_total -> tetragon_observer_ringbuf_queue_events_received_total
    • tetragon_ringbuf_queue_lost_total -> tetragon_observer_ringbuf_queue_events_lost_total
  • tetragon_errors_total{type="process_cache_evicted"} metric is replaced by tetragon_process_cache_evicted_total.
  • tetragon_errors_total{type=~"process_cache_miss_on_get|process_cache_miss_on_remove"} metrics are replaced by
    tetragon_process_cache_misses_total{operation=~"get|remove"}.
  • tetragon_event_cache_<entry_type>_errors_total metrics are replaced by
    tetragon_event_cache_fetch_failures_total{entry_type="<entry_type>"}.
  • tetragon_event_cache_accesses_total metric is renamed to tetragon_event_cache_inserts_total.
  • tetragon_event_cache_retries_total metric is renamed to tetragon_event_cache_fetch_retries_total.
  • tetragon_errors_total{type="event_missing_process_info"} metric is replaced by
    tetragon_events_missing_process_info_total.
  • tetragon_errors_total{type="handler_error"} metric is removed. Use tetragon_handler_errors_total instead.
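The renames above are mechanical except for the tetragon_errors_total series, whose type label values became separate metrics (and in the process cache case a new operation label), and the event cache errors, whose entry type moved from the metric name into a label. The following is an added example in Go (not Tetragon's code) that rewrites one Prometheus selector at a time for alert-rule migration; it only handles a metric name with at most one exact-match label and refuses anything else rather than guessing. The "podinfo" entry type used in the demo is a constructed placeholder, not a name taken from the release note.

```go
package main

import (
	"fmt"
	"regexp"
)

// selectorRE accepts a metric name with at most one exact-match label,
// e.g. tetragon_errors_total{type="handler_error"}. Richer selectors are
// rejected rather than guessed at.
var selectorRE = regexp.MustCompile(`^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{([a-zA-Z_][a-zA-Z0-9_]*)="([^"]*)"\})?$`)

// renames lists the 1:1 metric renames from the v1.2.0 upgrade notes.
var renames = map[string]string{
	"tetragon_missed_events_total":               "tetragon_bpf_missed_events_total",
	"tetragon_ringbuf_perf_event_errors_total":   "tetragon_observer_ringbuf_errors_total",
	"tetragon_ringbuf_perf_event_received_total": "tetragon_observer_ringbuf_events_received_total",
	"tetragon_ringbuf_perf_event_lost_total":     "tetragon_observer_ringbuf_events_lost_total",
	"tetragon_ringbuf_queue_received_total":      "tetragon_observer_ringbuf_queue_events_received_total",
	"tetragon_ringbuf_queue_lost_total":          "tetragon_observer_ringbuf_queue_events_lost_total",
	"tetragon_event_cache_accesses_total":        "tetragon_event_cache_inserts_total",
	"tetragon_event_cache_retries_total":         "tetragon_event_cache_fetch_retries_total",
}

// errorsByType maps the retired tetragon_errors_total{type=...} series to
// the dedicated metrics (and, where applicable, labels) that replaced them.
var errorsByType = map[string]string{
	"process_cache_evicted":        "tetragon_process_cache_evicted_total",
	"process_cache_miss_on_get":    `tetragon_process_cache_misses_total{operation="get"}`,
	"process_cache_miss_on_remove": `tetragon_process_cache_misses_total{operation="remove"}`,
	"event_missing_process_info":   "tetragon_events_missing_process_info_total",
	"handler_error":                "tetragon_handler_errors_total",
}

// eventCacheRE captures the <entry_type> that moved from the metric name
// into a label.
var eventCacheRE = regexp.MustCompile(`^tetragon_event_cache_(.+)_errors_total$`)

// MigrateSelector rewrites one pre-v1.2.0 selector to its v1.2.0 form and
// returns the input unchanged when no rename applies, so it can be mapped
// over every selector pulled out of an alerting rule file.
func MigrateSelector(sel string) (string, error) {
	m := selectorRE.FindStringSubmatch(sel)
	if m == nil {
		return "", fmt.Errorf("unsupported selector %q: only name{label=\"value\"} is handled", sel)
	}
	name, label, value := m[1], m[2], m[3]
	withLabel := func(n string) string {
		if label == "" {
			return n
		}
		return fmt.Sprintf(`%s{%s="%s"}`, n, label, value)
	}
	if name == "tetragon_errors_total" && label == "type" {
		if n, ok := errorsByType[value]; ok {
			return n, nil
		}
		return "", fmt.Errorf("no replacement recorded for %s", sel)
	}
	if name == "tetragon_policyfilter_metrics_total" {
		if label == "op" {
			label = "operation" // withLabel sees the renamed label
		}
		return withLabel("tetragon_policyfilter_operations_total"), nil
	}
	if em := eventCacheRE.FindStringSubmatch(name); em != nil {
		if label != "" {
			return "", fmt.Errorf("cannot combine label %s with entry_type for %s", label, sel)
		}
		return fmt.Sprintf(`tetragon_event_cache_fetch_failures_total{entry_type="%s"}`, em[1]), nil
	}
	if n, ok := renames[name]; ok {
		return withLabel(n), nil
	}
	return sel, nil
}

func main() {
	for _, sel := range []string{
		`tetragon_errors_total{type="process_cache_miss_on_get"}`,
		`tetragon_policyfilter_metrics_total{op="add"}`,
		`tetragon_event_cache_podinfo_errors_total`, // constructed entry type
		`tetragon_process_cache_size`,
	} {
		out, err := MigrateSelector(sel)
		fmt.Printf("%-58s -> %s %v\n", sel, out, err)
	}
}
```

Selectors the function does not recognise come back unchanged, so a rule file can be run through it safely; an error means the rule needs a manual look (a type value not listed in the notes, or a selector shape this helper does not parse).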

Major Changes:

Bugfixes:

  • bpf: use CORE for execve hook (#2399) by @kkourt
  • Don't create PodInfo if the pod is being deleted (#2431) by @michi-covalent
  • tetragon: allow namespaced and non-namespaced policies to have the same name (#2337) by @joshuajorel
  • operator: Don't start metrics server if Helm value tetragonOperator.prometheus.enabled is set to false. (#2484) by @yukinakanaka
  • enforcer: fix issue when using multiple calls with fmod_ret (#2524) by @kkourt
  • Reduce the kernel memory footprint (accounted by the cgroup memory controller) of the stack trace feature when unused. (#2546) by @mtardy
  • Reduce the kernel memory footprint (accounted by the cgroup memory controller) of the ratelimit feature when unused (around 10MB per kprobe). (#2551) by @mtardy
  • Reduce the kernel memory footprint (accounted by the cgroup memory controller) of the fdinstall feature when unused (around 11MB per kprobe). (#2563) by @mtardy
  • Do not increase the reference count when we cannot find a parent in kthreads. (#2620) by @tpapagian
  • Reduce the kernel memory footprint (accounted by the cgroup v2 memory controller) of the override feature when unused (around 3MB per kprobe). (#2692) by @mtardy
  • Fix a bug related to the matchBinaries Prefix operator by increasing the buffer size used by our dentry walk. Now the matchBinaries Prefix operator can correctly trigger a match on any path above 255 chars. (#2764) by @mtardy
  • Fix a bug where the tetra getevents command would timeout even if the connection was successful. (#2765) by @mtardy
  • Fix missing cases in the compact encoder for tetra. (#2819) by @willfindlay
  • add support for pod association via cgroup id (#2776) by @kkourt
  • Allow disabling gRPC either by selecting 'enabled:false' in the helm chart or by passing an empty address to the agent (#2826) by @kkourt
  • Fix tetragon_process_cache_size metric (#2827) by @lambdanis

Minor Changes:

  • proc: set auid to -1 for generated kernel pid 0 (#2400) by @tixxdz
  • Wait for Tetragon's images to exist before running tests (#2401) by @Trung-DV
  • tetragon: Add cgroup rate support (#2177) by @olsajiri
  • oci-hook: allow users to set a list of namespace exceptions and define default (#2404) by @f1ko
  • test: fix TestTraceKernelModule test (#2433) by @tixxdz
  • tetragon: Add inline function macro (#2452) by @olsajiri
  • helm: Add tetragon.livenessProbe value (#2469) by @michi-covalent
  • tetragon: Use static funcs in few places (#2453) by @olsajiri
  • btf: print original error returned by ebpf btf.TypeByName() (#2458) by @tixxdz
  • tetragon: cache username lookups (#2448) by @tixxdz
  • helm: Remove deprecated tetragon.skipCRDCreation value (#2498) by @lambdanis
  • btf: take first entry on multiple btf validation (#2488) by @tixxdz
  • tetragon: Add LoadProgramOpts function (#2489) by @olsajiri
  • tetragon: Remove bpf_globals object (#2521) by @olsajiri
  • sensors: allow reporting policy status when loading/unloading sensors (#2506) by @kkourt
  • tetragon: Limit max entries of cgroup_rate_map when it's not used (#2555) by @olsajiri
  • tetragon: Factor the maps max entries setup (#2565) by @olsajiri
  • tetragon:username: use login name instead of display name (#2585) by @tixxdz
  • process:bpf: report euid as the process.uid (#2575) by @tixxdz
  • Implement an export filter to target parent process binary name. (#2607) by @willfindlay
  • tetragon: fail if --username-metadata receives invalid value (#2596) by @tixxdz
  • tetragon: resolve uid to username for exec events from /proc fs (#2588) by @tixxdz
  • cmd: Move metrics-docs out of tetra and refactor it (#2611) by @lambdanis
  • Reorg to factor map entries setup and add a max entries test (#2587) by @olsajiri
  • tetragon: Add debug interface to track cgroups to workload/ns mappings (#2540) by @jrfastab
  • rthooks: support NRI (#2608) by @kkourt
  • helm, doc: Added debug Helm flag for the agent (#2622) by @PhilipSchmid
  • deprecate sensors gRPC API (#2630) by @kkourt
  • helm: Don't give operator permissions to create CRDs if not needed (#2326) by @itsCheithanya
  • store thread leader namespaces at fork and reduce false positives (#2695) by @tixxdz
  • tetragon: make resolving uid to username work with a processapi struct (#2705) by @tixxdz
  • tetra: LSM events compact print support (#2703) by @anfedotoff
  • tetragon: only allow single instance to run on a node (#2747) by @inliquid
  • tetragon: Factor loader tailcall setup (#2719) by @olsajiri
  • tracing: introduce FollowChildren attribute in MatchBinaries selector (#2720) by @kkourt
  • Add missed probes metrics (#1941) by @olsajiri
  • tetragon_policyfilter_metrics_total metric is renamed to tetragon_policyfilter_operations_total, and its op label is renamed to operation. (#2784) by @lambdanis
  • tetragon: persistent monitoring fixes (https://github.com/cilium/t...

Release v1.1.2

12 Jun 13:43

Upgrade notes for version v1.1.2

Helm

The default livenessProbe was changed to use a gRPC liveness probe instead of the tetra status command.

Users can revert to the old behavior with a Helm configuration such as:

   tetragon:
      livenessProbe:
         timeoutSeconds: 60
         exec:
           command:
           - tetra
           - status
           - --server-address
           - "54321"
           - --retries
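As an added illustration, not the chart's own values file: the Kubernetes gRPC probe form that the new default uses, expressed through the same tetragon.livenessProbe value so it can be compared with the exec form above. Port 54321 is an assumption taken from the --server-address the exec probe passes; it must match the address the agent's gRPC server actually listens on.

```yaml
# Added example (not the chart's own values.yaml): the gRPC probe form the
# v1.1.2 default switched to, written as an explicit tetragon.livenessProbe
# override. The port is an assumption; it has to match the agent's gRPC address.
tetragon:
  livenessProbe:
    timeoutSeconds: 60
    grpc:
      port: 54321
```

The gRPC probe needs a kubelet that supports gRPC container probes (generally available since Kubernetes 1.27) and an agent whose gRPC server is enabled and reachable on that port; if either is missing the probe fails and the kubelet keeps restarting the container, in which case the exec form above is the fallback.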

Summary of changes

Bugfixes:

  • Don't create PodInfo if the pod is being deleted
  • [v1.1] backport: bpf: use CORE for execve hook
  • enforcer: fix issue when using multiple calls with fmod_ret

Minor Changes:

  • backports:1.1:tests: fix trace module testing
  • backports:1.1: uid username resolution support
  • helm: Add tetragon.livenessProbe value
  • backport:v1.1: btf: take first entry on multiple function matches

Misc Changes:

  • Prepare for v1.1.0 release
  • Use gRPC-based liveness probe instead of tetra status.
  • [v1.1] Introduce upgrade notes
  • Prepare for v1.1.1 release
  • [v1.1] Makefile: exclude api tags from version
  • v1.1: misc updates relating to release process
  • Prepare for v1.1.2 release

All PRs

  • fix(deps): update module k8s.io/kube-openapi to v0.0.0-20240430033511-f0e62f92d13f (v1.1) by @cilium-renovate in #2398
  • chore(deps): update dependency go to v1.22.2 (v1.1) by @cilium-renovate in #2394
  • chore(deps): update quay.io/lvh-images/kernel-images docker tag to bpf-next-20240501.013106 (v1.1) by @cilium-renovate in #2408
  • fix(deps): update module google.golang.org/protobuf to v1.34.1 (v1.1) by @cilium-renovate in #2411
  • fix(deps): update module github.com/sryoya/protorand to v0.0.0-20240429201223-e7440656b2a4 (v1.1) by @cilium-renovate in #2410
  • Don't create PodInfo if the pod is being deleted by @michi-covalent in #2435
  • backports:1.1:tests: fix trace module testing by @tixxdz in #2437
  • backports:1.1: uid username resolution support by @tixxdz in #2447
  • chore(deps): update docker.io/library/alpine docker tag to v3.20.0 (v1.1) by @cilium-renovate in #2466
  • helm: Add tetragon.livenessProbe value by @michi-covalent in #2471
  • [v1.1] backport: bpf: use CORE for execve hook by @kkourt in #2468
  • [backport/v1.1] Use gRPC-based liveness probe instead of tetra status by @tpapagian in #2480
  • [v1.1] Introduce upgrade notes by @lambdanis in #2499
  • backport:v1.1: btf: take first entry on multiple function matches by @tixxdz in #2504
  • chore(deps): update go to v1.22.4 (v1.1) (patch) by @cilium-renovate in #2513
  • [v1.1] enforcer backport by @kkourt in #2528
  • Prepare for v1.1.1 release by @kkourt in #2535
  • [v1.1] Makefile: exclude api tags from version by @kkourt in #2539
  • v1.1: misc updates relating to release process by @kkourt in #2537
  • Prepare for v1.1.2 release by @kkourt in #2543

Full Changelog: v1.1.0...v1.1.2

v1.1.0

29 Apr 14:44

Release notes

v1.1.0 release is here! Please consider upgrading. This edition adds some notable features including user space stack traces, the enforcer sensor to easily deny system calls, metrics improvements, and numerous other fixes and improvements. Before upgrading please review deprecated fields and metric updates to check for any changes here that may impact your upgrade.

As always, huge thanks to all the contributors, especially the new contributors. We also appreciate all the bug reports, feature requests and feedback from the users. Keep it coming; this helps everyone. Everything from reading docs to just hearing user stories is great. Reach out and file an issue or ping @jrfastab if you have any feedback.

Additionally I wanted to thank @dwindsor, @vparla and their colleagues for detailed bug reports (#2069) and identifying multiple issues that the team was able to fix/improve in this release. 🚀 See the commit list below for details.

Upgrade notes

Read the upgrade notes carefully before upgrading Tetragon.
Depending on your setup, changes listed here might require a manual intervention.

Helm Values

  • tetragonOperator.skipCRDCreation value is deprecated and will be removed. Use crds.installMethod=none instead.

TracingPolicy (k8s CRD)

  • The symbol field (string) in uprobe spec is replaced with symbols (array of strings). If using policies with uprobes, you need to replace the symbol field. (#1975) by @olsajiri
  • Killer is renamed to enforcer. If using policies with killers, you need to replace killers with enforcers and action: NotifyKiller with action: NotifyEnforcer. (#2117) by @olsajiri
  • To distinguish different stacktraces, kernel stacktraces are now enabled with kernelStackTrace policy field (renamed from stackTrace).

Events (protobuf API)

  • Deprecated pod.labels field is removed. Use pod.pod_labels instead. (#1848) by @michi-covalent
  • To distinguish different stacktraces, kernel stacktraces are now posted in kernel_stack_trace event field (renamed from stack_trace).

Metrics

  • Metrics related to monitoring BPF maps and userspace caches are fixed: (#1950) by @sadath-12
    • tetragon_map_drops_total is removed (it was duplicating tetragon_errors_total{type="process_cache_evicted"})
    • tetragon_map_in_use_gauge{map="eventcache"} is removed (event cache is not a BPF map)
    • tetragon_map_in_use_gauge{map="processLru"} is replaced with tetragon_process_cache_size (process cache is not a BPF map)
  • Metrics with known labels values are initialized to 0 on startup. (#2162) by @lambdanis
    This helps to ensure stable resource usage and metrics queries. This also involves changes in several metrics labels:
    • error_type label on tetragon_handler_errors_total metric is either "unknown_opcode" or "event_handler_failed" instead of the Go type of the error
    • event_type label on tetragon_event_cache*_errors_total metrics is one of the values defined in Tetragon API (tetragon.EventType) instead of the Go type of the event
    • error label on tetragon_event_cache_errors_total metric is "nil_process_pid"
    • error label is removed from tetragon_policyfilter_metrics_total metric
  • Metrics for map and cache sizes are improved: (#2291) by @lambdanis
    • tetragon_map_in_use_gauge metric is renamed to tetragon_map_entries and no longer has the total label
    • New tetragon_map_capacity metric exposes the BPF maps capacity
    • New tetragon_event_cache_entries metric measures the event cache size
    • New tetragon_process_cache_size metric measures the process cache size
    • New tetragon_process_cache_capacity metric exposes the process cache capacity
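Dashboards and alerts keyed on the old names stop returning data after the upgrade, so the renames above are worth checking against. The following Prometheus alerting rules are an added example, not part of the Tetragon project or this release; they use only metric names and label values listed in the notes above. The PrometheusRule wrapper, thresholds and durations are illustrative, and the rules assume tetragon_map_entries and tetragon_map_capacity share a map label (check the label set with a raw query first).

```yaml
# Added example, not shipped by the Tetragon project: alerting rules written
# against the v1.1.0 metric names. Thresholds, durations and the assumption
# that entries/capacity series match on the "map" label are illustrative.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: tetragon-capacity
spec:
  groups:
  - name: tetragon.capacity
    rules:
    # tetragon_map_in_use_gauge{map=...} -> tetragon_map_entries{map=...};
    # the old "total" label is gone and capacity now has its own metric.
    - alert: TetragonBpfMapNearCapacity
      expr: tetragon_map_entries / on(map) tetragon_map_capacity > 0.9
      for: 10m
      labels:
        severity: warning
      annotations:
        summary: 'BPF map {{ $labels.map }} is above 90% of capacity on {{ $labels.instance }}'
    # tetragon_map_in_use_gauge{map="processLru"} -> tetragon_process_cache_size,
    # paired with tetragon_process_cache_capacity (the process cache is not a BPF map).
    - alert: TetragonProcessCacheNearCapacity
      expr: tetragon_process_cache_size / tetragon_process_cache_capacity > 0.9
      for: 10m
      labels:
        severity: warning
      annotations:
        summary: 'Process cache is above 90% of capacity on {{ $labels.instance }}'
    # tetragon_map_drops_total is removed; the counter it duplicated is the one to watch.
    - alert: TetragonProcessCacheEvicting
      expr: rate(tetragon_errors_total{type="process_cache_evicted"}[5m]) > 0
      for: 5m
      labels:
        severity: warning
      annotations:
        summary: 'Tetragon is evicting process cache entries on {{ $labels.instance }}'
```

The first two rules are the early warning; the third fires once the process cache is already evicting, which is the condition tetragon_errors_total{type="process_cache_evicted"} counts. If your series carry extra labels on one side of a division, add the matching labels to the on() clause rather than dropping it.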

New Contributors

Major Changes:

  • Tetragon oci hook setup (#1842) by @kkourt
  • tetragon: detect execve of anonymous binaries (#499) by @tixxdz
  • Introduce an export filter type for process capabilities. (#2107) by @willfindlay
  • Introduce redaction filters for censoring sensitive string data in process events. (#2243) by @willfindlay
  • tracing: add multi-link uprobe support (#1914) by @olsajiri
  • policyfilter: add a containerSelector that allows filtering policies by container name (#2231) by @BonySmoke
  • Support user mode stacktraces in events. To enable this feature, set userStackTrace: true in the policy Post action. (#2175) by @anfedotoff
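Putting the TracingPolicy changes from the upgrade notes above together with the userStackTrace option just mentioned, here is an added example policy, not one shipped or documented by the Tetragon project, written in the v1.1.0 form; each comment gives the v1.0 spelling it replaces. The binary path, symbol names, hooked kernel functions and the enforcer syscall list are illustrative assumptions.

```yaml
# Added example policy, not one shipped or documented by the Tetragon project.
# Written in the v1.1.0 form; each comment gives the v1.0 spelling it replaces.
# Path, symbols, hooked functions and the syscall list are illustrative.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "v1-1-field-names"
spec:
  uprobes:
  - path: "/usr/bin/bash"
    # v1.0: `symbol: "readline"` (a single string). v1.1 takes an array.
    symbols:
    - "readline"
  # v1.0: `killers:`. The body of the block is unchanged.
  enforcers:
  - calls:
    - "sys_init_module"
    - "sys_finit_module"
  kprobes:
  - call: "security_kernel_module_request"
    syscall: false
    selectors:
    - matchActions:
      # v1.0: `action: "NotifyKiller"`.
      - action: "NotifyEnforcer"
        argError: -1
        argSig: 9
  - call: "sys_ptrace"
    syscall: true
    selectors:
    - matchActions:
      - action: "Post"
        # v1.0: `stackTrace: true`, which only ever meant the kernel stack.
        kernelStackTrace: true
        # New in v1.1.0; there was no user-space stack trace before.
        userStackTrace: true
```

Against a cluster where the v1.1.0 CRDs are installed, kubectl apply --dry-run=server --validate=strict -f policy.yaml rejects a policy that still uses unknown fields such as symbol, killers or stackTrace before anything is loaded, which is the quickest migration check; a policy that passes still has to be loaded by the agent, which is where a stale action name like NotifyKiller shows up.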

Bugfixes:

  • Fix a segmentation fault related to filtering out pid information with field filters (#1700) by @willfindlay
  • Fix a number of segmentation faults related to field filters. (#1712) by @willfindlay
  • pkg/option: add metrics-label-filter flags (#1678) by @Jack-R-lantern
  • Do not add a new entry to the execve_map during clone events for which we cannot find the parent. Additionally, return early on kernel threads. (#1708) by @tpapagian
  • Rework the matchBinaries selector implementation (#1731) by @mtardy
  • Fix a few bugs related to field filter configuration and significantly improve performance of field filters. (#1763) by @willfindlay
  • Fix a few bugs related to field filter configuration and significantly improve performance of field filters. (#1762) by @willfindlay
  • Fix an issue that caused Tetragon to hang when it encounters an error early on in its init phase. (#1770) by @willfindlay
  • Adds validation for sock and skb types (#1807) by @kevsecurity
  • Fixes prefix and postfix matching for strings longer than the prefix or postfix maximum length (#1806) by @kevsecurity
  • helm: Fix templating securityContext and tolerations (#1837) by @lambdanis
  • pkg/kernels: Fix large patch numbers (#1870) by @tpapagian
  • Fix a regression related to field filters that could cause top-level information to be missing from events. (#1882) by @willfindlay
  • bpf: unit tests and fixes for prepend_name function (#1902) by @mtardy
  • metrics: Do not return when we cannot find a _stats map (#1949) by @tpapagian
  • bpf: read and copy proc exe at execve for matchBinaries (#1926) by @mtardy
  • Dockerfile: bump bpftool revision to 7.3.0 (#1972) by @mtardy
  • Fix a hang when the event exporter fails to start. (#2119) by @willfindlay
  • tetra: avoid panic in the decoder (#2116) by @kkourt
  • Set events node_name field to the hostname in the standalone (non-k8s) mode. (#2123) by @lambdanis
  • policyfilter: fix issue in container fs scanning under cri-o (#2188) by @kkourt
  • metrics: Remove pod from the queue after deleting metrics (#2287) by @lambdanis
  • helm: Fix name and selector in operator ServiceMonitor (https://github.com/cilium/...