From fc77143a5db1ec209ff28a49fd5de5aee2e6bb26 Mon Sep 17 00:00:00 2001 From: William Findlay Date: Wed, 11 Dec 2024 15:08:00 -0500 Subject: [PATCH] docs: add missing event filter docs Add docs for missing event filter types: - cel - container_id - in_init_tree Signed-off-by: William Findlay --- docs/content/en/docs/concepts/events.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/content/en/docs/concepts/events.md b/docs/content/en/docs/concepts/events.md index 6ff6c9f2233..5e53958d9bc 100644 --- a/docs/content/en/docs/concepts/events.md +++ b/docs/content/en/docs/concepts/events.md 
@@ -161,8 +161,11 @@ flags, or environment variables. | `labels` | Filter events by pod labels using [Kubernetes label selector syntax](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) Note that this filter never matches events without the pod field (i.e. host process events). | | `policy_names` | Filter events by tracing policy names. | | `capabilities` | Filter events by Linux process capability. | +| `cel_expression` | Filter using CEL expressions. CEL filters support IP and CIDR notiation extensions from the k8s project. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#IP and https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#CIDR for details. | | `parent_binary_regex` | Filter process events by a list of regular expressions of parent process binary names (e.g. `"^/home/kubernetes/bin/kubelet$"`). You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | -| `parent_arguments_regex` | Filter by parent process arguments using a list of regular expressions. You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | +| `parent_arguments_regex` | Filter by the container ID in the process.docker field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | +| `container_id` | Filter by parent process arguments using a list of regular expressions. You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | +| `in_init_tree` | Filter containerized processes based on whether they are descendants of the container's init process. This can be used, for example, to watch for processes injected into a container via docker exec, kubectl exec, or similar mechanisms. | #### Field Filtering
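Review bot: The descriptions on the `parent_arguments_regex` and `container_id` rows are swapped. The hunk removes the original `parent_arguments_regex` row and re-adds it with the text "Filter by the container ID in the process.docker field", while the new `container_id` row carries "Filter by parent process arguments using a list of regular expressions". Anyone writing an export filter from this table would apply a container-ID pattern to parent arguments, or the reverse, and end up with a filter that silently matches nothing or the wrong events. Leave the existing `parent_arguments_regex` row untouched and put the container ID description on the new `container_id` row, which also brings the diffstat down to additions only. Two smaller points in the same hunk: "notiation" in the `cel_expression` row should read "notation", and the bare pkg.go.dev and RE2 URLs should use the `[text](url)` link form that the neighbouring rows already use. The commit message lists the filter as `cel`, but the documented key is `cel_expression`; it is worth making the two agree.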