docs: tracing policy concept updates #1621

Merged, 1 commit, Oct 19, 2023
8 changes: 6 additions & 2 deletions docs/content/en/docs/concepts/tracing-policy/_index.md
@@ -30,6 +30,10 @@ Tracing Policies can be loaded and unloaded at runtime in Tetragon, or on
startup using flags.
- With Kubernetes, you can use `kubectl` to add and remove a `TracingPolicy`.
- You can use `tetra` gRPC CLI to add and remove a `TracingPolicy`.
- You can use the `--tracing-policy` and `--tracing-policy-dir` flags, see more
in the [daemon configuration page]({{< ref "/docs/reference/tetragon-configuration#configure-tracing-policies-location" >}}).
- You can use the `--tracing-policy` and `--tracing-policy-dir` flags to statically add policies at
startup time, see more in the [daemon configuration page]({{< ref
"/docs/reference/tetragon-configuration#configure-tracing-policies-location" >}}).


Hence, even though Tracing Policies are structured as a Kubernetes CR, they can also be used in
non-Kubernetes environments using the last two loading methods.
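Review bot: the `{{< ref ... >}}` shortcode in the new `--tracing-policy` bullet is now split across two lines (`{{< ref` at the end of one line, the path and `>}}` on the next), whereas the removed version kept it on one line; please confirm the site builds and the link to `#configure-tracing-policies-location` still renders, or keep the shortcode on a single line. The hunk also leaves two consecutive blank lines before the `Hence, even though ...` paragraph; one is enough.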
33 changes: 22 additions & 11 deletions docs/content/en/docs/concepts/tracing-policy/example.md
Expand Up @@ -39,6 +39,10 @@ spec:
- action: Sigkill
```

The policy checks for file descriptors being created, and sends a `SIGKILL` signal to any process that
creates a file descriptor to a file named `/tmp/tetragon`. We discuss the policy in more detail
next.

## Required fields

```yaml
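Review bot: in the new paragraph, "creates a file descriptor to a file named `/tmp/tetragon`" reads awkwardly; "opens a file descriptor for `/tmp/tetragon`" (or "installs a file descriptor for", which matches the `fd_install` hook discussed next) is clearer. "sends a `SIGKILL` signal" can be shortened to "sends `SIGKILL`".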
@@ -68,11 +72,11 @@ spec:
type: "file"
```

The beginning of the specification describe the hook point to use. Here we are
The beginning of the specification describes the hook point to use. Here we are
using a kprobe, hooking on the kernel function `fd_install`. That's the kernel
function that gets called when a new file descriptor needs to be created. We
function that gets called when a new file descriptor is created. We
indicate that it's not a syscall, but a regular kernel function. We then
specify the argument of the specified function symbol to be able to extract
specify the function arguments, so that Tetragon's BPF code will extract
and optionally perform filtering on them.

See the [hook points page]({{< ref "/docs/concepts/tracing-policy/hooks" >}})
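Review bot: "We then specify the function arguments, so that Tetragon's BPF code will extract and optionally perform filtering on them" still splits the verbs awkwardly; suggest "We then describe the function's arguments so that Tetragon's BPF code can extract them and, optionally, filter on them." The preceding sentence, "We indicate that it's not a syscall, but a regular kernel function", would be easier to tie back to the YAML above if it named the spec field that declares this.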
@@ -92,11 +96,11 @@ for further information on the various hook points available and arguments.
```

Selectors allow you to filter on the events to extract only a subset of the
events based on different properties and optionally take an enforcement action.
events based on different properties and optionally take an action.

In the example, we filter on the argument at index 1, passing a `file` struct
to the function. Tetragon has the knowledge on how to apply the `Equal`
operator over a Linux kernel `file` struct and you can basically match on the
operator over a Linux kernel `file` struct and match on the
path of the file.

Then we add the `Sigkill` action, meaning, that any match of the selector
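Review bot: "the argument at index 1, passing a `file` struct to the function" is imprecise; `fd_install` takes a pointer to `struct file` as its second argument, so "the argument at index 1, a pointer to the kernel `file` struct" is more accurate and matches `type: "file"` in the spec above. Dropping "enforcement" from "optionally take an action" is fine, since not every action enforces, but the following sentence introducing `Sigkill` could then say explicitly that this particular action is an enforcement action.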
@@ -112,33 +116,40 @@ First, let's create the `/tmp/tetragon` file with some content:
echo eBPF! > /tmp/tetragon
```

Starting Tetragon with the above `TracingPolicy`, for example putting the
policy in the `example.yaml` file, compiling the project locally and starting
Tetragon with (you can do similar things with container image releases, see the
docker run command in the [Try Tetragon on Linux guide]
You can save the policy in an `example.yaml` file, compile Tetragon locally, and start Tetragon:

```shell-session
sudo ./tetragon --bpf-lib bpf/objs --tracing-policy example.yaml
```

(See [Quick Kubernetes Install]({{< ref "/docs/getting-started/install-k8s" >}}) and [Quick Local
Docker Install]({{< ref "/docs/getting-started/install-docker" >}}) for other ways to start
Tetragon.)


{{< note >}}
Stop tetragon with <kbd>Ctrl</kbd>+<kbd>C</kbd> to disable the policy and
remove the BPF programs.
{{< /note >}}

Once the Tetragon starts, you can monitor events using `tetra`, the tetragon CLI:
```shell-session
./tetra tetra getevents -o compact
```

Reading the `/tmp/tetragon` file with `cat`:
```shell-session
cat /tmp/tetragon
```

Should result in the following events:
Results in the following events:
```
🚀 process /usr/bin/cat /tmp/tetragon
📬 open /usr/bin/cat /tmp/tetragon
💥 exit /usr/bin/cat /tmp/tetragon SIGKILL
```

And the shell will return:
And the shell where the `cat` command was performed will return:
```
Killed
```
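Review bot: the `tetra` command under "Once the Tetragon starts" is `./tetra tetra getevents -o compact`, which repeats the binary name and will not run as written; it should be `./tetra getevents -o compact`. It is an unchanged context line, but since this hunk rewrites the surrounding steps it is worth fixing here. Smaller points in the same hunk: "Once the Tetragon starts" should read "Once Tetragon starts"; "Stop tetragon with" should capitalise Tetragon like the rest of the page; the two `shell-session` fences after "Once the Tetragon starts" and "Reading the `/tmp/tetragon` file with `cat`" lack the blank line before them that the other fences in this file have; and the new sentence "compile Tetragon locally, and start Tetragon" precedes a command using the relative path `bpf/objs`, so it should say where the command is expected to be run from (the build tree), otherwise readers starting from a release binary will hit a missing BPF library directory.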