doc: document gRPC unix socket

Signed-off-by: Djalal Harouni <[email protected]>
cilium · May 4, 2023 · fff6d7c · fff6d7c
1 parent 3469c70
commit fff6d7c
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/docs/content/en/docs/getting-started/configuration.md b/docs/content/en/docs/getting-started/configuration.md
@@ -75,3 +75,39 @@ directory into the `/etc/tetragon/tetragon.conf.d/` subdirectory. The latter is
 generally recommended. Defaults can be restored by simply deleting this file
 and all drop-ins.
 
+
+### Restrict gRPC API access
+
+The gRPC API supports unix sockets, it can be set using one of the following methods:
+
+- Use the `--server-address` flag:
+
+   ```
+   --server-address unix:///var/run/tetragon/tetragon.sock
+   ```
+
+- Or use the drop-in configuration file `/etc/tetragon/tetragon.conf.d/server-address` containing:
+
+   ```
+   unix:///var/run/tetragon/tetragon.sock
+   ```
+
+{{< note >}}
+Tetragon tarball by default listens to  `unix:///var/run/tetragon/tetragon.sock`
+{{< /note >}}
+
+Then to access the gRPC API with `tetra` client, set `--server-address` to point to the corresponding address:
+
+   ```
+   sudo tetra --server-address unix:///var/run/tetragon/tetragon.sock getevents
+   ```
+
+{{< note >}}
+When reading events with the `tetra` client, if `--server-address` is not specified,
+it will try to detect if Tetragon daemon is running on the same host and use its
+`server-address` configuration.
+{{< /note >}}
+
+{{< caution >}}
+Ensure that you have enough privileges to open the gRPC unix socket since it is restricted to privileged users only.
+{{< /caution >}}