Please update the description with the actual release notes and publish the release.
See the release issue for instructions.
If this release was created from a test tag, please delete it.
v1.3.0
total: 364 commits, prs: 130 pr commits: 364
Upgrade notes
Read the upgrade notes carefully before upgrading Tetragon.
Depending on your setup, changes listed here might require a manual intervention.
- Behavior of
export-file-perm
flag (and corresponding Helm valuetetragon.exportFilePerm
) changed. In case the export file exists, but has different permissions than specified in the option, Tetragon will change the file permissions on the next log rotation. In older versions, log rotation preserved permissions of the existing file. Before upgrading check if permissions of the existing export file match the option (600 by default), and set the agent flag or Helm value to the desired value if needed.
Events (protobuf API)
New events for syscall64
type
Previous versions of Tetragon did not distinguish between different ABIs when using the syscall64 type
because the output was just a size_arg
with the id. When executing the getcpu
syscall, for example, the JSON
for 64- and 32-bits would be:
"args":[{"size_arg":"309"}]
"args":[{"size_arg":"318"}]
Note that id 318 for x86_64
is a different syscall: getrandom
so we cannot distinguish between a getrandom
syscall on x86_64
and a getcpu
call on 32-bit (i386
). To address this issue, the output of syscall64
was changed to a SyscallId
object that
also includes the ABI. So the JSON for 64- and 32-bits getcpu
now is:
"args":[{"syscall_id":{"id":309,"abi":"x64"}}]
"args":[{"syscall_id":{"id":318,"abi":"i386"}}]
Users that want to maintain the old behavior can use the --enable-compatibility-syscall64-size-type
flag for this version.
The flag will be removed in v1.4.
Metrics
tetragon_ratelimit_dropped_total
metric is renamed totetragon_export_ratelimit_events_dropped_total
Major Changes:
- IMA hashes in LSM events (#2818) by @anfedotoff
- tetragon: add support for associating pod information when nested cgroups are used (#3170) by @kkourt
Bugfixes:
- Fix clone event eventcache retry handler when missing pod info. (#2899) by @tpapagian
- pkg/sensors: fix memory use of unloaded sensors (#3021) by @mtardy
- tetragon: fix the process exit signal when core dumped (#3039) by @justin0u0
- tetragon: improve how we handle cgroupv1 and cgroupv2 (#3053) by @tixxdz
- [metrics] Fix overhead_program metrics for return probes (#3074) by @tpapagian
- exec: fix tracking of matchBinary children (#3186) by @kkourt
Minor Changes:
-
Refactor & rename ratelimit metrics (#2890) by @lambdanis
-
bpf: improve the bpffs layout of tetragon objects (#2128) by @olsajiri
-
tracing: support 32-bit ARM (aarch32) syscalls (#2898) by @kkourt
-
tetragon: Fix map PinPath setup in case the map is shared (#2944) by @olsajiri
-
Added metrics for LRU data cache (#2908) by @AshishNaware
-
bpf: support all operators (including Mask) for the syscall64 type (#2948) by @kkourt
-
tracingpolicy: add BPF operations support (#2943) by @tixxdz
-
Add an "enabled" switch to enable/disable the gops server via the Helm chart. It is now disabled by default. (#2961) by @XelK
-
Enabled
tetra
bash autocompletion in the Tetragon image (#2965) by @PhilipSchmid -
tracing: include ABI information for syscall64 type (#2986) by @kkourt
-
Expose BPF map kernel memory use by tracing policy via the gRPC API and the metrics. Use
tetra tp list
to see the breakdown of BPF map memory use by policy or look for thetetragon_tracingpolicy_kernel_memory_bytes
metric. (#2984) by @mtardy -
tetragon: Use namespace in sensor policy directory (#2987) by @olsajiri
-
tetragon: Unpin map only if you are owner (#3004) by @olsajiri
-
enforcer: add
tetragon_enforcer_missed_notifications_total
metric (#2994) by @kkourt -
ci:github: retry Test Tetragon on failure (#3001) by @tixxdz
-
Add an optional cluster_name field to GetEventsResponse (#3025) by @michi-covalent
-
tetragon: Make sure lsm programs return bounded value (#3032) by @olsajiri
-
tetragon: Fix TestCopyFd test on new v5.10 kernels (#3037) by @olsajiri
-
metrics: add version to build information (#3035) by @kkourt
-
Remove --expose-kernel-addresses and --pprof-addr flags (#3042) by @michi-covalent
-
Remove --enable-process-ancestors flag (#3043) by @michi-covalent
-
tetra: fix
--policy-names
to apply all event types (#3044) by @justin0u0 -
helm: Add part-of and component labels (#3052) by @lambdanis
-
tetragon: Load base sensor via sensor manager (#3045) by @olsajiri
-
crd: Added shortnames and catagory for Tetragon CRDs (#3065) by @PhilipSchmid
-
tetragon: Move procevents.GetRunningProcs call from base sensor load (#3097) by @olsajiri
-
Add Common Expression Language filter (#3098) by @michi-covalent
-
tetragon: Allow multiple symbol instances in kprobe spec (#3121) by @olsajiri
-
tetragon: Unflake the TestGeneratedExecEvents test (#3141) by @olsajiri
-
tetragon: Setup tailcalls directly in bpf programs (#3002) by @olsajiri
-
Implement new regex filter type for parent process arguments. (#3155) by @will-isovalent
-
sensors: reduce logging information by not emitting one line per map/prog being loaded by default (#3174) by @kkourt
-
tetragon: Remove not needed rule commands (#3197) by @olsajiri
-
-
Introduce the in_init_tree flag for process events which indicates whether a process spawned from its container's init process tree (#3209) by @will-isovalent
-
Introduce a container_id export filter
-
Introduce an in_init_tree export filter
-
-
tetragon: setup to let match binary names use args as well (#3210) by @jrfastab
-
- add IP and CIDR helpers to CEL filters (#3211) by @will-isovalent
CI Changes:
- renovate: run make vendor on any Go update (#2909) by @mtardy
- CI: Improved lint Helm CI workflow (#2971) by @PhilipSchmid
- vmtests: use ubuntu-latest (#2985) by @kkourt
- vmtests: install dhclient (#3005) by @kkourt
- workflows: fix usage of untrusted input in check links (#3029) by @mtardy
- workflows: use GitHub arm64 runners instead of actuated (#3034) by @mtardy
- workflows: simplify build image CI (#3031) by @mtardy
- Renovate: Extend Helm files coverage (#3077) by @lambdanis
- Fixes and QoF improvements on renovate config (#3132) by @mtardy
- workflows: only run cron jobs on main repo (#3139) by @mtardy
- digestcheck: take a list of files as input (#3145) by @mtardy
Documentation changes:
- docs: fix typo (#2889) by @lucasfcnunes
- docs: Fix broken links (#2922) by @mozillazg
- Improve rthooks docs (#2932) by @kkourt
- Fix typo in execution.md (#2998) by @Golim
- doc: Removed old matchBinaries limitation (#3064) by @PhilipSchmid
- tetragon: Add docs for tetragon performance stats (#3062) by @olsajiri
- [docs] Fix typo (#3083) by @tpapagian
- Small reorg of example policies (#3095) by @lambdanis
- feat: develop Tetragon Enterprise page (#3103) by @annaindistress
- docs: use label match in SERVICECIDR command for KinD (#3216) by @tiswanso
Dependency updates:
- deps: upgrade to Cilium 1.17.0-pre.cdf10116cea (#2911) by @mtardy
- chore(deps): update all lvh-images main (main) (patch) (#2615) by @cilium-renovate[bot]
- fix(deps): update module github.com/containerd/containerd to v2 (main) (#3092) by @cilium-renovate[bot]
- chore(deps): update docker.io/golangci/golangci-lint docker tag to v1.62.0 (main) (#3101) by @cilium-renovate[bot]
- fix(deps): update all go dependencies main (main) (minor) (#3154) by @cilium-renovate[bot]
- fix(deps): update all go dependencies main (main) (patch) (#3176) by @cilium-renovate[bot]
Misc Changes:
- prepare for v1.3 development (#2879) by @kkourt
- helm: Remove tcp-stats-sample-segs flag from ConfigMap (#2893) by @lambdanis
- Add memory-related information to bugtool. (#2880) by @mtardy
- Add support to dump processCache (#2246) by @tpapagian
- tetra: various dump processcache cmd improvements (#2917) by @mtardy
- chore(docs): rename killer to enforcer (#2887) by @mozillazg
- Remove deprecated
tetragonOperator.skipCRDCreation
from the operator config map and set "false" when.Values.crds.installMethod
isoperator
(#2907) by @BonySmoke - Convert probe_read to probe_read_kernel to avoid possible runtime faults with probe_read on some architectures. (#2925) by @jrfastab
- Minor cleanup of Helm Makefile (#2897) by @lambdanis
- observer: Collect ring buffer metrics only once. The metrics values don't change, but we avoid keeping independent counters in the Observer struct. (#2888) by @mozillazg
- Make eventCache number of retries and delay between them tunable. (#2928) by @tpapagian
- helm: Set rthooks.podSecurityContext to empty by default (#2931) by @michi-covalent
- [jsonchecker] Remove const from parameters (#2936) by @tpapagian
- podinfo: add a deleted pod cache (#2930) by @kkourt
- Memory optimizations: remove BTF and kallsyms caches (#2937) by @tpapagian
- Add --exclude-execve-map-processes in tetra dump processcache command. (#2949) by @tpapagian
- tetra: add a new debug maps command and move dump under debug (#2959) by @mtardy
- Examples: Add TCP listen example tracing policy (#2929) by @kevsecurity
- Makefile: run vendor in contrib/tetragon-rthooks on protogen (#2918) by @mtardy
- tetra: add a JSON output format in debug map command and run it in bugtool (#2963) by @mtardy
- helm: Added dedicated persistent enforcement flag (#2977) by @PhilipSchmid
- Fix metrics collection in case of duplicate policy names (#3006) by @lambdanis
- renovate: add v1.2 (#3012) by @kkourt
- Export the Notifier interface (#3023) by @michi-covalent
- Centralize the logic to set node name (#3024) by @michi-covalent
- bpf: enforcer cleanup fix. (#3030) by @kkourt
- rthooks: Fix rootDir in createRuntime hook (#3057) by @tpapagian
- policyfilter: do not mark as beta anymore (#3056) by @kkourt
- bpf: remove unused const PossibleCPUSysfsPath (#3059) by @tklauser
- update rthooks image to v0.4 (#3058) by @tpapagian
- Add upgrade note for export-file-perm change (#3075) by @lambdanis
- enforcer: add policynamespace to sensor (#3076) by @kkourt
- Switch to Go 1.23+ stdlib
maps
/slices
packages (#3080) by @tklauser - enforcement policy examples (#3094) by @kkourt
- base sensor extensions (#3131) by @kkourt
- bpf: remove unused fields in msg_k8s (#3127) by @kkourt
- cgrouprate: refactor code for registering into base (#3146) by @kkourt
- ProcessCache: Make GC interval configurable (#3130) by @kevsecurity
- release: Fix checkout to the correct branch before tagging (#3169) by @tpapagian
- fix(#3148) Update fork-tester.c replace systemd pid with parent process pid (#3149) by @ScriptSathi
- ProcessCache: Disable interval test in VM (#3179) by @kevsecurity
- [sensors] Add optional PostLoadHook (#3181) by @tpapagian
- minikube script for nested cgroups (#3173) by @kkourt
- BPF error metrics (#3205) by @kkourt
- refactor errmetrics code (#3212) by @kkourt
- Aggregate overhead metrics in userspace before reporting (#3217) by @lambdanis
- Prepare for v1.3.0 release (#3219) by @kkourt