diff --git a/docs/content/en/docs/concepts/tracing-policy/k8s-filtering.md b/docs/content/en/docs/concepts/tracing-policy/k8s-filtering.md index 7f4d0dbdd24..f8e65ee24a3 100644 --- a/docs/content/en/docs/concepts/tracing-policy/k8s-filtering.md +++ b/docs/content/en/docs/concepts/tracing-policy/k8s-filtering.md @@ -17,10 +17,15 @@ action the Tetragon agent should perform when the specified situation occurs. Th is generating an event, but there are others (e.g., returning an error without executing a function, or killing the corresponding process). -Here we discuss how to apply tracing policies only on a subset of pods running on the system via -two mechanisms: namespaced policies, and pod-label filters. Tetragon implements both mechanisms -in-kernel via eBPF. This is important for both observability and enforcement use-cases. For -observability, copying only the relevant events from kernel- to user-space reduces overhead. For +Here we discuss how to apply tracing policies only on a subset of pods running on the system via +the followings mechanisms: +- namespaced policies +- pod-label filters +- container field filters + +Tetragon implements these mechanisms in-kernel via eBPF. This is important for both observability +and enforcement use-cases. +For observability, copying only the relevant events from kernel- to user-space reduces overhead. For enforcement, performing the enforcement action in the kernel avoids the race-condition of doing it in user-space. For example, let us consider the case where we want to block an application from performing a system call. Performing the filtering in-kernel means that the application will never @@ -328,7 +333,7 @@ kubectl exec -it lseek-pod -c sidecar -- python3 Traceback (most recent call last): File "", line 1, in OSError: [Errno 9] Bad file descriptor - >>> +>>> ``` But containers matching the name `main` will: 
@@ -339,5 +344,5 @@ kubectl exec -it lseek-pod -c main -- python3 ``` >>> import os >>> os.lseek(-1, 0, 0) -Killed +command terminated with exit code 137 ```
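Review bot: in the first hunk, "the followings mechanisms:" should read "the following mechanisms:". Two smaller points in the same hunk: the first removed/added pair ("Here we discuss how to apply tracing policies only on a subset of pods running on the system via") is textually identical, so that change is presumably trailing-whitespace only and worth confirming as intentional; and the new bullet "container field filters" promises a third mechanism that the intro now advertises, so the section body added by this change should document it alongside namespaced policies and pod-label filters, otherwise the list points readers at something the page does not explain.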
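Review bot: in the last hunk, replacing `Killed` with `command terminated with exit code 137` is the more faithful transcript of what `kubectl exec` prints, but the surrounding prose should say what 137 means so the enforcement outcome is clear to the reader: the status is 128 + 9, i.e. the process was terminated by SIGKILL, which is exactly the action the policy applies to containers named `main`. A one-line note after the code block, e.g. "Exit code 137 indicates the process was killed by SIGKILL (128 + 9).", would make the example self-explanatory and contrast it with the sidecar case above, where the call merely fails with `OSError: [Errno 9] Bad file descriptor`.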