Release v1.1.0 release · cilium/tetragon

Release notes

v1.1.0 release is here! Please consider upgrading. This edition adds some notable features including user space stack traces, the enforcer sensor to easily deny system calls, metrics improvements, and numerous other fixes and improvements. Before upgrading please review deprecated fields and metric updates to check for any changes here that may impact your upgrade.

As always huge thanks to all the contributors, especially the new contributors. Also we appreciate all the bug reports, features requests and feedback from the users. Keep it coming this helps everyone everything from reading docs and just hearing user stories is great. Reach out and file an issue or ping @jrfastab if you have any feedback.

Additionally I wanted to thank @dwindsor, @vparla and their colleagues for detailed bug reports (#2069) and identifying multiple issues that the team was able to fix/improve in this release. 🚀 See the commit list below for details.

Events API and Metrics Changes:

API: Remove deprecated pod.labels field. Use pod.pod_labels instead. (#1848) by @michi-covalent
Fix metrics related to monitoring BPF maps and userspace caches. Remove tetragon_map_drops_total (it was duplicating tetragon_errors_total{type="process_cache_evicted"}). Remove tetragon_map_in_use_gauge{map="eventcache"} (event cache is not a BPF map). Replace tetragon_map_in_use_gauge{map="processLru"} with tetragon_process_cache_size (process cache is not a BPF map). (#1950) by @sadath-12
Metrics with known labels values are initialized to 0 on startup. (#2162) by @lambdanis

This helps to ensure stable resources usage and metrics queries. This also involves changes in several metrics labels:
- error_type label on tetragon_handler_errors_total metric is either "unknown_opcode" or "event_handler_failed" instead of the Go type of the error
- event_type label on tetragon_event_cache*_errors_total metrics is one of the values defined in Tetragon API (tetragon.EventType) instead of the Go type of the event
- error label on tetragon_event_cache_errors_total metric is "nil_process_pid"
- error label is removed from tetragon_policyfilter_metrics_total metric
Metrics for map and cache sizes are improved: (#2291) by @lambdanis
- tetragon_map_in_use_gauge metric is renamed to tetragon_map_entries and doesn't have total label anymore
- New tetragon_map_capacity metric exposes the BPF maps capacity
- New tetragon_event_cache_entries metric measures the event cache size
- New tetragon_process_cache_size metric measures the process cache size
- New tetragon_process_cache_capacity metric exposes the process cache capacity

Tracing Policy API Changes:

TracingPolicy: Replace symbol field (string) with symbols (array of strings) in uprobe spec. If using policies with uprobes, you need to replace the symbol field. (#1975) by @olsajiri
TracingPolicy: Rename killer to enforcer. If using policies with killers, you need to replace killers with enforcers and action: NotifyKiller with NotifyEnforcer. (#2117) by @olsajiri
Support user mode stacktraces in events. To enable this feature, set userStackTrace: true in the policy Post action. (#2175) by @anfedotoff

To distinguish different stacktraces, kernel stacktraces are now enabled with kernelStackTrace policy field (renamed from stackTrace), and posted in kernel_stack_trace event field (renamed from stack_trace).

New Contributors

@lmb made their first contribution in #1734
@PhilipSchmid made their first contribution in #1780
@hungran made their first contribution in #1797
@sadath-12 made their first contribution in #1915
@ioandr made their first contribution in #1965
@rpahli made their first contribution in #2006
@aohoyd made their first contribution in #1931
@christian-2 made their first contribution in #2038
@h3x-eilidh made their first contribution in #2059
@dwindsor made their first contribution in #1986
@next-ramses made their first contribution in #2084
@sfc-gh-gshe made their first contribution in #2144
@janvi01 made their first contribution in #2115
@Jianlin-lv made their first contribution in #2222
@f1ko made their first contribution in #2258
@yukinakanaka made their first contribution in #2310
@anfedotoff made their first contribution in #2175
@strongjz made their first contribution in #2316
@BonySmoke made their first contribution in #2231
@zazathomas made their first contribution in #2318
@alexeysofin made their first contribution in #2262
@Trung-DV made their first contribution in #2354

Major Changes:

Tetragon oci hook setup (#1842) by @kkourt
tetragon: detect execve of anonymous binaries (#499) by @tixxdz
Introduce an export filter type for process capabilities. (#2107) by @willfindlay
Introduce redaction filters for censoring sensitive string data in process events. (#2243) by @willfindlay
tracing: add multi-link uprobe support (#1914) by @olsajiri
policyfilter: add a containerSelector that allows filtering policies by container name (#2231) by @BonySmoke

Bugfixes:

Fix a segmentation fault related to filtering out pid information with field filters (#1700) by @willfindlay
Fix a number of segmentation faults related to field filters. (#1712) by @willfindlay
pkg/option: add metrics-label-filter flags (#1678) by @Jack-R-lantern
Do not add a new entry in the execve_map during clone events that we cannot find our parent. Additionally, return early on kernel threads. (#1708) by @tpapagian
Rework the matchBinaries selector implementation (#1731) by @mtardy
Fix a few bugs related to field filter configuration and significantly improve performance of field filters. (#1763) by @willfindlay
Fix a few bugs related to field filter configuration and significantly improve performance of field filters. (#1762) by @willfindlay
Fix an issue that caused Tetragon to hang when it encounters an error early on in its init phase. (#1770) by @willfindlay
Adds validation for sock and skb types (#1807) by @kevsecurity
Fixes prefix and postfix matching for strings longer than the prefix or postfix maximum length (#1806) by @kevsecurity
helm: Fix templating securityContext and tolerations (#1837) by @lambdanis
pkg/kernels: Fix large patch numbers (#1870) by @tpapagian
Fix a regression related to field filters that could cause top-level information to be missing from events. (#1882) by @willfindlay
bpf: unit tests and fixes for prepend_name function (#1902) by @mtardy
metrics: Do not return when we cannot find a _stats map (#1949) by @tpapagian
bpf: read and copy proc exe at execve for matchBinaries (#1926) by @mtardy
Dockerfile: bump bpftool revision to 7.3.0 (#1972) by @mtardy
Fix a hang when the event exporter fails to start. (#2119) by @willfindlay
tetra: avoid panic in the decoder (#2116) by @kkourt
Set events node_name field to the hostname in the standalone (non-k8s) mode. (#2123) by @lambdanis
policyfilter: fix issue in container fs scanning under cri-o (#2188) by @kkourt
metrics: Remove pod from the queue after deleting metrics (#2287) by @lambdanis
helm: Fix name and selector in operator ServiceMonitor (#2371) by @lambdanis

Minor Changes:

Add a metric to provide missed events per type (#1674) by @tpapagian
tetragon: factor kprobes (#1685) by @olsajiri
tetragon: namespace checks (#1627) by @tixxdz
tetragon: save tetragon pid into pidfile (#1743) by @tixxdz
operator: Don't log an error if the PodInfo resource already exists. (#1777) by @michi-covalent
Increases the character limit for prefix matches from 128 to 256. (#1779) by @kevsecurity
tetragon: Assorted fixes (#1781) by @olsajiri
policylibrary: add a catch all for setuid root and suid execution (#1706) by @tixxdz
tetragon: get rid of some programs (#1783) by @olsajiri
Misc Helm updates (#1814) by @lambdanis
Helm: Added various configuration options for the Tetragon Operator Deployment (#1817) by @PhilipSchmid
Add Prefix and NotPrefix operators to matchBinaries (#1732) by @mtardy
Add a Kubernetes service exposing Tetragon Operator metrics. Make the operator metrics port configurable via Helm values and change the default to 2113. (#1797) by @hungran
helm: add servicemonitor for operator (#1836) by @hungran
tetragon: Detect large program with feature check (#1833) by @olsajiri
tetragon: Add LT/GT oerator checks (#1863) by @olsajiri
tetragon: Add support to match 32 bit syscalls (#1816) by @olsajiri
tetragon: Move return filter to kernel (#1773) by @olsajiri
tetragon: Detect and use disassociate_ctty as exit probe if needed (#1853) by @olsajiri
tetragon: Use cilium/ebpf detection (#1904) by @olsajiri
tetragon: Small filter fixes (#1891) by @olsajiri
api:events: add message field to inform users what is happening (#1940) by @tixxdz
tetragon: detect if binary execution raised process privileges (#1786) by @tixxdz
Add rateLimitScope to control what rateLimit applies to. (#1962) by @kevsecurity
Update tetragon_errors_total metric to not count event cache retries and errors. Add tetragon_event_cache_retries_total and tetragon_event_cache_parent_info_errors_total metrics. (#1923) by @sadath-12
tetra: Add event filter based on tracing policy name (#1867) by @ioandr
killer sensor: add fmod_ret support (#1953) by @kkourt
tetragon: run Tetragon without access to CRD (#1931) by @aohoyd
helm: Add tetragonOperator.enabled flag to the chart (#2004) by @aohoyd
tetragon: Add support for uprobe arguments (#1978) by @olsajiri
tetra: add a probe command to probe BPF features (#2017) by @mtardy
tetragon: Harden loader sensor (#2024) by @olsajiri
bugtool: fetch gops pprof heap (#2007) by @tixxdz
tetragon: Add support to use security_ functions in killer (#2002) by @olsajiri
validation: improve error message when failing to load a TracingPolicy (#2031) by @christian-2
policylibrary: consolidate privileges raising operations into privileges-raise.yaml single policy (#1957) by @tixxdz
Extend string matching to strings of length 4096 characters (increased from 144 characters). (#2069) by @kevsecurity
tetragon: Factor uprobe sensor setup (#2085) by @olsajiri
Rename tetragon_policyflter_metrics_total metric to tetragon_policyfilter_metrics_total (fix a typo). (#2096) by @mtardy
tetragon: extract linux_binprm member using CO:RE (#1986) by @dwindsor
killer: assorted fixes (#2058) by @olsajiri
policy pod-label filters: allow for namespace filtering using k8s:io.kubernetes.pod.namespace (#1952) by @sadath-12
Parse kthreads during /proc scanning (#2089) by @tpapagian
pkg/sensors: expose policy status through metrics and tetra (#2090) by @mtardy
Fail with an error when the event exporter fails to start. (#2127) by @willfindlay
tetragon:trivial: create run dir early to avoid errors (#2148) by @tixxdz
tetragon:tarball: docker oci tarball fix (#2161) by @tixxdz
Add support for data_loc char buffers. (#2168) by @kevsecurity
Allow for the operator to forcefully update CRDs regardless of the version (#2023) by @aohoyd
Provide minimal support for struct net_device (#2196) by @kevsecurity
Tracing: add support for file permissions (#2222) by @Jianlin-lv
tetragon: assorted fixes (#2264) by @olsajiri
tetragon: log current security context if any at startup (#2149) by @tixxdz
tracing-policies: support tags to categorize events (#2008) by @tixxdz
cves: add detection of XZ backdoor in OpenSSH (#2276) by @tixxdz
tracingpolicy: comment message field for older versions support (#2281) by @tixxdz
tetragon: store caps during fork (#2275) by @tixxdz
Filter out bash kubernetes healthchecks (#2262) by @alexeysofin
Add export metrics (#2340) by @chancez
Support installing CRDs as part of Tetragon Helm chart by setting crds.installMethod=helm value. tetragonOperator.skipCRDCreation value is deprecated - if set to true, use crds.installMethod=none instead. (#2375) by @lambdanis

CI Changes:

renovate: let renovate update gops in Dockerfile (#1713) by @mtardy
renovate: enable stable support for v1.0 and fixes (#1742) by @mtardy
Avoid requiring the latest Go toolchain patch version to build (#1748) by @mtardy
renovate: try to fix Go updates for stable branches (#1752) by @mtardy
renovate: fix allowed version for Go upgrades in 1.0 branch (#1756) by @mtardy
renovate: add digest in Golang Docker image in Makefile.cli (#1758) by @mtardy
e2e: wait for tracing policy fixes (#1740) by @kkourt
fork-tester: remove connect to 8.8.8.8 (#1811) by @kkourt
e2e: Fix logger in e2e tests (#1785) by @tpapagian
ci: replace buildjet arm64 runners with actuated ones (#1682) by @mtardy
workflows: add independent go-version for setup-go actions (#1852) by @mtardy
workflow: fix PR link checker to check local branch links (#1865) by @mtardy
ci: fix tetragon go test ci job (#1890) by @tixxdz
workflows/vmtests: delete artifacts if run was successful (#1925) by @mtardy
Revert "chore(deps): update all github action artifacts to v4" (#1942) by @mtardy
workflows: bump bom version for race condition fix (#1944) by @mtardy
killer sensor: improve testing (#1948) by @kkourt
Tracepoint tests: Fix comm signedness and length check (#1963) by @kevsecurity
workflows: add apt-get update before installs (#1970) by @mtardy
ci: cross compile the arm tarball for tests (#1958) by @tixxdz
feat: validate crd versions (#1919) by @sadath-12
workflows: use defined actions/checkout version in validate-crd.yaml (#2045) by @mtardy
workflows: fix validate CRD by fetching all git repo history (#2066) by @mtardy
renovate: include all Dockerfiles, even the one with prefix (#2108) by @mtardy
renovate: match all Makefiles (#2126) by @willfindlay
renovate: allow auto-merge kernel bumps on LVH (#2140) by @mtardy
ci: only check docs on PR to main (#2154) by @willfindlay
ci: Add rhel8 kernel in vmtests (#2184) by @tpapagian
workflows: check only updated docs links in PRs (#2259) by @mtardy
ci/static-checks: ensure no binary files are checked in (#2174) by @willfindlay
Makefile: fix a missing 'vendor' target in oci-hook (#2283) by @mtardy
validate-crd: use SHAs for diff (#2319) by @kkourt
e2e: fix bugs + dump operator logs (#2266) by @willfindlay
helm: use renovate to update dockerfiles in the Makefile (#2350) by @mtardy
contrib: use renovate to update yq image (#2352) by @mtardy
renovate: run the Makefile after upgrading image deps (#2364) by @mtardy
Tetragon e2e Test: Run e2e tests in parallel on multiple runners (#2354) by @Trung-DV
ci: Skip checkpatch for Renovate PRs (#2386) by @lambdanis

Documentation changes:

docs: update tetragon.io title (#1709) by @hacktivist123
docs: remove mention of obsolete map_linux.go (#1734) by @lmb
Added some additional resources (#1754) by @saintdle
chore: site description update (#1760) by @hacktivist123
doc: Clarified Docker Desktop on MacOS FAQ (#1780) by @PhilipSchmid
Update install-k8s.md (#1753) by @lizrice
Add recent resources to docs + fix godoc (#1784) by @lambdanis
docs: bump Docsy to v0.8.0, enable search, enhance highlighting, simplify theme customizations and more fixes (#1829) by @mtardy
docs: add privacy-aware GoatCounter analytics (#1873) by @mtardy
docs: improve tetragon option reference page (#1932) by @mtardy
Improve rate limit documentation (#1961) by @kevsecurity
docs: fix typos, fix k8s install guide for zsh and update Cilium SW demo (#1965) by @ioandr
docs: fix invalid site param in hugo.toml (#1973) by @mtardy
doc: added uprobe info (#1945) by @sadath-12
docs: improve contribution guide and add a running test page (#1980) by @mtardy
docs: welcome all contributions and add a docs contrib guide (#1990) by @mtardy
docs: fix property naming (#2006) by @rpahli
docs: link checker config for docs contributor guide (#2000) by @mtardy
Fix typo on TracingPolicy Selectors Stack Traces documentation (#2059) by @h3x-eilidh
docs: remove tutorials section and move its content under appropriate sections (#2097) by @mtardy
README: remove the link to the tutorials in docs (#2104) by @mtardy
docs:policylibrary: more examples on privileges escalation and execution (#2067) by @tixxdz
Update enforcement.md (#2084) by @next-ramses
docs: tetragon troubleshoot improve (#2115) by @janvi01
docs: Privileged execution - use nginx instead of test-pod image (#2125) by @janvi01
docs: getting-started k8s fix kind create a cluster (#2158) by @mtardy
Generate metrics reference docs (#2164) by @lambdanis
README: add a link to the community call (#2179) by @mtardy
docs: add FAQ entry about kernel config and tetra probe (#2191) by @mtardy
docs: Fix cosign instructions (#2232) by @lambdanis
documentation: more detailed description re FollowFD/UnfollowFD (#2228) by @christian-2
docs: document export filters and fieldfilters (#2249) by @willfindlay
docs: fix contribution-guide docker run (#2310) by @yukinakanaka
docs: update demo app url (#2311) by @yukinakanaka
Update bug out tar file (#2316) by @strongjz
Update events.md (#2318) by @zazathomas
docs: fix filename-access example (#2335) by @yukinakanaka
docs: explicitly state which regex flavour is used for redaction (#2377) by @f1ko
docs: update the latest version from the docs with renovate (#2353) by @mtardy

Misc Changes:

starting 1.1 development (#1699) by @kkourt
pkg/bench: disable BPF stats collection at the end of execution (#1735) by @lmb
Replace the use of viper.bind flags with variables binding (#1119) by @Jack-R-lantern
Makefile: also use JOBS for test-compile (#1730) by @kkourt
Add arm64 support for the tarball via cross-compilation on amd64. (#1805) by @mtardy
helm: Don't mount /var/lib/tetragon/metadata (#1818) by @lambdanis
linters: add gosimple and fix corresponding alerts (#1813) by @mtardy
tracingpolicy: add a stack traces example (#1838) by @mtardy
linters: add makezero and fix a related bug (#1832) by @mtardy
Move Helm chart into tetragon directory (#1845) by @lambdanis
linters: add dupword detecting stutters in comments and strings (#1843) by @mtardy
testutils: Fix RepoRootPath when Tetragon is vendored (#1871) by @tpapagian
helm: Add extensions templates (#1846) by @lambdanis
Rename a function in e2e test helpers. (#1915) by @sadath-12
Improve local k8s developer experience (#1920) by @sadath-12
Introduce install/kubernetes/Makefile (#1930) by @sadath-12
chore: unloadpolicy after load (#1916) by @sadath-12
Add masOS compatibility for 'sed' usage in scripts (#1827) by @PhilipSchmid
bpf/exec: Move call to read_exe to tail call (#1982) by @tpapagian
crd: Fix type mismatch warning (#1979) by @tpapagian
gitattributes: add to the list of generated files (#1987) by @mtardy
metrics: Do not process the same map multiple times (#1996) by @tpapagian
Revert "testutils: Fix RepoRootPath when Tetragon is vendored" (#2012) by @tpapagian
fix: fill the missing type in tracingpolicy example (#1917) by @sadath-12
Perf: Remove extra copies of data from ring buffer (#2009) by @kevsecurity
api:proto: rename Inode to InodeProperties (#2026) by @tixxdz
Git-ignore drop-privileges along with other binaries (#2038) by @christian-2
Update github.com/opencontainers/runc to v1.1.12 (#2046) by @tpapagian
bpf: document how to use read_exe() (#2064) by @tixxdz
tests: add debug message to TestProcessSetCap (#2072) by @tixxdz
tetragon: Harden TestMatchCloneThreadsIDs test (#2075) by @olsajiri
chore: Sync bpf_tracing.h (#2091) by @tpapagian
tetragon: Remove superfluous MapDir (#2106) by @olsajiri
makefile: containerize CRD generation and rename codegen and generate targets (#2131) by @willfindlay
Remove unused PodInfo utility functions (#2144) by @sfc-gh-gshe
cmd/tetra: remove tp_state_ prefix in state in tp list (#2153) by @mtardy
tetragon: Move enforcer-tester to .gitignore (#2166) by @olsajiri
tetragon: Assorted sensor fixes (#2145) by @olsajiri
watcher: Don't create service and podInfo informers (#2167) by @lambdanis
pkg/k8s: fix use of deprecated scripts (#2180) by @mtardy
tetragon-oci-hook: improve logging (#2186) by @kkourt
Add error checking to program loading with respect to probe type. (#2135) by @kevsecurity
tetragon: Remove superfluous switch in HandleMessage callbacks (#2178) by @olsajiri
tetragon: update bpf func mappings and add dynptr_, timer, ring* (#2205) by @jrfastab
make: fix make crds and generate targets (#2215) by @tixxdz
Makefile: run tests as root without building as root (#2211) by @mtardy
tetragon: update bpf func reserve mapping for proper return value (#2217) by @jrfastab
examples: Remove ".yaml" suffix from privileges-setuid-root (#2227) by @lambdanis
bpf: read_call_arg, copy_path once (#2239) by @kkourt
e2e tests minor patches (#2225) by @kkourt
e2e: check policy state (#2229) by @kkourt
tetragon: Implement bpf.GetNumPossibleCPUs through cilium/ebpf library (#2244) by @olsajiri
OCI hooks: add container name and QoL updates (#2248) by @kkourt
observer: remove unused field (#2260) by @kkourt
Makefile: add native build support for arm64 MacOS (#2258) by @f1ko
fixes for policystatemetrics (#2285) by @kkourt
tetragon: cleanup pfilter.h to make it readable (#2288) by @jrfastab
jsonchecker: reset state of the export file (#2289) by @kkourt
fix policyfilter metrics (#2282) by @kkourt
BTF validation fixes (#2312) by @kkourt
Change the behaviour of redaction filters to fix a critical bug and improve performance. (#2322) by @willfindlay
tetragon: fix redaction filters log message (#2325) by @willfindlay
metrics: Refactor metrics label filter logic (#2321) by @lambdanis
Makefile: Do not use $(MAKE) when calling make with docker run (#2341) by @chancez
k8s: Fix CRDs Go code generation (#2339) by @lambdanis
tetra: no longer show singular getevents cmd flags as deprecated (#2348) by @mtardy
metrics: Refactor metrics label filter logic (#2373) by @lambdanis
Dockerfile: Remove syntax annotation (#2385) by @lambdanis
metrics: Return a copy of LabelFilter in WithEnabledLabels(nil) (#2378) by @lambdanis
Prepare for v1.1.0 release (#2392) by @kkourt

All changes

Add a metric to provide missed events per type by @tpapagian in #1674
server: fix another segfault related to field filters by @willfindlay in #1700
docs: update tetragon.io title by @hacktivist123 in #1709
chore(deps): update go by @cilium-renovate in #1711
chore(deps): update docker.io/golangci/golangci-lint docker tag to v1.55.2 by @cilium-renovate in #1714
fix(deps): update module golang.org/x/time to v0.4.0 by @cilium-renovate in #1721
chore(deps): update quay.io/lvh-images/kernel-images docker tag to bpf-next-20231106.012832 by @cilium-renovate in #1715
renovate: let renovate update gops in Dockerfile by @mtardy in #1713
fix(deps): update module github.com/bombsimon/logrusr/v4 to v4.1.0 by @cilium-renovate in #1716
fix(deps): update module github.com/spf13/cobra to v1.8.0 by @cilium-renovate in #1718
fix(deps): update module golang.org/x/sync to v0.5.0 by @cilium-renovate in #1719
chore(deps): update dependency google/gops to v0.3.28 by @cilium-renovate in #1722
fix(deps): update module github.com/cilium/cilium to v1.15.0-pre.2 by @cilium-renovate in #1724
fix(deps): update module github.com/cilium/cilium to v1.15.0-pre.2 by @cilium-renovate in #1723
filters/fields: do a deep copy before filtering by @willfindlay in #1712
pkg/option: add metrics-label-filter flags by @Jack-R-lantern in #1678
fix(deps): update module github.com/opencontainers/runc to v1.1.10 by @cilium-renovate in #1725
Fix missing parent issue in clone events by @tpapagian in #1708
tetragon: factor kprobes by @olsajiri in #1685
chore(deps): update go to v1.21.4 (patch) by @cilium-renovate in #1733
docs: remove mention of obsolete map_linux.go by @lmb in #1734
pkg/bench: disable BPF stats collection at the end of execution by @lmb in #1735
chore(deps): pin docker/dockerfile docker tag to e2a8561 by @cilium-renovate in #1736
chore(deps): update quay.io/lvh-images/kernel-images docker tag to bpf-next-20231113.012843 by @cilium-renovate in #1737
tetragon: namespace checks by @tixxdz in #1627
fix(deps): update module github.com/cilium/ebpf to v0.12.3 by @cilium-renovate in #1738
fix(deps): update module github.com/google/cel-go to v0.18.2 by @cilium-renovate in #1739
renovate: enable stable support for v1.0 and fixes by @mtardy in #1742
fix(deps): update golang.org/x/sys digest to 11eadc0 (main) by @cilium-renovate in #1744
Avoid requiring the latest Go toolchain patch version to build by @mtardy in #1748
fix(deps): update module github.com/fatih/color to v1.16.0 (main) by @cilium-renovate in #1749
renovate: try to fix Go updates for stable branches by @mtardy in #1752
Added some additional resources by @saintdle in #1754
renovate: fix allowed version for Go upgrades in 1.0 branch by @mtardy in #1756
renovate: add digest in Golang Docker image in Makefile.cli by @mtardy in #1758
Rework the matchBinaries selector implementation by @mtardy in #1731
Replace the use of viper.bind flags with variables binding by @Jack-R-lantern in #1119
Makefile: also use JOBS for test-compile by @kkourt in #1730
chore: site description update by @hacktivist123 in #1760
fieldfilters: fix case conversion and improve performance by @willfindlay in #1762
e2e: wait for tracing policy fixes by @kkourt in #1740
tetragon: save tetragon pid into pidfile by @tixxdz in #1743
chore(deps): update docker/dockerfile docker tag to v1.6 (main) by @cilium-renovate in #1745
fix(deps): update kubernetes packages to v0.28.4 (main) (patch) by @cilium-renovate in #1768
tetragon: fix hang on error in tetragonExecute by @willfindlay in #1770
chore(deps): update docker.io/library/golang:1.21.4 docker digest to 57bf74a (main) by @cilium-renovate in #1766
chore(deps): update quay.io/lvh-images/kernel-images docker tag to bpf-next-20231120.012927 (main) by @cilium-renovate in #1767
podinfo: Handle an expected error gracefully by @michi-covalent in #1777
fix(deps): update golang.org/x/sys digest to 13b15b7 (main) by @cilium-renovate in #1772
fix(deps): update module github.com/containerd/containerd to v1.7.9 (main) by @cilium-renovate in #1769
doc: Clarified Docker Desktop on MacOS FAQ by @PhilipSchmid in #1780
String: Increase prefix size from 128 to 256 chars by @kevsecurity in #1779
tetragon: Assorted fixes by @olsajiri in #1781
Update install-k8s.md by @lizrice in #1753
chore(deps): update dependency ubuntu to v22 (main) by @cilium-renovate in #1793
chore(deps): update quay.io/lvh-images/kernel-images docker tag to bpf-next-20231123.012848 (main) by @cilium-renovate in #1791
chore(deps): update all github action dependencies (main) by @cilium-renovate in #1790
chore(deps): update docker.io/library/golang:1.21.4 docker digest to 9baee0e (main) by @cilium-renovate in #1789
policylibrary: add a catch all for setuid root and suid execution by @tixxdz in #1706
fix(deps): update github.com/cilium/little-vm-helper digest to 96de861 (main) by @cilium-renovate in #1794
chore(deps): update actions/setup-node action to v4 (main) by @cilium-renovate in #1792
chore(deps): update all lvh-images main (main) (patch) by @cilium-renovate in #1795
Add recent resources to docs + fix godoc by @lambdanis in #1784
Arg validation: Add mappings for sock and skb by @kevsecurity in #1807
tetragon: get rid of some programs by @olsajiri in #1783
Make tarball target work with arm64 cross-compilation and simplify Makefile/Dockerfile by @mtardy in #1805
fix(deps): update module golang.org/x/time to v0.5.0 (main) by @cilium-renovate in #1809
fork-tester: remove connect to 8.8.8.8 by @kkourt in #1811
fix(deps): update module golang.org/x/sys to v0.15.0 (main) by @cilium-renovate in #1808
e2e: Fix logger in e2e tests by @tpapagian in #1785
fix(deps): update github.com/cilium/little-vm-helper digest to de55dde (main) by @cilium-renovate in #1798
chore(deps): update quay.io/lvh-images/kernel-images docker tag to bpf-next-20231128.012937 (main) by @cilium-renovate in #1799
String matching: match long strings by @kevsecurity in #1806
Misc Helm updates by @lambdanis in #1814
helm: Don't mount /var/lib/tetragon/metadata by @lambdanis in #1818
chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (main) by @cilium-renovate in #1822
chore(deps): update docker.io/library/golang:1.21.4-alpine docker digest to 8a15263 (main) by @cilium-renovate in #1821
chore(deps): update docker.io/library/golang:1.21.4-alpine docker digest to 70afe55 (main) by @cilium-renovate in #1823
Helm: Added various configuration options for the Tetragon Operator Deployment by @PhilipSchmid in #1817
ci: replace buildjet arm64 runners with actuated ones by @mtardy in #1682
Add Prefix and NotPrefix operators to matchBinaries by @mtardy in #1732
linters: add gosimple and fix corresponding alerts by @mtardy in #1813
fix(deps): update all go dependencies main (main) (patch) by @cilium-renovate in #1828
fix(deps): update module github.com/go-openapi/strfmt to v0.21.8 (main) by @cilium-renovate in #1831
helm: adding optional to expose tetragon-operator metrics by @hungran in #1797
tracingpolicy: add a stack traces example by @mtardy in #1838
docs: bump Docsy to v0.8.0, enable search, enhance highlighting, simplify theme customizations and more fixes by @mtardy in #1829
helm: Fix templating securityContext and tolerations by @lambdanis in #1837
linters: add makezero and fix a related bug by @mtardy in #1832
deps: bump github.com/cilium/cilium to v1.15.0-pre.3 by @mtardy in #1844
helm: add servicemonitor for operator by @hungran in #1836
chore(deps): update docker.io/library/golang docker tag to v1.21.5 (main) by @cilium-renovate in #1850
workflows: add independent go-version for setup-go actions by @mtardy in #1852
Remove pod.labels field by @michi-covalent in #1848
Move Helm chart into tetragon directory by @lambdanis in #1845
fix(deps): update module github.com/spf13/viper to v1.18.0 (main) by @cilium-renovate in #1862
chore(deps): update quay.io/cilium/hubble-export-stdout docker tag to v1.0.4 (main) by @cilium-renovate in #1859
chore(deps): update docker.io/library/alpine docker tag to v3.19.0 (main) by @cilium-renovate in #1861
fix(deps): update module github.com/go-openapi/strfmt to v0.21.9 (main) by @cilium-renovate in #1860
linters: add dupword detecting stutters in comments and strings by @mtardy in #1843
tetragon: Detect large program with feature check by @olsajiri in #1833
tetragon: Add LT/GT oerator checks by @olsajiri in #1863
workflow: fix PR link checker to check local branch links by @mtardy in #1865
fix(deps): update all go dependencies main (main) (patch) by @cilium-renovate in #1834
fix(deps): update kubernetes packages to v0.29.0-rc.2 (main) (patch) by @cilium-renovate in #1866
chore(deps): update go (main) by @cilium-renovate in #1868
Tetragon oci hook setup by @kkourt in #1842
pkg/kernels: Fix large patch numbers by @tpapagian in #1870
tetragon: Add support to match 32 bit syscalls by @olsajiri in #1816
chore(deps): update all lvh-images main (main) (patch) by @cilium-renovate in #1824
testutils: Fix RepoRootPath when Tetragon is vendored by @tpapagian in #1871
fix(deps): update module github.com/containers/common to v0.57.1 (main) by @cilium-renovate in #1874
tetragon: Move return filter to kernel by @olsajiri in #1773
fix(deps): update module github.com/google/uuid to v1.5.0 (main) by @cilium-renovate in #1875
fieldfilters: fix regression with missing top-level info and add test by @willfindlay in #1882
chore(deps): update all github action dependencies to v4 (main) (major) by @cilium-renovate in #1876
docs: add privacy-aware GoatCounter analytics by @mtardy in #1873
chore(deps): update quay.io/lvh-images/kernel-images docker tag to bpf-next-20231215.012940 (main) by @cilium-renovate in #1887
chore(deps): update actions/setup-go action to v5 (main) by @cilium-renovate in #1878
chore(deps): update all github action dependencies to v3 (main) (major) by @cilium-renovate in #1877
chore(deps): update docker.io/library/golang:1.21.5 docker digest to 2ff79bc (main) by @cilium-renovate in #1886
helm: Add extensions templates by @lambdanis in #1846
ci: fix tetragon go test ci job by @tixxdz in #1890
fix(deps): update module github.com/cilium/cilium to v1.15.0-rc.0 (main) by @cilium-renovate in #1893
fix(deps): update module github.com/cilium/cilium to v1.15.0-rc.0 (main) by @cilium-renovate in #1892
fix(deps): update module google.golang.org/grpc to v1.60.0 (main) by @cilium-renovate in #1897
fix(deps): update module google.golang.org/grpc to v1.60.0 (main) by @cilium-renovate in #1896
fix(deps): update module github.com/go-openapi/strfmt to v0.21.10 (main) by @cilium-renovate in #1899
fix(deps): update kubernetes packages to v0.29.0 (main) (patch) by @cilium-renovate in #1889
chore(deps): update helm chart to v1.0.1 (main) (patch) by @cilium-renovate in #1888
tetragon: Detect and use disassociate_ctty as exit probe if needed by @olsajiri in #1853
workflows/vmtests: delete artifacts if run was successful by @mtardy in #1925
fix(deps): update module google.golang.org/grpc to v1.60.1 (main) by @cilium-renovate in #1908
fix(deps): update module github.com/go-openapi/strfmt to v0.22.0 (main) by @cilium-renovate in #1922
fix(deps): update all oci hook go dependencies main (main) (patch) by @cilium-renovate in #1909
chore(deps): update go (main) by @cilium-renovate in #1906
fix(deps): update module github.com/spf13/viper to v1.18.2 (main) by @cilium-renovate in #1903
fix(deps): update module google.golang.org/protobuf to v1.32.0 (main) by @cilium-renovate in #1912
bpf: unit tests and fixes for prepend_name function by @mtardy in #1902
chore: rename TracingPolicy function by @sadath-12 in #1915
chore(deps): update all github action dependencies (main) by @cilium-renovate in #1937
chore(deps): update actions/upload-pages-artifact action to v3 (main) by @cilium-renovate in #1939
chore(deps): update actions/deploy-pages action to v4 (main) by @cilium-renovate in #1938
docs: improve tetragon option reference page by @mtardy in #1932
Improve local k8s developer experience by @sadath-12 in #1920
tetragon: Use cilium/ebpf detection by @olsajiri in #1904
Revert "chore(deps): update all github action artifacts to v4" by @mtardy in #1942
fix(deps): update module github.com/prometheus/client_golang to v1.18.0 (main) by @cilium-renovate in #1934
Introduce install/kubernetes/Makefile by @sadath-12 in #1930
workflows: bump bom version for race condition fix by @mtardy in #1944
tetragon: Small filter fixes by @olsajiri in #1891
api:events: add message field to inform users what is happening by @tixxdz in #1940
metrics: Do not return when we cannot find a _stats map by @tpapagian in #1949
fix(deps): update module golang.org/x/sync to v0.6.0 (main) by @cilium-renovate in #1935
killer sensor: improve testing by @kkourt in #1948
chore: unloadpolicy after load by @sadath-12 in #1916
tetragon: detect if binary execution raised process privileges by @tixxdz in #1786
fix(deps): update module golang.org/x/sys to v0.16.0 (main) by @cilium-renovate in #1936
Add masOS compatibility for 'sed' usage in scripts by @PhilipSchmid in #1827
Docs: improve rate limit documentation by @kevsecurity in #1961
Tracepoint tests: Fix comm signedness and length check by @kevsecurity in #1963
Actions: add rateLimitScope by @kevsecurity in #1962
bpf: read and copy proc exe at execve for matchBinaries by @mtardy in #1926
workflows: add apt-get update before installs by @mtardy in #1970
ci: cross compile the arm tarball for tests by @tixxdz in #1958
chore(deps): update go to v1.21.6 (main) (patch) by @cilium-renovate in #1967
fix(deps): update module github.com/containerd/containerd to v1.7.12 (main) by @cilium-renovate in #1971
docs: fix typos, fix k8s install guide for zsh and update Cilium SW demo by @ioandr in #1965
Dockerfile: bump bpftool revision to 7.3.0 by @mtardy in #1972
docs: fix invalid site param in hugo.toml by @mtardy in #1973
doc: added uprobe info by @sadath-12 in #1945
handling metrics correctly by @sadath-12 in #1923
Allow event filtering based on tracing policy by @ioandr in #1867
tetragon: Change uprobe spec by @olsajiri in #1975
bpf/exec: Move call to read_exe to tail call by @tpapagian in #1982
chore(deps): update dependency kubernetes-sigs/bom to v0.6.0 (main) by @cilium-renovate in #1968
docs: improve contribution guide and add a running test page by @mtardy in #1980
crd: Fix type mismatch warning by @tpapagian in #1979
gitattributes: add to the list of generated files by @mtardy in #1987
killer sensor: add support for fmod_ret by @kkourt in #1953
docs: welcome all contributions and add a docs contrib guide by @mtardy in #1990
chore(deps): update docker.io/library/golang:1.21.6 docker digest to 5f5d61d (main) by @cilium-renovate in #1988
chore(deps): update all github action dependencies to v4 (main) (major) by @cilium-renovate in #1992
fix(deps): update kubernetes packages to v0.29.1 (main) (patch) by @cilium-renovate in #1994
metrics: Do not process the same map multiple times by @tpapagian in #1996
chore(deps): update helm chart to v1.0.2 (main) (patch) by @cilium-renovate in #1993
fix(deps): update module github.com/cilium/cilium to v1.15.0-rc.1 (main) by @cilium-renovate in #1999
fix(deps): update module github.com/containers/common to v0.57.2 (main) by @cilium-renovate in #2001
fix(deps): update module github.com/google/cel-go to v0.19.0 (main) by @cilium-renovate in #2003
docs: fix property naming by @rpahli in #2006
docs: link checker config for docs contributor guide by @mtardy in #2000
tetragon: run Tetragon without access to CRD by @aohoyd in #1931
Revert "testutils: Fix RepoRootPath when Tetragon is vendored" by @tpapagian in #2012
chore(deps): update go (main) by @cilium-renovate in #2016
helm: Add tetragonOperator.enabled flag to the chart by @aohoyd in #2004
fix(deps): update module github.com/cilium/cilium to v1.15.0-rc.1 (main) by @cilium-renovate in #1998
tetragon: Add support for uprobe arguments by @olsajiri in #1978
tetragon: detect execve of anonymous binaries by @tixxdz in #499
fix(deps): update module google.golang.org/grpc to v1.61.0 (main) by @cilium-renovate in #2019
fix: fill the missing type in tracingpolicy example by @sadath-12 in #1917
fix(deps): update module google.golang.org/grpc to v1.61.0 (main) by @cilium-renovate in #2020
Perf: Remove extra copies of data from ring buffer by @kevsecurity in #2009
tetra: add a probe command to probe BPF features by @mtardy in #2017
chore(deps): update all lvh-images main (main) (patch) by @cilium-renovate in #1907
fix(deps): update module github.com/cilium/little-vm-helper to v0.0.14 (main) by @cilium-renovate in #2025
fix(deps): update module github.com/google/uuid to v1.6.0 (main) by @cilium-renovate in #2018
api:proto: rename Inode to InodeProperties by @tixxdz in #2026
tetragon: Harden loader sensor by @olsajiri in #2024
chore(deps): update quay.io/lvh-images/kernel-images docker tag to v6.6-20240125.104921 (main) by @cilium-renovate in #2029
bugtool: fetch gops pprof heap by @tixxdz in #2007
fix(deps): update module github.com/cilium/little-vm-helper to v0.0.15 (main) by @cilium-renovate in #2027
chore(deps): update docker.io/library/alpine docker tag to v3.19.1 (main) by @cilium-renovate in #2034
tetragon: Add support to use security_ functions in killer by @olsajiri in #2002
chore(deps): update docker.io/library/golang:1.21.6-alpine docker digest to a6a7f1f (main) by @cilium-renovate in #2033
chore(deps): update renovatebot/github-action action to v40 (main) by @cilium-renovate in #2042
chore(deps): update peter-evans/create-issue-from-file action to v5 (main) by @cilium-renovate in #2041
chore(deps): update dorny/paths-filter action to v3 (main) by @cilium-renovate in #2040
chore(deps): update all lvh-images main (main) (patch) by @cilium-renovate in #2035
Git-ignore drop-privileges along with other binaries by @christian-2 in #2038
golangci-lint: remove Dockerfile.golangci-lint and update renovate config by @mtardy in #2044
Revert "update module github.com/cilium/little-vm-helper to v0.0.15" by @mtardy in #2043
feat: validate crd versions by @sadath-12 in #1919
validation: improve error message when failing to load a TracingPolicy by @christian-2 in #2031
Update github.com/opencontainers/runc to v1.1.12 by @tpapagian in #2046
Fix typo on TracingPolicy Selectors Stack Traces documentation by @h3x-eilidh in #2059
workflows: use defined actions/checkout version in validate-crd.yaml by @mtardy in #2045
policylibrary: consolidate privileges raising operations into privileges-raise.yaml single policy by @tixxdz in #1957
fix(deps): update module github.com/containers/common to v0.57.4 (main) by @cilium-renovate in #2056
fix(deps): update all go dependencies main (main) (patch) by @cilium-renovate in #2054
bpf: document how to use read_exe() by @tixxdz in #2064
workflows: fix validate CRD by fetching all git repo history by @mtardy in #2066
chore(deps): update all lvh-images main (main) (patch) by @cilium-renovate in #2053
fix(deps): update module github.com/cilium/cilium to v1.15.0 (main) by @cilium-renovate in #2055
chore(deps): update docker.io/library/golang:1.21.6 docker digest to 7b575fe (main) by @cilium-renovate in #2052
tests: add debug message to TestProcessSetCap by @tixxdz in #2072
String: Support longer exact match strings by @kevsecurity in #2069
chore(deps): update go to v1.21.7 (main) (patch) by @cilium-renovate in #2078
fix(deps): update module sigs.k8s.io/controller-runtime to v0.16.4 (main) by @cilium-renovate in #2079
fix(deps): update module golang.org/x/sys to v0.17.0 (main) by @cilium-renovate in #2081
chore(deps): update all lvh-images main (main) (patch) by @cilium-renovate in #2077
tetragon: Harden TestMatchCloneThreadsIDs test by @olsajiri in #2075
tetragon: Factor uprobe sensor setup by @olsajiri in #2085
chore(deps): update go to v1.22.0 (main) (minor) by @cilium-renovate in #2070
chore(deps): update docker.io/golangci/golangci-lint docker tag to v1.56.1 (main) by @cilium-renovate in #2080
chore(deps): update golangci/golangci-lint-action action to v4 (main) by @cilium-renovate in #2095
fix(deps): update module github.com/opencontainers/runtime-spec to v1.2.0 (main) by @cilium-renovate in #2094
fix(deps): update module google.golang.org/grpc to v1.61.1 (main) by @cilium-renovate in #2098
fix(deps): update module google.golang.org/grpc to v1.61.1 (main) by @cilium-renovate in #2099
pkg/metrics: fix a typo in policyfilter_metrics_total by @mtardy in #2096
docs: remove tutorials section and move its content under appropriate sections by @mtardy in #2097
fix(deps): update module github.com/cilium/cilium to v1.15.1 (main) by @cilium-renovate in #2103
chore(deps): update all github action dependencies (main) by @cilium-renovate in #2102
fix(deps): update kubernetes packages to v0.29.2 (main) (patch) by @cilium-renovate in #2105
README: remove the link to the tutorials in docs by @mtardy in #2104
docs:policylibrary: more examples on privileges escalation and execution by @tixxdz in #2067
renovate: include all Dockerfiles, even the one with prefix by @mtardy in #2108
tetragon: extract linux_binprm member using CO:RE by @dwindsor in #1986
killer: assorted fixes by @olsajiri in #2058
chore(deps): update docker.io/golangci/golangci-lint docker tag to v1.56.2 (main) by @cilium-renovate in #2112
fix(deps): update module github.com/cilium/ebpf to v0.13.0 (main) by @cilium-renovate in #2109
chore(deps): update docker.io/library/golang:1.22.0 docker digest to 7b297d9 (main) by @cilium-renovate in #2111
fix(deps): update module sigs.k8s.io/controller-runtime to v0.16.5 (main) by @cilium-renovate in #2100
chore: Sync bpf_tracing.h by @tpapagian in #2091
fix(deps): update module github.com/google/cel-go to v0.20.0 (main) by @cilium-renovate in #2113
chore(deps): update all github action dependencies to v3 (main) (major) by @cilium-renovate in #2118
exporter: fix hang when exporter fails to start by @willfindlay in #2119
Update enforcement.md by @next-ramses in #2084
fix(deps): update module github.com/prometheus/client_model to v0.6.0 (main) by @cilium-renovate in #2121
tetra: avoid panic in the decoder by @kkourt in #2116
policyfilter: add a label that allows to filter based on namespaces by @sadath-12 in #1952
Parse kthreads during /proc scanning by @tpapagian in #2089
renovate: match all Makefiles by @willfindlay in #2126
Set node_name to hostname if NODE_NAME envvar is not found by @lambdanis in #2123
tetragon: Remove superfluous MapDir by @olsajiri in #2106
pkg/sensors: expose policy status through metrics and tetra by @mtardy in #2090
exporter: return err when exporter fails to start by @willfindlay in #2127
makefile: containerize CRD generation and rename codegen and generate targets by @willfindlay in #2131
fix(deps): update module github.com/cilium/ebpf to v0.13.2 (main) by @cilium-renovate in #2138
fix(deps): update module google.golang.org/grpc to v1.62.0 (main) by @cilium-renovate in #2139
renovate: allow auto-merge kernel bumps on LVH by @mtardy in #2140
chore(deps): update all lvh-images main (main) (patch) by @cilium-renovate in #2088
fix(deps): update module google.golang.org/grpc to v1.62.0 (main) by @cilium-renovate in #2141
tetragon: Rename killer to enforcer by @olsajiri in #2117
tetragon:trivial: create run dir early to avoid errors by @tixxdz in #2148
ci: only check docs on PR to main by @willfindlay in #2154
Remove unused PodInfo utility functions by @sfc-gh-gshe in #2144
cmd/tetra: remove tp_state_ prefix in state in tp list by @mtardy in #2153
docs: tetragon troubleshoot improve by @janvi01 in #2115
chore(deps): update quay.io/lvh-images/kernel-images docker tag to bpf-next-20240228.012524 (main) by @cilium-renovate in #2147
tetragon:tarball: docker oci tarball fix by @tixxdz in #2161
filters: implement capability filters by @willfindlay in #2107
docs: Privileged execution - use nginx instead of test-pod image by @janvi01 in #2125
tetragon: Move enforcer-tester to .gitignore by @olsajiri in #2166
tetragon: Assorted sensor fixes by @olsajiri in #2145
Tracepoints: Add support for data_loc params and sock and skb types by @kevsecurity in #2168
docs: getting-started k8s fix kind create a cluster by @mtardy in #2158
fix(deps): update module github.com/prometheus/client_golang to v1.19.0 (main) by @cilium-renovate in #2170
fix(deps): update module github.com/go-openapi/strfmt to v0.22.1 (main) by @cilium-renovate in #2169
watcher: Don't create service and podInfo informers by @lambdanis in #2167
metrics: Improve monitoring BPF maps and userspace caches by @sadath-12 in #1950
fix(deps): update module github.com/stretchr/testify to v1.9.0 (main) by @cilium-renovate in #2173
Initialize metrics with labels by @lambdanis in #2162
Generate metrics reference docs by @lambdanis in #2164
README: add a link to the community call by @mtardy in #2179
pkg/k8s: fix use of deprecated scripts by @mtardy in #2180
operator: Add flag to forcefully update CRDs by @aohoyd in #2023
fix(deps): update module github.com/go-openapi/strfmt to v0.22.2 (main) by @cilium-renovate in #2182
fix(deps): update module golang.org/x/sys to v0.18.0 (main) by @cilium-renovate in #2183
ci: Add rhel8 kernel in vmtests by @tpapagian in #2184
tetragon-oci-hook: improve logging by @kkourt in #2186
policyfilter fix by @kkourt in #2188
chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] (main) by @cilium-renovate in #2189
chore(deps): update go to v1.22.1 (main) (patch) by @cilium-renovate in #2192
Loading: Check if probe type is registered by @kevsecurity in #2135
chore(deps): update all lvh-images main (main) (patch) by @cilium-renovate in #2181
docs: add FAQ entry about kernel config and tetra probe by @mtardy in #2191
Tracing: add (minimal) net_device type by @kevsecurity in #2196
tetragon: Remove superfluous switch in HandleMessage callbacks by @olsajiri in #2178
fix(deps): update all oci hook go dependencies main (main) (patch) by @cilium-renovate in #2198
fix(deps): update module github.com/alecthomas/kong to v0.9.0 (main) by @cilium-renovate in #2201
tetragon: update bpf func mappings and add dynptr_, timer, ring* by @jrfastab in #2205
chore(deps): update quay.io/lvh-images/kernel-images docker tag to bpf-next-20240309.012251 (main) by @cilium-renovate in #2197
fix(deps): update module github.com/go-openapi/strfmt to v0.23.0 (main) by @cilium-renovate in #2208
fix(deps): update module github.com/containers/common to v0.58.0 (main) by @cilium-renovate in #2202
chore(deps): update docker/dockerfile docker tag to v1.7 (main) by @cilium-renovate in #2200
fix(deps): update all go dependencies main (main) (patch) by @cilium-renovate in #2193
make: fix make crds and generate targets by @tixxdz in #2215
Makefile: run tests as root without building as root by @mtardy in #2211
fix(deps): update module github.com/containerd/containerd to v1.7.14 (main) by @cilium-renovate in #2212
fix(deps): update module github.com/cilium/cilium to v1.15.2 (main) by @cilium-renovate in #2221
tetragon: update bpf func reserve mapping for proper return value by @jrfastab in #2217
chore(deps): update docker.io/library/golang:1.22.1 docker digest to 0b55ab8 (main) by @cilium-renovate in #2219
examples: Remove ".yaml" suffix from privileges-setuid-root by @lambdanis in #2227
docs: Fix cosign instructions by @lambdanis in #2232
fix(deps): update kubernetes packages to v0.29.3 (main) (patch) by @cilium-renovate in #2236
bpf: read_call_arg, copy_path once by @kkourt in #2239
e2e tests minor patches by @kkourt in #2225
Tracing: add support for file permissions by @Jianlin-lv in #2222
documentation: more detailed description re FollowFD/UnfollowFD by @christian-2 in #2228
e2e: check policy state by @kkourt in #2229
chore(deps): update docker.io/golangci/golangci-lint docker tag to v1.57.1 (main) by @cilium-renovate in #2245
chore(deps): update module github.com/docker/docker to v25.0.5+incompatible [security] (main) by @cilium-renovate in #2242
chore(deps): update quay.io/lvh-images/kernel-images docker tag to bpf-next-20240322.012512 (main) by @cilium-renovate in #2224
chore(deps): update docker.io/library/golang:1.22.1-alpine docker digest to 0466223 (main) by @cilium-renovate in #2235
fix(deps): update module github.com/mennanov/fieldmask-utils to v1.1.2 (main) by @cilium-renovate in #2220
tetragon: Implement bpf.GetNumPossibleCPUs through cilium/ebpf library by @olsajiri in #2244
docs: document export filters and fieldfilters by @willfindlay in #2249
OCI hooks: add container name and QoL updates by @kkourt in #2248
workflows: check only updated docs links in PRs by @mtardy in #2259
chore(deps): update all lvh-images main (main) (patch) by @cilium-renovate in #2252
observer: remove unused field by @kkourt in #2260
tetragon: assorted fixes by @olsajiri in #2264
tetragon: log current security context if any at startup by @tixxdz in #2149
tracing-policies: support tags to categorize events by @tixxdz in #2008
implement redaction filters by @willfindlay in #2243
chore(deps): update docker.io/golangci/golangci-lint docker tag to v1.57.2 (main) by @cilium-renovate in #2270
chore(deps): update all lvh-images main (main) (patch) by @cilium-renovate in #2269
fix(deps): update module github.com/cilium/cilium to v1.15.3 [security] (main) by @cilium-renovate in #2268
fix(deps): update module github.com/cilium/ebpf to v0.14.0 (main) by @cilium-renovate in #2273
ci/static-checks: ensure no binary files are checked in by @willfindlay in #2174
cves: add detection of XZ backdoor in OpenSSH by @tixxdz in #2276
tetragon: Add uprobe multi support by @olsajiri in #1914
fix(deps): update all go dependencies main (main) (patch) by @cilium-renovate in #2271
fix(deps): update module github.com/containers/common to v0.58.1 (main) by @cilium-renovate in #2272
Makefile: add native build support for arm64 MacOS by @f1ko in #2258
chore(deps): update all github action dependencies to v5 (main) (major) by @cilium-renovate in #2278
chore(deps): update peaceiris/actions-hugo action to v3 (main) by @cilium-renovate in #2279
tracingpolicy: comment message field for older versions support by @tixxdz in #2281
fixes for policystatemetrics by @kkourt in #2285
Makefile: fix a missing 'vendor' target in oci-hook by @mtardy in #2283
tetragon: cleanup pfilter.h to make it readable by @jrfastab in #2288
jsonchecker: reset state of the export file by @kkourt in #2289
tetragon: store caps during fork by @tixxdz in #2275
metrics: Remove pod from the queue after deleting metrics by @lambdanis in #2287
chore(deps): update go to v1.22.2 (main) (patch) by @cilium-renovate in #2296
chore(deps): update module golang.org/x/net to v0.23.0 [security] (main) by @cilium-renovate in #2295
chore(deps): update all lvh-images main (main) (patch) by @cilium-renovate in #2274
fix(deps): update module golang.org/x/sync to v0.7.0 (main) by @cilium-renovate in #2301
fix(deps): update module google.golang.org/grpc to v1.62.2 (main) by @cilium-renovate in #2303
fix(deps): update all go dependencies main (main) (patch) by @cilium-renovate in #2302
fix policyfilter metrics by @kkourt in #2282
docs: fix contribution-guide docker run by @yukinakanaka in #2310
fix(deps): update module github.com/containerd/containerd to v1.7.15 (main) by @cilium-renovate in #2308
fix(deps): update module golang.org/x/sys to v0.19.0 (main) by @cilium-renovate in #2304
BTF validation fixes by @kkourt in #2312
docs: update demo app url by @yukinakanaka in #2311
chore(deps): update all lvh-images main (main) (patch) by @cilium-renovate in #2313
chore(deps): update softprops/action-gh-release action to v2 (main) by @cilium-renovate in #2280
Support user mode stacktraces in events by @anfedotoff in #2175
Update bug out tar file by @strongjz in #2316
chore(deps): update helm chart to v1.0.3 (main) (patch) by @cilium-renovate in #2317
policyfilter: Apply Policy Only to Specific Containers in a Pod by @BonySmoke in #2231
validate-crd: use SHAs for diff by @kkourt in #2319
Update events.md by @zazathomas in #2318
e2e: fix bugs + dump operator logs by @willfindlay in #2266
fix(deps): update module google.golang.org/grpc to v1.63.2 (main) by @cilium-renovate in #2305
filters/redaction: fix crash related to redaction filters and improve performance by @willfindlay in #2322
Improve metrics for map and cache sizes by @lambdanis in #2291
tetragon: fix redaction filters log message by @willfindlay in #2325
fix(deps): update module github.com/prometheus/procfs to v0.13.0 (main) by @cilium-renovate in #2315
chore(deps): update docker.io/library/golang:1.22.2 docker digest to 450e382 (main) by @cilium-renovate in #2327
fix(deps): update module github.com/cilium/cilium to v1.15.4 (main) by @cilium-renovate in #2330
Filter out bash kubernetes healthchecks by @alexeysofin in #2262
chore(deps): update all lvh-images main (main) (patch) by @cilium-renovate in #2328
metrics: Refactor metrics label filter logic by @lambdanis in #2321
Makefile: Do not use $(MAKE) when calling make with docker run by @chancez in #2341
fix(deps): update kubernetes packages to v0.29.4 (main) (patch) by @cilium-renovate in #2344
k8s: Fix CRDs Go code generation by @lambdanis in #2339
chore(deps): update all lvh-images main (main) (patch) by @cilium-renovate in #2346
fix(deps): update module github.com/prometheus/procfs to v0.14.0 (main) by @cilium-renovate in #2351
docs: fix filename-access example by @yukinakanaka in #2335
fix(deps): update module github.com/containers/common to v0.58.2 (main) by @cilium-renovate in #2347
helm: use renovate to update dockerfiles in the Makefile by @mtardy in #2350
contrib: use renovate to update yq image by @mtardy in #2352
fix(deps): update module github.com/cilium/ebpf to v0.15.0 (main) by @cilium-renovate in #2357
renovate: run the Makefile after upgrading image deps by @mtardy in #2364
chore(deps): update helm chart (main) (minor) by @cilium-renovate in #2368
chore(deps): update docker.io/mikefarah/yq docker tag to v4.43.1 (main) by @cilium-renovate in #2367
tetra: no longer show singular getevents cmd flags as deprecated by @mtardy in #2348
Tetragon e2e Test: Run e2e tests in parallel on multiple runners by @Trung-DV in #2354
Add export metrics by @chancez in #2340
helm: Fix name and selector in operator ServiceMonitor by @lambdanis in #2371
helm: Add an option to install CRDs by @lambdanis in #2375
metrics: Refactor metrics label filter logic by @lambdanis in #2373
docs: explicitly state which regex flavour is used for redaction by @f1ko in #2377
docs: update the latest version from the docs with renovate by @mtardy in #2353
fix(deps): update all go dependencies main (main) (patch) by @cilium-renovate in #2383
chore(deps): update quay.io/cilium/tetragon docker tag to v1.0.3 (main) by @cilium-renovate in #2384
chore(deps): update quay.io/lvh-images/kernel-images docker tag to bpf-next-20240426.012726 (main) by @cilium-renovate in #2356
chore(deps): update docker.io/library/golang:1.22.2 docker digest to d5302d4 (main) by @cilium-renovate in #2379
Dockerfile: Remove syntax annotation by @lambdanis in #2385
ci: Skip checkpatch for Renovate PRs by @lambdanis in #2386
metrics: Return a copy of LabelFilter in WithEnabledLabels(nil) by @lambdanis in #2378
chore(deps): update quay.io/lvh-images/kernel-images docker tag to bpf-next-20240429.012831 (main) by @cilium-renovate in #2388
fix(deps): update module k8s.io/kube-openapi to v0.0.0-20240423202451-8948a665c108 (main) by @cilium-renovate in #2390
Prepare for v1.1.0 release by @kkourt in #2392

Full Changelog: v1.1.0-pre.0...v1.1.0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v1.1.0 release