github cilium/tetragon v1.7.0


Upgrade notes

Read the upgrade notes carefully before upgrading Tetragon.
Depending on your setup, the changes listed here might require manual intervention.
See the Stack Traces documentation for the stack trace migration.

Helm Values

  • The default server-address of the agent changed from localhost:54321 to the UNIX domain socket /var/run/tetragon/tetragon.sock.
    The socket is also available to root users under the same path on the node. Unlike a TCP listener on localhost, access to it is governed by the socket file's ownership and permissions. Update this address in all third-party programs that connect to the agent.
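As an added example (not from the release notes or the Helm chart itself), the values override that pins the agent's gRPC address. The key path tetragon.grpc.address and the unix:// target form are assumptions about the chart and the gRPC dial syntax; compare them with the chart's values.yaml before applying.

```yaml
# values.yaml override for the tetragon Helm chart (added example).
# Assumption: the chart exposes the agent's gRPC address as tetragon.grpc.address.
tetragon:
  grpc:
    # v1.7.0 default: a UNIX domain socket on the node. Access depends on the
    # socket file's ownership and mode, not on being able to reach localhost,
    # so clients must run on the node (or mount the path) with permission to open it.
    address: "unix:///var/run/tetragon/tetragon.sock"
    # Pre-1.7.0 behaviour, only while a third-party consumer cannot yet dial a
    # socket. This re-exposes the API to anything that can reach the TCP port:
    # address: "localhost:54321"
```

Roll the override out with helm upgrade and then point the consumers (tetra on the node, exporters, custom gRPC clients) at the same address string.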

Events (protobuf API)

  • The legacy stacktrace-tree API has been removed: GetStackTraceTree gRPC,
    tetra stacktrace-tree CLI command, and related types (GetStackTraceTreeRequest,
    GetStackTraceTreeResponse, stack.proto). Use TracingPolicy with
    kernelStackTrace and userStackTrace in the Post action to get stack traces
    in ProcessKprobe events. See the Stack Traces documentation and examples/tracingpolicy/stack_traces.yaml.
  • The already-deprecated EnableTracingPolicy and DisableTracingPolicy gRPC
    methods now return an error when called. For this release, the enable-deprecated-tracingpolicy-grpc
    option restores the old behavior; the next release removes the deprecated methods.
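An added example of the replacement for the removed stacktrace-tree API, written for this page rather than taken from the project's examples/tracingpolicy/stack_traces.yaml: a TracingPolicy that requests both a kernel and a user stack trace from the Post action. The hook (kernel_clone) and the binary filter are illustrative choices; the kernelStackTrace and userStackTrace fields are the ones named in the note above.

```yaml
# Added example: stack traces via a TracingPolicy Post action (not the project's file).
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "fork-stack-traces"
spec:
  kprobes:
  - call: "kernel_clone"
    syscall: false
    selectors:
    # Stack collection runs for every matching event, so narrow the selector
    # instead of tracing every fork on the node (illustrative filter).
    - matchBinaries:
      - operator: "In"
        values:
        - "/usr/bin/bash"
      matchActions:
      - action: Post
        kernelStackTrace: true
        userStackTrace: true
```

Apply it with kubectl apply -f and read the traces from the stack trace fields of the ProcessKprobe events emitted for matching forks; drop the matchBinaries filter only on a node where the extra per-event cost is acceptable.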

Metrics

  • Kprobe and uprobe merge metrics have been consolidated.
    The following metrics were removed:
    • tetragon_generic_kprobe_merge_errors_total
    • tetragon_generic_kprobe_merge_ok_total
    They are replaced by tetragon_generic_kprobe_merge_total, which carries a status label with the values ok or error,
    together with the labels curr_type and prev_type (either enter or exit), curr_fn, and prev_fn.
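An added example, not part of the release or the project, of how a dashboard or alert that used the two removed counters maps onto the new labelled metric. The group name, recording-rule names, threshold and severity are arbitrary choices.

```yaml
# Added example: Prometheus rules migrated to tetragon_generic_kprobe_merge_total.
groups:
- name: tetragon-merge
  rules:
  # Pre-1.7.0 equivalent: rate(tetragon_generic_kprobe_merge_errors_total[5m])
  - record: tetragon:kprobe_merge_errors:rate5m
    expr: sum(rate(tetragon_generic_kprobe_merge_total{status="error"}[5m]))
  # Pre-1.7.0 equivalent: rate(tetragon_generic_kprobe_merge_ok_total[5m])
  - record: tetragon:kprobe_merge_ok:rate5m
    expr: sum(rate(tetragon_generic_kprobe_merge_total{status="ok"}[5m]))
  # The new labels identify which enter/exit pair of hooks failed to merge,
  # which the two unlabelled counters could not express.
  - alert: TetragonKprobeMergeErrors
    expr: |
      sum by (curr_fn, prev_fn, curr_type, prev_type) (
        rate(tetragon_generic_kprobe_merge_total{status="error"}[5m])
      ) > 0
    for: 10m
    labels:
      severity: warning
    annotations:
      summary: "Tetragon failed to merge {{ $labels.prev_type }}/{{ $labels.curr_type }} events for {{ $labels.prev_fn }} -> {{ $labels.curr_fn }}"
```

Load the file as a Prometheus rule file (or wrap the groups in a PrometheusRule object) and retire any panel that still queries the removed counter names, which stop being scraped after the upgrade.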

Changes

Major changes

Bugfixes

  • Fix memory leaks in process and event caches (#4255) by @mtardy
  • feat: allow LSM funcs to be overridden on SLE (#4158) by @holyspectral
  • helm: Handle tetragon.enabled value properly (#4285) by @michi-covalent
  • bug: Avoid overwritten slogLeveler (#4287) by @sayboras
  • Fix LSM sensor failing to load with --enable-cgidmap due to tg_cgtracker_map size mismatch (#4391) by @ariosmon
  • fix(pkg/sensors): fixed ret{k,u}probe_calls map builder invocation. (#4397) by @FedeDP
  • elf: handle spaces found in arm64 stapsdt (#4426) by @andrewstrohman
  • fix(pkg/sensors): fixed {k,u}retprobe args merge helper. (#4494) by @FedeDP
  • uprobe: add support for monitor mode and stats (#4662) by @kkourt
  • fix(grpc/exec): fix RefDec in exit's eventcache path (#4593) by @dwindsor
  • logger: do not ignore time-stamped formats (#4667) by @kkourt
  • fix(pkg/sensors): skip nested ptr detection for indexed array access. (#4519) by @FedeDP
  • add set action stats (#4762) by @kkourt
  • helm: fix rthooks container resources not being applied (#4766) by @PhilipSchmid
  • tetragon: policies can now be loaded even if kptr_restrict is equal to 2 (#4765) by @FedeDP
  • bpf: Fix mnt_namespace RHEL7 fallback writing to wrong field (#4785) by @sayboras
  • Fix tetragon_overhead_program_seconds_total metric to correctly report seconds instead of nanoseconds (#4830) by @danilovid
  • fix(bpf): define _MULTI_KPROBE macro when needed. (#4849) by @FedeDP
  • Fix an infinite loop when using range notation with math.MaxUint64 as upper bound (#4848) by @3u13r
  • pkg/tetragoninfo: read previously ignored value returned by errors.Join in encode configuration function. (#4901) by @mtardy
  • pkg/policyfilter: copy Pod labels to avoid mutations (#4916) by @mtardy
  • fix: handle matchBinaries NotIn when execve_map misses process (#4641) (#4654) by @mann-ds
    • fix: handle matchBinaries NotIn when execve_map misses process (#4641)
    • bpf: zero stale pkey and flags in event_find_curr_probe
    • tests: add matchBinaries NotIn tests for perfring and early-exec cases
  • Add tetragon_process_cache_early_deletions_total metric to improve observability of process cache GC early deletions. (#4884) by @lbcristaldo

Minor changes

  • pkg/sensors: reduce socktrack map memory footprint (#4211) by @kyledong-suse
  • new(pkg/elf): add usdt_args_arm64 impl. (#4203) by @FedeDP
  • new(bpf,pkg,docs): use tracefs instead of debugfs. (#4252) by @FedeDP
  • Add uretprobe support for uprobes, like kprobes, which means support for return, returnArg and args.returnCopy. (#4193) by @FedeDP
  • tetragon: support (u)int8/16 selectors (#4171) by @andrewstrohman
  • tetragon: arm fixes (#4290) by @olsajiri
  • uprobe: support for resolve: (#4286) by @andrewstrohman
  • uprobe: support match args (#4296) by @andrewstrohman
  • tetragon: Display error when usdt probe is not found in binary (#4313) by @olsajiri
  • new: retprobes events cache size option (#4266) by @FedeDP
  • tetragon: kprobe/uprobe registers data retrieval (#4267) by @olsajiri
  • tester-progs: make clean should remove libs too (#4361) by @andrewstrohman
  • new: monitor only mode (#4316) by @FedeDP
  • tetragon: assorted fixes (#4376) by @olsajiri
  • metrics: new node_name label (#4382) by @AritraDey-Dev
  • new(cmd/tetra): add explain command for standalone CRD documentation (#4362) by @AritraDey-Dev
  • tetragon: unloader fixes (#4400) by @olsajiri
  • tetragon/windows: Case insensitive Windows Paths for processes (#4423) by @ExceptionalHandler
    • Tetragon on Windows now reports Windows process image_paths in lowercase only
  • Add a separate configuration option for enabling ancestors for ProcessLoader events (#4421) by @t0x01
  • pkg/btf : Add resolution of array (#4409) by @tdaudi
  • support uprobe register override on arm64 (#4443) by @andrewstrohman
  • tetragon: assorted fixes (#4390) by @olsajiri
  • tetragon: split process event tail call (#4439) by @olsajiri
  • procevents: Fix container enrichment for plain Docker containers by supporting additional cgroup path patterns (e.g., /docker/). (#4503) by @puwun
  • fix data source pt_regs resolve on arm64 (#4499) by @andrewstrohman
  • Added tetragon_debug_events_total metric to separate non-critical issues from actual errors. (#4416) by @AritraDey-Dev
  • selectors: minor fixes (#4526) by @kkourt
  • api/ops: Add missing MSG_OP_GENERIC_USDT to OpCodeStrings (#4543) by @sayboras
  • tetragon: remove v6.12 variant and introduce config variables (#4524) by @olsajiri
  • tetragon: add support to preload user strings (#4489) by @olsajiri
  • Add regex support for namespace filtering in export allow/deny lists (#4554) by @AritraDey-Dev
  • bpf: break up arg filter tail call to increase instruction budget (#4527) by @andrewstrohman
  • tetragon: add current_task resolve support for uprobes (#4551) by @olsajiri
  • fix: Change kernel config detection failure to info level (#4545) by @dangome3
  • cgroup: Check cgroup level with tracking level (#4540) by @sayboras
  • process cache: add a metric for capacity evictions (#4574) by @kkourt
  • fix(pkg/sensors): uprobe and usdt sensors configure cgtracker map (#4576) by @FedeDP
  • tetragon: Do not process stack data when it's not present (#4575) by @olsajiri
  • tetragon: Do proper error path cleanup in uprobeAttachExtra (#4604) by @olsajiri
  • Fix issue with returnCopy (#4608) by @andrewstrohman
  • tetragon: add support for substring operators (#4393) by @olsajiri
  • gRPC info (#4583) by @kkourt
  • Enable uprobe preload arg reading for "args" config and for arm64 (#4546) by @andrewstrohman
  • fix data source pt_regs + resolve (#4638) by @andrewstrohman
  • Added support for all selectors (like argument matching) in uprobe policies. (#4565) by @AritraDey-Dev
  • bpf: use the correct index for pt_regs config (#4642) by @andrewstrohman
  • docs: add missing index field to data section examples (#4640) by @dangome3
  • Revert "fix(pkg/sensors): fixed {k,u}retprobe args merge helper." (#4633) by @andrewstrohman
  • Adds process cache and execve map dumps to tetra bugtool generated tarball (#4610) by @dangome3
  • Enable sleep-able USDT argument reading (#4606) by @andrewstrohman
  • tetragon: assorted fixes (#4635) by @olsajiri
  • Revert "ci: Fix package e2e tests GHA" (#4686) by @andrewstrohman
  • add uprobe preload + resolve test (#4666) by @andrewstrohman
  • handle resolve of NULL pointers (#4327) by @andrewstrohman
  • helm: rename clusterrolebinding template to .yaml (#4631) by @shuv-amp
  • uprobe: fix metadata marking of preload arg (#4694) by @andrewstrohman
  • Add FileType and NotFileType selectors to filter events by file type (e.g., pipes, sockets, or regular files). (#4609) by @AritraDey-Dev
  • selectors: add selectors macros syntactic sugar (#4548) by @kobrineli
  • tetragon: string related fixes (#4692) by @olsajiri
  • feat : Add support to resolve attributes in kernel modules (#4569) by @tdaudi
  • tetragon: Fix substring filter to match all possible spec values (#4703) by @olsajiri
  • bpf: improve arg index masking (#4607) by @andrewstrohman
  • Bugtool now supports collecting extra files registered by the daemon at startup via a separate JSON manifest file. (#4704) by @will-isovalent
  • Introduces WaitCRDsWithResync function with cache pre-check, configurable resync period, cancel-context awareness, and eliminates SharedIndexInformer race conditions by avoiding RemoveInformer calls. (#4706) by @shpalani
  • Fixed NotEqual operator for integer matchArgs with multiple values (#4624) by @AritraDey-Dev
  • Document kernel compatibility issue for security_path_truncate on kernels 6.2+ and add compact encoder support for security_file_truncate. (#4679) by @AritraDey-Dev
  • tetragon: tracing tests cleanup (#4742) by @olsajiri
  • celbpf: support multi-kprobes (#4717) by @kkourt
  • Removed legacy stacktrace-tree API. Use TracingPolicy with kernelStackTrace/userStackTrace for stack traces. (#4749) by @proxymoroniic
  • new: log-file option (#4378) by @FedeDP
  • new: event log grpc service (#4508) by @FedeDP
  • Makefile: don't rely on PWD (#4737) by @andrewstrohman
  • bpf: add error metrics for stale override/offload map entries (#4787) by @sayboras
  • updates google.golang.org/grpc to v1.79.3 (#4777) by @dangome3
  • bpf: enable __builtin_memcmp() macro definition (#4786) by @sayboras
  • feat: Extract uprobe target names and offsets from stripped go binaries (#4721) by @dwindsor
  • cel: add uprobe support and make filter not match if arg could not be read (#4728) by @andrewstrohman
  • Add global --max-recv-size flag to tetra CLI to configure the maximum gRPC receive message size (default 10MB, up from 4MB). (#4798) by @will-isovalent
  • Add support for security_bpf_map_create (Linux 6.9+) in the compact encoder and example policies to replace the renamed security_bpf_map_alloc hook. (#4752) by @hayama17
  • tetragon: Remove the bpf_kfunc tag check from detectKfunc (#4809) by @olsajiri
  • Added pre-validation for tracepoints and LSM hooks to reject invalid TracingPolicies before BPF resources are created. (#4708) by @AritraDey-Dev
  • consolidate kprobe and uprobe merge logic and metrics into a unified format. (#4757) by @AritraDey-Dev
  • tetragon: Load properly on kernels without module support (#4834) by @olsajiri
  • tracingpolicy: specify limit for MatchBinaries in a single selector in the CRD (#4850) by @kkourt
  • tetragon/windows: Fix process_exit event on Windows (#4859) by @ExceptionalHandler
  • tetragon: Fail properly in OffsetFromAddr function (#4866) by @olsajiri
  • Revert "tetragon/windows: Fix process_exit event on Windows" (#4865) by @ExceptionalHandler
  • Expose Tetragon Agent over UNIX domain socket instead of localhost (#4882) by @3u13r
  • hubble-fgs/windows: Fix process_exit event on Windows (#4880) by @ExceptionalHandler
  • tracing: add policy information when logging errors in event parsing (#4890) by @kkourt
  • uprobe-test-1: have libs relative to binary (#4881) by @kkourt
  • Fix null spec.{pod, container, host}Selectors (#4889) by @tpapagian
  • fix : add enum support for resolve (#4800) by @tdaudi
  • Handle NULL pointers for string args (#4863) by @andrewstrohman
  • Load programs that reference kfuncs when an external BTF file is used. (#4895) by @andrewstrohman
  • refactor: Replace ebpf.Map with program.Map for policy filter (#4501) by @sayboras
  • Simplify workload selectors (#4917) by @tpapagian
  • celbpf: remove arg indirection (#4908) by @andrewstrohman
  • feat: add support for AF_UNIX socket path via sockaddr_un (#3980) by @AshishNaware
      • Added decoding support for sockaddr_un in security_socket_connect events.
      • Tetragon can now extract and emit UNIX socket paths from AF_UNIX addresses.
      • Supports observability into socket-based interactions like containerd.sock and docker.sock.
      • Selectors support Family and Equal, NotEqual, Prefix, NotPrefix on the path
      • Requires linux 5.11+
  • usdt: configure sensor's selector maps (#4927) by @andrewstrohman
  • helm/tetragon: expose tetragon.sock to host (#4922) by @3u13r
  • ReturnArgAction now only accepts TrackSock/UntrackSock for kprobe return args; unsupported values like Post are rejected to prevent silent no-ops. (#4601) by @shuv-amp

CI changes

  • workflows: fix release image display digest step (#4233) by @mtardy
  • fix(pkg/btf): fix FindBTFStruct to return first found btf type in case of multiple matches (#4264) by @FedeDP
  • link-checkers: ignore certificate related issues (#4295) by @mtardy
  • tetragon: enable loader test (#4320) by @olsajiri
  • workflows: run static checks on every PR without exceptions (#4326) by @mtardy
  • Makefile.cli: make CLI compilation parallelizable (#4317) by @mtardy
  • fix(pkg/testutils): fix flakiness in progs::TestExec. (#4344) by @FedeDP
  • selectors: skip TestNamespaceValueStr on EACCES (#4355) by @kkourt
  • tetragon/windows: Upgrade CI to use efw 1.0.0-rc1 (#4356) by @ExceptionalHandler
  • tests:pkg/sensors: Use JsonTestExpect() for negative tests (#4352) by @GGh41th
  • renovate: allow to update k8s related deps (#4468) by @mtardy
  • ci: Add LTS 6.18 kernel image version in vmtests.yml (#4495) by @sayboras
  • tetragon: Fix TestMatchBinariesFollowChildrenUpdate test (#4496) by @olsajiri
  • docs: Exclude nakryiko.com from automated link checker to prevent false positives (#4510) by @puwun
  • Refactor and cleanup Windows CI (#4520) by @ygvalent
  • vmtests: Migrate logrus to slog (#4538) by @sayboras
  • ci: Add check to ensure errmetrics file IDs are in sync (#4561) by @sayboras
  • #4658 (#4658) by @sayboras
  • ci/e2e: Fallback to load images from registry (#4657) by @sayboras
  • ci: bump RHEL8 version to RHEL 8.10 (#4655) by @sayboras
  • chore: Remove TestFastK8S in skip (#4567) by @sayboras
  • policytest: new testing framework for Tetragon (#4639) by @kkourt
  • parameters for policytests (#4756) by @kkourt
  • renovate: Bump golang to 1.25 for all stable versions (#4788) by @sayboras
  • build(renovate): enable shell executor for post-upgrade commands (#4804) by @dangome3
  • cleanup(ci): avoid x-compilation in packages-e2e-tests CI. (#4858) by @FedeDP
  • chore(ci): try to improve reliability of windows smoke tests. (#4891) by @FedeDP
  • ci: remove azure apt mirrors (#4894) by @dangome3

Documentation changes

  • docs: update sysdump command from old cilium-cli to cilium (#4240) by @AritraDey-Dev
  • Docs: Correct Network Monitoring event details (#4214) by @AritraDey-Dev
  • docs: improve the contributor guide submit a pull request section (#4246) by @mtardy
  • chore: add users.md file for tetragon adopters (#4276) by @paularah
  • fix(docs): correct apiVersion and kind casing in TracingPolicy examples (#4288) by @littlejo
  • docs: Enhance kernel configuration FAQ with 'tetra probe config' guidance (#4248) by @AritraDey-Dev
  • Chore: Remove Kubecon NA 2025 banner (#4341) by @thisisobate
  • Add Reddit to USERS.md (#4368) by @xmulligan
  • docs: Update runtime-hooks installation instructions (#4386) by @dangome3
  • docs: add FAQ entry for kernel lockdown and improve warning message (#4381) by @dangome3
  • Reflect support for the followChildren NotIn operator in documentation (#4441) by @t0x01
  • Correction of cgroup-rate mentioned limitations (#4457) by @avi028
  • docs: document socket tracking limitations including LRU map overflow risks and socket sharing behavior (#4521) by @puwun
  • docs: add a snippet for details on installing Tetragon on Talos Linux v1.12.0+ (#4547) by @BobyMCbobs
  • docs: Fix outdated TracingPolicy selector limitations (Max Selectors: 8 -> 5, Max MatchArg Values: 1 -> 4) (#4549) by @puwun
  • docs: add kernel version-specific selector limitations (#4553) by @puwun
  • [docs]: Add section on matchBinaries behavior with shebang scripts (#4577) by @ariosmon
  • Chore: Add KubeCon EU 2026 to Announcement banner (#4585) by @thisisobate
  • docs: add namespace access monitoring use case (#4588) by @puwun
  • docs: document argument types for kprobes and tracepoints (#4626) by @puwun
  • docs: add warning about hooking to syscalls (#4767) by @ferozsalam
  • Chore: Remove KubeCon EU 2026 Banner (#4831) by @thisisobate

Dependency updates

  • chore(deps): update docker.io/golangci/golangci-lint docker tag to v2.6.0 (main) (#4275) by @cilium-renovate[bot]
  • chore(deps): update docker.io/golangci/golangci-lint docker tag to v2.8.0 (main) (#4492) by @cilium-renovate[bot]
  • chore(deps): update all github action dependencies (main) (#4486) by @cilium-renovate[bot]
  • chore(deps): update all lvh-images main (main) (patch) (#4648) by @cilium-renovate[bot]
  • deps: Update github.com/cilium/ebpf to v0.21.0 (#4790) by @tpapagian

Misc changes

Other changes

  • Add support for running tracing policies on kind clusters (#4668) by @dangome3
