Release notes
Upgrade notes
Read the upgrade notes carefully before upgrading Tetragon.
Depending on your setup, changes listed here might require a manual intervention.
Helm Values
- Running multiple Tetragon operator replicas simultaneously is now supported. Enable it by setting tetragonOperator.replicas=2 and tetragonOperator.failoverLease.enabled=true.
- tetragonOperator.strategy now sets a default rollingUpdate strategy (maxSurge=1, maxUnavailable=0) to reduce downtime during an upgrade.
- The Tetragon operator Deployment now sets a default podAntiAffinity (preferredDuringSchedulingIgnoredDuringExecution) to improve Pod distribution where possible, without enforcing it, so that upgrades do not get stuck on single-node or two-node clusters.
TracingPolicy (k8s CRD)
- FollowFD, UnfollowFD, and CopyFD actions are deprecated in this release (1.4) and are scheduled for removal in the next (1.5).
Metrics
- The tetragon_map_errors_total metric is replaced by map_errors_update_total and map_errors_delete_total.
Changes
total: 298 commits, prs: 110 pr commits: 298
Major Changes
- feat: include ancestors in process events (#2938) by @t0x01
- Add attribute resolution (#3143) by @ScriptSathi
- policies: add support for setting a monitoring mode in tracing policies (#3393) by @kkourt
- Windows: Build tetragon on Windows (Part -1) (#3445) by @ExceptionalHandler
Bugfixes
- [fix] fix probe_read_str return type (#3236) by @arthur-zhang
- tetragon: avoid the agent from hanging in some corner error conditions (#3321) by @kkourt
- Fix in_init_tree flag for processes started before Tetragon. (#3338) by @will-isovalent
- Fix a bug where unloading programs was detaching them even in the case of unpin false (i.e. --keep-sensors-on-exit) (#3347) by @mtardy
- Fix path truncations in event values for cwd and path/file function arguments. The function responsible for reading dentry was upgraded to 4096 but some users were still using the previous limitation of 256. (#3427) by @mtardy
- Use BTF to access skb_ext (#3439) by @xabrouck
- watcher: Fix K8sWatcher.FindPod (#3409) by @lambdanis
Minor Changes
- fix: nspid assign is not correct (#3267) by @arthur-zhang
- bug: fix assign vfsmnt correctly (#3261) by @arthur-zhang
- [bug] matchPIDs is using first pid only (#3255) by @arthur-zhang
- tetragon: Fix override program pin for fmodret and kprobe multi (#3298) by @olsajiri
- doc: note that kernels >= 6.11 require new cgroupv1 configs (#3284) by @tixxdz
- tetragon: Add map_errors_update_total/map_errors_delete_total metrics (#3346) by @olsajiri
- Add support for struct socket and struct sockaddr. (#3358) by @kevsecurity
- tetragon: Add GetExecveEntries function (#3390) by @olsajiri
- helm: add cri.enabled, cri.socketHostPath, and cgidmap.enables variables (#3382) by @kkourt
  metrics: add metrics for cgidmap CRI resolution
- cgroups: relax deployment detection logic (#3400) by @tixxdz
- tetragon: Move extract code into separate function (#3416) by @olsajiri
- gRPC: the deprecated sensors API is now removed. (#3437) by @kkourt
- helm: Removed default toleration (operator: Exists) for the operator Deployment (#3442) by @PhilipSchmid
- Remove kernel version check for LSM Resolve flag (#3415) by @ScriptSathi
- tetragon: Pass argument pointer to extract_arg (#3441) by @olsajiri
- rthooks: Fix rootDir in createRuntime hook (#3466) by @tpapagian
- tetra: increase connection timeout to 30s (#3468) by @kkourt
- tetragon: Add extra bounds check to extract_arg (#3503) by @olsajiri
- helm: Allow extending clusterroles and operator configmap (#3482) by @lambdanis
- tracingpolicy: FollowFD, UnfollowFD, and CopyFD actions are deprecated (#3491) by @kkourt
- pkg/bpf: mount securityfs to check lsm bpf (#3512) by @anfedotoff
- operator: Support running multiple operator replicas simultaneously (#3443) by @PhilipSchmid
CI Changes
- [CI] Fix virt-customize issue in vmtests (#3232) by @tpapagian
- ci: remove buildjet runners and use GitHub arm64 runners (#3280) by @mtardy
- renovate: disable digest update on Dockerfiles (#3285) by @mtardy
- renovate: fix for config change 70ad4e7 (#3286) by @mtardy
- renovate: remove matchBaseBranches on main for grouping rules (#3324) by @mtardy
- renovate: update various versions in source code (#3342) by @mtardy
- CI: build tetragon on every commit of a PR (#3354) by @mtardy
- renovate: Group cel-go together with k8s dependencies (#3383) by @lambdanis
- workflows: only run build every commit on pull request event (#3386) by @mtardy
- renovate: more robust parser for Go version in go.mod (#3401) by @mtardy
- Various renovate config tunings (#3420) by @mtardy
- fix bug in e2e tests and update its dependencies (#3421) by @mtardy
- workflow: fix a bug in build every commit (#3449) by @mtardy
- chore: added verifier tests (#3433) by @AshishNaware
- renovate config: automerge more (#3505) by @mtardy
- ci: Refactor linters, formatters and generators checks (#3509) by @lambdanis
- api: Copy API reference into docs (#3525) by @lambdanis
Documentation changes
- docs: Add dev setup instructions for Apple silicon Macs (#3231) by @michi-covalent
- docs: local dev with Apple Silicon small fixes (#3237) by @mtardy
- docs: remove redundant CLI command in tracing policy example (#3256) by @arthur-zhang
- docs: enhancements to the troubleshooting section (#3238) by @mtardy
- fix: correcting the script path for minikube installation steps in do… (#3111) by @d-cryptic
- Add link to Kubecon NA 2024 talk discussing Tetragon (#3303) by @daxmc99
- fix: Troubleshooting documentation for System dump (#3325) by @z63d
- docs: fix typo referencing kube-system as kubesystem (#3334) by @z63d
- docs: fix the Example jq filter in Observability Policies (#3367) by @z63d
- fix: returnArg index of TracingPolicy is not specified (#3388) by @z63d
- docs: fix tracing policy options (#3470) by @z63d
- docs: Remove incorrect event types from field filter docs examples. (#3489) by @will-isovalent
- docs: fix typo (#3528) by @jetlime
Dependency updates
- fix(deps): update module github.com/cilium/ebpf to v0.17.1 (main) (#3206) by @cilium-renovate[bot]
- fix(deps): update module google.golang.org/grpc to v1.70.0 (main) (#3330) by @cilium-renovate[bot]
- chore(deps): update all github action dependencies (main) (#3387) by @cilium-renovate[bot]
- chore(deps): update docker.io/golangci/golangci-lint docker tag to v1.64.5 (main) (#3398) by @cilium-renovate[bot]
Misc Changes
- start v1.4 development (#3226) by @kkourt
- fix: improve error handling for tracing policies directory access (#3289) by @arthur-zhang
- Add tetra policyfilter listpolicies command (#3122) by @tpapagian
- tetragon: add get_current_task_btf (#3305) by @jrfastab
- bpf: declare maps with __type for key and value (#3307) by @mtardy
- clang-format: use ignore file (#3322) by @kkourt
- Create an AUTHORS file for tetragon (#3319) by @kkourt
- tetra/debug: Clone GetDebugResponse entries (#3343) by @tpapagian
- Add the ability to get process cache entries (#3348) by @tpapagian
- pkg/sensors: pin link in TracingAttach (#3352) by @mtardy
- vmtests: disable TestFastK8s (#3356) by @kkourt
- gitattributes: auto resolve merge conflicts for generated files (#3366) by @will-isovalent
- api: build using buf (#3368) by @will-isovalent
- Refactor CRD defaulting and validation as generic (#3403) by @lambdanis
- buf fixes (#3417) by @kkourt
- ci: fixes for buf workflow (#3418) by @will-isovalent
- api/Makefile: make it work for worktrees (#3419) by @kkourt
- pkg/bpf: remove redundant check from HasLSMPrograms (#3422) by @anfedotoff
- filters: Minor CEL refactoring (#3426) by @lambdanis
- watcher: Refactor K8sWatcher to reuse config and factories (#3413) by @lambdanis
- Revert "pkg/bpf: remove redundant check from HasLSMPrograms" (#3456) by @ScriptSathi
- syscallmetrics: use syscall type (#3462) by @kkourt
- bpf: verification fixes (#3460) by @kkourt
- tetra: add a --reconnect option to getevents command (#3438) by @kkourt
- install/kubernetes: fix typo (#3499) by @kkourt
- main: Split k8s watchers into process metadata and policy (#3524) by @lambdanis
- bpf: Fix complexity issue in selectors (#3523) by @tpapagian
- Prepare for v1.4.0 release (#3545) by @kkourt