Release v1.3.0

Please update the description with the actual release notes and publish the release.
See the release issue for instructions.

If this release was created from a test tag, please delete it.

v1.3.0

total: 364 commits, prs: 130 pr commits: 364

Upgrade notes

Read the upgrade notes carefully before upgrading Tetragon.
Depending on your setup, changes listed here might require a manual intervention.

• Behavior of export-file-perm flag (and corresponding Helm value tetragon.exportFilePerm) changed. In case the export file exists, but has different permissions than specified in the option, Tetragon will change the file permissions on the next log rotation. In older versions, log rotation preserved permissions of the existing file. Before upgrading check if permissions of the existing export file match the option (600 by default), and set the agent flag or Helm value to the desired value if needed.

Events (protobuf API)

New events for syscall64 type

Previous versions of Tetragon did not distinguish between different ABIs when using the syscall64 type
because the output was just a size_arg with the id. When executing the getcpu syscall, for example, the JSON
for 64- and 32-bits would be:

"args":[{"size_arg":"309"}]
"args":[{"size_arg":"318"}]

Note that id 318 for x86_64 is a different syscall: getrandom so we cannot distinguish between a getrandom syscall on x86_64
and a getcpu call on 32-bit (i386). To address this issue, the output of syscall64 was changed to a SyscallId object that
also includes the ABI. So the JSON for 64- and 32-bits getcpu now is:

"args":[{"syscall_id":{"id":309,"abi":"x64"}}]
"args":[{"syscall_id":{"id":318,"abi":"i386"}}]

Users that want to maintain the old behavior can use the --enable-compatibility-syscall64-size-type flag for this version.
The flag will be removed in v1.4.

Metrics

• tetragon_ratelimit_dropped_total metric is renamed to tetragon_export_ratelimit_events_dropped_total

Major Changes:

• IMA hashes in LSM events (#2818) by @anfedotoff
• tetragon: add support for associating pod information when nested cgroups are used (#3170) by @kkourt

Bugfixes:

• Fix clone event eventcache retry handler when missing pod info. (#2899) by @tpapagian
• pkg/sensors: fix memory use of unloaded sensors (#3021) by @mtardy
• tetragon: fix the process exit signal when core dumped (#3039) by @justin0u0
• tetragon: improve how we handle cgroupv1 and cgroupv2 (#3053) by @tixxdz
• [metrics] Fix overhead_program metrics for return probes (#3074) by @tpapagian
• exec: fix tracking of matchBinary children (#3186) by @kkourt

Minor Changes:

• Refactor & rename ratelimit metrics (#2890) by @lambdanis

• bpf: improve the bpffs layout of tetragon objects (#2128) by @olsajiri

• tetragon: Assorted fixes (#2906) by @olsajiri

• tetragon: assorted fixes (#2926) by @olsajiri

• tracing: support 32-bit ARM (aarch32) syscalls (#2898) by @kkourt

• tetragon: Fix map PinPath setup in case the map is shared (#2944) by @olsajiri

• Added metrics for LRU data cache (#2908) by @AshishNaware

• tetragon: Factor grpc exec events test (#2952) by @olsajiri

• bpf: support all operators (including Mask) for the syscall64 type (#2948) by @kkourt

• tetragon: Add map ownership (#2945) by @olsajiri

• tracingpolicy: add BPF operations support (#2943) by @tixxdz

• Add an "enabled" switch to enable/disable the gops server via the Helm chart. It is now disabled by default. (#2961) by @XelK

• Enabled tetra bash autocompletion in the Tetragon image (#2965) by @PhilipSchmid

• tetragon: sensor cleanup fixes (#2968) by @olsajiri

• tracing: include ABI information for syscall64 type (#2986) by @kkourt

• tetra: Add debug progs command (#2967) by @olsajiri

• Expose BPF map kernel memory use by tracing policy via the gRPC API and the metrics. Use tetra tp list to see the breakdown of BPF map memory use by policy or look for the tetragon_tracingpolicy_kernel_memory_bytes metric. (#2984) by @mtardy

• tetragon: Use namespace in sensor policy directory (#2987) by @olsajiri

• tetragon: Unpin map only if you are owner (#3004) by @olsajiri

• enforcer: add tetragon_enforcer_missed_notifications_total metric (#2994) by @kkourt

• ci:github: retry Test Tetragon on failure (#3001) by @tixxdz

• Add an optional cluster_name field to GetEventsResponse (#3025) by @michi-covalent

• tetragon: Make sure lsm programs return bounded value (#3032) by @olsajiri

• tetragon: Fix TestCopyFd test on new v5.10 kernels (#3037) by @olsajiri

• metrics: add version to build information (#3035) by @kkourt

• Remove --expose-kernel-addresses and --pprof-addr flags (#3042) by @michi-covalent

• Remove --enable-process-ancestors flag (#3043) by @michi-covalent

• tetra: fix --policy-names to apply all event types (#3044) by @justin0u0

• api: add bpf program types (#2997) by @tixxdz

• tetragon: Fix TestExitSignal test (#3055) by @olsajiri

• helm: Add part-of and component labels (#3052) by @lambdanis

• tetragon: Add overhead metrics (#3040) by @olsajiri

• tetragon: Load base sensor via sensor manager (#3045) by @olsajiri

• crd: Added shortnames and catagory for Tetragon CRDs (#3065) by @PhilipSchmid

• tetragon: Move procevents.GetRunningProcs call from base sensor load (#3097) by @olsajiri

• Add Common Expression Language filter (#3098) by @michi-covalent

• tetragon: un/pin fixes (#3079) by @olsajiri

• tetragon: Allow multiple symbol instances in kprobe spec (#3121) by @olsajiri

• tetragon: Unflake the TestGeneratedExecEvents test (#3141) by @olsajiri

• tetragon: Setup tailcalls directly in bpf programs (#3002) by @olsajiri

• Implement new regex filter type for parent process arguments. (#3155) by @will-isovalent

• tetragon: update bpf makefile (#3159) by @olsajiri

• sensors: reduce logging information by not emitting one line per map/prog being loaded by default (#3174) by @kkourt

• cgtracker: add policyfilter support (#3180) by @kkourt

• tetragon: Remove not needed rule commands (#3197) by @olsajiri

• • Introduce the in_init_tree flag for process events which indicates whether a process spawned from its container's init process tree (#3209) by @will-isovalent

  • Introduce a container_id export filter

  • Introduce an in_init_tree export filter

• tetragon: setup to let match binary names use args as well (#3210) by @jrfastab

• • add IP and CIDR helpers to CEL filters (#3211) by @will-isovalent

CI Changes:

• renovate: run make vendor on any Go update (#2909) by @mtardy
• CI: Improved lint Helm CI workflow (#2971) by @PhilipSchmid
• vmtests: use ubuntu-latest (#2985) by @kkourt
• vmtests: install dhclient (#3005) by @kkourt
• workflows: fix usage of untrusted input in check links (#3029) by @mtardy
• workflows: use GitHub arm64 runners instead of actuated (#3034) by @mtardy
• workflows: simplify build image CI (#3031) by @mtardy
• Renovate: Extend Helm files coverage (#3077) by @lambdanis
• Fixes and QoF improvements on renovate config (#3132) by @mtardy
• workflows: only run cron jobs on main repo (#3139) by @mtardy
• digestcheck: take a list of files as input (#3145) by @mtardy

**Documentatio...

Release v1.2.1

Changes from v1.2.0 to v1.2.1

Bugfixes:

• [backport/v1.2][bugfix] Fix clone event caching due to missing pod info
• [v1.2] helm: Remove deprecated tetragon.skipCRDCreation value

Minor Changes:

• tetragon: make eventCache number of retries and delays tunable.
• tetragon: pod association: add a cache for deleted pods
• Implement new regex filter type for parent process arguments.

Misc Changes:

• Prepare for v1.2.0 release
• helm: Set rthooks.podSecurityContext to empty by default
• chore: update containers/common
• [v1.2 backport] Memory optimizations: remove BTF and kallsyms caches
• [backport/v1.2] Add support to dump processLRU
• [backport/v1.2] Add support to exclude valid processes from dump processCache
• Backports/v1.2: tetragon: probe_read usage may cause issues with newer kernels
• Prepare for v1.2.1 release

What's Changed

• [backport/v1.2][bugfix] Fix clone event caching due to missing pod info by @tpapagian in #2903
• [v1.2] helm: Remove deprecated tetragon.skipCRDCreation value by @lambdanis in #2924
• helm: Set rthooks.podSecurityContext to empty by default by @michi-covalent in #2934
• v1.2 backports by @kkourt in #2958
• chore: update containers/common by @kkourt in #3008
• chore(deps): update docker.io/library/golang:1.22.6 docker digest to a632201 (v1.2) by @cilium-renovate in #3015
• fix(deps): update module github.com/containers/common to v0.60.4 [security] (v1.2) by @cilium-renovate in #3014
• chore(deps): update go to v1.22.8 (v1.2) (patch) by @cilium-renovate in #3017
• chore(deps): update docker.io/library/alpine docker tag to v3.20.3 (v1.2) by @cilium-renovate in #3016
• chore(deps): update docker.io/library/golang:1.22.8 docker digest to 0ca97f4 (v1.2) by @cilium-renovate in #3022
• fix(deps): update module github.com/cilium/cilium to v1.15.10 [security] (v1.2) by @cilium-renovate in #3028
• [v1.2 backport] Memory optimizations: remove BTF and kallsyms caches by @mtardy in #3036
• [backport/v1.2] Add support to dump processLRU by @tpapagian in #3038
• [backport/v1.2] Add support to exclude valid processes from dump processCache by @tpapagian in #3104
• Backports/v1.2: tetragon: probe_read usage may cause issues with newer kernels by @kevsecurity in #3105
• chore(deps): update docker.io/library/alpine:3.20.3 docker digest to 1e42bbe (v1.2) by @cilium-renovate in #3137
• chore(deps): update go to v1.22.9 (v1.2) (patch) by @cilium-renovate in #3138
• backports/v1.2: filters: implement parent_arguments_regex by @will-isovalent in #3157
• Prepare for v1.2.1 release by @tpapagian in #3168

Full Changelog: v1.2.0...v1.2.1

v1.2.0

v1.2.0 Releases notes

Upgrade notes

Read the upgrade notes carefully before upgrading Tetragon.
Depending on your setup, changes listed here might require a manual intervention.

Helm Values

• Tetragon container now uses the gRPC liveness probe by default. To continue using "tetra status" for liveness probe,
  specify tetragon.livenessProbe Helm value. For example:

tetragon:
  livenessProbe:
     timeoutSeconds: 60
     exec:
       command:
       - tetra
       - status
       - --server-address
       - "54321"
       - --retries
       - "5"

• Deprecated tetragonOperator.skipCRDCreation Helm value is removed. Use crds.installMethod=none instead.

• tetragon.ociHookSetup Helm value is deprecated. Use tetragon.rthooks instead.

Events (protobuf API)

• Sensor managing methods have been deprecated:
  • ListSensors
  • EnableSensor
  • DisableSensor
  • RemoveSensor

Metrics

• tetragon_policyfilter_metrics_total metric is renamed to tetragon_policyfilter_operations_total, and its op
  label is renamed to operation.
• tetragon_missed_events_total metric is renamed to tetragon_bpf_missed_events_total.
• Metrics related to ring buffer and events queue are renamed:
  • tetragon_ringbuf_perf_event_errors_total -> tetragon_observer_ringbuf_errors_total
  • tetragon_ringbuf_perf_event_received_total -> tetragon_observer_ringbuf_events_received_total
  • tetragon_ringbuf_perf_event_lost_total -> tetragon_observer_ringbuf_events_lost_total
  • tetragon_ringbuf_queue_received_total -> tetragon_observer_ringbuf_queue_events_received_total
  • tetragon_ringbuf_queue_lost_total -> tetragon_observer_ringbuf_queue_events_lost_total
• tetragon_errors_total{type="process_cache_evicted"} metric is replaced by tetragon_process_cache_evicted_total.
• tetragon_errors_total{type=~"process_cache_miss_on_get|process_cache_miss_on_remove"} metrics are replaced by
  tetragon_process_cache_misses_total{operation=~"get|remove"}.
• tetragon_event_cache_<entry_type>_errors_total metrics are replaced by
  tetragon_event_cache_fetch_failures_total{entry_type="<entry_type>"}.
• tetragon_event_cache_accesses_total metric is renamed to tetragon_event_cache_inserts_total.
• tetragon_event_cache_retries_total metric is renamed to tetragon_event_cache_fetch_retries_total.
• tetragon_errors_total{type="event_missing_process_info"} metric is replaced by
  tetragon_events_missing_process_info_total.
• tetragon_errors_total{type="handler_error"} metric is removed. Use tetragon_handler_errors_total instead.

Major Changes:

• feat: Username for process_exec events (#2369) by @anfedotoff
• tetragon: Allow persistent enforcement during tetragon restart (#2600) by @olsajiri
• LSM sensor (#2566) by @anfedotoff

Bugfixes:

• bpf: use CORE for execve hook (#2399) by @kkourt
• Don't create PodInfo if the pod is being deleted (#2431) by @michi-covalent
• tetragon: allow namespaced and non-namespaced policies to have the same name (#2337) by @joshuajorel
• operator: Don't start metrics server if Helm value tetragonOperator.prometheus.enabled is set to false. (#2484) by @yukinakanaka
• enforcer: fix issue when using multiple calls with fmod_ret (#2524) by @kkourt
• Reduce the kernel memory footprint (accounted by the cgroup memory controller) of the stack trace feature when unused. (#2546) by @mtardy
• Reduce the kernel memory footprint (accounted by the cgroup memory controller) of the ratelimit feature when unused (around ~10MB per kprobe). (#2551) by @mtardy
• Reduce the kernel memory footprint (accounted by the cgroup memory controller) of the fdinstall feature when unused (around ~11MB per kprobe). (#2563) by @mtardy
• Do not increase the reference count when we cannot find a parent in kthreads. (#2620) by @tpapagian
• Reduce the kernel memory footprint (accounted by the cgroup v2 memory controller) of the override feature when unused (around ~3MB per kprobe). (#2692) by @mtardy
• Fix a bug related to the matchBinaries Prefix operator by increasing the buffer size used by our dentry walk. Now the matchBinaries Prefix operator can correctly trigger a match on any path above 255 chars. (#2764) by @mtardy
• Fix a bug where the tetra getevents command would timeout even if the connection was successful. (#2765) by @mtardy
• Fix missing cases in the compact encoder for tetra. (#2819) by @willfindlay
• add support for pod association via cgroup id (#2776) by @kkourt
• Allow disabling gRPC either by selecting 'enabled:false' in the helm chart or by passing an empty address to the agent (#2826) by @kkourt
• Fix tetragon_process_cache_size metric (#2827) by @lambdanis

Minor Changes:

• proc: set auid to -1 for generated kernel pid 0 (#2400) by @tixxdz
• Wait for Tetragon's images exist before run test (#2401) by @Trung-DV
• tetragon: Add cgroup rate support (#2177) by @olsajiri
• oci-hook: allow users to set a list of namespace exceptions and define default (#2404) by @f1ko
• test: fix TestTraceKernelModule test (#2433) by @tixxdz
• tetragon: Add inline function macro (#2452) by @olsajiri
• helm: Add tetragon.livenessProbe value (#2469) by @michi-covalent
• tetragon: Use static funcs in few places (#2453) by @olsajiri
• btf: print original error returned by ebpf btf.TypeByName() (#2458) by @tixxdz
• tetragon: cache username lookups (#2448) by @tixxdz
• helm: Remove deprecated tetragon.skipCRDCreation value (#2498) by @lambdanis
• btf: take first entry on multiple btf validation (#2488) by @tixxdz
• tetragon: Add LoadProgramOpts function (#2489) by @olsajiri
• tetragon: Remove bpf_globals object (#2521) by @olsajiri
• sensors: allow reporting policy status when loading/unloading sensors (#2506) by @kkourt
• tetragon: Limit max entries of cgroup_rate_map when it's not used (#2555) by @olsajiri
• tetragon: Factor the maps max entries setup (#2565) by @olsajiri
• tetragon:username: use login name instead of display name (#2585) by @tixxdz
• process:bpf: report euid as the process.uid (#2575) by @tixxdz
• Implement an export filter to target parent process binary name. (#2607) by @willfindlay
• tetragon: fail if --username-metadata receives invalid value (#2596) by @tixxdz
• tetragon: resolve uid to username for exec events from /proc fs (#2588) by @tixxdz
• cmd: Move metrics-docs out of tetra and refactor it (#2611) by @lambdanis
• Reorg to factor mac entries setup and add a max entries test (#2587) by @olsajiri
• tetragon: Add debug interface to track cgroups to workload/ns mappings (#2540) by @jrfastab
• rthooks: support NRI (#2608) by @kkourt
• helm, doc: Added debug Helm flag for the agent (#2622) by @PhilipSchmid
• deprecate sensors gRPC API (#2630) by @kkourt
• helm: Don't give operator permissions to create CRDs if not needed (#2326) by @itsCheithanya
• store thread leader namespaces at fork and reduce false positives (#2695) by @tixxdz
• tetragon: make resolving uid to username work with a processapi struct (#2705) by @tixxdz
• tetra: LSM events compact print support (#2703) by @anfedotoff
• tetragon: only allow single instance to run on a node (#2747) by @inliquid
• tetragon: Factor loader tailcall setup (#2719) by @olsajiri
• tracing: introduce FollowChildren attribute in MatchBinaries selector (#2720) by @kkourt
• Add missed probes metrics (#1941) by @olsajiri
• tetragon_policyfilter_metrics_total metric is renamed to tetragon_policyfilter_operations_total, and its op label is renamed to operation. (#2784) by @lambdanis
• tetragon: persistent monitoring fixes (https://github.com/cilium/t...

Release v1.1.2

Upgrade notes for version v1.1.2

Helm

The default livenessProbe was changed to use a gRPC liveness probe instead of the tetra status
command.

Users can migrate to the old behavior by using a helm configuration such as:

   tetragon:
      livenessProbe:
         timeoutSeconds: 60
         exec:
           command:
           - tetra
           - status
           - --server-address
           - "54321"
           - --retries

Summary of changes

Bugfixes:

• Don't create PodInfo if the pod is being deleted
• [v1.1] backport: bpf: use CORE for execve hook
• enforcer: fix issue when using multiple calls with fmod_ret

Minor Changes:

• backports:1.1:tests: fix trace module testing
• backports:1.1: uid username resolution support
• helm: Add tetragon.livenessProbe value
• backport:v1.1: btf: take first entry on multiple function matches

Misc Changes:

• Prepare for v1.1.0 release
• Use gRPC-based liveness probe instead of tetra status.
• [v1.1] Introduce upgrade notes
• Prepare for v1.1.1 release
• [v1.1] Makefile: exclude api tags from version
• v1.1: misc updates relating to release process
• Prepare for v1.1.2 release

All PRs

• fix(deps): update module k8s.io/kube-openapi to v0.0.0-20240430033511-f0e62f92d13f (v1.1) by @cilium-renovate in #2398
• chore(deps): update dependency go to v1.22.2 (v1.1) by @cilium-renovate in #2394
• chore(deps): update quay.io/lvh-images/kernel-images docker tag to bpf-next-20240501.013106 (v1.1) by @cilium-renovate in #2408
• fix(deps): update module google.golang.org/protobuf to v1.34.1 (v1.1) by @cilium-renovate in #2411
• fix(deps): update module github.com/sryoya/protorand to v0.0.0-20240429201223-e7440656b2a4 (v1.1) by @cilium-renovate in #2410
• Don't create PodInfo if the pod is being deleted by @michi-covalent in #2435
• backports:1.1:tests: fix trace module testing by @tixxdz in #2437
• backports:1.1: uid username resolution support by @tixxdz in #2447
• chore(deps): update docker.io/library/alpine docker tag to v3.20.0 (v1.1) by @cilium-renovate in #2466
• helm: Add tetragon.livenessProbe value by @michi-covalent in #2471
• [v1.1] backport: bpf: use CORE for execve hook by @kkourt in #2468
• [backport/v1.1] Use gRPC-based liveness probe instead of tetra status by @tpapagian in #2480
• [v1.1] Introduce upgrade notes by @lambdanis in #2499
• backport:v1.1: btf: take first entry on multiple function matches by @tixxdz in #2504
• chore(deps): update go to v1.22.4 (v1.1) (patch) by @cilium-renovate in #2513
• [v1.1] enforcer backport by @kkourt in #2528
• Prepare for v1.1.1 release by @kkourt in #2535
• [v1.1] Makefile: exclude api tags from version by @kkourt in #2539
• v1.1: misc updates relating to release process by @kkourt in #2537
• Prepare for v1.1.2 release by @kkourt in #2543

Full Changelog: v1.1.0...v1.1.2

v1.1.0

Release notes

v1.1.0 release is here! Please consider upgrading. This edition adds some notable features including user space stack traces, the enforcer sensor to easily deny system calls, metrics improvements, and numerous other fixes and improvements. Before upgrading please review deprecated fields and metric updates to check for any changes here that may impact your upgrade.

As always huge thanks to all the contributors, especially the new contributors. Also we appreciate all the bug reports, features requests and feedback from the users. Keep it coming this helps everyone everything from reading docs and just hearing user stories is great. Reach out and file an issue or ping @jrfastab if you have any feedback.

Additionally I wanted to thank @dwindsor, @vparla and their colleagues for detailed bug reports (#2069) and identifying multiple issues that the team was able to fix/improve in this release. 🚀 See the commit list below for details.

Upgrade notes

Read the upgrade notes carefully before upgrading Tetragon.
Depending on your setup, changes listed here might require a manual intervention.

Helm Values

• tetragonOperator.skipCRDCreation value is deprecated and will be removed. Use crds.installMethod=none instead.

TracingPolicy (k8s CRD)

• The symbol field (string) in uprobe spec is replaced with symbols (array of strings). If using policies with uprobes, you need to replace the symbol field. (#1975) by @olsajiri
• Killer is renamed to enforcer. If using policies with killers, you need to replace killers with enforcers and action: NotifyKiller with action: NotifyEnforcer. (#2117) by @olsajiri
• To distinguish different stacktraces, kernel stacktraces are now enabled with kernelStackTrace policy field (renamed from stackTrace).

Events (protobuf API)

• Deprecated pod.labels field is removed. Use pod.pod_labels instead. (#1848) by @michi-covalent
• To distinguish different stacktraces, kernel stacktraces are now posted in kernel_stack_trace event field (renamed from stack_trace).

Metrics

• Metrics related to monitoring BPF maps and userspace caches are fixed: (#1950) by @sadath-12
  • tetragon_map_drops_total is removed (it was duplicating tetragon_errors_total{type="process_cache_evicted"})
  • tetragon_map_in_use_gauge{map="eventcache"} is removed (event cache is not a BPF map)
  • tetragon_map_in_use_gauge{map="processLru"} is replaced with tetragon_process_cache_size (process cache is not a BPF map)
• Metrics with known labels values are initialized to 0 on startup. (#2162) by @lambdanis
  This helps to ensure stable resources usage and metrics queries. This also involves changes in several metrics labels:
  • error_type label on tetragon_handler_errors_total metric is either "unknown_opcode" or "event_handler_failed" instead of the Go type of the error
  • event_type label on tetragon_event_cache*_errors_total metrics is one of the values defined in Tetragon API (tetragon.EventType) instead of the Go type of the event
  • error label on tetragon_event_cache_errors_total metric is "nil_process_pid"
  • error label is removed from tetragon_policyfilter_metrics_total metric
• Metrics for map and cache sizes are improved: (#2291) by @lambdanis
  • tetragon_map_in_use_gauge metric is renamed to tetragon_map_entries and doesn't have total label anymore
  • New tetragon_map_capacity metric exposes the BPF maps capacity
  • New tetragon_event_cache_entries metric measures the event cache size
  • New tetragon_process_cache_size metric measures the process cache size
  • New tetragon_process_cache_capacity metric exposes the process cache capacity

New Contributors

• @lmb made their first contribution in #1734
• @PhilipSchmid made their first contribution in #1780
• @hungran made their first contribution in #1797
• @sadath-12 made their first contribution in #1915
• @ioandr made their first contribution in #1965
• @rpahli made their first contribution in #2006
• @aohoyd made their first contribution in #1931
• @christian-2 made their first contribution in #2038
• @h3x-eilidh made their first contribution in #2059
• @dwindsor made their first contribution in #1986
• @next-ramses made their first contribution in #2084
• @sfc-gh-gshe made their first contribution in #2144
• @janvi01 made their first contribution in #2115
• @Jianlin-lv made their first contribution in #2222
• @f1ko made their first contribution in #2258
• @yukinakanaka made their first contribution in #2310
• @anfedotoff made their first contribution in #2175
• @strongjz made their first contribution in #2316
• @BonySmoke made their first contribution in #2231
• @zazathomas made their first contribution in #2318
• @alexeysofin made their first contribution in #2262
• @Trung-DV made their first contribution in #2354

Major Changes:

• Tetragon oci hook setup (#1842) by @kkourt
• tetragon: detect execve of anonymous binaries (#499) by @tixxdz
• Introduce an export filter type for process capabilities. (#2107) by @willfindlay
• Introduce redaction filters for censoring sensitive string data in process events. (#2243) by @willfindlay
• tracing: add multi-link uprobe support (#1914) by @olsajiri
• policyfilter: add a containerSelector that allows filtering policies by container name (#2231) by @BonySmoke
• Support user mode stacktraces in events. To enable this feature, set userStackTrace: true in the policy Post action. (#2175) by @anfedotoff

Bugfixes:

• Fix a segmentation fault related to filtering out pid information with field filters (#1700) by @willfindlay
• Fix a number of segmentation faults related to field filters. (#1712) by @willfindlay
• pkg/option: add metrics-label-filter flags (#1678) by @Jack-R-lantern
• Do not add a new entry in the execve_map during clone events that we cannot find our parent. Additionally, return early on kernel threads. (#1708) by @tpapagian
• Rework the matchBinaries selector implementation (#1731) by @mtardy
• Fix a few bugs related to field filter configuration and significantly improve performance of field filters. (#1763) by @willfindlay
• Fix a few bugs related to field filter configuration and significantly improve performance of field filters. (#1762) by @willfindlay
• Fix an issue that caused Tetragon to hang when it encounters an error early on in its init phase. (#1770) by @willfindlay
• Adds validation for sock and skb types (#1807) by @kevsecurity
• Fixes prefix and postfix matching for strings longer than the prefix or postfix maximum length (#1806) by @kevsecurity
• helm: Fix templating securityContext and tolerations (#1837) by @lambdanis
• pkg/kernels: Fix large patch numbers (#1870) by @tpapagian
• Fix a regression related to field filters that could cause top-level information to be missing from events. (#1882) by @willfindlay
• bpf: unit tests and fixes for prepend_name function (#1902) by @mtardy
• metrics: Do not return when we cannot find a _stats map (#1949) by @tpapagian
• bpf: read and copy proc exe at execve for matchBinaries (#1926) by @mtardy
• Dockerfile: bump bpftool revision to 7.3.0 (#1972) by @mtardy
• Fix a hang when the event exporter fails to start. (#2119) by @willfindlay
• tetra: avoid panic in the decoder (#2116) by @kkourt
• Set events node_name field to the hostname in the standalone (non-k8s) mode. (#2123) by @lambdanis
• policyfilter: fix issue in container fs scanning under cri-o (#2188) by @kkourt
• metrics: Remove pod from the queue after deleting metrics (#2287) by @lambdanis
• helm: Fix name and selector in operator ServiceMonitor (https://github.com/cilium/...

v1.0.3

What's Changed

• chore(deps): update go (v1.0) by @cilium-renovate in #2021
• chore(deps): update docker.io/library/golang:1.21.6-alpine docker digest to a6a7f1f (v1.0) by @cilium-renovate in #2036
• backport/v1.0/: bugtool gops pprofheap by @tixxdz in #2037
• chore(deps): update docker.io/library/alpine docker tag to v3.19.1 (v1.0) by @cilium-renovate in #2039
• chore(deps): update docker.io/library/golang:1.21.6 docker digest to 7b575fe (v1.0) by @cilium-renovate in #2057
• chore(deps): update go to v1.21.7 (v1.0) (patch) by @cilium-renovate in #2071
• chore(deps): update go (v1.0) by @cilium-renovate in #2082
• chore(deps): update docker.io/library/golang:1.21.7 docker digest to 549dd88 (v1.0) by @cilium-renovate in #2114
• fix(deps): update module github.com/opencontainers/runc to v1.1.12 [security] (v1.0) by @cilium-renovate in #2120
• backports/v1.0/2131 by @willfindlay in #2136
• chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] (v1.0) by @cilium-renovate in #2190
• chore(deps): update go to v1.21.8 (v1.0) (patch) by @cilium-renovate in #2194
• chore(deps): update docker.io/library/golang docker tag to v1.21.8 (v1.0) by @cilium-renovate in #2203
• chore(deps): update docker.io/library/golang:1.21.8 docker digest to 8560736 (v1.0) by @cilium-renovate in #2216
• chore(deps): update docker.io/library/golang:1.21.8-alpine docker digest to d7c6083 (v1.0) by @cilium-renovate in #2238
• backports/willfindlay/1.0/redaction filters by @willfindlay in #2267
• chore(deps): update go to v1.21.9 (v1.0) (patch) by @cilium-renovate in #2298
• chore(deps): update module golang.org/x/net to v0.23.0 [security] (v1.0) by @cilium-renovate in #2297
• chore(deps): update docker.io/library/golang docker tag to v1.21.9 (v1.0) by @cilium-renovate in #2307
• Backport #2144 and #2167 to v1.0 branch by @michi-covalent in #2292
• backports/1.0: exporter: fix hang when exporter fails to start by @willfindlay in #2314
• Prepare for v1.0.3 release by @mtardy in #2254

Full Changelog: v1.0.2...v1.0.3

v1.0.2

What's Changed

• chore(deps): update docker.io/library/golang:1.21.5 docker digest to 2ff79bc (v1.0) by @cilium-renovate in #1898
• fix(deps): update module github.com/containerd/containerd to v1.7.11 [security] (v1.0) by @cilium-renovate in #1905
• chore(deps): update go (v1.0) by @cilium-renovate in #1913
• chore(deps): update docker.io/library/golang docker tag to v1.21.6 (v1.0) by @cilium-renovate in #1969
• v1.0 backport: bpf: fix bugs in the prepend_name function by @mtardy in #1956
• chore(deps): update dependency go to v1.21.6 (v1.0) by @cilium-renovate in #1977
• chore(deps): update docker.io/library/golang:1.21.6 docker digest to 5f5d61d (v1.0) by @cilium-renovate in #1989
• tetragon: prepare for v1.0.2 release by @jrfastab in #1991

Full Changelog: v1.0.1...v1.0.2

v1.0.1

Release info

OSS PRs

Bugfixes:

• Fix a regression related to field filters that could cause top-level information to be missing from events.
• Fix a number of segmentation Add mappings for sock and skb types (bug fix).
• Fix a few bugs related to field filter configuration and significantly improve performance of field filters.
• backports/v1.0: helm: Fix templating securityContext and tolerations

Minor Changes:

• backports/v1.0: Add a metric to provide per-event missed events

Dependency updates:

• chore(deps): update docker.io/library/golang docker tag to v1.21.5 (v1.0)
• chore(deps): update go (v1.0)
• chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (v1.0)
• chore(deps): update docker.io/library/golang:1.21.4 docker digest to 9baee0e (v1.0)
• chore(deps): update go to v1.21.4 (v1.0) (patch)
• chore(deps): update docker.io/library/golang docker tag to v1.21.4 (v1.0)
• chore(deps): update docker.io/library/alpine docker tag to v3.19.0 (v1.0)
• chore(deps): update docker.io/library/golang:1.21.4-alpine docker digest to 70afe55 (v1.0)

What's Changed

• backports/v1.0: Add a metric to provide per-event missed events by @tpapagian in #1702
• filters/fields: do a deep copy before filtering by @willfindlay in #1726
• chore(deps): update go to v1.21.4 (v1.0) (patch) by @cilium-renovate in #1747
• chore(deps): update docker.io/library/golang docker tag to v1.21.4 (v1.0) by @cilium-renovate in #1757
• Backports/v1.0/1762 by @willfindlay in #1763
• chore(deps): update docker.io/library/golang:1.21.4 docker digest to 9baee0e (v1.0) by @cilium-renovate in #1746
• chore(deps): update docker.io/library/alpine docker tag to v3.18.5 (v1.0) by @cilium-renovate in #1826
• chore(deps): update docker.io/library/golang:1.21.4-alpine docker digest to 70afe55 (v1.0) by @cilium-renovate in #1825
• Backports/v1.0/string match fixes by @kevsecurity in #1819
• backports/v1.0: helm: Fix templating securityContext and tolerations by @lambdanis in #1841
• chore(deps): update docker.io/library/golang docker tag to v1.21.5 (v1.0) by @cilium-renovate in #1851
• chore(deps): update docker.io/library/alpine docker tag to v3.19.0 (v1.0) by @cilium-renovate in #1864
• chore(deps): update go (v1.0) by @cilium-renovate in #1869
• backports/v1.0: fieldfilters: fix regression with missing top-level info and add test by @willfindlay in #1883
• Prepare for v1.0.1 release by @kkourt in #1885

Full Changelog: v1.0.0...v1.0.1

v1.0.0

Changes

Breaking Changes:

• export: switch to default permissions on exported JSON to 0600. (#1575) by @tixxdz

Major Changes:

• tetragon: build arm64 tarball (#1484) by @tixxdz
• tetragon:process_exec: display uids/gids credentials and detect privileged execution (#1296) by @tixxdz
• Add a new kernel stack traces alpha feature to kprobes events. (#1429) by @mtardy
• api: add a policy_name field to kprobe, tracepoint and uprobe events (#1574) by @mtardy
• tetragon: Add killer sensor (#1205) by @olsajiri
• helm: Set the feature that implements Namespaced policies and Pod label filters on by default (#1647) by @kkourt

Bugfixes:

• Use a message copy to apply fieldFilters in exec events (#1432) by @tpapagian
• bpf: fix verification error in bpf_execve_event (#1454) by @kkourt
• Add complete k8s object validation and defaults on standalone (#1521) by @mtardy
• tetragon: fix crash in kprobe validation (#1551) by @olsajiri
• bugfix: Use shared string maps in kprobe-multi (#1582) by @tpapagian
• bpf: fix policyfilter issue for existing processes (#1590) by @kkourt
• Fixes a regression on enable/disable sensors that would prevent a sensor from being enabled. (#1562) by @mtardy
• helm: Fix selector labels for the operator deployment (#1644) by @michi-covalent

Minor Changes:

• pkg/metrics: add common go&gRPC prometheus metrics (#1416) by @Jack-R-lantern
• tetragon: Adding lists documentation (#1401) by @olsajiri
• tetragon-oci-hook: fix issue for containerd (#1375) by @kkourt
• tetragon: Add buffer between perf reader and events processing code (#593) by @olsajiri
• helm: update livenessProbe to retry 5 times before failing (#1407) by @willfindlay
• Convert string and char_buf matches to hash look ups (#1408) by @kevsecurity
• tetragon: Add metric to report rate limited events (#1453) by @jrfastab
• tetragon: trace kernel modules operations (#1390) by @tixxdz
• helm: Allow multiple installations of the Tetragon Helm chart (#1400) by @ashishkurmi
• Controller for the Pod Info Custom Resource (#1410) by @prateek041
• doc: add arm64 tarball install (#1496) by @tixxdz
• tetragon: improve how we handle TIDs and GetProcessCopy() (#1256) by @tixxdz
• Add IPv6 support to BPF rate limit (#1458) by @kevsecurity
• cmd: Remove deprecated --config-file flag (#1498) by @lambdanis
• metrics: report metric errors when caching pids (#1502) by @tixxdz
• tracing: check for empty returnArg (#1515) by @kkourt
• tetragon: Hook exit sensor on acct_process (#1509) by @olsajiri
• metrics: Add metrics label filter configuration (#1444) by @nap32
• tetragon: Several observer related cleanups (#1525) by @olsajiri
• Collect tetragon_map_in_use_gauge and tetragon_map_errors_total metrics directly from BPF maps at the scrape time. Expose the tetragon_map_errors_total metrics as a counter instead of a gauge. (#1510) by @lambdanis
• tetragon: Remove sensors on exit not programs (#1514) by @olsajiri
• imagePullPolicy for the operator deployment can be set in tetragonOperator.image.pullPolicy Helm value and defaults to IfNotPresent. (#1544) by @lambdanis
• Implement the ability to filter on event types in the getevents CLI. (#1549) by @darox
• bpf: read the task real parent (#1559) by @tixxdz
• Expose an interface for defining metrics with configurable labels. (#1548) by @lambdanis
• tetragon: Allow to specify rb-* size options with size suffix (#1593) by @olsajiri
• ci:tarball-release: remove unnecessary step about installing go (#1601) by @tixxdz
• ci: add login-action to docker hub (#1602) by @tixxdz
• tetragon: Add helper scripts for stats benchmarks (#1583) by @olsajiri
• systemd fixes (#1636) by @tixxdz
• helm: add service monitor scrape interval config (#1638) by @Jack-R-lantern
• doc: update tetragon daemon flags (#1662) by @tixxdz
• tetragon: Cleanup tgids array before another round of events iteration (#1581) by @olsajiri
• Introduce startup logic to check userspace and BPF struct alignment, and exit with an error message if we detect a mismatch. (#1650) by @willfindlay
• tetragon: Add support to pass options through spec (#1626) by @olsajiri
• helm: add PROCESS_TRACEPOINT to exported events (#1684) by @kkourt

CI Changes:

• CODEOWNERS: multiple fixes and move file in .github (#1449) by @mtardy
• renovate: add release-note/dependency label to PRs (#1435) by @mtardy
• renovate: rename correctly the lvh image name in config (#1474) by @mtardy
• lvh: allow renovate to update kernel images instead of using main (#1470) by @mtardy
• renovate: add both lvh-images/kind and kernel-images (#1476) by @mtardy
• Dockerfile.clang: Don't pin clang patch version (#1530) by @michi-covalent
• renovate: Monitor kubernetes-sigs/bom (#1526) by @michi-covalent
• packages-e2e-tests: Don't fail fast (#1532) by @michi-covalent
• Fix build-images-releases.yml (#1542) by @michi-covalent
• Use 'go install' to install bom (#1534) by @michi-covalent
• setup-go: Get Go version from go.mod (#1536) by @michi-covalent
• build-images-releases.yml: Fix indentation (#1543) by @michi-covalent
• event checker: Don't use the word "failure" for pending checks (#1550) by @michi-covalent
• Renovate: Ignore digest updates for k8s dependencies (#1557) by @lambdanis
• vendor: Pick up github.com/cilium/cilium v1.15.0-pre.1 (#1553) by @michi-covalent
• renovate: fix renovate upgrade of Go toolchain (#1579) by @mtardy
• renovate: fix the way we manually install Go inside the runner (#1584) by @mtardy
• renovate: enable automerge for pin/pinDigest and patch (#1587) by @mtardy
• ci: minor refactor to build-images job (#1611) by @willfindlay
• Add veristat in the CI (#1610) by @mtardy
• gh/vmtests: add 6.1 kernel (#1628) by @kkourt
• ci: fix CI for external contributors (#1649) by @willfindlay
• vmtests: bump timeout and start multiple job for builds (#1671) by @mtardy
• gh: update cosign installer (#1687) by @kkourt
• gh: use cosign sign -y (#1689) by @kkourt
• ci: check docs links fixes and configuration (#1692) by @mtardy

Documentation changes:

• docs: document kernel version and requirement (#1443) by @tixxdz
• docs: fix link in README and remove unreliable link to busybox (#1463) by @mtardy
• docs(tracing-policy) - Grammar and punctuation (#1480) by @jbiggley
• docs: fixes anchor links (#1516) by @prosazhin
• Doc: Tetragon metrics (#1495) by @prateek041
• tetragon: docs, copy Cilium style k8s install (#1561) by @jrfastab
• docs: Fix links to policy YAML files (#1614) by @michi-covalent
• tetragon: docs, minor updates to metrics ...

v1.0.0-rc.2

Note for maintainers:: Please update the description with the actual release notes (see RELEASE.md for instructions).