v1.2.0
v1.2.0 Release notes
Upgrade notes
Read the upgrade notes carefully before upgrading Tetragon.
Depending on your setup, changes listed here might require a manual intervention.
Helm Values
- Tetragon container now uses the gRPC liveness probe by default. To continue using "tetra status" for liveness probe, specify the tetragon.livenessProbe Helm value. For example:

  tetragon:
    livenessProbe:
      timeoutSeconds: 60
      exec:
        command:
        - tetra
        - status
        - --server-address
        - "54321"
        - --retries
        - "5"

- Deprecated tetragonOperator.skipCRDCreation Helm value is removed. Use crds.installMethod=none instead.
- tetragon.ociHookSetup Helm value is deprecated. Use tetragon.rthooks instead.
Events (protobuf API)
- Sensor managing methods have been deprecated:
  - ListSensors
  - EnableSensor
  - DisableSensor
  - RemoveSensor
Metrics
- tetragon_policyfilter_metrics_total metric is renamed to tetragon_policyfilter_operations_total, and its op label is renamed to operation.
- tetragon_missed_events_total metric is renamed to tetragon_bpf_missed_events_total.
- Metrics related to ring buffer and events queue are renamed:
  - tetragon_ringbuf_perf_event_errors_total -> tetragon_observer_ringbuf_errors_total
  - tetragon_ringbuf_perf_event_received_total -> tetragon_observer_ringbuf_events_received_total
  - tetragon_ringbuf_perf_event_lost_total -> tetragon_observer_ringbuf_events_lost_total
  - tetragon_ringbuf_queue_received_total -> tetragon_observer_ringbuf_queue_events_received_total
  - tetragon_ringbuf_queue_lost_total -> tetragon_observer_ringbuf_queue_events_lost_total
- tetragon_errors_total{type="process_cache_evicted"} metric is replaced by tetragon_process_cache_evicted_total.
- tetragon_errors_total{type=~"process_cache_miss_on_get|process_cache_miss_on_remove"} metrics are replaced by tetragon_process_cache_misses_total{operation=~"get|remove"}.
- tetragon_event_cache_<entry_type>_errors_total metrics are replaced by tetragon_event_cache_fetch_failures_total{entry_type="<entry_type>"}.
- tetragon_event_cache_accesses_total metric is renamed to tetragon_event_cache_inserts_total.
- tetragon_event_cache_retries_total metric is renamed to tetragon_event_cache_fetch_retries_total.
- tetragon_errors_total{type="event_missing_process_info"} metric is replaced by tetragon_events_missing_process_info_total.
- tetragon_errors_total{type="handler_error"} metric is removed. Use tetragon_handler_errors_total instead.
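Alert rules and dashboards that still query the old metric names return no data after the upgrade instead of failing, so an alert on lost events or handler errors can go silent. The following added example (not part of the Tetragon project) audits a PromQL expression against the renames listed above and suggests the v1.2.0 selector. The function names, the sample expression and the "review manually" marker are assumptions made for illustration.

```python
import re
# Renames from the v1.2.0 upgrade notes (old metric name -> new metric name).
RENAMED = {
    "tetragon_policyfilter_metrics_total": "tetragon_policyfilter_operations_total",
    "tetragon_missed_events_total": "tetragon_bpf_missed_events_total",
    "tetragon_ringbuf_perf_event_errors_total": "tetragon_observer_ringbuf_errors_total",
    "tetragon_ringbuf_perf_event_received_total": "tetragon_observer_ringbuf_events_received_total",
    "tetragon_ringbuf_perf_event_lost_total": "tetragon_observer_ringbuf_events_lost_total",
    "tetragon_ringbuf_queue_received_total": "tetragon_observer_ringbuf_queue_events_received_total",
    "tetragon_ringbuf_queue_lost_total": "tetragon_observer_ringbuf_queue_events_lost_total",
    "tetragon_event_cache_accesses_total": "tetragon_event_cache_inserts_total",
    "tetragon_event_cache_retries_total": "tetragon_event_cache_fetch_retries_total",
}
# tetragon_errors_total{type="..."} series that became dedicated metrics.
ERROR_TYPES = {"process_cache_evicted": "tetragon_process_cache_evicted_total",
               "event_missing_process_info": "tetragon_events_missing_process_info_total",
               "handler_error": "tetragon_handler_errors_total"}
CACHE_MISS = {"process_cache_miss_on_get": "get", "process_cache_miss_on_remove": "remove"}
SELECTOR = re.compile(r"\b(tetragon_\w+)(\{[^}]*\})?")
MATCHER = re.compile(r'(\w+)\s*(=~|!~|!=|=)\s*"([^"]*)"')  # no escaped quotes in values
EVENT_CACHE = re.compile(r"tetragon_event_cache_(\w+)_errors_total$")
SAMPLE = 'rate(tetragon_errors_total{type="handler_error",pod="p1"}[5m]) > 0'  # constructed

def _fmt(name, matchers):
    return name + ("{" + ",".join(f'{k}{o}"{v}"' for k, o, v in matchers) + "}" if matchers else "")

def _replacement(name, matchers):
    if name == "tetragon_policyfilter_metrics_total":  # its op label is now operation
        matchers = [("operation" if k == "op" else k, o, v) for k, o, v in matchers]
    if name in RENAMED:
        return _fmt(RENAMED[name], matchers)
    if ec := EVENT_CACHE.match(name):  # entry type moves from the name into a label
        return _fmt("tetragon_event_cache_fetch_failures_total", [("entry_type", "=", ec[1])] + matchers)
    if name != "tetragon_errors_total":
        return None  # metric not mentioned in the upgrade notes
    t = next((m for m in matchers if m[0] == "type" and m[1] in ("=", "=~")), None)
    rest = [m for m in matchers if m[0] != "type"]
    alts = [] if t is None else t[2].split("|") if t[1] == "=~" else [t[2]]
    if len(alts) == 1 and alts[0] in ERROR_TYPES:
        return _fmt(ERROR_TYPES[alts[0]], rest)
    if alts and all(a in CACHE_MISS for a in alts):
        return _fmt("tetragon_process_cache_misses_total",
                    [("operation", t[1], "|".join(CACHE_MISS[a] for a in alts))] + rest)
    return None if t and t[1] == "=" else "review manually"  # exact untouched type is fine

def audit(expr):
    """Return (stale selector, suggested v1.2.0 selector) pairs for a PromQL expression."""
    return [(m[0], new) for m in SELECTOR.finditer(expr)
            if (new := _replacement(m[1], MATCHER.findall(m[2] or "")))]
```

Grouping clauses such as by (op) and recording-rule names are not inspected, so check those by hand.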
Major Changes:
- feat: Username for process_exec events (#2369) by @anfedotoff
- tetragon: Allow persistent enforcement during tetragon restart (#2600) by @olsajiri
- LSM sensor (#2566) by @anfedotoff
Bugfixes:
- bpf: use CORE for execve hook (#2399) by @kkourt
- Don't create PodInfo if the pod is being deleted (#2431) by @michi-covalent
- tetragon: allow namespaced and non-namespaced policies to have the same name (#2337) by @joshuajorel
- operator: Don't start metrics server if Helm value tetragonOperator.prometheus.enabled is set to false. (#2484) by @yukinakanaka
- enforcer: fix issue when using multiple calls with fmod_ret (#2524) by @kkourt
- Reduce the kernel memory footprint (accounted by the cgroup memory controller) of the stack trace feature when unused. (#2546) by @mtardy
- Reduce the kernel memory footprint (accounted by the cgroup memory controller) of the ratelimit feature when unused (around ~10MB per kprobe). (#2551) by @mtardy
- Reduce the kernel memory footprint (accounted by the cgroup memory controller) of the fdinstall feature when unused (around ~11MB per kprobe). (#2563) by @mtardy
- Do not increase the reference count when we cannot find a parent in kthreads. (#2620) by @tpapagian
- Reduce the kernel memory footprint (accounted by the cgroup v2 memory controller) of the override feature when unused (around ~3MB per kprobe). (#2692) by @mtardy
- Fix a bug related to the matchBinaries Prefix operator by increasing the buffer size used by our dentry walk. Now the matchBinaries Prefix operator can correctly trigger a match on any path above 255 chars. (#2764) by @mtardy
- Fix a bug where the tetra getevents command would timeout even if the connection was successful. (#2765) by @mtardy
- Fix missing cases in the compact encoder for tetra. (#2819) by @willfindlay
- add support for pod association via cgroup id (#2776) by @kkourt
- Allow disabling gRPC either by selecting 'enabled:false' in the helm chart or by passing an empty address to the agent (#2826) by @kkourt
- Fix tetragon_process_cache_size metric (#2827) by @lambdanis
Minor Changes:
- proc: set auid to -1 for generated kernel pid 0 (#2400) by @tixxdz
- Wait for Tetragon's images exist before run test (#2401) by @Trung-DV
- tetragon: Add cgroup rate support (#2177) by @olsajiri
- oci-hook: allow users to set a list of namespace exceptions and define default (#2404) by @f1ko
- test: fix TestTraceKernelModule test (#2433) by @tixxdz
- tetragon: Add inline function macro (#2452) by @olsajiri
- helm: Add tetragon.livenessProbe value (#2469) by @michi-covalent
- tetragon: Use static funcs in few places (#2453) by @olsajiri
- btf: print original error returned by ebpf btf.TypeByName() (#2458) by @tixxdz
- tetragon: cache username lookups (#2448) by @tixxdz
- helm: Remove deprecated tetragon.skipCRDCreation value (#2498) by @lambdanis
- btf: take first entry on multiple btf validation (#2488) by @tixxdz
- tetragon: Add LoadProgramOpts function (#2489) by @olsajiri
- tetragon: Remove bpf_globals object (#2521) by @olsajiri
- sensors: allow reporting policy status when loading/unloading sensors (#2506) by @kkourt
- tetragon: Limit max entries of cgroup_rate_map when it's not used (#2555) by @olsajiri
- tetragon: Factor the maps max entries setup (#2565) by @olsajiri
- tetragon:username: use login name instead of display name (#2585) by @tixxdz
- process:bpf: report euid as the process.uid (#2575) by @tixxdz
- Implement an export filter to target parent process binary name. (#2607) by @willfindlay
- tetragon: fail if --username-metadata receives invalid value (#2596) by @tixxdz
- tetragon: resolve uid to username for exec events from /proc fs (#2588) by @tixxdz
- cmd: Move metrics-docs out of tetra and refactor it (#2611) by @lambdanis
- Reorg to factor mac entries setup and add a max entries test (#2587) by @olsajiri
- tetragon: Add debug interface to track cgroups to workload/ns mappings (#2540) by @jrfastab
- rthooks: support NRI (#2608) by @kkourt
- helm, doc: Added debug Helm flag for the agent (#2622) by @PhilipSchmid
- deprecate sensors gRPC API (#2630) by @kkourt
- helm: Don't give operator permissions to create CRDs if not needed (#2326) by @itsCheithanya
- store thread leader namespaces at fork and reduce false positives (#2695) by @tixxdz
- tetragon: make resolving uid to username work with a processapi struct (#2705) by @tixxdz
- tetra: LSM events compact print support (#2703) by @anfedotoff
- tetragon: only allow single instance to run on a node (#2747) by @inliquid
- tetragon: Factor loader tailcall setup (#2719) by @olsajiri
- tracing: introduce FollowChildren attribute in MatchBinaries selector (#2720) by @kkourt
- Add missed probes metrics (#1941) by @olsajiri
- tetragon_policyfilter_metrics_total metric is renamed to tetragon_policyfilter_operations_total, and its op label is renamed to operation. (#2784) by @lambdanis
- tetragon: persistent monitoring fixes (#2795) by @olsajiri
- Add the Postfix and NotPostfix operators to the matchBinaries selector. (#2689) by @anfedotoff
- metrics: Expose go_sched_latencies_seconds (#2802) by @lambdanis
- tetra: Added dynamic log level change option (#2643) by @PhilipSchmid
- cgidmap: fix initialization bug (#2829) by @kkourt
- helm: Add tetragon_pod label to metrics via ServiceMonitor (#2828) by @lambdanis
- Expose kernel ringbuffer errors in metrics (#2839) by @lambdanis
- Refactor & rename ringbuf metrics (#2833) by @lambdanis
- helm: Support adding extra labels to ServiceMonitors (#2830) by @lambdanis
- metrics: Expose more errors in tetragon_bpf_missed_events_total counter (#2855) by @lambdanis
- Replace process cache evictions and misses metrics (#2857) by @lambdanis
- Refactor and rename eventcache metrics (#2861) by @lambdanis
- Replace missing process info metric (#2863) by @lambdanis
- Remove tetragon_errors_total{type="handler_error"} metric (#2862) by @lambdanis
- tetragon: fixes (#2823) by @olsajiri
CI Changes:
- TestLabelsDemoApp: Replace isovalent/jobs-app by Opentelemetry demo app (#2345) by @Trung-DV
- renovate: add v1.1 in stable branches in config (#2432) by @mtardy
- tetragon: debugging map duplication extending prog/map testers (#2455) by @jrfastab
- Minor improvements to the release process (#2482) by @lambdanis
- vmtests: deduplicating code using LVH library for arm64 support (#2333) by @mtardy
- renovate: switch to get Go version from toolchain directive (#2494) by @mtardy
- renovate: update Go version properly for v1.1 (#2509) by @mtardy
- renovate: fix Go postUpgradeTasks for stable branches (#2514) by @mtardy
- renovate: group all go updates together and fix a rule (#2522) by @mtardy
- docs: ignore some index.html link from link checker (#2526) by @mtardy
- Increase maximum number of tries in WaitForTracingPolicy (#2547) by @tpapagian
- Uninstall Tetragon after each e2e test. (#2541) by @tpapagian
- docs: update docs dev deps for security fixes (#2577) by @mtardy
- policyfiletr K8s test fix (#2629) by @kkourt
- rthook: finish renovate config update due to rename (#2655) by @mtardy
- tests/e2e: clone proto event in rpcchecker (#2688) by @willfindlay
- workflows: fix the PR link checker script for raw GitHub links (#2712) by @mtardy
- Increase timeout in WaitForTracingPolicy. (#2755) by @tpapagian
- CI: Changed lint Helm CI trigger (#2804) by @PhilipSchmid
- CI: Improved K8s Kubeconformance validation (#2811) by @PhilipSchmid
- CI: Helm lint: Remove pipenv dependency (#2837) by @PhilipSchmid
- fork_test: remove pid export filter (#2831) by @kkourt
- verify.sh: Handle when bpf_verride_return is unavailable (#2838) by @russellb
- CI: Improve/stabilize lint Helm CI workflow (#2847) by @PhilipSchmid
- renovate: add 'make metrics-docs' to post upgrade cmds (#2864) by @mtardy
Documentation changes:
- docs: Metrics configuration guide & FAQ reorg (#2414) by @lambdanis
- docs: Improve contribution guide & PR template (#2483) by @lambdanis
- docs: Fix a link in contribution guide (#2496) by @lambdanis
- Document release notes process & introduce upgrade notes (#2487) by @lambdanis
- chore(deps): update Hugo and Docsy theme to latest versions (#2497) by @mtardy
- feat: update home page design (#2374) by @yasell
- fix: path to og:image (#2505) by @yasell
- updates docs resources section with newer content (#2507) by @paularah
- Rename NotifyKiller to Enforcer in docs (#2518) by @michalzarsm
- docs: fix issues in jq filter examples and broken links (#2567) by @cmppoon
- docs: add more conference videos (#2578) by @lizrice
- docs: update homepage contents (#2508) by @paularah
- feat: update label on hero section on main page (#2644) by @annaindistress
- Improve Helm values docs (#2625) by @lambdanis
- docs: update filename access section of the docs (#2654) by @paularah
- docs: improve k8s filtering docs (#2671) by @paularah
- Fix the tetra CLI install directions for Windows (#2683) by @spkane
- fix(docs): update getting started instructions (#2681) by @scottslowe
- docs: use different config for development and production (#2711) by @mtardy
- doc: Add docker-buildx to requirements (#2713) by @spbkaizo
- docs: use $POD env variable in multi node cmd (#2726) by @mtardy
- doc: Minor style improvements in troubleshooting docs (#2736) by @PhilipSchmid
- Update Getting Started guide (#2721) by @scottslowe
- doc: use tag variable for docker-based commands (#2750) by @atomic77
- Grammar fix (#2763) by @xmulligan
- doc: update slack channel reference (#2766) by @Huweicai
- docs: fixes on new persistent enforcement and cgroup rate pages (#2760) by @mtardy
- doc:username: remove empty line to not break api doc (#2774) by @tixxdz
- feat: add home page presentation section (#2781) by @yasell
- feat: add banner to community meetings and move tetragon slides (#2801) by @annaindistress
- feat: add Linkedin to the Community Section (#2796) by @annaindistress
- doc: Improved Tetragon metrics guide (#2840) by @PhilipSchmid
- [docs] Fix typo (#2848) by @tpapagian
- docs: Fix the mentioned containerd version (#2851) by @fgiloux
- docs for followChildren true (#2858) by @kkourt
Dependency updates:
- chore(deps): update docker.io/golangci/golangci-lint docker tag to v1.59.0 (main) (#2415) by @cilium-renovate[bot]
- update github.com/cilium/ebpf (#2717) by @lmb
- Update Dockerfiles to build clang-18 images (#2814) by @mtardy
- Upgrade to Cilium 1.16.1 and Kubernetes 1.31.0 (#2820) by @mtardy
- Revert "Upgrade to Cilium 1.16.1 and Kubernetes 1.31.0" (#2849) by @mtardy
- chore(deps): update docker.io/golangci/golangci-lint docker tag to v1.60.3 (main) (#2813) by @cilium-renovate[bot]
Misc Changes:
- Starting 1.2 development. (#2393) by @kkourt
- BTF validation fixes (#2446) by @kkourt
- release_template: also tag API module (#2457) by @kkourt
- Create a Pull Request Template for the project (#2387) by @paularah
- Use gRPC-based liveness probe instead of tetra status. (#2478) by @tpapagian
- tetragon: organize bpf helpers and add a few time related helpers (#2485) by @jrfastab
- tetragon: Remove AllPrograms from uprobe sensor (#2382) by @olsajiri
- Remove Cilium state service cache (#2519) by @michi-covalent
- Use the upstream Hubble packages (#2520) by @michi-covalent
- misc updates relating to release process (#2536) by @kkourt
- Makefile: exclude api tags from version (#2538) by @kkourt
- syscallinfo: fix typo for oldlstat (#2550) by @kkourt
- release_template.md: updates (#2579) by @kkourt
- process: Remove ciliumState package variable (#2581) by @michi-covalent
- pkg/sensors: fix for ratelimit_map wrong path pinning (#2583) by @mtardy
- Move metrics registry and initialization to pkg/metricsconfig (#2610) by @lambdanis
- Remove pkg/{cilium,oldhubble} (#2580) by @michi-covalent
- tetragon-metrics-docs: Move New function to a separate package (#2612) by @lambdanis
- Fix libbpf submodule checkout in bpftool when building the tetragon image. (#2616) by @tpapagian
- bpf: fix missed linux_binprm_type in selector_arg_offset function (#2623) by @anfedotoff
- identifies tetragon pod managing a pod (#2633) by @SandeshAmin
- Enable RewriteConstants for eBPF progs. (#2638) by @tpapagian
- Fix linter warnings in Dockerfiles (#2657) by @lambdanis
- tetragon: small improvement to testing merge sensors (#2658) by @jrfastab
- Cleanup code related to handling kmod BTFs. (#2627) by @tpapagian
- Fix a build issue in tetragon binary. (#2659) by @tpapagian
- rthook images updates (#2663) by @kkourt
- Makefile: Cleanup and generate help from comment (#2669) by @lambdanis
- Makefile: Reduce the amount of vendoring calls (#2670) by @lambdanis
- Improve local k8s developer experience (#2673) by @lambdanis
- contrib/kind: Make install-tetragon.sh script more portable (#2682) by @lambdanis
- tests: replace panic with t.Fatal, upgrade to latest base image for vmtests and fix enforcer tests (#2685) by @kevsecurity
- pkg/sensors/tracing: fix LSM open tests (#2698) by @mtardy
- .github: update pull request template (#2697) by @mtardy
- tracing: allow only one of kprobes/tracepoints/lsm (#2708) by @kkourt
- Extend metrics library (#2606) by @lambdanis
- release_template: also push API tag (#2664) by @kkourt
- rthooks: image and helm fixes (#2727) by @kkourt
- proto: Reserve removed field numbers (#2722) by @michi-covalent
- Define health metrics group (#2714) by @lambdanis
- fix(install-tetragon.sh) fix 'kind load docker-image' in kind setup (#2735) by @ScriptSathi
- Remove deprecated gRPC Dial calls (#2676) by @mtardy
- Add LoadLSMProgramSimple to load LSM programs. (#2751) by @tpapagian
- tetragon: improve systemd deployment detection (#2589) by @tixxdz
- tetragon: extra debug info on nsid mappings (#2757) by @jrfastab
- tetragon: Assorted fixes (#2748) by @olsajiri
- make: update install/k8s when running "make crds" (#2723) by @kkourt
- tetragon: Group missed metrics for policy and attach point (#2782) by @olsajiri
- bpf: fix incorrect inline asm output operands sections (#2773) by @mtardy
- crd: make followChildren optional (#2790) by @kkourt
- rthooks: setup do not copy binary twice (#2793) by @kkourt
- kprobemetrics: Fix collecting missed metrics (#2797) by @lambdanis
- Upgrade to Clang 18 to build BPF programs. (#2777) by @mtardy
- api/ops: Remove MsgOp* constants (#2799) by @lambdanis
- Watcher: fix NODE_NAME if missing (#2824) by @kevsecurity
- helm: add pprof flag setting (#2846) by @mtardy
- helm: use podSecurityContext for rthooks (#2836) by @kkourt
- tetragon: fix deprecated pprof flag compatibility (#2860) by @mtardy
- bpf: Fix perf_event_output_metric on 4.19 (#2868) by @lambdanis
- bpf: Fix perf_event_output_metric again (#2870) by @lambdanis
- rthooks fixes (#2874) by @kkourt
- Make Debug GRPC call generic (#2876) by @tpapagian
- helm: add an rthooks serviceAccount section (#2859) by @kkourt
- Prepare for v1.2.0 release (#2878) by @kkourt