feat: add tetragon process blog #814
base: main
Conversation
Signed-off-by: Paul Arah <[email protected]>
Signed-off-by: Paul Arah <[email protected]>
Looks good overall, your policy might not work, two comments:
```yaml
- matchArgs:
  - index: 1
    operator: 'Equal'
    values:
    - '/proc/self/exe'
```
Some important comments here:
- At fd_install stage in the kernel, symlinks have been resolved, so self will be resolved in the /proc/self/exe to /proc/<actualPID>/exe and not appear as self for fd_install, but even if you can guess the PID, the exe thing itself is a symlink to the actual path so you can't really match on a symlink using fd_install, the realpath that you will see in fd_install is the actual path of the binary.
- If the policy worked, since this is path reference here, at fd_install stage, while symbolic link or relative path should be resolved, hard link for example will not be detected. This is a caveat tied to path integrity monitoring.
All that to say that your policy can't work with fd_install as the hook point here unfortunately. It has the benefit of having symlinks resolved on one side so that /path/to/file is always /path/to/file even if you use /path/to../to/file, but this benefit makes it impracticable to match on a symlink itself.
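Added illustration of the resolution behaviour described in the review above; this is not code from the PR or from the Tetragon project. It assumes a Linux host with procfs mounted and a `readlink` that supports `-f` (GNU or BusyBox), and builds all of its sample files in a temp directory it creates and removes.

```shell
#!/bin/sh
# Added illustration (not from the PR or Tetragon): how the paths in the review resolve.
# A selector that compares the raw syscall argument sees the literal string the caller
# passed; anything that sees a resolved path (the fd_install case) sees what readlink -f
# prints below. All files live in a temp directory the script creates and removes.

# /proc/self/exe is a symlink to the real binary of the *calling* process. Because
# readlink runs as its own process, this prints readlink's binary, never the literal
# string "/proc/self/exe"; /proc/$$/exe would print the shell's binary instead.
resolved_self_exe() {
    if [ -e /proc/self/exe ]; then
        readlink -f /proc/self/exe
    else
        echo "/proc not mounted"   # sentinel for environments without procfs
    fi
}

# Create one regular file plus a symlink and a hard link to it under $1.
make_links() {
    printf 'original\n' > "$1/target"
    ln -s "$1/target" "$1/symlink"
    ln "$1/target" "$1/hardlink"
}

# Canonical (fully resolved) path, i.e. what a path-integrity hook would see.
canonical() {
    readlink -f "$1"
}

# Returns 0 when the review's caveat holds: the symlink collapses to the original
# path, but the hard link keeps its own distinct path while sharing the same inode,
# so a match on "$dir/target" would never fire for an open through "$dir/hardlink".
check_link_caveat() {
    dir=$(readlink -f "$(mktemp -d)")
    make_links "$dir"
    sym=$(canonical "$dir/symlink")
    hard=$(canonical "$dir/hardlink")
    same_inode=1
    [ "$dir/target" -ef "$dir/hardlink" ] && same_inode=0
    rm -rf "$dir"
    [ "$sym" = "$dir/target" ] && [ "$hard" = "$dir/hardlink" ] && [ "$same_inode" -eq 0 ]
}

# Stand-alone run: print the resolutions so they can be compared by eye.
echo "self exe -> $(resolved_self_exe)"
check_link_caveat && echo "symlink resolves, hard link does not: caveat confirmed"
```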
Thanks. I rewrote this, reproduced and tested it too.
```yaml
spec:
  kprobes:
  - call: '__x64_sys_openat'
    syscall: true
    args:
    - index: 1
      type: string
    - index: 2
      type: int
    selectors:
    - matchArgs:
      - index: 1
        operator: Equal
        values:
        - '/proc/self/exe'
      # Require write access (flags & 3 != 0 → not O_RDONLY)
      - index: 2
        operator: Mask
        values:
        - '3'
      # Only suspicious when NOT in the host PID namespace
      matchNamespaces:
      - namespace: Pid
        operator: NotIn
        values:
        - 'host_ns'
      matchActions:
      - action: Sigkill
```
```yaml
matchParentBinaries:
- operator: 'In'
  values:
  - '/usr/sbin/nginx'
  - '/usr/bin/node'
  - '/usr/local/bin/python'
```
This thing hasn't landed yet even on master cilium/tetragon#4254, is this okay for you?
Rewrote this using child process visibility.
```yaml
spec:
  kprobes:
  - call: 'sys_execve'
    syscall: true
    args:
    - index: 0
      type: 'string'
    selectors:
    - matchBinaries:
      - operator: 'In'
        values:
        - '/usr/sbin/nginx'
        - '/usr/bin/node'
        - '/usr/local/bin/python'
        followChildren: true
      matchArgs:
      - index: 0
        operator: 'Equal'
        values:
        - '/bin/bash'
        - '/bin/sh'
      matchActions:
      - action: Post
```
Co-authored-by: Mahé <[email protected]> Signed-off-by: Paul Arah <[email protected]>
Can you fix it here in this PR? It's getting difficult to review

@mtardy can you do one last check before we publish?