TracingPolicy
cilium.io / v1alpha1
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object required
spec object required
Tracing policy specification.
containerSelector object
ContainerSelector selects containers that this policy applies to.
A map of container fields will be constructed in the same way as a map of labels.
The name of the field represents the label "key", and the value of the field - label "value".
Currently, only the "name" field is supported.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key
string required
key is the label key that the selector applies to.
operator
string required
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
enum:
In, NotIn, Exists, DoesNotExist
values
[]string
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
matchLabels
object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
enforcers []object
An enforcer spec.
calls
[]string required
Calls in which the enforcer is executed.
kprobes []object
A list of kprobe specs.
args []object
A list of function arguments to include in the trace output.
btfType
string
Type of original argument. This is currently only used in UsdtSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type.
index
integer required
Position of the argument.
format:
int32
minimum:
0
label
string
Label to output in the JSON
maxData
boolean
Read maximum possible data (currently 327360). This field is only used
for char_buf data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on
resolve
string
Resolve the path to a specific attribute
returnCopy
boolean
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex
integer
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types.
format:
int32
minimum:
0
source
string
Source of the data; if missing, the default is function arguments.
type
string required
Argument type.
enum:
auto, int, int8, uint8, int16, uint16, uint32, int32, uint64, int64, char_buf, char_iovec, size_t, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
call
string required
Name of the function to apply the kprobe spec to.
data []object
A list of data to include in the trace output.
btfType
string
Type of original argument. This is currently only used in UsdtSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type.
index
integer required
Position of the argument.
format:
int32
minimum:
0
label
string
Label to output in the JSON
maxData
boolean
Read maximum possible data (currently 327360). This field is only used
for char_buf data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on
resolve
string
Resolve the path to a specific attribute
returnCopy
boolean
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex
integer
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types.
format:
int32
minimum:
0
source
string
Source of the data; if missing, the default is function arguments.
type
string required
Argument type.
enum:
auto, int, int8, uint8, int16, uint16, uint32, int32, uint64, int64, char_buf, char_iovec, size_t, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
ignore object
Conditions for ignoring this kprobe
callNotFound
boolean
Ignores calls that are not present in the system
message
string
A short message of 256 characters max that will be included
in the event output to inform users what is going on.
return
boolean
Indicates whether to collect return value of the traced function.
returnArg object
A return argument to include in the trace output.
btfType
string
Type of original argument. This is currently only used in UsdtSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type.
index
integer required
Position of the argument.
format:
int32
minimum:
0
label
string
Label to output in the JSON
maxData
boolean
Read maximum possible data (currently 327360). This field is only used
for char_buf data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on
resolve
string
Resolve the path to a specific attribute
returnCopy
boolean
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex
integer
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types.
format:
int32
minimum:
0
source
string
Source of the data; if missing, the default is function arguments.
type
string required
Argument type.
enum:
auto, int, int8, uint8, int16, uint16, uint32, int32, uint64, int64, char_buf, char_iovec, size_t, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
returnArgAction
string
An action to perform on the return argument.
Available actions are: Post, TrackSock, UntrackSock.
selectors []object
Selectors to apply before producing trace output. Selectors are ORed and short-circuited.
matchActions []object
A list of actions to execute when this selector matches
action
string required
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5.
enum:
Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError
integer
error value for override action
format:
int32
argFd
integer
An arg index for the fd for fdInstall action
format:
int32
argFqdn
string
A FQDN to lookup for the dnsLookup action
argIndex
integer
An arg index for the set action
format:
int32
argName
integer
An arg index for the filename for fdInstall action
format:
int32
argRegs
[]string
An arg value for the regs action
argSig
integer
A signal number for signal action
format:
int32
argSock
integer
An arg index for the sock for trackSock and untrackSock actions
format:
int32
argUrl
string
A URL for the getUrl action
argValue
integer
An arg value for the set action
format:
int32
imaHash
boolean
Enable collection of file hashes from integrity subsystem.
Only valid with the post action.
kernelStackTrace
boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit
string
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action.
rateLimitScope
string
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified.
userStackTrace
boolean
Enable user stack trace export. Only valid with the post action.
matchArgs []object
A list of argument filters. MatchArgs are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
matchBinaries []object
A list of binary exec name filters.
followChildren
boolean
In addition to binaries, match children processes of specified binaries.
operator
string required
Filter operation.
enum:
In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values
[]string required
Value to compare the argument against.
matchCapabilities []object
A list of capabilities and IDs
isNamespaceCapability
boolean
Indicates whether these caps are namespace caps.
operator
string required
Namespace selector operator.
enum:
In, NotIn
type
string
Type of capabilities
enum:
Effective, Inheritable, Permitted
values
[]string required
Capabilities to match.
matchCapabilityChanges []object
IDs for capabilities changes
isNamespaceCapability
boolean
Indicates whether these caps are namespace caps.
operator
string required
Namespace selector operator.
enum:
In, NotIn
type
string
Type of capabilities
enum:
Effective, Inheritable, Permitted
values
[]string required
Capabilities to match.
matchData []object
A list of argument filters. MatchData are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
matchNamespaceChanges []object
IDs for namespace changes
operator
string required
Namespace selector operator.
enum:
In, NotIn
values
[]string required
Namespace types (e.g., Mnt, Pid) to match.
matchNamespaces []object
A list of namespaces and IDs
namespace
string required
Namespace selector name.
enum:
Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
operator
string required
Namespace selector operator.
enum:
In, NotIn
values
[]string required
Namespace IDs (or host_ns for host namespace) of namespaces to match.
matchPIDs []object
A list of process ID filters. MatchPIDs are ANDed.
followForks
boolean
Matches any descendant processes of the matching PIDs.
isNamespacePID
boolean
Indicates whether PIDs are namespace PIDs.
operator
string required
PID selector operator.
enum:
In, NotIn
values
[]integer required
Process IDs to match.
matchReturnActions []object
A list of actions to execute when MatchReturnArgs selector matches
action
string required
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5.
enum:
Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError
integer
error value for override action
format:
int32
argFd
integer
An arg index for the fd for fdInstall action
format:
int32
argFqdn
string
A FQDN to lookup for the dnsLookup action
argIndex
integer
An arg index for the set action
format:
int32
argName
integer
An arg index for the filename for fdInstall action
format:
int32
argRegs
[]string
An arg value for the regs action
argSig
integer
A signal number for signal action
format:
int32
argSock
integer
An arg index for the sock for trackSock and untrackSock actions
format:
int32
argUrl
string
A URL for the getUrl action
argValue
integer
An arg value for the set action
format:
int32
imaHash
boolean
Enable collection of file hashes from integrity subsystem.
Only valid with the post action.
kernelStackTrace
boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit
string
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action.
rateLimitScope
string
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified.
userStackTrace
boolean
Enable user stack trace export. Only valid with the post action.
matchReturnArgs []object
A list of argument filters. MatchArgs are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
syscall
boolean
Indicates whether the traced function is a syscall.
tags
[]string
Tags to categorize the event; they will be included in the event output.
A maximum of 16 tags is supported.
maxItems:
16
lists []object
A list of list specs.
name
string required
Name of the list
pattern
string
Pattern for 'generated' lists.
type
string
Indicates the type of the list values.
enum:
syscalls, generated_syscalls, generated_ftrace
validated
boolean
List was validated
values
[]string
Values of the list
loader
boolean
Enable loader events
lsmhooks []object
A list of uprobe specs.
args []object
A list of function arguments to include in the trace output.
btfType
string
Type of original argument. This is currently only used in UsdtSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type.
index
integer required
Position of the argument.
format:
int32
minimum:
0
label
string
Label to output in the JSON
maxData
boolean
Read maximum possible data (currently 327360). This field is only used
for char_buf data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on
resolve
string
Resolve the path to a specific attribute
returnCopy
boolean
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex
integer
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types.
format:
int32
minimum:
0
source
string
Source of the data; if missing, the default is function arguments.
type
string required
Argument type.
enum:
auto, int, int8, uint8, int16, uint16, uint32, int32, uint64, int64, char_buf, char_iovec, size_t, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
hook
string required
Name of the function to apply the kprobe spec to.
message
string
A short message of 256 characters max that will be included
in the event output to inform users what is going on.
selectors []object
Selectors to apply before producing trace output. Selectors are ORed.
matchActions []object
A list of actions to execute when this selector matches
action
string required
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5.
enum:
Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError
integer
error value for override action
format:
int32
argFd
integer
An arg index for the fd for fdInstall action
format:
int32
argFqdn
string
A FQDN to lookup for the dnsLookup action
argIndex
integer
An arg index for the set action
format:
int32
argName
integer
An arg index for the filename for fdInstall action
format:
int32
argRegs
[]string
An arg value for the regs action
argSig
integer
A signal number for signal action
format:
int32
argSock
integer
An arg index for the sock for trackSock and untrackSock actions
format:
int32
argUrl
string
A URL for the getUrl action
argValue
integer
An arg value for the set action
format:
int32
imaHash
boolean
Enable collection of file hashes from integrity subsystem.
Only valid with the post action.
kernelStackTrace
boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit
string
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action.
rateLimitScope
string
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified.
userStackTrace
boolean
Enable user stack trace export. Only valid with the post action.
matchArgs []object
A list of argument filters. MatchArgs are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
matchBinaries []object
A list of binary exec name filters.
followChildren
boolean
In addition to binaries, match children processes of specified binaries.
operator
string required
Filter operation.
enum:
In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values
[]string required
Value to compare the argument against.
matchCapabilities []object
A list of capabilities and IDs
isNamespaceCapability
boolean
Indicates whether these caps are namespace caps.
operator
string required
Namespace selector operator.
enum:
In, NotIn
type
string
Type of capabilities
enum:
Effective, Inheritable, Permitted
values
[]string required
Capabilities to match.
matchCapabilityChanges []object
IDs for capabilities changes
isNamespaceCapability
boolean
Indicates whether these caps are namespace caps.
operator
string required
Namespace selector operator.
enum:
In, NotIn
type
string
Type of capabilities
enum:
Effective, Inheritable, Permitted
values
[]string required
Capabilities to match.
matchData []object
A list of argument filters. MatchData are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
matchNamespaceChanges []object
IDs for namespace changes
operator
string required
Namespace selector operator.
enum:
In, NotIn
values
[]string required
Namespace types (e.g., Mnt, Pid) to match.
matchNamespaces []object
A list of namespaces and IDs
namespace
string required
Namespace selector name.
enum:
Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
operator
string required
Namespace selector operator.
enum:
In, NotIn
values
[]string required
Namespace IDs (or host_ns for host namespace) of namespaces to match.
matchPIDs []object
A list of process ID filters. MatchPIDs are ANDed.
followForks
boolean
Matches any descendant processes of the matching PIDs.
isNamespacePID
boolean
Indicates whether PIDs are namespace PIDs.
operator
string required
PID selector operator.
enum:
In, NotIn
values
[]integer required
Process IDs to match.
matchReturnActions []object
A list of actions to execute when MatchReturnArgs selector matches
action
string required
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5.
enum:
Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError
integer
error value for override action
format:
int32
argFd
integer
An arg index for the fd for fdInstall action
format:
int32
argFqdn
string
A FQDN to lookup for the dnsLookup action
argIndex
integer
An arg index for the set action
format:
int32
argName
integer
An arg index for the filename for fdInstall action
format:
int32
argRegs
[]string
An arg value for the regs action
argSig
integer
A signal number for signal action
format:
int32
argSock
integer
An arg index for the sock for trackSock and untrackSock actions
format:
int32
argUrl
string
A URL for the getUrl action
argValue
integer
An arg value for the set action
format:
int32
imaHash
boolean
Enable collection of file hashes from integrity subsystem.
Only valid with the post action.
kernelStackTrace
boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit
string
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action.
rateLimitScope
string
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified.
userStackTrace
boolean
Enable user stack trace export. Only valid with the post action.
matchReturnArgs []object
A list of argument filters. MatchArgs are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
tags
[]string
Tags to categorize the event; they will be included in the event output.
A maximum of 16 tags is supported.
maxItems:
16
options []object
A list of overloaded options
name
string required
Name of the option
value
string
Value of the option
podSelector object
PodSelector selects pods that this policy applies to
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key
string required
key is the label key that the selector applies to.
operator
string required
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
enum:
In, NotIn, Exists, DoesNotExist
values
[]string
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
matchLabels
object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
tracepoints []object
A list of tracepoint specs.
args []object
A list of function arguments to include in the trace output.
btfType
string
Type of original argument. This is currently only used in UsdtSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type.
index
integer required
Position of the argument.
format:
int32
minimum:
0
label
string
Label to output in the JSON
maxData
boolean
Read maximum possible data (currently 327360). This field is only used
for char_buf data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on
resolve
string
Resolve the path to a specific attribute
returnCopy
boolean
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex
integer
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types.
format:
int32
minimum:
0
source
string
Source of the data; if missing, the default is function arguments.
type
string required
Argument type.
enum:
auto, int, int8, uint8, int16, uint16, uint32, int32, uint64, int64, char_buf, char_iovec, size_t, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
event
string required
Tracepoint event
message
string
A short message of 256 characters max that will be included
in the event output to inform users what is going on.
raw
boolean
Enable raw tracepoint arguments
selectors []object
Selectors to apply before producing trace output. Selectors are ORed.
matchActions []object
A list of actions to execute when this selector matches
action
string required
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5.
enum:
Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError
integer
error value for override action
format:
int32
argFd
integer
An arg index for the fd for fdInstall action
format:
int32
argFqdn
string
A FQDN to lookup for the dnsLookup action
argIndex
integer
An arg index for the set action
format:
int32
argName
integer
An arg index for the filename for fdInstall action
format:
int32
argRegs
[]string
An arg value for the regs action
argSig
integer
A signal number for signal action
format:
int32
argSock
integer
An arg index for the sock for trackSock and untrackSock actions
format:
int32
argUrl
string
A URL for the getUrl action
argValue
integer
An arg value for the set action
format:
int32
imaHash
boolean
Enable collection of file hashes from integrity subsystem.
Only valid with the post action.
kernelStackTrace
boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit
string
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action.
rateLimitScope
string
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified.
userStackTrace
boolean
Enable user stack trace export. Only valid with the post action.
matchArgs []object
A list of argument filters. MatchArgs are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
matchBinaries []object
A list of binary exec name filters.
followChildren
boolean
In addition to binaries, match children processes of specified binaries.
operator
string required
Filter operation.
enum:
In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values
[]string required
Value to compare the argument against.
matchCapabilities []object
A list of capabilities and IDs
isNamespaceCapability
boolean
Indicates whether these caps are namespace caps.
operator
string required
Namespace selector operator.
enum:
In, NotIn
type
string
Type of capabilities
enum:
Effective, Inheritable, Permitted
values
[]string required
Capabilities to match.
matchCapabilityChanges []object
IDs for capabilities changes
isNamespaceCapability
boolean
Indicates whether these caps are namespace caps.
operator
string required
Namespace selector operator.
enum:
In, NotIn
type
string
Type of capabilities
enum:
Effective, Inheritable, Permitted
values
[]string required
Capabilities to match.
matchData []object
A list of argument filters. MatchData are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
matchNamespaceChanges []object
IDs for namespace changes
operator
string required
Namespace selector operator.
enum:
In, NotIn
values
[]string required
Namespace types (e.g., Mnt, Pid) to match.
matchNamespaces []object
A list of namespaces and IDs
namespace
string required
Namespace selector name.
enum:
Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
operator
string required
Namespace selector operator.
enum:
In, NotIn
values
[]string required
Namespace IDs (or host_ns for host namespace) of namespaces to match.
matchPIDs []object
A list of process ID filters. MatchPIDs are ANDed.
followForks
boolean
Matches any descendant processes of the matching PIDs.
isNamespacePID
boolean
Indicates whether PIDs are namespace PIDs.
operator
string required
PID selector operator.
enum:
In, NotIn
values
[]integer required
Process IDs to match.
matchReturnActions []object
A list of actions to execute when MatchReturnArgs selector matches
action
string required
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5.
enum:
Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError
integer
error value for override action
format:
int32
argFd
integer
An arg index for the fd for fdInstall action
format:
int32
argFqdn
string
A FQDN to lookup for the dnsLookup action
argIndex
integer
An arg index for the set action
format:
int32
argName
integer
An arg index for the filename for fdInstall action
format:
int32
argRegs
[]string
An arg value for the regs action
argSig
integer
A signal number for signal action
format:
int32
argSock
integer
An arg index for the sock for trackSock and untrackSock actions
format:
int32
argUrl
string
A URL for the getUrl action
argValue
integer
An arg value for the set action
format:
int32
imaHash
boolean
Enable collection of file hashes from integrity subsystem.
Only valid with the post action.
kernelStackTrace
boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit
string
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action.
rateLimitScope
string
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified.
userStackTrace
boolean
Enable user stack trace export. Only valid with the post action.
matchReturnArgs []object
A list of argument filters. MatchArgs are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
subsystem
string required
Tracepoint subsystem
tags
[]string
Tags to categorize the event, will be included in the event output.
Maximum of 16 Tags are supported.
maxItems:
16
uprobes []object
A list of uprobe specs.
addrs
[]integer
List of the traced addresses
args []object
A list of function arguments to include in the trace output.
btfType
string
Type of original argument. This is currently only used in UsdtSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type.
index
integer required
Position of the argument.
format:
int32
minimum:
0
label
string
Label to output in the JSON
maxData
boolean
Read maximum possible data (currently 327360). This field is only used
for char_buf data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on.
resolve
string
Resolve the path to a specific attribute
returnCopy
boolean
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex
integer
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types.
format:
int32
minimum:
0
source
string
Source of the data; if missing, the default is function arguments.
type
string required
Argument type.
enum:
auto, int, int8, uint8, int16, uint16, uint32, int32, uint64, int64, char_buf, char_iovec, size_t, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
message
string
A short message of 256 characters max that will be included
in the event output to inform users what is going on.
offsets
[]integer
List of the traced offsets
path
string required
Name of the traced binary
refCtrOffsets
[]integer
List of the traced ref_ctr_offsets
selectors []object
Selectors to apply before producing trace output. Selectors are ORed.
matchActions []object
A list of actions to execute when this selector matches
action
string required
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5.
enum:
Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError
integer
error value for override action
format:
int32
argFd
integer
An arg index for the fd for fdInstall action
format:
int32
argFqdn
string
A FQDN to lookup for the dnsLookup action
argIndex
integer
An arg index for the set action
format:
int32
argName
integer
An arg index for the filename for fdInstall action
format:
int32
argRegs
[]string
An arg value for the regs action
argSig
integer
A signal number for signal action
format:
int32
argSock
integer
An arg index for the sock for trackSock and untrackSock actions
format:
int32
argUrl
string
A URL for the getUrl action
argValue
integer
An arg value for the set action
format:
int32
imaHash
boolean
Enable collection of file hashes from integrity subsystem.
Only valid with the post action.
kernelStackTrace
boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit
string
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action.
rateLimitScope
string
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified.
userStackTrace
boolean
Enable user stack trace export. Only valid with the post action.
matchArgs []object
A list of argument filters. MatchArgs are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
matchBinaries []object
A list of binary exec name filters.
followChildren
boolean
In addition to binaries, match children processes of specified binaries.
operator
string required
Filter operation.
enum:
In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values
[]string required
Value to compare the argument against.
matchCapabilities []object
A list of capabilities and IDs
isNamespaceCapability
boolean
Indicates whether these caps are namespace caps.
operator
string required
Namespace selector operator.
enum:
In, NotIn
type
string
Type of capabilities
enum:
Effective, Inheritable, Permitted
values
[]string required
Capabilities to match.
matchCapabilityChanges []object
IDs for capabilities changes
isNamespaceCapability
boolean
Indicates whether these caps are namespace caps.
operator
string required
Namespace selector operator.
enum:
In, NotIn
type
string
Type of capabilities
enum:
Effective, Inheritable, Permitted
values
[]string required
Capabilities to match.
matchData []object
A list of argument filters. MatchData are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
matchNamespaceChanges []object
IDs for namespace changes
operator
string required
Namespace selector operator.
enum:
In, NotIn
values
[]string required
Namespace types (e.g., Mnt, Pid) to match.
matchNamespaces []object
A list of namespaces and IDs
namespace
string required
Namespace selector name.
enum:
Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
operator
string required
Namespace selector operator.
enum:
In, NotIn
values
[]string required
Namespace IDs (or host_ns for host namespace) of namespaces to match.
matchPIDs []object
A list of process ID filters. MatchPIDs are ANDed.
followForks
boolean
Matches any descendant processes of the matching PIDs.
isNamespacePID
boolean
Indicates whether PIDs are namespace PIDs.
operator
string required
PID selector operator.
enum:
In, NotIn
values
[]integer required
Process IDs to match.
matchReturnActions []object
A list of actions to execute when MatchReturnArgs selector matches
action
string required
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5.
enum:
Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError
integer
error value for override action
format:
int32
argFd
integer
An arg index for the fd for fdInstall action
format:
int32
argFqdn
string
A FQDN to lookup for the dnsLookup action
argIndex
integer
An arg index for the set action
format:
int32
argName
integer
An arg index for the filename for fdInstall action
format:
int32
argRegs
[]string
An arg value for the regs action
argSig
integer
A signal number for signal action
format:
int32
argSock
integer
An arg index for the sock for trackSock and untrackSock actions
format:
int32
argUrl
string
A URL for the getUrl action
argValue
integer
An arg value for the set action
format:
int32
imaHash
boolean
Enable collection of file hashes from integrity subsystem.
Only valid with the post action.
kernelStackTrace
boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit
string
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action.
rateLimitScope
string
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified.
userStackTrace
boolean
Enable user stack trace export. Only valid with the post action.
matchReturnArgs []object
A list of argument filters. MatchArgs are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
symbols
[]string
List of the traced symbols
tags
[]string
Tags to categorize the event, will be included in the event output.
Maximum of 16 Tags are supported.
maxItems:
16
usdts []object
A list of usdt specs.
args []object
A list of function arguments to include in the trace output.
btfType
string
Type of original argument. This is currently only used in UsdtSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type.
index
integer required
Position of the argument.
format:
int32
minimum:
0
label
string
Label to output in the JSON
maxData
boolean
Read maximum possible data (currently 327360). This field is only used
for char_buf data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on.
resolve
string
Resolve the path to a specific attribute
returnCopy
boolean
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered.
sizeArgIndex
integer
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types.
format:
int32
minimum:
0
source
string
Source of the data; if missing, the default is function arguments.
type
string required
Argument type.
enum:
auto, int, int8, uint8, int16, uint16, uint32, int32, uint64, int64, char_buf, char_iovec, size_t, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
btfPath
string
path for a BTF file for the traced binary
message
string
A short message of 256 characters max that will be included
in the event output to inform users what is going on.
name
string required
Usdt name
path
string required
Name of the traced binary
provider
string required
Usdt provider name
selectors []object
Selectors to apply before producing trace output. Selectors are ORed.
matchActions []object
A list of actions to execute when this selector matches
action
string required
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5.
enum:
Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError
integer
error value for override action
format:
int32
argFd
integer
An arg index for the fd for fdInstall action
format:
int32
argFqdn
string
A FQDN to lookup for the dnsLookup action
argIndex
integer
An arg index for the set action
format:
int32
argName
integer
An arg index for the filename for fdInstall action
format:
int32
argRegs
[]string
An arg value for the regs action
argSig
integer
A signal number for signal action
format:
int32
argSock
integer
An arg index for the sock for trackSock and untrackSock actions
format:
int32
argUrl
string
A URL for the getUrl action
argValue
integer
An arg value for the set action
format:
int32
imaHash
boolean
Enable collection of file hashes from integrity subsystem.
Only valid with the post action.
kernelStackTrace
boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit
string
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action.
rateLimitScope
string
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified.
userStackTrace
boolean
Enable user stack trace export. Only valid with the post action.
matchArgs []object
A list of argument filters. MatchArgs are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
matchBinaries []object
A list of binary exec name filters.
followChildren
boolean
In addition to binaries, match children processes of specified binaries.
operator
string required
Filter operation.
enum:
In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
values
[]string required
Value to compare the argument against.
matchCapabilities []object
A list of capabilities and IDs
isNamespaceCapability
boolean
Indicates whether these caps are namespace caps.
operator
string required
Namespace selector operator.
enum:
In, NotIn
type
string
Type of capabilities
enum:
Effective, Inheritable, Permitted
values
[]string required
Capabilities to match.
matchCapabilityChanges []object
IDs for capabilities changes
isNamespaceCapability
boolean
Indicates whether these caps are namespace caps.
operator
string required
Namespace selector operator.
enum:
In, NotIn
type
string
Type of capabilities
enum:
Effective, Inheritable, Permitted
values
[]string required
Capabilities to match.
matchData []object
A list of argument filters. MatchData are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
matchNamespaceChanges []object
IDs for namespace changes
operator
string required
Namespace selector operator.
enum:
In, NotIn
values
[]string required
Namespace types (e.g., Mnt, Pid) to match.
matchNamespaces []object
A list of namespaces and IDs
namespace
string required
Namespace selector name.
enum:
Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
operator
string required
Namespace selector operator.
enum:
In, NotIn
values
[]string required
Namespace IDs (or host_ns for host namespace) of namespaces to match.
matchPIDs []object
A list of process ID filters. MatchPIDs are ANDed.
followForks
boolean
Matches any descendant processes of the matching PIDs.
isNamespacePID
boolean
Indicates whether PIDs are namespace PIDs.
operator
string required
PID selector operator.
enum:
In, NotIn
values
[]integer required
Process IDs to match.
matchReturnActions []object
A list of actions to execute when MatchReturnArgs selector matches
action
string required
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5.
enum:
Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
argError
integer
error value for override action
format:
int32
argFd
integer
An arg index for the fd for fdInstall action
format:
int32
argFqdn
string
A FQDN to lookup for the dnsLookup action
argIndex
integer
An arg index for the set action
format:
int32
argName
integer
An arg index for the filename for fdInstall action
format:
int32
argRegs
[]string
An arg value for the regs action
argSig
integer
A signal number for signal action
format:
int32
argSock
integer
An arg index for the sock for trackSock and untrackSock actions
format:
int32
argUrl
string
A URL for the getUrl action
argValue
integer
An arg value for the set action
format:
int32
imaHash
boolean
Enable collection of file hashes from integrity subsystem.
Only valid with the post action.
kernelStackTrace
boolean
Enable kernel stack trace export. Only valid with the post action.
rateLimit
string
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action.
rateLimitScope
string
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified.
userStackTrace
boolean
Enable user stack trace export. Only valid with the post action.
matchReturnArgs []object
A list of argument filters. MatchArgs are ANDed.
args
[]integer
Position of the operator arguments (in spec file) to apply the filter to.
index
integer
Position of the argument (in function prototype) to apply the filter to.
format:
int32
minimum:
0
operator
string required
Filter operation.
enum:
Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange
values
[]string
Value to compare the argument against.
tags
[]string
Tags to categorize the event, will be included in the event output.
Maximum of 16 Tags are supported.
maxItems:
16
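Several constraints in this reference are stated only in prose: fields that are only valid with the Post action, rateLimitScope requiring a rateLimit, the rateLimit suffixes, the 16-tag and 256-character limits, and the fields used only for char_buf and char_iovec. The linter below checks them before a policy is applied; it is an added example, not Tetragon code, it assumes the spec has already been parsed into Python dicts, and the sample spec (including its path and symbol names) is constructed.

```python
import re

# Constraints taken from the field descriptions in this reference.
POST_ONLY = ("imaHash", "kernelStackTrace", "userStackTrace", "rateLimit", "rateLimitScope")
DEPRECATED_ACTIONS = {"FollowFD", "UnfollowFD", "CopyFD"}
BUF_TYPES = {"char_buf", "char_iovec"}
BUF_ONLY = ("returnCopy", "sizeArgIndex")
RATE_SCOPES = {"thread", "process", "global"}
HOOK_LISTS = ("tracepoints", "uprobes", "usdts")
_RATE_RE = re.compile(r"(\d+)([smh]?)")


def _is_set(obj, key):
    """True when the key carries a value (0 counts, so sizeArgIndex: 0 is seen)."""
    value = obj.get(key)
    return value is not None and value is not False and value != ""


def rate_limit_seconds(text):
    """Convert '30', '30s', '5m' or '2h' to seconds; None if malformed."""
    m = _RATE_RE.fullmatch(str(text).strip())
    if m is None:
        return None
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]


def lint_actions(actions, where):
    """Check one matchActions / matchReturnActions list."""
    findings = []
    for i, act in enumerate(actions or []):
        loc = f"{where}[{i}]"
        name = act.get("action")
        if name in DEPRECATED_ACTIONS:
            findings.append(f"{loc}: action {name} is deprecated")
        if name != "Post":
            findings += [f"{loc}: {k} is only valid with the Post action"
                         for k in POST_ONLY if _is_set(act, k)]
        if _is_set(act, "rateLimit") and rate_limit_seconds(act["rateLimit"]) is None:
            findings.append(f"{loc}: rateLimit {act['rateLimit']!r} is malformed")
        if _is_set(act, "rateLimitScope"):
            if not _is_set(act, "rateLimit"):
                findings.append(f"{loc}: rateLimitScope needs a rateLimit")
            if act["rateLimitScope"] not in RATE_SCOPES:
                findings.append(f"{loc}: unknown rateLimitScope")
    return findings


def lint_policy(spec):
    """Return a list of findings for the tracepoints, uprobes and usdts of a spec."""
    findings = []
    for kind in HOOK_LISTS:
        for h, hook in enumerate(spec.get(kind) or []):
            loc = f"{kind}[{h}]"
            if len(hook.get("message") or "") > 256:
                findings.append(f"{loc}: message longer than 256 characters")
            if len(hook.get("tags") or []) > 16:
                findings.append(f"{loc}: more than 16 tags")
            for a, arg in enumerate(hook.get("args") or []):
                if arg.get("type") not in BUF_TYPES:
                    findings += [f"{loc}.args[{a}]: {k} applies only to char_buf/char_iovec"
                                 for k in BUF_ONLY if _is_set(arg, k)]
            for s, sel in enumerate(hook.get("selectors") or []):
                for field in ("matchActions", "matchReturnActions"):
                    findings += lint_actions(sel.get(field), f"{loc}.selectors[{s}].{field}")
    return findings


# Constructed sample spec with deliberate mistakes (not a real policy).
SAMPLE_SPEC = {
    "tracepoints": [{
        "subsystem": "syscalls", "event": "sys_enter_write",
        "tags": [f"t{i}" for i in range(17)],
        "args": [{"index": 5, "type": "int", "sizeArgIndex": 0}],
        "selectors": [{"matchActions": [
            {"action": "Sigkill", "rateLimit": "1m", "kernelStackTrace": True},
            {"action": "Post", "rateLimitScope": "process"},
        ]}],
    }],
    "uprobes": [{
        "path": "/usr/bin/example", "symbols": ["example_symbol"],
        "selectors": [{"matchReturnActions": [
            {"action": "Post", "rateLimit": "90x"},
            {"action": "CopyFD"},
        ]}],
    }],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_SPEC):
        print(finding)
```

A rateLimit or stack-trace option attached to a Sigkill or Override action is the case worth catching in review, since the reference marks those options as valid only with the post action.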