From 4246e90d32a88f85185938f10d0bc0f76a869445 Mon Sep 17 00:00:00 2001
From: entlein <einentlein@gmail.com>
Date: Tue, 31 May 2022 15:00:42 +0200
Subject: [PATCH] testing a tracing policy

---
 .../templates/manifests/deploy-tetragon.j2    | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/roles/rke2/templates/manifests/deploy-tetragon.j2 b/roles/rke2/templates/manifests/deploy-tetragon.j2
index f131797..907a798 100644
--- a/roles/rke2/templates/manifests/deploy-tetragon.j2
+++ b/roles/rke2/templates/manifests/deploy-tetragon.j2
@@ -12,3 +12,32 @@ spec:
   chart: tetragon
   version: {{ item.value.version | default("v0.8.0") }}
   targetNamespace: kube-system
+
+---
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "sys-pivot-root"
+spec:
+  kprobes:
+  # __x64_sys_pivot_root(const char new root, const char put_old)
+  - call: "__x64_sys_pivot_root"
+    syscall: true
+    args:
+      - index: 0
+        type: "string"
+      - index: 1
+        type: "string"
+    selectors:
+    - matchPIDs:
+      - operator: NotIn
+        followForks: true
+        isNamespacePID: true
+        values:
+        - 1
+      - operator: NotIn
+        followForks: true
+        isNamespacePID: true
+        values:
+        - 0
+
-- 
GitLab