tetragon: Unable to use any other operator except "Equal", "NotEqual", "Prefix", "Postfix" in "matchArgs" selector

What happened?

I’m trying to apply a TracingPolicy that will trace socket events only for a specific destination port. According to the doc there are various operator types supported for the “matchArgs” selector that can help me to do it. However, each time I get the following error:

The TracingPolicy "tetragon-network-telemetry" is invalid: spec.kprobes[0].selectors[0].matchArgs[0].operator: Unsupported value: "DPort": supported values: "Equal", "NotEqual", "Prefix", "Postfix"

Here is a policy example:

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "tetragon-network-telemetry"
spec:
  kprobes:
  - call: "tcp_connect"
    syscall: false
    args:
    - index: 0
      type: "sock"
    selectors:
    - matchArgs:
      - index: 0
        operator: "DPort"
        values:
        - "9919"
  - call: "tcp_close"
    syscall: false
    args:
    - index: 0
      type: "sock"

What is the reason it’s prohibited to use the “DPort” operator here? It seems like the “sock” struct has all the required data available (doc). Is it a bug? Or probably I’m just missing something here.

Tetragon Version

0.10.0

Kernel Version

OS: Ubuntu 20.04.6 LTS
Kernel: 5.15.60
Container runtime: containerd://1.6.21

Kubernetes Version

Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.16", GitCommit:"51e33fadff13065ae5518db94e84598293965939", GitTreeState:"clean", BuildDate:"2023-07-19T12:19:24Z", GoVersion:"go1.20.6", Compiler:"gc", Platform:"linux/amd64"}

Bugtool

No response

Relevant log output

TracingPolicy "tetragon-network-telemetry" is invalid: spec.kprobes[0].selectors[0].matchArgs[0].operator: Unsupported value: "DPort": supported values: "Equal", "NotEqual", "Prefix", "Postfix"

Anything else?

No response

About this issue

  • State: open
  • Created 10 months ago
  • Reactions: 2
  • Comments: 19 (8 by maintainers)

Most upvoted comments

So I had to remove the CRDs manually in order to overcome it.

@vladimirkus When you recreated CRDs, did you use the ones from Tetragon 0.11, not 0.10? The error you’re getting suggests you might be using CRDs from 0.10 - this version has support for DPort, but not NotDPort operator.

Upgrading to 0.11.0 requires recreating CRDs indeed. In the next release it should be fine, however, 0.11 has reset the CRD version to match the Tetragon minor version, effectively decreasing it (the previous value was a historical artefact).

🤦🏼

Thanks @lambdanis, that explains it! I’ve updated the Release notes to indicate this: https://github.com/cilium/tetragon/releases/tag/v0.11.0.

I can see two options moving forward.

  1. have a check for version 1.3.4, and delete the CRD. We would have to remove the check before we release 1.3.4 though.
  2. Leave things as they are. We could ask users to manually delete the CRDs. Having a flag for the operator to always update the CRDs (regardless of the version) would be useful in this scenario, but always for things like downgrades.

I’d opt for approach (2).
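The thread boils down to a mismatch between the operators a policy uses and the enum the installed tracingpolicies.cilium.io CRD allows (the 0.10 CRD validates "DPort" but the one that produced the reporter's error did not). The following preflight check, added here as an example and not code from the issue or from the Tetragon project, reproduces the apiserver's validation locally so the mismatch is caught before `kubectl apply`. It assumes the CRD JSON comes from `kubectl get crd tracingpolicies.cilium.io -o json` (the script does not shell out; the CRD document and the policy below are constructed inline, with the trimmed CRD's enum matching the error in the issue), and it assumes the enum lives at the schema path spec.kprobes[].selectors[].matchArgs[].operator, which is the path the error message names.

```python
"""Preflight check: validate the matchArgs operators of a TracingPolicy against
the enum the installed tracingpolicies.cilium.io CRD actually accepts.

Example code, not Tetragon's own.  CRD_JSON stands in for the output of
`kubectl get crd tracingpolicies.cilium.io -o json` (assumption); nothing
here talks to a cluster."""
import json


def crd_with_operators(operators: list[str], version: str = "v1alpha1") -> str:
    """Build a constructed, trimmed-down CRD document whose matchArgs operator
    enum is `operators`.  Only the schema branch we validate against is kept."""
    operator_schema = {"type": "string", "enum": list(operators)}
    match_args = {"type": "array", "items": {"type": "object",
                  "properties": {"operator": operator_schema}}}
    selectors = {"type": "array", "items": {"type": "object",
                 "properties": {"matchArgs": match_args}}}
    kprobes = {"type": "array", "items": {"type": "object",
               "properties": {"selectors": selectors}}}
    spec = {"type": "object", "properties": {"kprobes": kprobes}}
    return json.dumps({
        "apiVersion": "apiextensions.k8s.io/v1",
        "kind": "CustomResourceDefinition",
        "metadata": {"name": "tracingpolicies.cilium.io"},
        "spec": {"group": "cilium.io", "versions": [{
            "name": version, "served": True, "storage": True,
            "schema": {"openAPIV3Schema": {"type": "object",
                                           "properties": {"spec": spec}}},
        }]},
    })


# Constructed: the enum from the error message in the issue (an older CRD).
CRD_JSON = crd_with_operators(["Equal", "NotEqual", "Prefix", "Postfix"])

# The reporter's policy as a dict (what a YAML loader would produce).
POLICY = {
    "apiVersion": "cilium.io/v1alpha1",
    "kind": "TracingPolicy",
    "metadata": {"name": "tetragon-network-telemetry"},
    "spec": {"kprobes": [
        {"call": "tcp_connect", "syscall": False,
         "args": [{"index": 0, "type": "sock"}],
         "selectors": [{"matchArgs": [
             {"index": 0, "operator": "DPort", "values": ["9919"]}]}]},
        {"call": "tcp_close", "syscall": False,
         "args": [{"index": 0, "type": "sock"}]},
    ]},
}


def allowed_operators(crd_json: str, version: str = "v1alpha1") -> list[str]:
    """Extract the operator enum for spec.kprobes[].selectors[].matchArgs[]
    from the CRD schema of the given served version."""
    crd = json.loads(crd_json)
    for v in crd["spec"]["versions"]:
        if v["name"] != version:
            continue
        node = v["schema"]["openAPIV3Schema"]["properties"]["spec"]
        node = node["properties"]["kprobes"]["items"]
        node = node["properties"]["selectors"]["items"]
        node = node["properties"]["matchArgs"]["items"]
        return list(node["properties"]["operator"].get("enum", []))
    raise KeyError(f"CRD does not serve version {version}")


def unsupported_operators(policy: dict, allowed: list[str]) -> list[str]:
    """Return one apiserver-style message per matchArgs operator that the CRD
    enum does not contain; empty list means the policy would pass validation."""
    problems = []
    for i, kp in enumerate(policy["spec"].get("kprobes", [])):
        for j, sel in enumerate(kp.get("selectors", [])):
            for k, arg in enumerate(sel.get("matchArgs", [])):
                op = arg.get("operator")
                if op not in allowed:
                    supported = ", ".join(f'"{a}"' for a in allowed)
                    problems.append(
                        f"spec.kprobes[{i}].selectors[{j}].matchArgs[{k}].operator: "
                        f'Unsupported value: "{op}": supported values: {supported}')
    return problems


def check(policy: dict, crd_json: str) -> list[str]:
    """Validate `policy` against the CRD version its apiVersion names."""
    version = policy["apiVersion"].split("/", 1)[1]
    return unsupported_operators(policy, allowed_operators(crd_json, version))


if __name__ == "__main__":
    # Against the old CRD this prints the same message the issue reports.
    for line in check(POLICY, CRD_JSON) or ["all operators accepted by the installed CRD"]:
        print(line)
    # Against a CRD that lists DPort the same policy validates cleanly.
    newer = crd_with_operators(["Equal", "NotEqual", "Prefix", "Postfix", "DPort", "NotDPort"])
    print("problems with newer CRD:", check(POLICY, newer))
```

Running this against the constructed old CRD prints exactly the line from the issue; swapping in a CRD whose enum lists "DPort" yields no problems, which is the same outcome the maintainers describe when the CRDs are recreated from the matching Tetragon release. Because the script reads the enum from the CRD the cluster serves rather than from the docs, it also flags the stale-CRD-after-upgrade case the thread ends on.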