Is there an existing issue for this?
Is your feature request related to a problem?
Today, you can use tetra tracingpolicy to load a policy; but you can also install new policies through CRD.
The problem is: given a policy has been installed via k8s, do we allow tetra tracingpolicy ... to modify it?
Also, this is a future-proofing request, since new tracingpolicy sources can be added later on and amplify the issue.
Describe the feature you would like
My proposal is for tetragon Sensors Manager to track the "source" of a tracingpolicy.
Describe your proposed solution
Let's add a new source (or domain) string to the Sensors Manager collectionKey structure.
My proposal is to update the code to:
- set the source to
tetra-cli for policies registered via tetra / initial command line argument (--tracing-policy)
- set the source to
k8s for both TracingPolicyNamespaced and normal (ie: non-Namespaced) TracingPolicy pushed via CRD
- add a cli switch to
tetra tracingpolicy like: --force to enforce the override for any source (ie: if you always invoke tetra tracingpolicy --force ... , the behavior will be exactly the current one)
At that point, Sensors Manager will differentiate between all of these policies that will be effectively managed specifically for each source, and each source can only operate on its policies, unless the user knowingly enforces the old behavior via tetra tracingpolict --force cli flag.
Code of Conduct
Is there an existing issue for this?
Is your feature request related to a problem?
Today, you can use
tetra tracingpolicyto load a policy; but you can also install new policies through CRD.The problem is: given a policy has been installed via k8s, do we allow
tetra tracingpolicy ...to modify it?Also, this is a future-proofing request, since new tracingpolicy sources can be added later on and amplify the issue.
Describe the feature you would like
My proposal is for tetragon Sensors Manager to track the "source" of a tracingpolicy.
Describe your proposed solution
Let's add a new
source(ordomain) string to the Sensors Manager collectionKey structure.My proposal is to update the code to:
tetra-clifor policies registered via tetra / initial command line argument (--tracing-policy)k8sfor bothTracingPolicyNamespacedand normal (ie: non-Namespaced)TracingPolicypushed via CRDtetra tracingpolicylike:--forceto enforce the override for any source (ie: if you always invoketetra tracingpolicy --force ..., the behavior will be exactly the current one)At that point, Sensors Manager will differentiate between all of these policies that will be effectively managed specifically for each source, and each source can only operate on its policies, unless the user knowingly enforces the old behavior via
tetra tracingpolict --forcecli flag.Code of Conduct