
chore: Remove deprecated FD-tracking actions #4700

Draft
ariosmon wants to merge 1 commit into cilium:main from ariosmon:ariosm/pr/remove-followFD-and-friends-from-BPF

@ariosmon ariosmon commented Feb 26, 2026

FIXES: #4580

Verified the deprecation logic works via standalone daemon testing. 

Executing a regular tracing policy with no deprecated fields, checking that it is still possible to keep working with a regular tracing policy with the correct structure.

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "fd-install"
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Equal"
        values:
        - "/tmp/tetragon"
      matchActions:
      - action: Sigkill

Output after running this command line: sudo ./tetragon --bpf-lib bpf/objs/ --tracing-policy testdata/fd-install-normal.yaml

ariosmon@lima-tetragon-lab:/Users/ariosmon/Documents/github_isovalent/tetragon$ sudo ./tetragon --bpf-lib bpf/objs/ --tracing-policy testdata/fd-install-normal.yaml
[...]
level=info msg="Starting tetragon" version=v1.7.0-pre.0-500-g3726ebd37
level=info msg="config settings" config="map[bpf-dir:tetragon bpf-lib:bpf/objs/ btf: cgroup-rate: cluster-name: config-dir: cpuprofile: cri-endpoint: data-
level=info msg="Loading sensor" name=generic_kprobe
level=info msg="Loading kernel version 6.8.12"
level=info msg="Loaded generic kprobe program: bpf/objs/bpf_generic_kprobe_v61.o -> fd_install"
level=info msg="Loaded sensor successfully" sensor=generic_kprobe
level=info msg="Added TracingPolicy with success" TracingPolicy=testdata/fd-install-normal.yaml metadata.namespace="" metadata.name=fd-install
level=info msg="Perf ring buffer size (bytes)" percpu=68K total=272K
level=info msg="Events queue size (events)" size=63K
level=info msg="Listening for events..."

Create a tracing policy to test with the tetragon executable directly, to check that compilation still works after removing the code.

Create a tracing policy, testdata/deprecated-fd-test-policy.yaml; the expected output is a deprecation message like:

level=warn msg="Deprecated field used: 'argFd' is deprecated as of v1.5. This field was used for removed FD-tracking actions." field=argFd
level=warn msg="Deprecated field used: 'argName' is deprecated as of v1.5. This field was used for removed FD-tracking actions." field=argName

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: test-deprecated-fd-tracking
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    - matchActions:
      - action: "Post"
        argFd: 1        # DEPRECATED: This should trigger a warning
        argName: 1      # DEPRECATED: This should trigger a warning

Execute the tracing-policy

sudo ./tetragon --bpf-lib bpf/objs/ --tracing-policy testdata/deprecated-fd-test-policy.yaml

Output after executing this command line: sudo ./tetragon --bpf-lib bpf/objs/ --tracing-policy testdata/deprecated-fd-test-policy.yaml

ariosmon@lima-tetragon-lab:/Users/ariosmon/Documents/github_isovalent/tetragon$ sudo ./tetragon --bpf-lib bpf/objs/ --tracing-policy testdata/deprecated-fd-test-policy.yaml
level=info msg="Starting tetragon" version=v1.7.0-pre.0-500-g3726ebd37
[...]
level=warn msg="Deprecated field used: 'argFd' is deprecated as of v1.5. This field was used for removed FD-tracking actions." field=argFd
level=warn msg="Deprecated field used: 'argName' is deprecated as of v1.5. This field was used for removed FD-tracking actions." field=argName
[...]
level=info msg="Perf ring buffer size (bytes)" percpu=68K total=272K
level=info msg="Events queue size (events)" size=63K
level=info msg="Listening for events..."

Some Testing in K8s:

I created a Docker image from the development code to test that removing FollowFD and friends from the BPF implementation works well.

helm install tetragon ./install/kubernetes/tetragon \
  --namespace kube-system \
  --create-namespace \
  --set tetragon.image.override=cilium/tetragon:latest \
  --set tetragon.image.pullPolicy=Never


Output: 

NAME: tetragon
LAST DEPLOYED: Wed Feb 25 21:14:26 2026
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None

Adding the tracing policy:

$ kubectl apply -f - <<EOF
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: test-deprecated-fd-tracking
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    - matchActions:
      - action: "Post"
        argFd: 2
        argName: 1
EOF
tracingpolicy.cilium.io/test-deprecated-fd-tracking created

Helm list:

$ helm list
NAME    	NAMESPACE  	REVISION	UPDATED                                	STATUS  	CHART         	APP VERSION
tetragon	kube-system	1       	2026-02-25 21:14:26.783373441 -0500 -05	deployed	tetragon-1.6.0	1.6.0$

Logs:

kubectl logs -n kube-system tetragon-2lnlf -c tetragon --tail=50

[...]
level=info msg="Events queue size (events)" size=63K
level=info msg="Listening for events..."
level=warn msg="Deprecated field used: 'argFd' is deprecated as of v1.5. This field was used for removed FD-tracking actions." field=argFd
level=warn msg="Deprecated field used: 'argName' is deprecated as of v1.5. This field was used for removed FD-tracking actions." field=argName
level=info msg="Added kprobe" return=false function=fd_install override=false
level=info msg="Added generic kprobe sensor: /var/lib/tetragon/bpf_generic_kprobe_v61.o -> fd_install" override=false
level=info msg="BTF file: using metadata file" metadata=/sys/kernel/btf/vmlinux
level=info msg="Loading sensor" name=generic_kprobe
level=info msg="Loading kernel version 6.8.12"
level=info msg="Loaded generic kprobe program: /var/lib/tetragon/bpf_generic_kprobe_v61.o -> fd_install"
level=info msg="Loaded sensor successfully" sensor=generic_kprobe

Test 2: Policy with Deprecated Action (FollowFD)

$ kubectl apply -f - <<EOF
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: test-followfd-action
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    - matchActions:
      - action: "FollowFD"
        argFd: 0
        argName: 1
EOF

NOTE: The deprecated action was blocked at the CRD validation level

-- Logs: 

The TracingPolicy "test-followfd-action" is invalid: spec.kprobes[0].selectors[0].matchActions[0].action: Unsupported value: "FollowFD": supported values: "Post", "Sigkill", "Override", "GetUrl", "DnsLookup", "NoPost", "Signal", "TrackSock", "UntrackSock", "NotifyEnforcer", "CleanupEnforcerNotification", "Set"

Test 3: Valid Policy (No Warnings)

$ kubectl apply -f - <<EOF
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: fd-install-normal
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Equal"
        values:
        - "/tmp/tetragon"
      matchActions:
      - action: Sigkill
EOF

tracingpolicy.cilium.io/fd-install-normal created

-- Logs:

ariosmon@lima-tetragon-lab:/Users/ariosmon/Documents/github_isovalent/tetragon$ kubectl logs -n kube-system tetragon-2lnlf -c tetragon --tail=50
[...]
level=info msg="adding tracing policy" name=fd-install-normal info="fd-install-normal (object:1/db17a4ae-9e9c-4bce-86c7-bf02f4925a90) (type:TracingPolicy/cilium.io/v1alpha1)"
[...]
level=info msg="Cgroup rate disabled (0/0s)"
level=info msg="Perf ring buffer size (bytes)" percpu=68K total=272K
level=info msg="Events queue size (events)" size=63K
level=info msg="Listening for events..."

netlify bot commented Feb 26, 2026

Deploy Preview for tetragon ready!

Name Link
🔨 Latest commit 1058199
🔍 Latest deploy log https://app.netlify.com/projects/tetragon/deploys/69a1b0f9d82ba500084e4378
😎 Deploy Preview https://deploy-preview-4700--tetragon.netlify.app

@ariosmon ariosmon force-pushed the ariosm/pr/remove-followFD-and-friends-from-BPF branch 9 times, most recently from 0968eeb to 37ec52a Compare February 27, 2026 15:44
The FollowFD, UnfollowFD, and CopyFD actions (values 2, 4, and 6) were
deprecated and have been removed from the API and BPF implementation.
Updated proto definitions, generated code, documentation, and removed
all related BPF map structures and helper functions.

Signed-off-by: ariosmon <ariosmon@cisco.com>
@ariosmon ariosmon force-pushed the ariosm/pr/remove-followFD-and-friends-from-BPF branch from 37ec52a to c66095f Compare February 27, 2026 16:23
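
A pre-apply check for the migration described in this PR, as an added example that is not part of the PR or of Tetragon's code: it reports the removed actions named in the commit message as errors and the deprecated `argFd`/`argName` fields as warnings. `LintPolicy`, `Finding` and the sample policy are hypothetical names constructed here, and the scan is line-based on block-style YAML rather than a real YAML parse.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one policy line affected by the removal.
type Finding struct {
	Line           int
	Severity, Name string // "error": removed action, "warn": deprecated field
}

// Names come from the PR text; actions are compared case-insensitively (this example's choice).
var removedActions = map[string]bool{"followfd": true, "unfollowfd": true, "copyfd": true}
var deprecatedFields = map[string]bool{"argFd": true, "argName": true}
var keyValue = regexp.MustCompile(`^\s*(?:-\s+)?([A-Za-z]+)\s*:\s*(.*)$`)

// LintPolicy scans block-style TracingPolicy YAML line by line (no YAML parser).
func LintPolicy(yamlText string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(yamlText))
	for n := 1; sc.Scan(); n++ {
		if m := keyValue.FindStringSubmatch(sc.Text()); m != nil {
			// Drop a trailing comment, surrounding spaces and quotes from the value.
			val := strings.Trim(strings.TrimSpace(strings.SplitN(m[2], "#", 2)[0]), `"'`)
			if m[1] == "action" && removedActions[strings.ToLower(val)] {
				out = append(out, Finding{n, "error", val})
			} else if deprecatedFields[m[1]] {
				out = append(out, Finding{n, "warn", m[1]})
			}
		}
	}
	return out
}

// samplePolicy is constructed for this example from the selectors in the PR's tests.
const samplePolicy = `selectors:
- matchActions:
  - action: "FollowFD"
    argFd: 0
    argName: 1   # deprecated
  - action: Sigkill
`

func main() {
	fmt.Println(LintPolicy(samplePolicy))
}
```

Run over policy files in CI, an `error` finding corresponds to a policy the CRD validation in Test 2 rejects, and a `warn` finding to one that loads with the deprecation warnings shown in the logs.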

Development

Successfully merging this pull request may close these issues.

remove followFD and friends from BPF
