cilium · tpapagian · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026 · Apr 7, 2026
@@ -10,11 +10,22 @@
 #define POLICY_FILTER_MAX_POLICIES   128
 #define POLICY_FILTER_MAX_CGROUP_IDS 1024
 
+#define ALL_PODS_POLICY_ID 0xFFFFFFFFul
+#define HOST_SELECTOR_MODE 0xFFFFFFFFFFFFFFFFull
+
+// In order to implement the hostSelector we add one more entry in the outer map
+// that is not related to any specific policy. This entry has policy_id equals
+// to ALL_PODS_POLICY_ID (UINT32_MAX). In that case the inner map contains the
+// cgroup_ids for *all* containers inside *all* pods. This allows us to generate
+// a mechanism to match (i) on all pods or (ii) in none of the pods (which is the
+// same as the host workload).
 struct {
 	__uint(type, BPF_MAP_TYPE_HASH_OF_MAPS);
 	__uint(max_entries, POLICY_FILTER_MAX_POLICIES);
 	__type(key, u32); /* policy id */
 	__array(
+		// If a specific policy needs to match on host workloads as well we also
+		// add an entry with key HOST_SELECTOR_MODE (UINT64_MAX).
 		values, struct {
 			__uint(type, BPF_MAP_TYPE_HASH);
 			__uint(max_entries, 1);
@@ -63,7 +74,23 @@ FUNC_INLINE bool policy_filter_check(u32 policy_id)
 	if (trackerid)
 		cgroupid = trackerid;
 
-	return map_lookup_elem(policy_map, &cgroupid);
+	if (map_lookup_elem(policy_map, &cgroupid))
+		return true; // We have a match from the podSelector and/or the containerSelector.
+
+	// We didn't match on the podSelector and/or the containerSelector.
+	// Now we need to check if we have a hostSelector match.
+
+	trackerid = HOST_SELECTOR_MODE;
+	if (!map_lookup_elem(policy_map, &trackerid))
+		return false; // Cannot find the match mode of the hostSelector so we do not care to match any host workloads.
+
+	policy_id = ALL_PODS_POLICY_ID;
+	policy_map = map_lookup_elem(&policy_filter_maps, &policy_id);
+	if (!policy_map)
+		return false; // Cannot find the cgroupids of all containers inside all pods. This should not happen.
+
+	// If !map_lookup_elem(policy_map, &cgroupid) then our cgroupid belongs to a host workload.
+	return !map_lookup_elem(policy_map, &cgroupid);
 }
 
 #endif /* POLICY_FILTER_MAPS_H__ */
@@ -49,6 +49,63 @@ the policy is applied to.
 
 For container field filters, we use the `containerSelector` field of tracing policies to select the containers that the policy is applied to. At the moment, the only supported fields are `name` and `repo` which refers to the container repository.
 
+## Host workload filters
+
+To filter host workloads we use the `hostSelector` field of tracing policies to select if a policy
+should be applied to host workloads or not. For now this only supports `{}` to match all host workloads
+and `null` to match none of the host workloads.
+
+## Examples
+
+By default, a policy match on all workloads, similar to the following example:
+
+```yaml
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "workload-filtering"
+spec:
+  hostSelector: {}
+  podSelector: {}
+  containerSelector: {}
+  kprobes:
+```
+
+This is the same as if the user does not define any of `hostSelector`, `podSelector`, and `containerSelector`. Based on that the user can filter out specific workloads.
+
+The following example will match only host workloads.
+
+```yaml
+spec:
+  hostSelector: {}
+  podSelector: null
+  containerSelector: null
+```
+
+The following example will match only pod workloads.
+
+```yaml
+spec:
+  hostSelector: null
+  podSelector: {}
+  containerSelector: {}
+```
+
+`containerSelector` acts as a second level filtering on the `podSelector`. This means that first the podSelector is evaluated and if pod match we then apply the `containerSelector`.
+The following example will match all pods inside the `kube-system` namespace and all host workloads.
+
+```yaml
+spec:
+  hostSelector: {}
+  podSelector:
+    matchExpressions:
+    - key: "k8s:io.kubernetes.pod.namespace"
+      operator: In
+      values:
+      - "kube-system"
+  containerSelector: {} # this can be also omitted as the default value is {}
+```
+
 ## Demo
 
 ### Setup