From 815b3c839754d621f8ac20f48d39b3b98849e57e Mon Sep 17 00:00:00 2001 From: t0x01 Date: Wed, 5 Feb 2025 19:32:27 +0400 Subject: [PATCH] docs: Add ancestor binary export filter information Add information about new ancestor binary export filter to documentation. Signed-off-by: t0x01 --- api/v1/README.md | 1 + docs/content/en/docs/concepts/events.md | 3 ++- docs/content/en/docs/reference/grpc-api.md | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/api/v1/README.md b/api/v1/README.md index d7ffad823c6..39b2313d3ad 100644 --- a/api/v1/README.md +++ b/api/v1/README.md @@ -1435,6 +1435,7 @@ Capability set to filter over. NOTE: you may specify only ONE set here. | parent_arguments_regex | [string](#string) | repeated | Filter by process.parent.arguments field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | container_id | [string](#string) | repeated | Filter by the container ID in the process.docker field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | in_init_tree | [google.protobuf.BoolValue](#google-protobuf-BoolValue) | | Filter containerized processes based on whether they are descendants of the container's init process. This can be used, for example, to watch for processes injected into a container via docker exec, kubectl exec, or similar mechanisms. | +| ancestor_binary_regex | [string](#string) | repeated | Filter ancestor processes' binaries using RE2 regular expression syntax. | diff --git a/docs/content/en/docs/concepts/events.md b/docs/content/en/docs/concepts/events.md index 5e53958d9bc..f4292e7c281 100644 --- a/docs/content/en/docs/concepts/events.md +++ b/docs/content/en/docs/concepts/events.md 
@@ -166,8 +166,9 @@ flags, or environment variables. | `parent_arguments_regex` | Filter by the container ID in the process.docker field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | `container_id` | Filter by parent process arguments using a list of regular expressions. You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | | `in_init_tree` | Filter containerized processes based on whether they are descendants of the container's init process. This can be used, for example, to watch for processes injected into a container via docker exec, kubectl exec, or similar mechanisms. | +| `ancestor_binary_regex` | Filter process events by a list of regular expressions of ancestor processes' binary names (e.g. `"^/home/kubernetes/bin/kubelet$"`). You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | -#### Field Filtering +#### Field Filtering In some cases, it is not desirable to include all of the fields exported in Tetragon events by default. In these cases, you can use field filters to diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md index 95f059c3276..718a1c2154d 100644 --- a/docs/content/en/docs/reference/grpc-api.md +++ b/docs/content/en/docs/reference/grpc-api.md 
@@ -903,6 +903,7 @@ Capability set to filter over. NOTE: you may specify only ONE set here. | parent_arguments_regex | [string](#string) | repeated | Filter by process.parent.arguments field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | container_id | [string](#string) | repeated | Filter by the container ID in the process.docker field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | in_init_tree | [google.protobuf.BoolValue](#google-protobuf-BoolValue) | | Filter containerized processes based on whether they are descendants of the container's init process. This can be used, for example, to watch for processes injected into a container via docker exec, kubectl exec, or similar mechanisms. | +| ancestor_binary_regex | [string](#string) | repeated | Filter ancestor processes' binaries using RE2 regular expression syntax. |
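Review bot: in the api/v1/README.md hunk, the new `ancestor_binary_regex` row is less specific than the rows around it: it does not say which event field is matched, and it drops the RE2 syntax link that the `parent_arguments_regex` and `container_id` rows carry. Suggest aligning it with the neighbouring rows and with the wording used in the events.md hunk, e.g. `| ancestor_binary_regex | [string](#string) | repeated | Filter by the binary names of the process's ancestors using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax |`. It would also help to state whether a match on any single ancestor is enough for the event to pass the filter, since that is what a reader writing a filter needs to know.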
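Review bot: in the docs/content/en/docs/concepts/events.md hunk, the `-#### Field Filtering` / `+#### Field Filtering` pair looks like a whitespace-only change unrelated to the new filter; either drop it or mention it in the commit message so reviewers do not hunt for a content difference. The new `ancestor_binary_regex` row is the clearest of the three descriptions in this patch and could serve as the model for the other two. Separately, the unchanged context rows above it have their descriptions swapped (`parent_arguments_regex` describes the container ID filter and `container_id` describes parent process arguments); that is pre-existing, but it is worth fixing in the same docs pass.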
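Review bot: the docs/content/en/docs/reference/grpc-api.md hunk repeats the api/v1/README.md row verbatim, so the same points apply: add the RE2 syntax link that the surrounding rows include and name the event field being matched. If both files are produced from the same proto comment, the wording should be fixed at that source rather than edited in each rendered file, so the two cannot drift apart.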