diff --git a/api/v1/README.md b/api/v1/README.md index eebc443f12f..002f7cf647a 100644 --- a/api/v1/README.md +++ b/api/v1/README.md @@ -1454,6 +1454,7 @@ Capability set to filter over. NOTE: you may specify only ONE set here. | parent_arguments_regex | [string](#string) | repeated | Filter by process.parent.arguments field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | container_id | [string](#string) | repeated | Filter by the container ID in the process.docker field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | in_init_tree | [google.protobuf.BoolValue](#google-protobuf-BoolValue) | | Filter containerized processes based on whether they are descendants of the container's init process. This can be used, for example, to watch for processes injected into a container via docker exec, kubectl exec, or similar mechanisms. | +| ancestor_binary_regex | [string](#string) | repeated | Filter ancestor processes' binaries using RE2 regular expression syntax. | diff --git a/docs/content/en/docs/concepts/events.md b/docs/content/en/docs/concepts/events.md index 5e53958d9bc..f4292e7c281 100644 --- a/docs/content/en/docs/concepts/events.md +++ b/docs/content/en/docs/concepts/events.md @@ -166,8 +166,9 @@ flags, or environment variables. | `parent_arguments_regex` | Filter by the container ID in the process.docker field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | `container_id` | Filter by parent process arguments using a list of regular expressions. You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | | `in_init_tree` | Filter containerized processes based on whether they are descendants of the container's init process. This can be used, for example, to watch for processes injected into a container via docker exec, kubectl exec, or similar mechanisms. | +| `ancestor_binary_regex` | Filter process events by a list of regular expressions of ancestor processes' binary names (e.g. `"^/home/kubernetes/bin/kubelet$"`). You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | -#### Field Filtering +#### Field Filtering In some cases, it is not desirable to include all of the fields exported in Tetragon events by default. In these cases, you can use field filters to diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md index c8792c8b1f6..02420908dfd 100644 --- a/docs/content/en/docs/reference/grpc-api.md +++ b/docs/content/en/docs/reference/grpc-api.md @@ -914,6 +914,7 @@ Capability set to filter over. NOTE: you may specify only ONE set here. | parent_arguments_regex | [string](#string) | repeated | Filter by process.parent.arguments field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | container_id | [string](#string) | repeated | Filter by the container ID in the process.docker field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | in_init_tree | [google.protobuf.BoolValue](#google-protobuf-BoolValue) | | Filter containerized processes based on whether they are descendants of the container's init process. This can be used, for example, to watch for processes injected into a container via docker exec, kubectl exec, or similar mechanisms. | +| ancestor_binary_regex | [string](#string) | repeated | Filter ancestor processes' binaries using RE2 regular expression syntax. |