diff --git a/.github/workflows/generated-files.yaml b/.github/workflows/generated-files.yaml index 192c200a9be..3fed238c2b3 100644 --- a/.github/workflows/generated-files.yaml +++ b/.github/workflows/generated-files.yaml @@ -35,7 +35,6 @@ jobs: fi - name: Check Tetragon daemon flags run: | - make tetragon make generate-flags git status git diff diff --git a/Makefile b/Makefile index 9928ca64270..58d0a29da63 100644 --- a/Makefile +++ b/Makefile @@ -168,9 +168,7 @@ verify: tetragon-bpf .PHONY: generate-flags tetragon tetra tetragon-operator tetragon-bench generate-flags: tetragon - echo "\`\`\`" > docs/content/en/docs/reference/daemon-flags.md - echo "$$(./tetragon --help 2>&1)" >> docs/content/en/docs/reference/daemon-flags.md - echo "\`\`\`" >> docs/content/en/docs/reference/daemon-flags.md + echo "$$(./tetragon --generate-docs)" > docs/data/tetragon_flags.yaml tetragon: $(GO_BUILD) ./cmd/tetragon/ diff --git a/api/export-doc.sh b/api/export-doc.sh index f7a12869722..ca4347824cf 100755 --- a/api/export-doc.sh +++ b/api/export-doc.sh @@ -31,6 +31,7 @@ title: "gRPC API" description: > This reference is generated from the protocol buffer specification and documents the gRPC API of Tetragon. +weight: 3 --- {{< comment >}} diff --git a/docs/content/en/docs/concepts/tracing-policy/_index.md b/docs/content/en/docs/concepts/tracing-policy/_index.md index 6e28e5c0ada..a4e3e24d93d 100644 --- a/docs/content/en/docs/concepts/tracing-policy/_index.md +++ b/docs/content/en/docs/concepts/tracing-policy/_index.md 
@@ -31,7 +31,7 @@ startup using flags. - You can use `tetra` gRPC CLI to add and remove a `TracingPolicy`. - You can use the `--tracing-policy` and `--tracing-policy-dir` flags to statically add policies at startup time, see more in the [daemon configuration page]({{< ref - "/docs/reference/tetragon-configuration#configure-tracing-policies-location" >}}). + "/docs/reference/daemon-configuration#configure-tracing-policies-location" >}}). Hence, even though Tracing Policies are structured as a Kubernetes CR, they can also be used in diff --git a/docs/content/en/docs/installation/container.md b/docs/content/en/docs/installation/container.md index ab2528589c3..f8167f5c2b0 100644 --- a/docs/content/en/docs/installation/container.md +++ b/docs/content/en/docs/installation/container.md @@ -55,7 +55,7 @@ There are multiple ways to set configuration options: /usr/bin/tetragon --export-filename /var/log/tetragon/tetragon.log ``` - For a complete list of CLI arguments, please check [Tetragon daemon configuration](/docs/reference/tetragon-configuration). + For a complete list of CLI arguments, please check [Tetragon daemon configuration]({{< ref "/docs/reference/daemon-configuration" >}}). 2. Environment variables 
@@ -70,11 +70,11 @@ There are multiple ways to set configuration options: Every controlling setting can be set using environment variables. Prefix it with the key word `TETRAGON_` then upper case the controlling setting. As an example to set where to export JSON events: `--export-filename` will be `TETRAGON_EXPORT_FILENAME`. - For a complete list of all controlling settings, please check [tetragon daemon configuration](/docs/reference/tetragon-configuration). + For a complete list of all controlling settings, please check [tetragon daemon configuration]({{< ref "/docs/reference/daemon-configuration" >}}). 3. Configuration files mounted as volumes - On the host machine set the configuration drop-ins inside `/etc/tetragon/tetragon.conf.d/` directory according to the [configuration examples](/docs/reference/tetragon-configuration/#configuration-examples), then mount it as volume: + On the host machine set the configuration drop-ins inside `/etc/tetragon/tetragon.conf.d/` directory according to the [configuration examples]({{< ref "/docs/reference/daemon-configuration#configuration-examples" >}}), then mount it as volume: ```shell docker run --name tetragon --rm -d \ @@ -86,5 +86,5 @@ There are multiple ways to set configuration options: This will map the `/etc/tetragon/tetragon.conf.d/` drop-in directory from the host into the container. -See [Tetragon daemon configuration](/docs/reference/tetragon-configuration) reference for further details. +See [Tetragon daemon configuration]({{< ref "/docs/reference/daemon-configuration" >}}) reference for further details. diff --git a/docs/content/en/docs/installation/package.md b/docs/content/en/docs/installation/package.md index 17511fe80f9..9c326a93984 100644 --- a/docs/content/en/docs/installation/package.md +++ b/docs/content/en/docs/installation/package.md 
@@ -71,7 +71,7 @@ can change the configuration by adding drop-ins inside command line flags. To restore default settings, remove any added configuration inside `/etc/tetragon/tetragon.conf.d/`. -See [Tetragon daemon configuration](/docs/reference/tetragon-configuration) for further details. +See [Tetragon daemon configuration]({{< ref "/docs/reference/daemon-configuration" >}}) for further details. ## Upgrade @@ -146,7 +146,7 @@ To access the gRPC API with `tetra` client, set `--server-address` to point to t sudo tetra --server-address unix:///var/run/tetragon/tetragon.sock getevents ``` -See [restrict gRPC API access](/docs/reference/tetragon-configuration/#restrict-grpc-api-access) for further details. +See [restrict gRPC API access]({{< ref "/docs/reference/daemon-configuration#restrict-grpc-api-access" >}}) for further details. ### Tetragon Events diff --git a/docs/content/en/docs/reference/tetragon-configuration.md b/docs/content/en/docs/reference/daemon-configuration.md similarity index 92% rename from docs/content/en/docs/reference/tetragon-configuration.md rename to docs/content/en/docs/reference/daemon-configuration.md index ade1c63c608..a620ea9a29b 100644 --- a/docs/content/en/docs/reference/tetragon-configuration.md +++ b/docs/content/en/docs/reference/daemon-configuration.md 
@@ -1,18 +1,21 @@ --- -title: "Tetragon Daemon Configuration" -linkTitle: "Tetragon Daemon Configuration" -description: "Configure Tetragon daemon" +title: "Daemon Configuration" +description: "Explore Tetragon options and configuration mechanisms." +weight: 1 --- Tetragon default controlling settings are set during compilation, so configuration is only needed when it is necessary to deviate from those defaults. This document lists those controlling settings and how they can be set -as a CLI arguments or as configuration options from [YAML](https://yaml.org) files. +as a CLI arguments or as configuration options from YAML files. -## Tetragon Controlling Settings +## Options -Tetragon CLI arguments: -{{< readfile "/docs/reference/daemon-flags.md" >}} +The following table list all Tetragon daemon available options and is +automatically generated using the tetragon binary `--generate-docs` flag. The +same information can also be retrieved using `--help`. + +{{< tetragon-options >}} ## Configuration precedence diff --git a/docs/content/en/docs/reference/daemon-flags.md b/docs/content/en/docs/reference/daemon-flags.md deleted file mode 100644 index b57ca471c88..00000000000 --- a/docs/content/en/docs/reference/daemon-flags.md +++ /dev/null 
@@ -1,60 +0,0 @@ -``` -Tetragon - eBPF-based Security Observability and Runtime Enforcement - -Usage: - tetragon [flags] - -Flags: - --bpf-lib string Location of Tetragon libs (btf and bpf files) (default "/var/lib/tetragon/") - --btf string Location of btf - --config-dir string Configuration directory that contains a file for each option - --data-cache-size int Size of the data events cache (default 1024) - -d, --debug Enable debug messages. Equivalent to '--log-level=debug' - --disable-kprobe-multi Allow to disable kprobe multi interface - --enable-export-aggregation Enable JSON export aggregation - --enable-k8s-api Access Kubernetes API to associate Tetragon events with Kubernetes pods - --enable-msg-handling-latency Enable metrics for message handling latency - --enable-pid-set-filter Enable pidSet export filters. Not recommended for production use - --enable-pod-info Enable PodInfo custom resource - --enable-policy-filter Enable policy filter code (beta) - --enable-policy-filter-debug Enable policy filter debug messages - --enable-process-ancestors Include ancestors in process exec events (default true) - --enable-process-cred Enable process_cred events - --enable-process-ns Enable namespace information in process_exec and process_kprobe events - --event-queue-size uint Set the size of the internal event queue. 
(default 10000) - --export-aggregation-buffer-size uint Aggregator channel buffer size (default 10000) - --export-aggregation-window-size duration JSON export aggregation time window (default 15s) - --export-allowlist string JSON export allowlist - --export-denylist string JSON export denylist - --export-file-compress Compress rotated JSON export files - --export-file-max-backups int Number of rotated JSON export files to retain (default 5) - --export-file-max-size-mb int Size in MB for rotating JSON export files (default 10) - --export-file-perm string Access permissions on JSON export files (default "600") - --export-file-rotation-interval duration Interval at which to rotate JSON export files in addition to rotating them by size - --export-filename string Filename for JSON export. Disabled by default - --export-rate-limit int Rate limit (per minute) for event export. Set to -1 to disable (default -1) - --expose-kernel-addresses Expose real kernel addresses in events stack traces - --field-filters string Field filters for event exports - --force-large-progs Force loading large programs, even in kernels with < 5.3 versions - --force-small-progs Force loading small programs, even in kernels with >= 5.3 versions - --gops-address string gops server address (e.g. 'localhost:8118'). Disabled by default - -h, --help help for tetragon - --k8s-kubeconfig-path string Absolute path of the kubernetes kubeconfig file - --kernel string Kernel version - --kmods strings List of kernel modules to load symbols from - --log-format string Set log format (default "text") - --log-level string Set log level (default "info") - --metrics-label-filter string Comma-separated list of enabled metric labels. (e.g. "namespace,workload,pod,binary") By default all labels are enabled. - --metrics-server string Metrics server address (e.g. ':2112'). 
Disabled by default - --netns-dir string Network namespace dir (default "/var/run/docker/netns/") - --process-cache-size int Size of the process cache (default 65536) - --procfs string Location of procfs to consume existing PIDs (default "/proc/") - --rb-queue-size string Set size of channel between ring buffer and sensor go routines (default 65k, allows K/M/G suffix) (default "65535") - --rb-size string Set perf ring buffer size for single cpu (default 65k, allows K/M/G suffix) (default "0") - --rb-size-total string Set perf ring buffer size in total for all cpus (default 65k per cpu, allows K/M/G suffix) (default "0") - --release-pinned-bpf Release all pinned BPF programs and maps in Tetragon BPF directory. Enabled by default. Set to false to disable (default true) - --server-address string gRPC server address (e.g. 'localhost:54321' or 'unix:///var/run/tetragon/tetragon.sock' (default "localhost:54321") - --tracing-policy string Tracing policy file to load at startup - --tracing-policy-dir string Directory from where to load Tracing Policies (default "/etc/tetragon/tetragon.tp.d") - --verbose int set verbosity level for eBPF verifier dumps. Pass 0 for silent, 1 for truncated logs, 2 for a full dump -``` diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md index eda4a9bc429..e91fc6f8d1b 100644 --- a/docs/content/en/docs/reference/grpc-api.md +++ b/docs/content/en/docs/reference/grpc-api.md @@ -3,6 +3,7 @@ title: "gRPC API" description: > This reference is generated from the protocol buffer specification and documents the gRPC API of Tetragon. +weight: 3 --- {{< comment >}} diff --git a/docs/content/en/docs/reference/helm-chart.md b/docs/content/en/docs/reference/helm-chart.md index 855266618a8..093fd61a5eb 100644 --- a/docs/content/en/docs/reference/helm-chart.md +++ b/docs/content/en/docs/reference/helm-chart.md 
@@ -1,6 +1,7 @@ --- title: "Helm chart" description: "This reference is generated from the Tetragon Helm chart values." +weight: 2 --- {{< comment >}} diff --git a/docs/data/tetragon_flags.yaml b/docs/data/tetragon_flags.yaml new file mode 100644 index 00000000000..e9b057711b0 --- /dev/null +++ b/docs/data/tetragon_flags.yaml 
@@ -0,0 +1,175 @@ +name: tetragon +synopsis: | + Tetragon - eBPF-based Security Observability and Runtime Enforcement +usage: tetragon [flags] +options: + - name: bpf-lib + default_value: /var/lib/tetragon/ + usage: Location of Tetragon libs (btf and bpf files) + - name: btf + usage: Location of btf + - name: config-dir + usage: Configuration directory that contains a file for each option + - name: cpuprofile + usage: Store CPU profile into provided file + - name: data-cache-size + default_value: "1024" + usage: Size of the data events cache + - name: debug + shorthand: d + default_value: "false" + usage: Enable debug messages. Equivalent to '--log-level=debug' + - name: disable-kprobe-multi + default_value: "false" + usage: Allow to disable kprobe multi interface + - name: enable-export-aggregation + default_value: "false" + usage: Enable JSON export aggregation + - name: enable-k8s-api + default_value: "false" + usage: | + Access Kubernetes API to associate Tetragon events with Kubernetes pods + - name: enable-msg-handling-latency + default_value: "false" + usage: Enable metrics for message handling latency + - name: enable-pid-set-filter + default_value: "false" + usage: | + Enable pidSet export filters. Not recommended for production use + - name: enable-pod-info + default_value: "false" + usage: Enable PodInfo custom resource + - name: enable-policy-filter + default_value: "false" + usage: Enable policy filter code (beta) + - name: enable-policy-filter-debug + default_value: "false" + usage: Enable policy filter debug messages + - name: enable-process-ancestors + default_value: "true" + usage: Include ancestors in process exec events + - name: enable-process-cred + default_value: "false" + usage: Enable process_cred events + - name: enable-process-ns + default_value: "false" + usage: | + Enable namespace information in process_exec and process_kprobe events + - name: event-queue-size + default_value: "10000" + usage: Set the size of the internal event queue. 
+ - name: export-aggregation-buffer-size + default_value: "10000" + usage: Aggregator channel buffer size + - name: export-aggregation-window-size + default_value: 15s + usage: JSON export aggregation time window + - name: export-allowlist + usage: JSON export allowlist + - name: export-denylist + usage: JSON export denylist + - name: export-file-compress + default_value: "false" + usage: Compress rotated JSON export files + - name: export-file-max-backups + default_value: "5" + usage: Number of rotated JSON export files to retain + - name: export-file-max-size-mb + default_value: "10" + usage: Size in MB for rotating JSON export files + - name: export-file-perm + default_value: "600" + usage: Access permissions on JSON export files + - name: export-file-rotation-interval + default_value: 0s + usage: | + Interval at which to rotate JSON export files in addition to rotating them by size + - name: export-filename + usage: Filename for JSON export. Disabled by default + - name: export-rate-limit + default_value: "-1" + usage: | + Rate limit (per minute) for event export. Set to -1 to disable + - name: expose-kernel-addresses + default_value: "false" + usage: Expose real kernel addresses in events stack traces + - name: field-filters + usage: Field filters for event exports + - name: force-large-progs + default_value: "false" + usage: | + Force loading large programs, even in kernels with < 5.3 versions + - name: force-small-progs + default_value: "false" + usage: | + Force loading small programs, even in kernels with >= 5.3 versions + - name: generate-docs + default_value: "false" + usage: Generate documentation in YAML format to stdout + - name: gops-address + usage: | + gops server address (e.g. 'localhost:8118'). 
Disabled by default + - name: help + shorthand: h + default_value: "false" + usage: help for tetragon + - name: k8s-kubeconfig-path + usage: Absolute path of the kubernetes kubeconfig file + - name: kernel + usage: Kernel version + - name: kmods + default_value: '[]' + usage: List of kernel modules to load symbols from + - name: log-format + default_value: text + usage: Set log format + - name: log-level + default_value: info + usage: Set log level + - name: memprofile + usage: Store MEM profile into provided file + - name: metrics-label-filter + usage: | + Comma-separated list of enabled metric labels. (e.g. "namespace,workload,pod,binary") By default all labels are enabled. + - name: metrics-server + usage: Metrics server address (e.g. ':2112'). Disabled by default + - name: netns-dir + default_value: /var/run/docker/netns/ + usage: Network namespace dir + - name: pprof-addr + usage: Profile via pprof http + - name: process-cache-size + default_value: "65536" + usage: Size of the process cache + - name: procfs + default_value: /proc/ + usage: Location of procfs to consume existing PIDs + - name: rb-queue-size + default_value: "65535" + usage: | + Set size of channel between ring buffer and sensor go routines (default 65k, allows K/M/G suffix) + - name: rb-size + default_value: "0" + usage: | + Set perf ring buffer size for single cpu (default 65k, allows K/M/G suffix) + - name: rb-size-total + default_value: "0" + usage: | + Set perf ring buffer size in total for all cpus (default 65k per cpu, allows K/M/G suffix) + - name: release-pinned-bpf + default_value: "true" + usage: | + Release all pinned BPF programs and maps in Tetragon BPF directory. Enabled by default. Set to false to disable + - name: server-address + default_value: localhost:54321 + usage: | + gRPC server address (e.g. 
'localhost:54321' or 'unix:///var/run/tetragon/tetragon.sock' + - name: tracing-policy + usage: Tracing policy file to load at startup + - name: tracing-policy-dir + default_value: /etc/tetragon/tetragon.tp.d + usage: Directory from where to load Tracing Policies + - name: verbose + default_value: "0" + usage: | + set verbosity level for eBPF verifier dumps. Pass 0 for silent, 1 for truncated logs, 2 for a full dump diff --git a/docs/layouts/shortcodes/tetragon-options.html b/docs/layouts/shortcodes/tetragon-options.html new file mode 100644 index 00000000000..77c41fc8ea1 --- /dev/null +++ b/docs/layouts/shortcodes/tetragon-options.html @@ -0,0 +1,27 @@ +{{ with .Site.Data.tetragon_flags }} +
Flag | +Usage | +Default Value | +|
---|---|---|---|
--{{ .name }} |
+ {{ .usage }} | + {{ if .default_value }} +{{ .default_value }} |
+ {{ else }}
+ + {{ end }} + |
Error: table template failed, check build logs.
+ {{ warnf "Data file \"tetragon_flags\" seems to be missing. It is needed to display Tetragon options." }} +{{ end }} diff --git a/install/kubernetes/export-doc.sh b/install/kubernetes/export-doc.sh index aba9dc8d6c7..adb68ac2c22 100755 --- a/install/kubernetes/export-doc.sh +++ b/install/kubernetes/export-doc.sh @@ -35,6 +35,7 @@ sed -i '/^[[:space:]]*$/N;/^[[:space:]]*\n[[:space:]]*$/D' $TMP_FILE echo '--- title: "Helm chart" description: "This reference is generated from the Tetragon Helm chart values." +weight: 2 --- {{< comment >}}
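Review bot: in the `.github/workflows/generated-files.yaml` hunk, the "Check Tetragon daemon flags" step now ends with `git status` and `git diff`, and neither command exits non-zero on a dirty tree, so a stale `docs/data/tetragon_flags.yaml` would only show up in the job log unless a failing check (for example `git diff --exit-code`) follows outside the visible context. Dropping `make tetragon` itself is fine, since the Makefile already declares `generate-flags: tetragon`, but please confirm this step actually fails the workflow when the committed YAML differs from the regenerated one.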
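Review bot: in the Makefile hunk, `echo "$$(./tetragon --generate-docs)" > docs/data/tetragon_flags.yaml` hides the binary's exit status: if `./tetragon --generate-docs` fails, `echo` still returns 0, make treats the target as built, and an empty or partial YAML ends up committed. `echo` also drops trailing newlines and, under shells whose built-in `echo` interprets backslash escapes (dash is a common `/bin/sh`), can alter backslashes in usage strings. Redirect the command directly, `./tetragon --generate-docs > docs/data/tetragon_flags.yaml`, so a failure propagates to make and the output is written byte for byte.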
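Review bot: in the `daemon-configuration.md` rename hunk, moving the page from `/docs/reference/tetragon-configuration` to `/docs/reference/daemon-configuration` breaks every external link and bookmark to the old URL; the in-tree links are covered by the switch to `{{< ref >}}`, which fails the build on a bad target, but nothing redirects outside readers. Add `aliases: ["/docs/reference/tetragon-configuration/"]` to the new front matter so Hugo emits a redirect from the old location. Minor wording in the same hunk: "The following table list all Tetragon daemon available options" should read "The following table lists all available Tetragon daemon options".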
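Review bot: in the `docs/data/tetragon_flags.yaml` hunk, three entries will read as self-contradictory once rendered in a table with a separate Default Value column: `rb-queue-size`, `rb-size` and `rb-size-total` carry "(default 65k ...)" inside their usage text while `default_value` is `"65535"`, `"0"` and `"0"`. The old `--help` dump had the same duplication, but a column layout makes it stand out, so the "(default ...)" fragments should be dropped from the flag definitions in `cmd/tetragon` and the file regenerated. While there, the `pprof-addr` usage "Profile via pprof http" gives no address example and does not say the listener is disabled by default, unlike `gops-address` and `metrics-server`; for a debugging HTTP endpoint that wording is worth tightening. On the positive side, the generated data surfaces `cpuprofile`, `memprofile`, `pprof-addr` and `generate-docs`, none of which the hand-maintained `daemon-flags.md` listed, which shows the old page was already stale.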
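Review bot: in the `docs/layouts/shortcodes/tetragon-options.html` hunk, the fallback branch calls `warnf`, which only logs and lets the build succeed, so a missing or misnamed `docs/data/tetragon_flags.yaml` would publish a reference page whose body is the placeholder "Error: table template failed, check build logs." Use `errorf` instead so the Hugo build fails in CI rather than shipping the placeholder; since this PR's workflow regenerates the data file, a hard failure here is safe. Note also that `{{ if .default_value }}` treats `"0"` and `"false"` as set (they are non-empty strings, so they render), but an option whose default is the empty string lands in the `else` branch and shows a blank cell, which is fine only as long as readers understand blank to mean unset.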