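# Tetragon TracingPolicy for Stella Ops Runtime Instrumentation
# Sprint: SPRINT_20260118_019_Infra_tetragon_integration
# Task: TASK-019-001 - Define Tetragon TracingPolicy for stack capture
#
# This policy captures process execution, file opens under sensitive prefixes
# and outbound connects, each with kernel + user stack traces, for runtime
# reachability validation. Every action is Post (observe only, no enforcement);
# events feed the existing Signals infrastructure.
#
# Scoping notes:
#   * `kind: TracingPolicyNamespaced` is Tetragon's mechanism for restricting a
#     policy to the pods of one Kubernetes namespace, so this object must live
#     in (and applies to) `stella-ops-workloads`. A plain `TracingPolicy` is
#     cluster-scoped and metadata.namespace is ignored on it.
#   * `selectors[].matchNamespaces` is NOT a Kubernetes-namespace filter. It
#     matches Linux namespaces (Pid, Mnt, Net, Uts, ...) by id, and a value such
#     as `namespace: stella-ops-workloads` fails CRD validation.
#   * Pod-label filtering is `spec.podSelector` (a standard k8s LabelSelector);
#     `matchLabels` is not a selector field.
---
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: stella-ops-runtime-capture
  namespace: stella-ops-workloads
  labels:
    app.kubernetes.io/name: stella-ops
    app.kubernetes.io/component: runtime-instrumentation
spec:
  # Only pods that opted in via the label are traced.
  podSelector:
    matchExpressions:
      - key: "stella-ops.io/instrumented"
        operator: Exists
  kprobes:
    # Process execution. Tetragon already emits a native process_exec event
    # carrying the full argv; this kprobe exists only to attach a stack trace
    # to the exec. argv (`char **`) cannot be read with `type: string` (that
    # would decode the pointer array itself as bytes), so only the filename
    # is extracted here.
    # The sched/sched_process_exec tracepoint from the earlier revision is
    # dropped: it duplicated this probe and the native event, and its
    # `index: 0` selected the common_type header field rather than filename
    # (tracepoint arg indices count the common_* fields first).
    - call: "sys_execve"
      syscall: true
      return: false
      args:
        - index: 0
          type: "string"  # filename
      selectors:
        - matchActions:
            - action: Post
              kernelStackTrace: true
              userStackTrace: true
    # File opens under security-relevant prefixes. The LSM hook
    # security_file_open receives the resolved `struct file`, so the Prefix
    # match applies to the real path. Matching the raw pathname argument of
    # sys_openat is bypassable: `openat(dirfd, "shadow", ...)` with dirfd on
    # /etc, `chdir("/etc")` plus a relative name, or a symlink never starts
    # with "/etc/", and the userspace string can be rewritten after the probe
    # reads it (TOCTOU). `security_file_permission` is the equivalent hook if
    # read/write rather than open is the event of interest.
    # NOTE: "/proc/" and "/sys/" are extremely high volume (every
    # /proc/self/... access); narrow them or add a `rateLimit` to the Post
    # action if the Signals pipeline starts dropping events.
    - call: "security_file_open"
      syscall: false
      args:
        - index: 0
          type: "file"
      selectors:
        - matchArgs:
            - index: 0
              operator: "Prefix"
              values:
                - "/etc/"
                - "/proc/"
                - "/sys/"
          matchActions:
            - action: Post
              kernelStackTrace: true
              userStackTrace: true
    # Outbound connects. The second argument of connect(2) is a
    # `struct sockaddr *`, which is Tetragon type "sockaddr"; "sock" is for
    # `struct sock *` on in-kernel functions such as tcp_connect and would
    # misdecode the address. `return: true` is required for returnArg to be
    # captured at all; the earlier revision declared returnArg without it.
    # Unix-domain and UDP connects are reported as well.
    - call: "sys_connect"
      syscall: true
      return: true
      args:
        - index: 0
          type: "int"  # sockfd
        - index: 1
          type: "sockaddr"  # addr
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchActions:
            - action: Post
              kernelStackTrace: true
              userStackTrace: true
  # No `spec.options` entries: `options` is a list of {name, value} pairs and
  # `stackTraces`, `stackTraceSize` and `symbols` are not recognised names, so
  # the earlier revision requested no stack traces at all. Stack traces are
  # enabled per Post action above. Userspace frames arrive as addresses plus
  # mapping; symbolization needs unstripped binaries or tooling on the
  # Signals side.
---
# Companion policy for dynamic-library loading (shared-library reachability).
# Verify before relying on it:
#   * `path` is resolved by the Tetragon agent, not inside each container;
#     confirm for the deployed Tetragon version whether the uprobe attaches to
#     the pod image's copy of the loader or to the node's. A uprobe bound to
#     the host ld.so will not fire for a different loader build in the image.
#   * `_dl_map_object` is an internal glibc symbol: absent from .dynsym and
#     present only in an unstripped .symtab (check with `readelf -s`). Its
#     signature is `_dl_map_object(struct link_map *loader, const char *name,
#     ...)`, so the library name is argument index 1, not 0 (index 0 is the
#     link_map pointer).
#   * Uprobe `args` require a Tetragon release with uprobe argument support;
#     older releases reject the field. Remove `args` if validation fails.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: stella-ops-library-capture
  namespace: stella-ops-workloads
  labels:
    app.kubernetes.io/name: stella-ops
    app.kubernetes.io/component: runtime-instrumentation
spec:
  podSelector:
    matchExpressions:
      - key: "stella-ops.io/instrumented"
        operator: Exists
  uprobes:
    # glibc dynamic loader
    - path: "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2"
      symbols:
        - "_dl_map_object"
      args:
        - index: 1
          type: "string"  # library name
    # musl loader. `__dls3` is the loader's once-per-process third stage, not
    # a per-library hook, so it fires once at exec and reports nothing about
    # individual libraries. `dlopen` is exported by the musl loader
    # (libc.so and ld-musl are the same object) and fires per runtime load.
    # Dependencies resolved at startup go through the static `load_library`
    # inside `__dls3` and are not visible via `dlopen`.
    - path: "/lib/ld-musl-x86_64.so.1"
      symbols:
        - "dlopen"
      args:
        - index: 0
          type: "string"  # filename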