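# Tetragon TracingPolicy for Stella Ops Runtime Instrumentation
#
# Sprint: SPRINT_20260118_019_Infra_tetragon_integration
# Task: TASK-019-001 - Define Tetragon TracingPolicy for stack capture
#
# This policy captures process execution, syscalls, and stack traces for
# runtime reachability validation. Integrates with existing Signals infrastructure.
#
# Scoping notes (verify against the Tetragon version deployed):
# - `TracingPolicy` is a cluster-scoped kind, so `metadata.namespace` is
#   ignored (or rejected) by the API server. Tetragon's per-hook selector
#   `matchNamespaces` matches *Linux* namespaces (Pid, Mnt, Net, ...) with a
#   `values` list - it does not filter by Kubernetes namespace, and `matchLabels`
#   is not a hook-selector field. Pod targeting therefore lives in
#   `spec.podSelector`; to additionally confine the policy to the
#   `stella-ops-workloads` namespace, apply it as `kind: TracingPolicyNamespaced`
#   in that namespace.
# - Tetragon emits native `process_exec` events for every container it observes.
#   Together with the `sys_execve` kprobe and the `sched_process_exec` tracepoint
#   below, each exec can be reported up to three times; the consumer should
#   de-duplicate on the exec id. Both hooks are retained because they carry the
#   stack traces this task asks for.
# - Stack traces are requested per selector via the `Post` action
#   (`kernelStackTrace` / `userStackTrace`), not via a `spec.options` map;
#   `options` is a list of name/value agent options. User-space frames are not
#   symbolized by this policy - resolution happens downstream.
---
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: stella-ops-runtime-capture
  # NOTE(review): not honoured for a cluster-scoped kind; see header.
  namespace: stella-ops
  labels:
    app.kubernetes.io/name: stella-ops
    app.kubernetes.io/component: runtime-instrumentation
spec:
  # Only pods that opt in via the label are traced. `Exists` keeps the original
  # intent of "label present, any value".
  podSelector:
    matchExpressions:
      - key: stella-ops.io/instrumented
        operator: Exists

  kprobes:
    # Process execution events, with the stack at the point of exec.
    - call: sys_execve
      syscall: true
      # No return probe is attached, so no returnArg / returnArgAction here.
      return: false
      args:
        - index: 0
          type: string    # const char *filename
        # Argument 1 of execve is `char *const argv[]` - a pointer to an array
        # of pointers, not a string. Reading it with `type: string` would decode
        # the pointer array itself; argv is available from Tetragon's native
        # process_exec event instead, so it is deliberately not captured here.
      selectors:
        - matchActions:
            - action: Post
              kernelStackTrace: true
              # NOTE(review): userStackTrace needs a Tetragon release that
              # supports it (1.2+ at the time of writing) - confirm.
              userStackTrace: true

    # Security-relevant file opens under system paths, for reachability validation.
    - call: sys_openat
      syscall: true
      # The return value (fd or -errno) is only available with a return probe.
      return: true
      args:
        - index: 0
          type: int       # int dirfd
        - index: 1
          type: string    # const char *pathname
        - index: 2
          type: int       # int flags
      returnArg:
        index: 0
        type: int
      returnArgAction: Post
      selectors:
        # One selector: entries in `selectors` are OR'ed, so putting matchArgs in
        # its own entry would post every openat() that hits the prefixes
        # (cluster-wide, subject only to podSelector) *and* every openat() from
        # the targeted pods regardless of path. Keeping the filter and the action
        # in a single selector ANDs them.
        - matchArgs:
            - index: 1
              operator: Prefix
              values:
                - "/etc/"
                - "/proc/"
                - "/sys/"
          matchActions:
            - action: Post
              kernelStackTrace: true
              userStackTrace: true

    # Outbound connection attempts.
    - call: sys_connect
      syscall: true
      return: true
      args:
        - index: 0
          type: int       # int sockfd
        # connect() receives a user-space `struct sockaddr *`. Tetragon's `sock`
        # type decodes a kernel `struct sock *` (as used with e.g. tcp_connect);
        # `sockaddr` is the type for this argument.
        # NOTE(review): confirm the `sockaddr` arg type is available in the
        # deployed Tetragon release.
        - index: 1
          type: sockaddr  # const struct sockaddr *addr
        - index: 2
          type: int       # socklen_t addrlen
      returnArg:
        index: 0
        type: int
      returnArgAction: Post
      selectors:
        - matchActions:
            - action: Post
              kernelStackTrace: true
              userStackTrace: true

  # Tracepoints for additional coverage
  tracepoints:
    - subsystem: sched
      event: sched_process_exec
      args:
        # Tracepoint arg indexes count the common_* fields that precede the
        # event's own fields in
        # /sys/kernel/tracing/events/sched/sched_process_exec/format
        # (common_type, common_flags, common_preempt_count, common_pid), so
        # `filename` is index 4, not 0 - index 0 is the u16 common_type.
        # NOTE(review): verify the index on the target kernel, and whether this
        # Tetragon release wants `string` or `data_loc` for a
        # `__data_loc char[]` field.
        - index: 4
          type: string    # filename
      selectors:
        - matchActions:
            - action: Post
              kernelStackTrace: true
              userStackTrace: true
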
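---
# Companion TracingPolicy for library loading.
#
# Review notes (verify against the Tetragon version deployed):
# - Uprobes attach to the file at the given path on the *host*, identified by
#   inode. Container images ship their own dynamic loader, so these probes are
#   unlikely to fire for pods whose rootfs carries a different ld.so. Capturing
#   library loads inside containers needs the path resolved against the
#   container image, or a kernel-side hook on the loader's open/mmap path.
# - glibc: `_dl_map_object(struct link_map *loader, const char *name,
#   int type, int trace_mode, int mode, Lmid_t nsid)` - the library name is
#   argument 1, not 0. The symbol is internal (hidden) and may be absent from a
#   stripped loader, in which case the probe cannot be attached.
# - musl: `__dls3` is the stage-3 loader entry point that runs once at process
#   start; it does not run per library load and does not observe dlopen().
#   musl's per-library load path is the static `load_library`, reachable only
#   if the loader's symbol table is present. This entry is kept as a
#   placeholder but does not deliver "dynamic library loading" as labelled.
# - Uprobe `args` and stack-trace actions require a Tetragon release that
#   supports them on uprobes; confirm before relying on the argument capture.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: stella-ops-library-capture
  # NOTE(review): not honoured for a cluster-scoped kind; see the runtime
  # capture policy's header for the TracingPolicyNamespaced alternative.
  namespace: stella-ops
  labels:
    app.kubernetes.io/name: stella-ops
    app.kubernetes.io/component: runtime-instrumentation
spec:
  # Same opt-in targeting as the runtime capture policy. Tetragon's
  # `matchNamespaces` selector matches Linux namespaces, not Kubernetes ones,
  # so pod targeting is expressed here instead.
  podSelector:
    matchExpressions:
      - key: stella-ops.io/instrumented
        operator: Exists

  # Capture dynamic library loading
  uprobes:
    - path: /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
      symbols:
        - _dl_map_object
      args:
        - index: 1
          type: string    # const char *name - the library being mapped
      selectors:
        - matchActions:
            - action: Post
              userStackTrace: true

    # Alternative for musl-based containers - see the header note on `__dls3`.
    - path: /lib/ld-musl-x86_64.so.1
      symbols:
        - __dls3
      selectors:
        - matchActions:
            - action: Post
              userStackTrace: true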