Enhance Tetragon Events with Pod Annotations Support #3527
Thanks for the PR!
Please find some comments below. Also, can you rebase instead of a merge commit?
@@ -86,3 +86,6 @@ data: | |||
cri-endpoint: "unix://{{ .Values.tetragon.cri.socketHostPath }}" | |||
{{- end }} | |||
enable-cgidmap: {{ .Values.tetragon.cgidmap.enabled | quote }} | |||
{{- if .Values.tetragon.enablePodAnnotations }} | |||
enable-pod-annotations: "true" |
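Review bot: Wrapping the key in `{{- if .Values.tetragon.enablePodAnnotations }}` means a chart value of false emits no `enable-pod-annotations` line at all, so the agent silently falls back to whatever its compiled-in flag default happens to be; render the value unconditionally instead, e.g. `enable-pod-annotations: {{ .Values.tetragon.enablePodAnnotations | quote }}`, matching the `enable-cgidmap` line just above it. The hunk as shown also has no closing `{{- end }}`, so confirm it is present in the template.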
I guess this works because the agent flag is by default false, but if that changes then a user setting enablePodAnnotations
to false in helm would not get the expected result.
How about:
enable-pod-annotations: {{- if .Values.tetragon.enablePodAnnotations }}
?
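To make the concern above concrete, here is an added Go example (not part of the PR or of Tetragon) that renders both template forms with Go's text/template and a stand-in `quote` function; it assumes the nested value path `tetragon.podAnnotations.enabled` that the thread settles on later. With the conditional form, a value of false removes the key entirely, leaving the agent on its compiled-in default.

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
	"text/template"
)

// Conditional form from the hunk: when the value is false the whole line
// disappears, and the agent falls back to its compiled-in flag default.
const conditionalTmpl = `{{- if .Values.tetragon.podAnnotations.enabled }}
enable-pod-annotations: "true"
{{- end }}`

// Unconditional form: the key is always emitted, so the chart value wins
// regardless of the agent default.
const alwaysTmpl = `enable-pod-annotations: {{ .Values.tetragon.podAnnotations.enabled | quote }}`

// render executes a chart-style template against a minimal .Values tree
// constructed here. "quote" stands in for the Sprig function Helm provides.
func render(tmpl string, enabled bool) (string, error) {
	funcs := template.FuncMap{
		"quote": func(v interface{}) string { return strconv.Quote(fmt.Sprint(v)) },
	}
	t, err := template.New("configmap").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	values := map[string]interface{}{
		"Values": map[string]interface{}{
			"tetragon": map[string]interface{}{
				"podAnnotations": map[string]interface{}{"enabled": enabled},
			},
		},
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, values); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	for _, enabled := range []bool{true, false} {
		cond, _ := render(conditionalTmpl, enabled)
		always, _ := render(alwaysTmpl, enabled)
		fmt.Printf("enabled=%v conditional=%q always=%q\n", enabled, cond, always)
	}
}
```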
Resolved all comments:
- Rebasing done on upstream/main to remove merge commit as requested.
- Fixed tetragon_configmap.yaml to always set enable-pod-annotations with .Values.tetragon.podAnnotations.enabled.
- Moved enablePodAnnotations to tetragon.podAnnotations.enabled in values.yaml for better structure.
- Excluded local changes to podinfo_test from the PR.
- Tested with Helm:
  - Deployed with tetragon.podAnnotations.enabled: true → annotations like test-key=test-value appear in logs.
  - Deployed with tetragon.podAnnotations.enabled: false → no annotations in logs.
Pushed to my fork (github.com/cy83rc0llect0r/tetragon). Ready for review!
I don't think this is resolved.
@kkourt
Could you please provide more details? I’ve tested various scenarios, and everything seems to be working as expected:
- Installed with tetragon.podAnnotations.enabled=false → No annotations appear in the logs.
- Upgraded to tetragon.podAnnotations.enabled=true → Annotations appear in the logs.
- Upgraded to tetragon.podAnnotations.enabled=false → Annotations are no longer present in new logs.
- Installed with tetragon.podAnnotations.enabled=true → Annotations appear in the logs.
- Upgraded to tetragon.podAnnotations.enabled=false → Annotations are removed from new logs.
- Upgraded to tetragon.podAnnotations.enabled=true → Annotations appear in the logs.
What will happen instead of:
flags.Bool(KeyEnablePodAnnotations, false, "Add pod annotations field to events.")
We have:
flags.Bool(KeyEnablePodAnnotations, true, "Add pod annotations field to events.")
And then use:
tetragon.podAnnotations.enabled=false
@kkourt Following up on your comment:
- Changed the code default to flags.Bool(KeyEnablePodAnnotations, true, "Add pod annotations field to events.").
- Kept values.yaml default as tetragon.podAnnotations.enabled: false, which overrides the code default via Helm (and also set to false again).
- Testing:
  - helm install tetragon ./install/kubernetes/tetragon → No annotations (Helm sets false).
  - (after uninstall again:) helm install tetragon ./install/kubernetes/tetragon --set tetragon.podAnnotations.enabled=false → No annotations (Helm sets false).
  - helm upgrade tetragon ./install/kubernetes/tetragon --set tetragon.podAnnotations.enabled=true → Annotations (e.g., test-key=test-value) in logs.
  - helm upgrade tetragon ./install/kubernetes/tetragon --set tetragon.podAnnotations.enabled=false → No annotations in new logs.
Does this resolve your concern?
@@ -47,6 +47,7 @@ tetragon: | |||
# extraEnv: | |||
# - name: foo | |||
# value: bar | |||
enablePodAnnotations: false |
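Review bot: `enablePodAnnotations: false` adds a flat top-level key, whereas the configmap hunk reads `.Values.tetragon.cgidmap.enabled`, so neighbouring features already use one object per feature; nest it as `podAnnotations:` with `enabled: false` beneath for consistency, and add a short comment saying what the value turns on, since it currently sits undocumented between commented-out examples.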
I believe @lambdanis was advocating for having one object per configuration.
So:
podAnnotations:
enabled: true
same for this comment, I don't think this is resolved.
This commit adds support for including Kubernetes pod annotations in Tetragon event logs via the '--enable-pod-annotations' flag.
Changes:
- Added 'pod_annotations' field to 'tetragon.Pod' in 'tetragon.proto' (ID 8).
- Regenerated protobuf files ('tetragon.pb.go').
- Added 'EnablePodAnnotations' config and flag in 'pkg/option/config.go' and 'pkg/option/flags.go'.
- Updated 'getPodInfo' in 'pkg/process/podinfo.go' to include annotations when enabled.
Enhancement cilium#3316
Signed-off-by: Amir Reza Nazarizadeh <[email protected]>
This commit updates the Helm chart to support enabling pod annotations via the 'enablePodAnnotations' value (default: false) in 'values.yaml' and 'tetragon_configmap.yaml'.
Enhancement: cilium#3316
Signed-off-by: Amir Reza Nazarizadeh <[email protected]>
Enhancement #3316
Description
This pull request implements support for including Kubernetes pod annotations in Tetragon event logs, addressing the enhancement request in issue #3316. The feature introduces an optional --enable-pod-annotations flag, allowing users to enrich process execution events with pod annotations for improved workload visibility and debugging in Kubernetes environments. The change is split into two commits for clarity. A pod_annotations field is added to the Tetragon protobuf definition and integrated into the event generation logic. The feature is disabled by default to maintain backward compatibility and can be activated via Helm or the command-line flag.
Use Case Example: This enhancement enables tracking of Kubernetes users who execute commands in pods. For instance, a mutating admission webhook could annotate pods with the username (e.g., exec-user) and timestamp (e.g., exec-time) of an exec operation. With --enable-pod-annotations enabled, Tetragon would then include these annotations in its event logs, providing valuable audit trails for security and troubleshooting.
Changelog