Create a manifest with apiVersion: cilium.io/v1alpha1 and kind: TracingPolicyNamespaced instead of TracingPolicy
Set the manifest's namespace in metadata.namespace to the target Kubernetes namespace
Define the kprobe or tracepoint spec identically to a cluster-scoped TracingPolicy; Tetragon automatically restricts event matching to pods in that namespace
Apply with kubectl apply -n <namespace> -f policy.yaml; because the resource is namespaced, namespace admins can manage it without cluster-admin, provided a Role grants them the verbs on the tracingpoliciesnamespaced resource in the cilium.io API group (the built-in admin and edit ClusterRoles do not cover this CRD unless it has been aggregated into them)
Verify the policy appears in kubectl get tracingpolicynamespaced -n <namespace>
Confirm that the policy generates no events for pods outside the namespace: trigger the hooked activity from a pod in another namespace and check in tetra getevents that no event carrying this policy's policy_name reports that pod's namespace
Known gotchas
TracingPolicyNamespaced cannot use a non-null hostSelector because host-level monitoring is inherently not namespace-scoped; adding one causes a validation error
The kprobe or tracepoint is still attached globally in the kernel and fires for every process on the node; the namespace restriction is a policy filter applied inside the BPF program, keyed on the cgroup IDs of pods in the namespace, which drops non-matching events before they reach userspace. This scopes what is reported, it does not isolate the hook: the probe overhead is paid node-wide, and delegating TracingPolicyNamespaced delegates the ability to attach probes to kernel functions on every node
Namespace admins can create TracingPolicyNamespaced objects without cluster-admin only if they hold a Role for the tracingpoliciesnamespaced resource in the cilium.io API group; grant it with a namespaced Role rather than a ClusterRole, so they cannot create or modify cluster-scoped TracingPolicy objects, which hook every pod on every node
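The whole procedure above, together with the Role that the RBAC gotcha calls for, as an added example that is not part of the original page or of the Tetragon project. Assumed names: a namespace demo, a policy demo-etc-reads that hooks fd_install and reports opens under /etc/, a Role tetragon-policy-editor, Tetragon installed as the tetragon DaemonSet in kube-system, and jq and timeout available on the workstation.

```shell
#!/bin/sh
# Added example, not from the Tetragon project: generate, lint, apply and
# verify a TracingPolicyNamespaced, plus the RBAC Role that lets a namespace
# admin manage such policies. Assumed names: namespace "demo", policy
# "demo-etc-reads", Role "tetragon-policy-editor", Tetragon DaemonSet
# "tetragon" in kube-system; jq and timeout are assumed on the workstation.

NS="${NS:-demo}"
POLICY="${POLICY:-demo-etc-reads}"

# Manifest: only apiVersion/kind/metadata differ from a cluster-scoped
# TracingPolicy. The kprobe hooks fd_install and reports file opens whose
# path (argument 1) starts with /etc/.
gen_policy_manifest() {
  ns="$1"; name="$2"
  cat <<EOF
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: ${name}
  namespace: ${ns}
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/"
EOF
}

# Namespaced Role (not a ClusterRole) over the CRD's plural resource name,
# so the namespace admin can manage policies in $ns but not cluster-scoped
# TracingPolicy objects.
gen_rbac_role() {
  ns="$1"; role="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${role}
  namespace: ${ns}
rules:
- apiGroups: ["cilium.io"]
  resources: ["tracingpoliciesnamespaced"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF
}

# Reject a manifest that would not be namespace-scoped: the cluster-scoped
# kind would watch every pod on every node, and a missing metadata.namespace
# is rejected by the API server anyway.
lint_manifest() {
  file="$1"
  grep -q '^kind: TracingPolicyNamespaced$' "$file" || { echo "kind is not TracingPolicyNamespaced" >&2; return 1; }
  grep -q '^  namespace: ' "$file" || { echo "metadata.namespace is missing" >&2; return 1; }
}

apply_and_verify() {
  tmp="$(mktemp)"
  gen_policy_manifest "$NS" "$POLICY" > "$tmp"
  lint_manifest "$tmp" || return 1
  kubectl apply -n "$NS" -f "$tmp"
  rm -f "$tmp"
  gen_rbac_role "$NS" tetragon-policy-editor | kubectl apply -n "$NS" -f -
  kubectl get tracingpoliciesnamespaced -n "$NS" "$POLICY"
  # Collect 30s of events and print the namespaces of the pods that produced
  # events under this policy name. Trigger /etc/ opens from a pod in $NS and
  # from a pod in another namespace meanwhile; only $NS should be printed.
  timeout 30 kubectl exec -n kube-system ds/tetragon -c tetragon -- \
    tetra getevents -o json |
    jq -r --arg p "$POLICY" \
      'select(.process_kprobe.policy_name == $p) | .process_kprobe.process.pod.namespace' |
    sort -u
}

if [ "${1:-}" = "apply" ]; then apply_and_verify; fi
```

Run it as sh tetragon-ns.sh apply against a cluster; the generator and lint functions also work offline. The event check at the end is the concrete form of the "confirm no events from other namespaces" step: while it collects, run something like cat /etc/hostname in a pod in demo and in a pod in another namespace, and the only namespace printed should be demo.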