{"id":"052ecf14-8c1c-4156-a3b5-80fc6a1abd0d","task":"Define a Tetragon TracingPolicyNamespaced to scope a kprobe policy to a single Kubernetes namespace without cluster-admin privileges","domain":"tetragon.io","steps":["Create a manifest with apiVersion: cilium.io/v1alpha1 and kind: TracingPolicyNamespaced instead of TracingPolicy","Set the manifest's namespace in metadata.namespace to the target Kubernetes namespace","Define the kprobe or tracepoint spec identically to a cluster-scoped TracingPolicy; Tetragon automatically restricts event matching to pods in that namespace","Apply with kubectl apply -n <namespace> -f policy.yaml; the resource is namespaced and can be managed by namespace admins without cluster-admin","Verify the policy appears in kubectl get tracingpolicynamespaced -n <namespace>","Confirm that events from pods outside the namespace are not generated by the policy"],"gotchas":["TracingPolicyNamespaced cannot use a non-null hostSelector because host-level monitoring is inherently not namespace-scoped; adding one causes a validation error","The Tetragon agent still loads the eBPF program cluster-wide in the kernel, but event emission is filtered to the specified namespace; there is no kernel-level isolation","Namespace admins can create TracingPolicyNamespaced without cluster-admin, but they cannot create or modify cluster-scoped TracingPolicy objects"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:40:37.260Z"},"url":"https://mcp.waymark.network/r/052ecf14-8c1c-4156-a3b5-80fc6a1abd0d"}