Ensure Tetragon is deployed with network observability enabled; confirm that process_kprobe events for network functions appear in event output
Write a TracingPolicy targeting a kernel networking function such as 'tcp_connect' with argument capture for the destination sockaddr structure
Apply the policy and run 'tetra getevents --event-types PROCESS_KPROBE' to stream network events
Observe that each event includes Kubernetes pod metadata such as pod name, namespace, and labels automatically enriched by Tetragon
Use matchArgs selectors in the policy to filter for connections to specific destination IP ranges or ports to reduce event volume
Correlate the captured source process binary and destination address against expected network policy to identify anomalous connections
Known gotchas
Tetragon's kernel function targets for network observability depend on the kernel version; the function names for TCP connect entry points may differ across distribution kernels
Capturing sockaddr struct fields requires correct argument type definitions in the TracingPolicy; using the wrong type will produce garbled or empty field values
Pod metadata enrichment relies on Tetragon's cgroup-to-pod mapping; in environments with aggressive cgroup configuration or short-lived pods, enrichment may occasionally be missing
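One way to carry out the correlation step, also covering the empty-field and missing-enrichment gotchas listed above. This is an added example, not code from the original page or from Tetragon; the allowlist, pod and binary names, and sample events are constructed, and the event field names (`process_kprobe`, `function_name`, `sock_arg`, `daddr`, `dport`, `process.pod`) are assumed to follow Tetragon's JSON event output.

```python
import ipaddress
import json

# Hypothetical allowlist: (namespace, binary) -> permitted destination CIDRs and ports.
EXPECTED = {
    ("payments", "/usr/bin/api-server"): {
        "cidrs": [ipaddress.ip_network("10.20.0.0/16")],
        "ports": {443, 5432},
    },
}

def classify(event_line):
    """Classify one JSON event line; returns (verdict, detail)."""
    kp = json.loads(event_line).get("process_kprobe")
    if not kp or kp.get("function_name") != "tcp_connect":
        return ("skip", "not a tcp_connect kprobe event")
    sock = next((a["sock_arg"] for a in kp.get("args", []) if "sock_arg" in a), {})
    try:
        dest = ipaddress.ip_address(sock.get("daddr", ""))
    except ValueError:
        # Empty or garbled fields: the policy's argument type is likely wrong.
        return ("unparsed", "no usable destination; check the arg type in the policy")
    proc = kp.get("process") or {}
    pod = proc.get("pod") or {}
    flow = f"{proc.get('binary')} -> {dest}:{sock.get('dport')}"
    if not pod.get("namespace"):
        # Enrichment missing (e.g. short-lived pod): surface for review, never drop.
        return ("unenriched", flow)
    rule = EXPECTED.get((pod["namespace"], proc.get("binary")))
    if rule and sock.get("dport") in rule["ports"] and any(dest in c for c in rule["cidrs"]):
        return ("expected", flow)
    return ("anomalous", f"{pod['namespace']}/{pod.get('name')} {flow}")

def sample_event(binary, daddr, dport, pod=None):
    """Build a constructed event in the assumed Tetragon JSON shape."""
    proc = {"binary": binary, **({"pod": pod} if pod else {})}
    arg = {"sock_arg": {"family": "AF_INET", "daddr": daddr, "dport": dport}}
    return json.dumps({"process_kprobe": {
        "process": proc, "function_name": "tcp_connect", "args": [arg]}})

if __name__ == "__main__":
    pod = {"namespace": "payments", "name": "api-7c9f"}
    for line in (
        sample_event("/usr/bin/api-server", "10.20.4.7", 5432, pod),
        sample_event("/usr/bin/curl", "203.0.113.9", 4444, pod),
        sample_event("/usr/bin/api-server", "10.20.4.7", 5432),
        sample_event("/usr/bin/api-server", "", 0, pod),
    ):
        print(classify(line))
```

Events classified as `unenriched` or `unparsed` are kept as their own verdicts so that a policy or enrichment problem is not mistaken for a clean result.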