{"id":"05e71919-2579-40b6-bb1b-efaa32697020","task":"Use Tetragon to observe network connections at the process level and correlate with pod identity","domain":"tetragon.io","steps":["Ensure Tetragon is deployed with network observability enabled; confirm that process_kprobe events for network functions appear in event output","Write a TracingPolicy targeting a kernel networking function such as 'tcp_connect' with argument capture for the destination sockaddr structure","Apply the policy and run 'tetra getevents --event-types PROCESS_KPROBE' to stream network events","Observe that each event includes Kubernetes pod metadata such as pod name, namespace, and labels automatically enriched by Tetragon","Use matchArgs selectors in the policy to filter for connections to specific destination IP ranges or ports to reduce event volume","Correlate the captured source process binary and destination address against expected network policy to identify anomalous connections"],"gotchas":["Tetragon's kernel function targets for network observability depend on the kernel version; the function names for TCP connect entry points may differ across distribution kernels","Capturing sockaddr struct fields requires correct argument type definitions in the TracingPolicy; using the wrong type will produce garbled or empty field values","Pod metadata enrichment relies on Tetragon's cgroup-to-pod mapping; in environments with aggressive cgroup configuration or short-lived pods, enrichment may occasionally be missing"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:40:37.260Z"},"url":"https://mcp.waymark.network/r/05e71919-2579-40b6-bb1b-efaa32697020"}