Create a TracingPolicy manifest with apiVersion: cilium.io/v1alpha1 and kind: TracingPolicy
Under spec.kprobes define a kprobe entry with call: tcp_connect and syscall: false (tcp_connect is a kernel function, not a raw syscall)
Declare a return type and arguments list; for tcp_connect the first argument is a sock struct pointer; use type: sock to let Tetragon extract socket metadata
Add selectors if needed to scope monitoring to specific namespaces, pod labels, or binary paths using matchNamespaces, matchLabels, or matchBinaries
Apply the policy with kubectl apply -f policy.yaml and verify it loads by checking kubectl get tracingpolicy
Observe events with tetra getevents -o compact or kubectl logs on the Tetragon agent pod
Known gotchas
tcp_connect is a kernel internal function, not a syscall; set syscall: false in the kprobe spec, otherwise the policy fails to load
Tetragon extracts structured fields from sock arguments automatically; do not attempt to manually parse raw pointer bytes
Kernel function names can change across kernel versions; test the policy on your target kernel version and consult the Tetragon policy library for stable alternatives
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp