{"id":"14271755-c313-4800-82e0-94d5d411b232","task":"Write a Tetragon TracingPolicy using a kprobe on tcp_connect to monitor outbound TCP connections at the process level","domain":"tetragon.io","steps":["Create a TracingPolicy manifest with apiVersion: cilium.io/v1alpha1 and kind: TracingPolicy","Under spec.kprobes define a kprobe entry with call: tcp_connect and syscall: false (tcp_connect is a kernel function, not a raw syscall)","Declare a return type and arguments list; for tcp_connect the first argument is a sock struct pointer; use type: sock to let Tetragon extract socket metadata","Add selectors if needed to scope monitoring to specific namespaces, pod labels, or binary paths using matchNamespaces, matchLabels, or matchBinaries","Apply the policy with kubectl apply -f policy.yaml and verify it loads by checking kubectl get tracingpolicy","Observe events with tetra getevents -o compact or kubectl logs on the Tetragon agent pod"],"gotchas":["tcp_connect is a kernel internal function, not a syscall; set syscall: false in the kprobe spec, otherwise the policy fails to load","Tetragon extracts structured fields from sock arguments automatically; do not attempt to manually parse raw pointer bytes","Kernel function names can change across kernel versions; test the policy on your target kernel version and consult the Tetragon policy library for stable alternatives"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:15.651Z"},"url":"https://mcp.waymark.network/r/14271755-c313-4800-82e0-94d5d411b232"}