1. Author a TracingPolicy with a kprobe or tracepoint hook on the kernel function at which you want to enforce
2. Under the spec.kprobes[].selectors list, add a selector with the desired matchArgs, matchBinaries, or matchCapabilities conditions
3. Inside that selector's matchActions list, add an entry with action: Sigkill
4. Apply the policy with kubectl apply -f enforce-policy.yaml
5. Trigger the matching condition in a test process and confirm the process is terminated by checking its exit reason or by observing the SIGKILL in Tetragon events
6. Review tetra getevents output to see process_kprobe events with the action field reflecting the enforcement
Known gotchas
- Sigkill terminates the entire process that triggered the matched hook, not just the offending syscall; use Override (return an error code) instead when you want to block the operation without killing the process
- Enforcement policies take effect immediately on all nodes after kubectl apply; test in a non-production namespace or with a restrictive matchNamespaces selector first
- Tetragon's enforcement operates in the kernel via eBPF; any bug in the selector logic can cause unintended process termination, so validate selectors with observe-only policies before adding Sigkill
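The steps and gotchas above, worked through as three policies in one file. This is an added example, not code from the page or from the Tetragon project: the namespace enforce-test, the protected path /etc/secrets/ and the allowed binary /usr/local/bin/secret-reader are assumed values. The policies use kind TracingPolicyNamespaced so each one applies only to pods in its own Kubernetes namespace; apply them one at a time, observe-only first, and the third shows Override as the non-lethal alternative.

```yaml
# Added example (not from the page or from the Tetragon project). Three policies
# for the same goal, to be applied ONE AT A TIME in order: observe-only first,
# then Sigkill, with Override shown as the non-lethal alternative.
# Assumed values: namespace "enforce-test", path "/etc/secrets/", binary
# "/usr/local/bin/secret-reader".

# --- 1. Observe-only: same hook and match conditions, no matchActions. ---------
# Validates the selector; matching opens show up as process_kprobe events only.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced      # applies only to pods in metadata.namespace
metadata:
  name: secrets-file-observe
  namespace: enforce-test
spec:
  kprobes:
  - call: "fd_install"             # runs whenever a file descriptor is installed
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/secrets/"
---
# --- 2. Enforce with Sigkill: identical selector plus matchBinaries and action. -
# Any process other than the allowed reader that opens a file under the path
# is killed outright (the whole process, not just the open).
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: secrets-file-sigkill
  namespace: enforce-test
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/secrets/"
      matchBinaries:
      - operator: "NotIn"
        values:
        - "/usr/local/bin/secret-reader"
      matchActions:
      - action: Sigkill
---
# --- 3. Override: block the operation, keep the process alive. ----------------
# Hooks an LSM function that returns int, so Tetragon can inject an error code.
# Override needs a function the kernel allows error injection on; fd_install
# returns void and cannot be overridden, hence the different hook here.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: secrets-file-override
  namespace: enforce-test
spec:
  kprobes:
  - call: "security_file_permission"
    syscall: false
    args:
    - index: 0
      type: "file"
    - index: 1
      type: "int"                  # access mask (MAY_READ / MAY_WRITE)
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/secrets/"
      matchBinaries:
      - operator: "NotIn"
        values:
        - "/usr/local/bin/secret-reader"
      matchActions:
      - action: Override
        argError: -1               # caller sees -EPERM; process continues
```

To check the Sigkill policy, run something like `cat /etc/secrets/token; echo $?` from a pod in enforce-test: the shell reports exit status 137 (128 + SIGKILL) because cat was killed, and `tetra getevents -o compact` shows the process_kprobe event with its action. With the Override policy the same command instead fails with a permission error and the process survives. The observe-only policy should be left running long enough to confirm that only the intended opens match before the Sigkill version replaces it.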