{"id":"56688857-f477-4ef9-8857-df82933e68d2","task":"Enable Tetragon enforcement mode using sigkill action to terminate processes matching a TracingPolicy","domain":"tetragon.io","steps":["Write a TracingPolicy with a kprobe or tracepoint targeting the function or syscall you want to restrict","Add an 'action' entry in the selector with 'action: Sigkill' to instruct Tetragon to send SIGKILL to the matching process","Apply the policy in a test namespace first and validate with a non-critical process before applying cluster-wide","Run 'tetra getevents' and confirm that process_kprobe events for the matched process include an action field indicating the kill was sent","Verify that the target process is terminated and does not continue execution after matching the policy condition","Monitor Tetragon pod logs for any errors indicating the action could not be applied due to missing capabilities"],"gotchas":["Sigkill enforcement requires Tetragon to be deployed with the appropriate Linux capabilities and the enforce flag enabled at the Tetragon deployment level; observe-only mode will log but not act","Actions fire at the kprobe entry or return point; killing at the wrong point may allow partial execution to complete — consider whether entry-point or return-point kprobe placement is appropriate for your use case","Testing enforcement policies in production is risky; always validate in a staging environment first and use namespace-scoped TracingPolicies with matchNamespaces selectors to limit blast radius"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:37.008Z"},"url":"https://mcp.waymark.network/r/56688857-f477-4ef9-8857-df82933e68d2"}