Write a TracingPolicy manifest with apiVersion 'cilium.io/v1alpha1' and kind 'TracingPolicy', targeting a kernel function used in process execution, such as 'security_bprm_check'
Add an entry to the 'kprobes' array with the function name, and define which arguments to capture using the 'args' list, whose entries have index, type, and label fields
Add a 'selectors' block to filter events by binary path, using a 'matchBinaries' selector whose 'values' list holds the full binary paths to monitor
Apply the TracingPolicy to the cluster with kubectl apply and confirm the CRD is accepted without validation errors
Run 'tetra getevents' to stream process events and filter for exec events matching your target binary
Verify captured events include the expected process metadata such as binary path, arguments, and pod context
Known gotchas
Tetragon TracingPolicy kprobe argument indices are 0-based and map to kernel function parameter positions; using the wrong index captures the wrong data or causes a Tetragon error
Some kernel functions are inlined or renamed across kernel versions; a kprobe on a function that does not exist on the host kernel will fail to load — check the function name against the running kernel's /proc/kallsyms
The matchBinaries selector requires full absolute paths and does not support glob patterns; list each binary path explicitly
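
The steps and the kallsyms and matchBinaries gotchas above, as an added shell example that is not part of the original page: it writes the manifest and checks the probe symbol and binary paths before anything is applied. The policy name, label, binary path and helper function names are constructed for illustration; `syscall` and `operator` are Tetragon TracingPolicy fields the page does not mention.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. The policy name, label and
# binary path are constructed placeholders.

# Steps 1-3: write the TracingPolicy manifest to the file named by $1.
write_policy() {
  cat > "$1" <<'EOF'
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: bprm-check-example        # constructed name
spec:
  kprobes:
  - call: security_bprm_check
    syscall: false                # an LSM hook, not a syscall
    args:
    - index: 0                    # 0-based: first parameter (struct linux_binprm *)
      type: linux_binprm
      label: binprm               # constructed label
    selectors:
    - matchBinaries:
      - operator: In
        values:
        - /usr/bin/curl           # constructed; absolute path, no globs
EOF
}

# kallsyms gotcha: succeed only if symbol $1 is an exact entry in the
# kallsyms file $2 (defaults to the running kernel's /proc/kallsyms).
symbol_exists() {
  awk -v s="$1" '$3 == s { found = 1 } END { exit !found }' "${2:-/proc/kallsyms}"
}

# matchBinaries gotcha: succeed only if $1 is an absolute path with no
# glob characters.
path_ok() {
  case "$1" in
    *'*'*|*'?'*|*'['*) return 1 ;;
    /*) return 0 ;;
    *) return 1 ;;
  esac
}

# Steps 4-5, once both checks pass (left as comments: they need a cluster):
#   write_policy policy.yaml && kubectl apply -f policy.yaml
#   tetra getevents
```

Run `symbol_exists` on the node where Tetragon loads the probe, since `/proc/kallsyms` reflects that host's kernel and not the machine running kubectl.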