
Provide a flag to only enable enable-process-environment-variable for process_exec events #4637

@ywmei-brt1

Description


Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem?

We want to capture the env variables used by each process with minimum overhead cost. It would be nice if we could have a way to control which tetragon events should contain env variables and which should not, to reduce the total size of the raw tetragon events emitted through the grpc port.

For reference, one tetragon raw event is about 2KB (in json format), but with all the env variables captured it can easily be larger than 16KB. Considering the large volume of events tetragon emits through the grpc port, making every raw event 8 times larger in size becomes very expensive to drop/filter on the client side (by the client that listens to the grpc port, like tetra).

To reproduce

  1. build tetragon, tetra at head:
     $ git clone https://github.com/cilium/tetragon
     $ make tetragon tetragon-bpf tetra
  2. start tetragon with any policy and enable env vars:
     sudo tetragon --bpf-lib bpf/objs --tracing-policy=examples/tracingpolicy/fd_install_ns_host.yaml --enable-process-environment-variables
  3. run tetra; you will see that each event, process_start, process_exit, and process_kprobe alike, has the environment_variables field.

Describe the feature you would like

For example, at the gRPC port, we want to only capture env variables for process_exec events, but avoid having the env vars for all the process_kprobe events (we really need this) or process_exit events (if possible).

Describe your proposed solution

Maybe provide a flag (say, env: false) to disable env variables in the tracing policy, so users can selectively disable env vars for each kprobe and reduce the total traffic volume of the gRPC port?

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "fd-install"
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    env: false   # <--------- Add a bool flag to disable env variables for a Kprobe
    args:
    - index: 0
      type: int
    - index: 1
      type: "file"
    selectors:
    - matchNamespaces:
      - namespace: Pid
        operator: In
        values:
        - "host_ns"
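The request above is for a server-side switch; until something like it exists, the only option is the client-side filtering the issue calls expensive. The following added example (not Tetragon or tetra code, written for this page) shows what that filter looks like and lets you measure the saving: it reads newline-delimited Tetragon JSON events, keeps environment_variables only on process_exec events, and strips the field from every other event kind. The sample events are constructed, and the exact nesting of environment_variables inside an event is an assumption (the walk is generic for that reason); the set of kinds to keep is a parameter.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// keepEnvFor lists the event kinds whose environment variables are kept.
// Assumption for this example: env vars are wanted only on process_exec.
var keepEnvFor = map[string]bool{"process_exec": true}

// eventKind returns the top-level event key of a Tetragon JSON event
// (process_exec, process_exit, process_kprobe, ...), or "" if none.
func eventKind(ev map[string]interface{}) string {
	for k := range ev {
		if strings.HasPrefix(k, "process_") {
			return k
		}
	}
	return ""
}

// stripEnv removes every "environment_variables" key in the subtree. The
// nesting of the field is not fixed by the issue text, so the walk is
// generic (assumption of this example).
func stripEnv(v interface{}) {
	switch t := v.(type) {
	case map[string]interface{}:
		delete(t, "environment_variables")
		for _, c := range t {
			stripEnv(c)
		}
	case []interface{}:
		for _, c := range t {
			stripEnv(c)
		}
	}
}

// FilterEvent drops environment_variables from one JSON event line unless
// its kind is in keepEnvFor. It returns the re-encoded (compact) line.
func FilterEvent(line string) (string, error) {
	var ev map[string]interface{}
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return "", err
	}
	kind := eventKind(ev)
	if !keepEnvFor[kind] {
		stripEnv(ev[kind])
	}
	out, err := json.Marshal(ev)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// FilterStream applies FilterEvent to each non-empty line and reports the
// byte totals before and after, so the saving can be measured.
func FilterStream(in string) (out string, before, after int, err error) {
	var sb strings.Builder
	sc := bufio.NewScanner(strings.NewReader(in))
	sc.Buffer(make([]byte, 0, 64*1024), 1<<20) // env-laden events can exceed 16KB
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue
		}
		before += len(line)
		filtered, ferr := FilterEvent(line)
		if ferr != nil {
			return "", 0, 0, ferr
		}
		after += len(filtered)
		sb.WriteString(filtered)
		sb.WriteByte('\n')
	}
	return sb.String(), before, after, sc.Err()
}

// SampleEvents is a constructed stream (not real Tetragon output) with an
// environment_variables list on exec, kprobe and exit events alike.
const SampleEvents = `{"process_exec":{"process":{"pid":1234,"binary":"/usr/bin/curl","environment_variables":["PATH=/usr/bin","HOME=/root"]}},"node_name":"node-a","time":"2024-01-01T00:00:00Z"}
{"process_kprobe":{"process":{"pid":1234,"binary":"/usr/bin/curl","environment_variables":["PATH=/usr/bin","HOME=/root"]},"function_name":"fd_install"},"node_name":"node-a","time":"2024-01-01T00:00:01Z"}
{"process_exit":{"process":{"pid":1234,"binary":"/usr/bin/curl","environment_variables":["PATH=/usr/bin","HOME=/root"]},"status":0},"node_name":"node-a","time":"2024-01-01T00:00:02Z"}
`

func main() {
	out, before, after, err := FilterStream(SampleEvents)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
	fmt.Printf("bytes before=%d after=%d\n", before, after)
}
```

Piping real output through this (for example from tetra's JSON output into FilterStream via stdin) gives the before/after byte counts for your own workload; the point of the issue is that the decode/re-encode cost is paid on every event, which is why a server-side per-kprobe switch would be cheaper.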
