From 1f5a134f60b5955e306083164525564f45353663 Mon Sep 17 00:00:00 2001 From: William Findlay Date: Wed, 11 Dec 2024 14:57:44 -0500 Subject: [PATCH 1/3] pkg/filters: add k8s CIDR and IP helpers to CEL filters This simple PR adds CIDR and IP helpers from the k8s CEL libraries to our CEL filters. This should enable users to write export filters in CEL that match IPs in kprobe events using CIDR ranges etc. For example, the following CEL expression written as a CEL filter would match kprobe events where the first argument contains a socket with source address in CIDR range 10.0.0.0/16: cidr('10.0.0.0/16').containsIP(process_kprobe.args[0].sock_arg.saddr) The specific documentation for these CEL libraries is available here: - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#CIDR - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#IP Signed-off-by: William Findlay --- go.mod | 10 +++---- go.sum | 20 +++++++------- pkg/filters/cel_expression.go | 4 +++ pkg/filters/cel_expression_test.go | 42 ++++++++++++++++++++++++++++++ vendor/modules.txt | 10 +++---- 5 files changed, 66 insertions(+), 20 deletions(-)
diff --git a/go.mod b/go.mod
index 46158e0ab09..99cce402ae1 100644
--- a/go.mod
+++ b/go.mod
@@ -48,10 +48,11 @@ require (
 google.golang.org/grpc v1.68.1
 google.golang.org/protobuf v1.35.2
 gopkg.in/yaml.v3 v3.0.1
- k8s.io/api v0.31.3
+ k8s.io/api v0.31.4
 k8s.io/apiextensions-apiserver v0.31.3
- k8s.io/apimachinery v0.31.3
- k8s.io/client-go v0.31.3
+ k8s.io/apimachinery v0.31.4
+ k8s.io/apiserver v0.31.4
+ k8s.io/client-go v0.31.4
 k8s.io/code-generator v0.31.3
 k8s.io/cri-api v0.30.7
 k8s.io/klog/v2 v2.130.1
@@ -167,8 +168,7 @@ require (
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
- k8s.io/apiserver v0.31.3 // indirect
- k8s.io/component-base v0.31.3 // indirect
+ k8s.io/component-base v0.31.4 // indirect
 k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70 // indirect
 k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
diff --git a/go.sum b/go.sum
index b6bd258d7b8..d07842d27be 100644
--- a/go.sum
+++ b/go.sum
@@ -586,20 +586,20 @@ gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.31.3 h1:umzm5o8lFbdN/hIXbrK9oRpOproJO62CV1zqxXrLgk8= -k8s.io/api v0.31.3/go.mod h1:UJrkIp9pnMOI9K2nlL6vwpxRzzEX5sWgn8kGQe92kCE= +k8s.io/api v0.31.4 h1:I2QNzitPVsPeLQvexMEsj945QumYraqv9m74isPDKhM= +k8s.io/api v0.31.4/go.mod h1:d+7vgXLvmcdT1BCo79VEgJxHHryww3V5np2OYTr6jdw= k8s.io/apiextensions-apiserver v0.31.3 h1:+GFGj2qFiU7rGCsA5o+p/rul1OQIq6oYpQw4+u+nciE= k8s.io/apiextensions-apiserver v0.31.3/go.mod h1:2DSpFhUZZJmn/cr/RweH1cEVVbzFw9YBu4T+U3mf1e4= -k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4= -k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= -k8s.io/apiserver v0.31.3 h1:+1oHTtCB+OheqFEz375D0IlzHZ5VeQKX1KGXnx+TTuY= -k8s.io/apiserver v0.31.3/go.mod h1:PrxVbebxrxQPFhJk4powDISIROkNMKHibTg9lTRQ0Qg= -k8s.io/client-go v0.31.3 h1:CAlZuM+PH2cm+86LOBemaJI/lQ5linJ6UFxKX/SoG+4= -k8s.io/client-go v0.31.3/go.mod h1:2CgjPUTpv3fE5dNygAr2NcM8nhHzXvxB8KL5gYc3kJs= +k8s.io/apimachinery v0.31.4 h1:8xjE2C4CzhYVm9DGf60yohpNUh5AEBnPxCryPBECmlM= +k8s.io/apimachinery v0.31.4/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apiserver v0.31.4 h1:JbtnTaXVYEAYIHJil6Wd74Wif9sd8jVcBw84kwEmp7o= +k8s.io/apiserver v0.31.4/go.mod h1:JJjoTjZ9PTMLdIFq7mmcJy2B9xLN3HeAUebW6xZyIP0= +k8s.io/client-go v0.31.4 h1:t4QEXt4jgHIkKKlx06+W3+1JOwAFU/2OPiOo7H92eRQ= +k8s.io/client-go v0.31.4/go.mod h1:kvuMro4sFYIa8sulL5Gi5GFqUPvfH2O/dXuKstbaaeg= k8s.io/code-generator v0.31.3 h1:Pj0fYOBms+ZrsulLi4DMsCEx1jG8fWKRLy44onHsLBI= k8s.io/code-generator v0.31.3/go.mod h1:/umCIlT84g1+Yu5ZXtP1KGSRTnGiIzzX5AzUAxsNlts= -k8s.io/component-base v0.31.3 
h1:DMCXXVx546Rfvhj+3cOm2EUxhS+EyztH423j+8sOwhQ= -k8s.io/component-base v0.31.3/go.mod h1:xME6BHfUOafRgT0rGVBGl7TuSg8Z9/deT7qq6w7qjIU= +k8s.io/component-base v0.31.4 h1:wCquJh4ul9O8nNBSB8N/o8+gbfu3BVQkVw9jAUY/Qtw= +k8s.io/component-base v0.31.4/go.mod h1:G4dgtf5BccwiDT9DdejK0qM6zTK0jwDGEKnCmb9+u/s= k8s.io/cri-api v0.30.7 h1:4SRl/zLF+FuzQ6sUkrI5c6U8drlF3xF6/ad/Qs0AMuE= k8s.io/cri-api v0.30.7/go.mod h1://4/umPJSW1ISNSNng4OwjpkvswJOQwU8rnkvO8P+xg= k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70 h1:NGrVE502P0s0/1hudf8zjgwki1X/TByhmAoILTarmzo=
diff --git a/pkg/filters/cel_expression.go b/pkg/filters/cel_expression.go
index 30df09c8ddd..44024fe9d19 100644
--- a/pkg/filters/cel_expression.go
+++ b/pkg/filters/cel_expression.go
@@ -14,6 +14,7 @@ import (
 "github.com/cilium/tetragon/api/v1/tetragon/codegen/helpers"
 "github.com/google/cel-go/cel"
 "github.com/sirupsen/logrus"
+ celk8s "k8s.io/apiserver/pkg/cel/library"
 )
 // compile will parse and check an expression `expr` against a given
@@ -99,6 +100,9 @@ func NewCELExpressionFilter(log logrus.FieldLogger) *CELExpressionFilter {
 responseTypeMap := helpers.ResponseTypeMap()
 options := []cel.EnvOption{
 cel.Container("tetragon"),
+ // Import IP and CIDR related helpers from k8s CEL library
+ celk8s.IP(),
+ celk8s.CIDR(),
 }
 for key, val := range responseTypeMap {
 name := string(val.ProtoReflect().Descriptor().FullName())
diff --git a/pkg/filters/cel_expression_test.go b/pkg/filters/cel_expression_test.go
index 7977a720a2b..cc620e11090 100644
--- a/pkg/filters/cel_expression_test.go
+++ b/pkg/filters/cel_expression_test.go
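Review bot: The comment on the two new `EnvOption`s in `NewCELExpressionFilter` does not say what happens when these helpers are handed a value that is not an address. As documented for the k8s library, `ip()` and `cidr()` raise an evaluation error on input that does not parse (an empty string, an IPv4-mapped IPv6 address, a zoned address) rather than returning false, and how this filter treats an evaluation error is decided outside the hunk, so an export filter built on them may silently drop or pass events that carry no socket argument. I would extend the comment to `// IP and CIDR helpers from the k8s CEL library; ip()/cidr() error on unparsable input, so guard optional fields with isIP()/isCIDR().` and state the error outcome in the filter documentation. The body of NewCELExpressionFilter starts and ends outside the hunk.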
@@ -65,3 +65,45 @@ func TestProcessKprobeFilter(t *testing.T) {
 }
 assert.False(t, fl.MatchOne(&ev))
 }
+
+func TestCIDR(t *testing.T) {
+ log := logrus.New()
+ f := []*tetragon.Filter{{CelExpression: []string{"cidr('10.0.0.0/16').containsIP(process_kprobe.args[0].sock_arg.saddr)"}}}
+ fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{NewCELExpressionFilter(log)})
+ assert.NoError(t, err)
+ ev := v1.Event{
+ Event: &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessKprobe{
+ ProcessKprobe: &tetragon.ProcessKprobe{Args: []*tetragon.KprobeArgument{{Arg: &tetragon.KprobeArgument_SockArg{SockArg: &tetragon.KprobeSock{Saddr: "10.0.2.21"}}}}}},
+ },
+ }
+ assert.True(t, fl.MatchOne(&ev))
+ ev = v1.Event{
+ Event: &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessKprobe{
+ ProcessKprobe: &tetragon.ProcessKprobe{Args: []*tetragon.KprobeArgument{{Arg: &tetragon.KprobeArgument_SockArg{SockArg: &tetragon.KprobeSock{Saddr: "192.0.2.21"}}}}}},
+ },
+ }
+ assert.False(t, fl.MatchOne(&ev))
+}
+
+func TestIP(t *testing.T) {
+ log := logrus.New()
+ f := []*tetragon.Filter{{CelExpression: []string{"ip(process_kprobe.args[0].sock_arg.saddr).family() == 4"}}}
+ fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{NewCELExpressionFilter(log)})
+ assert.NoError(t, err)
+ ev := v1.Event{
+ Event: &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessKprobe{
+ ProcessKprobe: &tetragon.ProcessKprobe{Args: []*tetragon.KprobeArgument{{Arg: &tetragon.KprobeArgument_SockArg{SockArg: &tetragon.KprobeSock{Saddr: "10.0.2.21"}}}}}},
+ },
+ }
+ assert.True(t, fl.MatchOne(&ev))
+ ev = v1.Event{
+ Event: &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessKprobe{
+ ProcessKprobe: &tetragon.ProcessKprobe{Args: []*tetragon.KprobeArgument{{Arg: &tetragon.KprobeArgument_SockArg{SockArg: &tetragon.KprobeSock{Saddr: "2001:db8::abcd"}}}}}},
+ },
+ }
+ assert.False(t, fl.MatchOne(&ev))
+}
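Review bot: `TestCIDR` and `TestIP` only exercise well-formed addresses, so the case where `saddr` is empty or malformed, or where `args[0]` is not a socket argument, is untested. Those are the inputs on which `ip()` and `containsIP()` are expected to fail evaluation, and a test should pin whether `MatchOne` then returns false or true, for example with an event whose `Saddr` is `""` followed by `assert.False(t, fl.MatchOne(&ev))` if dropping the event is the intended outcome. Separately, `assert.NoError(t, err)` lets the test run on to `fl.MatchOne` after a failed build; `require.NoError(t, err)` would stop it there, assuming testify's `require` package is available to this test file.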
diff --git a/vendor/modules.txt b/vendor/modules.txt index b6844878ca9..c1d87bb8cd7 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -831,7 +831,7 @@ gopkg.in/yaml.v2 # gopkg.in/yaml.v3 v3.0.1 ## explicit gopkg.in/yaml.v3 -# k8s.io/api v0.31.3 +# k8s.io/api v0.31.4 ## explicit; go 1.22.0 k8s.io/api/admission/v1 k8s.io/api/admission/v1beta1 @@ -913,7 +913,7 @@ k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/apiextensio k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/internalinterfaces k8s.io/apiextensions-apiserver/pkg/client/listers/apiextensions/v1 k8s.io/apiextensions-apiserver/pkg/features -# k8s.io/apimachinery v0.31.3 +# k8s.io/apimachinery v0.31.4 ## explicit; go 1.22.0 k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/errors @@ -978,7 +978,7 @@ k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/netutil k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v0.31.3 +# k8s.io/apiserver v0.31.4 ## explicit; go 1.22.0 k8s.io/apiserver/pkg/apis/cel k8s.io/apiserver/pkg/authentication/serviceaccount @@ -994,7 +994,7 @@ k8s.io/apiserver/pkg/features k8s.io/apiserver/pkg/util/feature k8s.io/apiserver/pkg/util/version k8s.io/apiserver/pkg/warning -# k8s.io/client-go v0.31.3 +# k8s.io/client-go v0.31.4 ## explicit; go 1.22.0 k8s.io/client-go/applyconfigurations k8s.io/client-go/applyconfigurations/admissionregistration/v1 @@ -1366,7 +1366,7 @@ k8s.io/code-generator/cmd/register-gen/generators k8s.io/code-generator/pkg/namer k8s.io/code-generator/pkg/util k8s.io/code-generator/third_party/forked/golang/reflect -# k8s.io/component-base v0.31.3 +# k8s.io/component-base v0.31.4 ## explicit; go 1.22.0 k8s.io/component-base/cli/flag k8s.io/component-base/featuregate From 59477f0ba5321557d90493171f5b048469e92b4c Mon Sep 17 00:00:00 2001 
From: William Findlay Date: Wed, 11 Dec 2024 15:04:10 -0500 Subject: [PATCH 2/3] api: ensure CIDR and IP CEL extensions are documented Add CIDR and IP CEL extensions to the docs by sneaking them in through gRPC API documentation. A subsequent commit will add similar docs to the event filtering documentation. Signed-off-by: William Findlay --- api/v1/README.md | 2 +- api/v1/tetragon/events.pb.go | 3 ++- api/v1/tetragon/events.proto | 3 ++- .../github.com/cilium/tetragon/api/v1/tetragon/events.pb.go | 3 ++- .../github.com/cilium/tetragon/api/v1/tetragon/events.proto | 3 ++- docs/content/en/docs/reference/grpc-api.md | 2 +- vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go | 3 ++- vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto | 3 ++- 8 files changed, 14 insertions(+), 8 deletions(-) diff --git a/api/v1/README.md b/api/v1/README.md index 741a939ec4c..d357a634950 100644 --- a/api/v1/README.md +++ b/api/v1/README.md 
@@ -1426,7 +1426,7 @@ Capability set to filter over. NOTE: you may specify only ONE set here. | policy_names | [string](#string) | repeated | Filter events by tracing policy names | | capabilities | [CapFilter](#tetragon-CapFilter) | | Filter events by Linux process capability | | parent_binary_regex | [string](#string) | repeated | Filter parent process' binary using RE2 regular expression syntax. | -| cel_expression | [string](#string) | repeated | Filter using CEL expressions. | +| cel_expression | [string](#string) | repeated | Filter using CEL expressions. CEL filters support IP and CIDR notiation extensions from the k8s project. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#IP and https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#CIDR for details. | | parent_arguments_regex | [string](#string) | repeated | Filter by process.parent.arguments field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | container_id | [string](#string) | repeated | Filter by the container ID in the process.docker field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | in_init_tree | [google.protobuf.BoolValue](#google-protobuf-BoolValue) | | Filter containerized processes based on whether they are descendants of the container's init process. This can be used, for example, to watch for processes injected into a container via docker exec, kubectl exec, or similar mechanisms. | diff --git a/api/v1/tetragon/events.pb.go b/api/v1/tetragon/events.pb.go index acf20bfb855..61ff7de73eb 100644 --- a/api/v1/tetragon/events.pb.go +++ b/api/v1/tetragon/events.pb.go 
@@ -232,7 +232,8 @@ type Filter struct { Capabilities *CapFilter `protobuf:"bytes,11,opt,name=capabilities,proto3" json:"capabilities,omitempty"` // Filter parent process' binary using RE2 regular expression syntax. ParentBinaryRegex []string `protobuf:"bytes,12,rep,name=parent_binary_regex,json=parentBinaryRegex,proto3" json:"parent_binary_regex,omitempty"` - // Filter using CEL expressions. + // Filter using CEL expressions. CEL filters support IP and CIDR notiation extensions from the k8s project. + // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#IP and https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#CIDR for details. CelExpression []string `protobuf:"bytes,13,rep,name=cel_expression,json=celExpression,proto3" json:"cel_expression,omitempty"` // Filter by process.parent.arguments field using RE2 regular expression syntax: // https://github.com/google/re2/wiki/Syntax diff --git a/api/v1/tetragon/events.proto b/api/v1/tetragon/events.proto index 5411bb9937f..c6ed6f698e3 100644 --- a/api/v1/tetragon/events.proto +++ b/api/v1/tetragon/events.proto @@ -61,7 +61,8 @@ message Filter { CapFilter capabilities = 11; // Filter parent process' binary using RE2 regular expression syntax. repeated string parent_binary_regex = 12; - // Filter using CEL expressions. + // Filter using CEL expressions. CEL filters support IP and CIDR notiation extensions from the k8s project. + // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#IP and https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#CIDR for details. repeated string cel_expression = 13; // Filter by process.parent.arguments field using RE2 regular expression syntax: // https://github.com/google/re2/wiki/Syntax diff --git a/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go b/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go index acf20bfb855..61ff7de73eb 100644 
--- a/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go +++ b/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go @@ -232,7 +232,8 @@ type Filter struct { Capabilities *CapFilter `protobuf:"bytes,11,opt,name=capabilities,proto3" json:"capabilities,omitempty"` // Filter parent process' binary using RE2 regular expression syntax. ParentBinaryRegex []string `protobuf:"bytes,12,rep,name=parent_binary_regex,json=parentBinaryRegex,proto3" json:"parent_binary_regex,omitempty"` - // Filter using CEL expressions. + // Filter using CEL expressions. CEL filters support IP and CIDR notiation extensions from the k8s project. + // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#IP and https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#CIDR for details. CelExpression []string `protobuf:"bytes,13,rep,name=cel_expression,json=celExpression,proto3" json:"cel_expression,omitempty"` // Filter by process.parent.arguments field using RE2 regular expression syntax: // https://github.com/google/re2/wiki/Syntax diff --git a/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto b/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto index 5411bb9937f..c6ed6f698e3 100644 --- a/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto +++ b/contrib/tetragon-rthooks/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto 
@@ -61,7 +61,8 @@ message Filter { CapFilter capabilities = 11; // Filter parent process' binary using RE2 regular expression syntax. repeated string parent_binary_regex = 12; - // Filter using CEL expressions. + // Filter using CEL expressions. CEL filters support IP and CIDR notiation extensions from the k8s project. + // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#IP and https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#CIDR for details. repeated string cel_expression = 13; // Filter by process.parent.arguments field using RE2 regular expression syntax: // https://github.com/google/re2/wiki/Syntax diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md index 16bd72adefa..2575a5aa6a0 100644 --- a/docs/content/en/docs/reference/grpc-api.md +++ b/docs/content/en/docs/reference/grpc-api.md 
@@ -894,7 +894,7 @@ Capability set to filter over. NOTE: you may specify only ONE set here. | policy_names | [string](#string) | repeated | Filter events by tracing policy names | | capabilities | [CapFilter](#tetragon-CapFilter) | | Filter events by Linux process capability | | parent_binary_regex | [string](#string) | repeated | Filter parent process' binary using RE2 regular expression syntax. | -| cel_expression | [string](#string) | repeated | Filter using CEL expressions. | +| cel_expression | [string](#string) | repeated | Filter using CEL expressions. CEL filters support IP and CIDR notiation extensions from the k8s project. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#IP and https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#CIDR for details. | | parent_arguments_regex | [string](#string) | repeated | Filter by process.parent.arguments field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | container_id | [string](#string) | repeated | Filter by the container ID in the process.docker field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | | in_init_tree | [google.protobuf.BoolValue](#google-protobuf-BoolValue) | | Filter containerized processes based on whether they are descendants of the container's init process. This can be used, for example, to watch for processes injected into a container via docker exec, kubectl exec, or similar mechanisms. | diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go index acf20bfb855..61ff7de73eb 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go 
@@ -232,7 +232,8 @@ type Filter struct { Capabilities *CapFilter `protobuf:"bytes,11,opt,name=capabilities,proto3" json:"capabilities,omitempty"` // Filter parent process' binary using RE2 regular expression syntax. ParentBinaryRegex []string `protobuf:"bytes,12,rep,name=parent_binary_regex,json=parentBinaryRegex,proto3" json:"parent_binary_regex,omitempty"` - // Filter using CEL expressions. + // Filter using CEL expressions. CEL filters support IP and CIDR notiation extensions from the k8s project. + // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#IP and https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#CIDR for details. CelExpression []string `protobuf:"bytes,13,rep,name=cel_expression,json=celExpression,proto3" json:"cel_expression,omitempty"` // Filter by process.parent.arguments field using RE2 regular expression syntax: // https://github.com/google/re2/wiki/Syntax diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto index 5411bb9937f..c6ed6f698e3 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto @@ -61,7 +61,8 @@ message Filter { CapFilter capabilities = 11; // Filter parent process' binary using RE2 regular expression syntax. repeated string parent_binary_regex = 12; - // Filter using CEL expressions. + // Filter using CEL expressions. CEL filters support IP and CIDR notiation extensions from the k8s project. + // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#IP and https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#CIDR for details. repeated string cel_expression = 13; // Filter by process.parent.arguments field using RE2 regular expression syntax: // https://github.com/google/re2/wiki/Syntax From e1159a4ba029375cb99a1bb10c4f7a6b9e344fe4 Mon Sep 17 00:00:00 2001 
From: William Findlay Date: Wed, 11 Dec 2024 15:08:00 -0500 Subject: [PATCH 3/3] docs: add missing event filter docs Add docs for missing event filter types: - cel - container_id - in_init_tree Signed-off-by: William Findlay --- docs/content/en/docs/concepts/events.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/content/en/docs/concepts/events.md b/docs/content/en/docs/concepts/events.md index 6ff6c9f2233..5e53958d9bc 100644 --- a/docs/content/en/docs/concepts/events.md +++ b/docs/content/en/docs/concepts/events.md 
@@ -161,8 +161,11 @@ flags, or environment variables. | `labels` | Filter events by pod labels using [Kubernetes label selector syntax](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) Note that this filter never matches events without the pod field (i.e. host process events). | | `policy_names` | Filter events by tracing policy names. | | `capabilities` | Filter events by Linux process capability. | +| `cel_expression` | Filter using CEL expressions. CEL filters support IP and CIDR notiation extensions from the k8s project. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#IP and https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#CIDR for details. | | `parent_binary_regex` | Filter process events by a list of regular expressions of parent process binary names (e.g. `"^/home/kubernetes/bin/kubelet$"`). You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | -| `parent_arguments_regex` | Filter by parent process arguments using a list of regular expressions. You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | +| `parent_arguments_regex` | Filter by the container ID in the process.docker field using RE2 regular expression syntax: https://github.com/google/re2/wiki/Syntax | +| `container_id` | Filter by parent process arguments using a list of regular expressions. You can find the full syntax [here](https://github.com/google/re2/wiki/Syntax). | +| `in_init_tree` | Filter containerized processes based on whether they are descendants of the container's init process. This can be used, for example, to watch for processes injected into a container via docker exec, kubectl exec, or similar mechanisms. | #### Field Filtering