Version: latest

Restricting Gadgets

It is possible to limit the gadgets that can be run by using the --allowed-gadgets flag. With this flag, you can restrict running the gadgets using the following:

By digest,
By tag
Or by using a prefix, with a wildcard at the end, like ghcr.io/inspektor-gadget/gadget/*.

By default, all gadgets are allowed, although other restrictions (like a signature check) could still keep them from running.

By digest

You can restrict running gadgets by specifying the digest of the ones you want to run:

kubectl gadget
ig
ig daemon

You can specify this option only at deploy time:

$ kubectl gadget deploy --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_exec@sha256:e13e3859be5ed8cef676a720274480d2748f66fd98cf8d963af6c4c05121526f,ghcr.io/your-repo/gadget/your_gadget@sha256:digest_of_your_gadget'
...
Inspektor Gadget successfully deployed

$ kubectl gadget run trace_exec
K8S.NAMESPACE    K8S.PODNAME      K8S.CONTAINERNA… COMM            PID      TID PCOMM        PPID ARGS     K8S.NODE E… TIMESTAMP
gadget           gadget-fdpxp     gadget           gadgettr…    131299   131299 runc       131281 /bin/ga… minikub…    2024-07-25T08:22:…
gadget           gadget-fdpxp     gadget           gadgettr…    131298   131298 runc       131280 /bin/ga… minikub…    2024-07-25T08:22:…
^C

$ kubectl gadget run trace_open
Error: fetching gadget information: getting gadget info: rpc error: code = Unknown desc = getting gadget info: initializing and preparing operators: instantiating operator "oci": ensuring image: trace_open is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_exec@sha256:e13e3859be5ed8cef676a720274480d2748f66fd98cf8d963af6c4c05121526f, ghcr.io/your-repo/gadget/your_gadget@sha256:digest_of_your_gadget

$ kubectl gadget run ghcr./io/your-repo/gadget/your_gadget
K8S.NAMESPACE  K8S.PODNAME    K8S.CONTAINER… TIMEST… PID     UID     GID     MNTNS_… ERR     FD      FLAGS   MODE    COMM   FNAME  K8S.N…
gadget         gadget-8rcdz   gadget         500159… 134426  0       0       402653… 0       5       0       0       runc:… /sys/… minik…
gadget         gadget-8rcdz   gadget         500159… 134427  0       0       402653… 0       5       0       0       runc:… /sys/… minik…
^C

You can use the --allowed-gadgets flag at run time:

$ sudo ig run --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_exec@sha256:e13e3859be5ed8cef676a720274480d2748f66fd98cf8d963af6c4c05121526f,ghcr.io/inspektor-gadget/gadget/trace_open@sha256:be8dd66efc69a14f2812b7d5472b378b095a2002ef89fa7aa1e33b7133da762d' trace_exec
RUNTIME.CONTAINERNAME    COMM                    PID           TID PCOMM                PPID ARGS         ER… TIMESTAMP
minikube-docker          iptables             137722        137722 kubelet             11713 /usr/sbin/i…     2024-07-25T10:30:21.902064…
minikube-docker          ip6tables            137723        137723 kubelet             11713 /usr/sbin/i…     2024-07-25T10:30:21.904561…
^C

$ sudo ig run ---allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_exec@sha256:e13e3859be5ed8cef676a720274480d2748f66fd98cf8d963af6c4c05121526f,ghcr.io/inspektor-gadget/gadget/trace_open@sha256:be8dd66efc69a14f2812b7d5472b378b095a2002ef89fa7aa1e33b7133da762d' trace_open
RUNTIME.CONTAINER… COMM              PID       TID       UID       GID  FD FNAME                    MODE      ERROR  TIMESTAMP
minikube-docker    kubelet         11713     11715         0         0  20 /sys/fs/cgroup/kubepods… --------…        2024-07-25T10:30:44…
minikube-docker    kubelet         11713     11715         0         0  20 /proc/2136/fd            --------…        2024-07-25T10:30:44…
^C

$ sudo ig run --allowed-gadgetss='ghcr.io/inspektor-gadget/gadget/trace_exec@sha256:e13e3859be5ed8cef676a720274480d2748f66fd98cf8d963af6c4c05121526f,ghcr.io/inspektor-gadget/gadget/trace_open@sha256:be8dd66efc69a14f2812b7d5472b378b095a2002ef89fa7aa1e33b7133da762d' trace_signal
Error: fetching gadget information: initializing and preparing operators: instantiating operator "oci": ensuring image: trace_signal is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_exec@sha256:e13e3859be5ed8cef676a720274480d2748f66fd98cf8d963af6c4c05121526f, ghcr.io/inspektor-gadget/gadget/trace_open@sha256:be8dd66efc69a14f2812b7d5472b378b095a2002ef89fa7aa1e33b7133da762d

$ sudo ig run --allowed-gadgetss='ghcr.io/inspektor-gadget/gadget/trace_exec@sha256:e13e3859be5ed8cef676a720274480d2748f66fd98cf8d963af6c4c05121526f,ghcr.io/inspektor-gadget/gadget/trace_open@sha256:be8dd66efc69a14f2812b7d5472b378b095a2002ef89fa7aa1e33b7133da762d' ghcr.io/your-repo/gadget/your-gadget
Error: fetching gadget information: initializing and preparing operators: instantiating operator "oci": ensuring image: ghcr.io/your-repo/gadget/your-gadget is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_exec@sha256:e13e3859be5ed8cef676a720274480d2748f66fd98cf8d963af6c4c05121526f, ghcr.io/inspektor-gadget/gadget/trace_open@sha256:be8dd66efc69a14f2812b7d5472b378b095a2002ef89fa7aa1e33b7133da762d

You can specify these options only at start time:

$ sudo ig daemon --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_exec@sha256:e13e3859be5ed8cef676a720274480d2748f66fd98cf8d963af6c4c05121526f,ghcr.io/your-repo/gadget/your_gadget@sha256:digest_of_your_gadget'
...
# Switch to another terminal
$ gadgetctl run trace_exec
RUNTIME.CONTAINERNAME    COMM                    PID           TID PCOMM                PPID ARGS         ER… TIMESTAMP
$ gadgetctl run trace_open
Error: fetching gadget information: getting gadget info: rpc error: code = Unknown desc = getting gadget info: initializing and preparing operators: instantiating operator "oci": ensuring image: trace_open is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_exec@sha256:e13e3859be5ed8cef676a720274480d2748f66fd98cf8d963af6c4c05121526f, ghcr.io/your_repo/gadget/your_gadget@sha256:digest_of_your_gadget
$ gadgetctl run ghcr./io/your-repo/gadget/your_gadget
RUNTIME.CONTAINERN… TIMESTAMP  PID        UID        GID        MNTNS_ID   ERR        FD         FLAGS      MODE      COMM      FNAME

By tag

We also offer the possibility to restrict running by gadget tags:

kubectl gadget
ig
ig daemon

You can specify this option only at deploy time:

$ kubectl gadget deploy --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_exec:latest,ghcr.io/your-repo/gadget/your_gadget:latest'
...
Inspektor Gadget successfully deployed

$ kubectl gadget run ghcr.io/inspektor-gadget/gadget/trace_exec:latest
K8S.NAMESPACE    K8S.PODNAME      K8S.CONTAINERNA… COMM            PID      TID PCOMM        PPID ARGS     K8S.NODE E… TIMESTAMP
gadget           gadget-fdpxp     gadget           gadgettr…    131299   131299 runc       131281 /bin/ga… minikub…    2024-07-25T08:22:…
gadget           gadget-fdpxp     gadget           gadgettr…    131298   131298 runc       131280 /bin/ga… minikub…    2024-07-25T08:22:…
^C

# As the name matches, the execution is allowed.
$ kubectl gadget run ghcr.io/inspektor-gadget/gadget/trace_exec:v0.32.0
Error: fetching gadget information: getting gadget info: rpc error: code = Unknown desc = getting gadget info: initializing and preparing operators: instantiating operator "oci": ensuring image: ghcr.io/inspektor-gadget/gadget/trace_exec:v0.32.0 is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_exec:latest, ghcr.io/your-repo/gadget/your_gadget:latest

$ kubectl gadget run trace_open
Error: fetching gadget information: getting gadget info: rpc error: code = Unknown desc = getting gadget info: initializing and preparing operators: instantiating operator "oci": ensuring image: trace_open is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_exec:latest, ghcr.io/your-repo/gadget/your_gadget:latest

$ kubectl gadget run ghcr./io/your-repo/gadget/your_gadget:latest
K8S.NAMESPACE  K8S.PODNAME    K8S.CONTAINER… TIMEST… PID     UID     GID     MNTNS_… ERR     FD      FLAGS   MODE    COMM   FNAME  K8S.N…
gadget         gadget-8rcdz   gadget         500159… 134426  0       0       402653… 0       5       0       0       runc:… /sys/… minik…
gadget         gadget-8rcdz   gadget         500159… 134427  0       0       402653… 0       5       0       0       runc:… /sys/… minik…
^C

You can use the --allowed-gadgets flag at run time:

$ sudo ig run --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_exec:latest,ghcr.io/inspektor-gadget/gadget/trace_open:latest' ghcr.io/inspektor-gadget/gadget/trace_exec:latest
RUNTIME.CONTAINERNAME    COMM                    PID           TID PCOMM                PPID ARGS         ER… TIMESTAMP
minikube-docker          iptables             137722        137722 kubelet             11713 /usr/sbin/i…     2024-07-25T10:30:21.902064…
minikube-docker          ip6tables            137723        137723 kubelet             11713 /usr/sbin/i…     2024-07-25T10:30:21.904561…
^C

$ sudo ig run --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_exec:latest,ghcr.io/inspektor-gadget/gadget/trace_open:latest' ghcr.io/inspektor-gadget/gadget/trace_open:latest
RUNTIME.CONTAINER… COMM              PID       TID       UID       GID  FD FNAME                    MODE      ERROR  TIMESTAMP
minikube-docker    kubelet         11713     11715         0         0  20 /sys/fs/cgroup/kubepods… --------…        2024-07-25T10:30:44…
minikube-docker    kubelet         11713     11715         0         0  20 /proc/2136/fd            --------…        2024-07-25T10:30:44…
^C

$ sudo ig run --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_exec:latest,ghcr.io/inspektor-gadget/gadget/trace_open:latest' ghcr.io/inspektor-gadget/gadget/trace_exec:v0.32.0
Error: fetching gadget information: initializing and preparing operators: instantiating operator "oci": ensuring image: ghcr.io/inspektor-gadget/gadget/trace_exec:v0.32.0 is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_exec:latest, ghcr.io/inspektor-gadget/gadget/trace_open:latest

$ sudo ig run --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_exec:latest,ghcr.io/inspektor-gadget/gadget/trace_open:latest' trace_signal
Error: fetching gadget information: initializing and preparing operators: instantiating operator "oci": ensuring image: trace_signal is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_exec:latest, ghcr.io/inspektor-gadget/gadget/trace_open:latest

$ sudo ig run --allowed-gadgetss='ghcr.io/inspektor-gadget/gadget/trace_exec,ghcr.io/inspektor-gadget/gadget/trace_open' ghcr.io/your-repo/gadget/your-gadget
Error: fetching gadget information: initializing and preparing operators: instantiating operator "oci": ensuring image: ghcr.io/your-repo/gadget/your-gadget is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_exec:latest, ghcr.io/inspektor-gadget/gadget/trace_open:latest

You can specify these options only at start time:

$ sudo ig daemon --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_exec:latest,ghcr.io/your-repo/gadget/your_gadget:latest'
...
# Switch to another terminal
$ gadgetctl run trace_exec:latest
RUNTIME.CONTAINERNAME    COMM                    PID           TID PCOMM                PPID ARGS         ER… TIMESTAMP
$ gadgetctl run trace_open
Error: fetching gadget information: getting gadget info: rpc error: code = Unknown desc = getting gadget info: initializing and preparing operators: instantiating operator "oci": ensuring image: trace_open is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_exec:latest, ghcr.io/your-repo/gadget/your_gadget:latest
$ gadgetctl run ghcr./io/your-repo/gadget/your_gadget:latest
RUNTIME.CONTAINERN… TIMESTAMP  PID        UID        GID        MNTNS_ID   ERR        FD         FLAGS      MODE      COMM      FNAME

By prefix

This can be used to allow all the gadgets from a specific repository. Let's see how you can use it:

kubectl gadget
ig
ig daemon

You can specify this option only at deploy time:

# Let's allow all the tracers from Inspektor Gadget repository and all the gadgets from your repository.
$ kubectl gadget deploy --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_*,ghcr.io/your-repo/gadget/*'
...
Inspektor Gadget successfully deployed

$ kubectl gadget run trace_exec
K8S.NAMESPACE    K8S.PODNAME      K8S.CONTAINERNA… COMM            PID      TID PCOMM        PPID ARGS     K8S.NODE E… TIMESTAMP
gadget           gadget-fdpxp     gadget           gadgettr…    131299   131299 runc       131281 /bin/ga… minikub…    2024-07-25T08:22:…
gadget           gadget-fdpxp     gadget           gadgettr…    131298   131298 runc       131280 /bin/ga… minikub…    2024-07-25T08:22:…
^C

$ kubectl gadget run top_file
Error: fetching gadget information: getting gadget info: rpc error: code = Unknown desc = getting gadget info: initializing and preparing operators: instantiating operator "oci": ensuring image: top_file is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_*, ghcr.io/your-repo/gadget/*

$ kubectl gadget run ghcr./io/your-repo/gadget/your_gadget
K8S.NAMESPACE  K8S.PODNAME    K8S.CONTAINER… TIMEST… PID     UID     GID     MNTNS_… ERR     FD      FLAGS   MODE    COMM   FNAME  K8S.N…
gadget         gadget-8rcdz   gadget         500159… 134426  0       0       402653… 0       5       0       0       runc:… /sys/… minik…
gadget         gadget-8rcdz   gadget         500159… 134427  0       0       402653… 0       5       0       0       runc:… /sys/… minik…
^C

You can use the --allowed-gadgets flag at run time:

# Let's allow all the tracers and toppers from Inspektor Gadget repository.
$ sudo ig run --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_*,ghcr.io/inspektor-gadget/gadget/top_*' trace_exec
RUNTIME.CONTAINERNAME    COMM                    PID           TID PCOMM                PPID ARGS         ER… TIMESTAMP
minikube-docker          iptables             137722        137722 kubelet             11713 /usr/sbin/i…     2024-07-25T10:30:21.902064…
minikube-docker          ip6tables            137723        137723 kubelet             11713 /usr/sbin/i…     2024-07-25T10:30:21.904561…
^C

$ sudo ig run ---allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_exec,ghcr.io/inspektor-gadget/gadget/trace_open' trace_open
RUNTIME.CONTAINER… COMM              PID       TID       UID       GID  FD FNAME                    MODE      ERROR  TIMESTAMP
minikube-docker    kubelet         11713     11715         0         0  20 /sys/fs/cgroup/kubepods… --------…        2024-07-25T10:30:44…
minikube-docker    kubelet         11713     11715         0         0  20 /proc/2136/fd            --------…        2024-07-25T10:30:44…
^C

$ sudo ig run --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_exec,ghcr.io/inspektor-gadget/gadget/trace_open' profile_blockio
Error: fetching gadget information: initializing and preparing operators: instantiating operator "oci": ensuring image: profile_blockio is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_*, ghcr.io/inspektor-gadget/gadget/top_*

$ sudo ig run --allowed-gadgetss='ghcr.io/inspektor-gadget/gadget/trace_exec,ghcr.io/inspektor-gadget/gadget/trace_open' ghcr.io/your-repo/gadget/your-gadget
Error: fetching gadget information: initializing and preparing operators: instantiating operator "oci": ensuring image: ghcr.io/your-repo/gadget/your-gadget is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_*, ghcr.io/inspektor-gadget/gadget/top_*

You can specify these options only at start time:

# Let's allow all the tracers from Inspektor Gadget repository and all the gadgets from your repository.
$ sudo ig daemon --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_*,ghcr.io/your-repo/gadget/*'
...
# Switch to another terminal
$ gadgetctl run trace_exec
RUNTIME.CONTAINERNAME    COMM                    PID           TID PCOMM                PPID ARGS         ER… TIMESTAMP
$ gadgetctl run top_file
Error: fetching gadget information: getting gadget info: rpc error: code = Unknown desc = getting gadget info: initializing and preparing operators: instantiating operator "oci": ensuring image: top_file is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_*, ghcr.io/your_repo/gadget/*
$ gadgetctl run ghcr./io/your-repo/gadget/your_gadget
RUNTIME.CONTAINERN… TIMESTAMP  PID        UID        GID        MNTNS_ID   ERR        FD         FLAGS      MODE      COMM      FNAME

By digest​

By tag​

By prefix​

By digest

By tag

By prefix