Version: latest

Restricting Gadgets

You can limit which gadgets are allowed to run with the --allowed-gadgets flag. It takes a comma-separated list of entries, and each entry matches gadgets in one of the following ways:

  1. By digest
  2. By tag
  3. By prefix, with a wildcard at the end, like ghcr.io/inspektor-gadget/gadget/*

By default, all gadgets are allowed, although other restrictions (such as the signature check) can still prevent a gadget from running.

By digest

You can restrict gadgets to exactly the images you want by listing their digests. A digest is content-addressed, so only an image with that exact content matches, whatever tag it is published under.

You can specify this option only at deploy time:

$ kubectl gadget deploy --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_exec@sha256:e13e3859be5ed8cef676a720274480d2748f66fd98cf8d963af6c4c05121526f,ghcr.io/your-repo/gadget/your_gadget@sha256:digest_of_your_gadget'
...
Inspektor Gadget successfully deployed

$ kubectl gadget run trace_exec
K8S.NAMESPACE K8S.PODNAME K8S.CONTAINERNA… COMM PID TID PCOMM PPID ARGS K8S.NODE E… TIMESTAMP
gadget gadget-fdpxp gadget gadgettr… 131299 131299 runc 131281 /bin/ga… minikub… 2024-07-25T08:22:…
gadget gadget-fdpxp gadget gadgettr… 131298 131298 runc 131280 /bin/ga… minikub… 2024-07-25T08:22:…
^C

$ kubectl gadget run trace_open
Error: fetching gadget information: getting gadget info: rpc error: code = Unknown desc = getting gadget info: initializing and preparing operators: instantiating operator "oci": ensuring image: trace_open is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_exec@sha256:e13e3859be5ed8cef676a720274480d2748f66fd98cf8d963af6c4c05121526f, ghcr.io/your-repo/gadget/your_gadget@sha256:digest_of_your_gadget

$ kubectl gadget run ghcr.io/your-repo/gadget/your_gadget
K8S.NAMESPACE K8S.PODNAME K8S.CONTAINER… TIMEST… PID UID GID MNTNS_… ERR FD FLAGS MODE COMM FNAME K8S.N…
gadget gadget-8rcdz gadget 500159134426 0 0 4026530 5 0 0 runc:… /sys/… minik…
gadget gadget-8rcdz gadget 500159134427 0 0 4026530 5 0 0 runc:… /sys/… minik…
^C

By tag

You can also restrict gadgets by tag. Note that a tag is a mutable reference: a tag entry allows whatever image the tag points to when the gadget is pulled, not a specific image content.

You can specify this option only at deploy time:

$ kubectl gadget deploy --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_exec:latest,ghcr.io/your-repo/gadget/your_gadget:latest'
...
Inspektor Gadget successfully deployed

$ kubectl gadget run ghcr.io/inspektor-gadget/gadget/trace_exec:latest
K8S.NAMESPACE K8S.PODNAME K8S.CONTAINERNA… COMM PID TID PCOMM PPID ARGS K8S.NODE E… TIMESTAMP
gadget gadget-fdpxp gadget gadgettr… 131299 131299 runc 131281 /bin/ga… minikub… 2024-07-25T08:22:…
gadget gadget-fdpxp gadget gadgettr… 131298 131298 runc 131280 /bin/ga… minikub… 2024-07-25T08:22:…
^C

# The name matches, but the tag does not, so the execution is denied.
$ kubectl gadget run ghcr.io/inspektor-gadget/gadget/trace_exec:v0.32.0
Error: fetching gadget information: getting gadget info: rpc error: code = Unknown desc = getting gadget info: initializing and preparing operators: instantiating operator "oci": ensuring image: ghcr.io/inspektor-gadget/gadget/trace_exec:v0.32.0 is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_exec:latest, ghcr.io/your-repo/gadget/your_gadget:latest

$ kubectl gadget run trace_open
Error: fetching gadget information: getting gadget info: rpc error: code = Unknown desc = getting gadget info: initializing and preparing operators: instantiating operator "oci": ensuring image: trace_open is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_exec:latest, ghcr.io/your-repo/gadget/your_gadget:latest

$ kubectl gadget run ghcr.io/your-repo/gadget/your_gadget:latest
K8S.NAMESPACE K8S.PODNAME K8S.CONTAINER… TIMEST… PID UID GID MNTNS_… ERR FD FLAGS MODE COMM FNAME K8S.N…
gadget gadget-8rcdz gadget 500159134426 0 0 4026530 5 0 0 runc:… /sys/… minik…
gadget gadget-8rcdz gadget 500159134427 0 0 4026530 5 0 0 runc:… /sys/… minik…
^C

By prefix

A prefix entry allows every gadget whose image reference starts with the given prefix, for example all the gadgets from a specific repository. The wildcard must be the last character of the entry.

You can specify this option only at deploy time:

# Allow all the tracers from the Inspektor Gadget repository and all the gadgets from your repository.
$ kubectl gadget deploy --allowed-gadgets='ghcr.io/inspektor-gadget/gadget/trace_*,ghcr.io/your-repo/gadget/*'
...
Inspektor Gadget successfully deployed

$ kubectl gadget run trace_exec
K8S.NAMESPACE K8S.PODNAME K8S.CONTAINERNA… COMM PID TID PCOMM PPID ARGS K8S.NODE E… TIMESTAMP
gadget gadget-fdpxp gadget gadgettr… 131299 131299 runc 131281 /bin/ga… minikub… 2024-07-25T08:22:…
gadget gadget-fdpxp gadget gadgettr… 131298 131298 runc 131280 /bin/ga… minikub… 2024-07-25T08:22:…
^C

$ kubectl gadget run top_file
Error: fetching gadget information: getting gadget info: rpc error: code = Unknown desc = getting gadget info: initializing and preparing operators: instantiating operator "oci": ensuring image: top_file is not part of allowed gadgets: ghcr.io/inspektor-gadget/gadget/trace_*, ghcr.io/your-repo/gadget/*

$ kubectl gadget run ghcr.io/your-repo/gadget/your_gadget
K8S.NAMESPACE K8S.PODNAME K8S.CONTAINER… TIMEST… PID UID GID MNTNS_… ERR FD FLAGS MODE COMM FNAME K8S.N…
gadget gadget-8rcdz gadget 500159134426 0 0 4026530 5 0 0 runc:… /sys/… minik…
gadget gadget-8rcdz gadget 500159134427 0 0 4026530 5 0 0 runc:… /sys/… minik…
^C
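The three sections above show the same allowlist being consulted with three kinds of entries. The following Go program is an added example, not Inspektor Gadget's own code: it models the matching behaviour visible in the sessions (digest, tag and trailing-wildcard prefix entries) so you can check how an allowlist value will behave before deploying it. The expansion of a bare name such as trace_exec to ghcr.io/inspektor-gadget/gadget/trace_exec:latest, the Resolver table that stands in for a registry lookup, and the order in which entries are checked are assumptions inferred from the page's output; the digest for your_gadget is the page's placeholder.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed defaults, inferred from the page's sessions: a bare gadget name such as
// "trace_exec" expands to the Inspektor Gadget repository and to the tag "latest".
const (
	defaultRepoPrefix = "ghcr.io/inspektor-gadget/gadget/"
	defaultTag        = "latest"
)

// ParseAllowlist splits the comma-separated value given to --allowed-gadgets.
func ParseAllowlist(flagValue string) []string {
	var entries []string
	for _, e := range strings.Split(flagValue, ",") {
		if e = strings.TrimSpace(e); e != "" {
			entries = append(entries, e)
		}
	}
	return entries
}

// Normalize turns a user-supplied reference into its canonical form:
// "registry/path/name:tag" or "registry/path/name@sha256:<hex>".
func Normalize(ref string) string {
	if !strings.Contains(ref, "/") {
		ref = defaultRepoPrefix + ref
	}
	if strings.Contains(ref, "@") {
		return ref // a digest reference carries no tag
	}
	// A ':' after the last '/' separates the tag; one before it is a registry port.
	if !strings.Contains(ref[strings.LastIndex(ref, "/")+1:], ":") {
		ref += ":" + defaultTag
	}
	return ref
}

// Resolver stands in for the registry lookup that maps a normalized name:tag
// to the digest of the manifest that would actually be pulled (constructed here).
type Resolver map[string]string

// Allowed reports whether ref may run under the allowlist and which entry admitted it:
// a trailing '*' is a prefix match on the normalized name, an entry containing '@'
// must equal the repo@digest of the image that would be pulled, anything else is an
// exact name:tag match.
func Allowed(ref string, allowlist []string, resolve Resolver) (bool, string) {
	name := Normalize(ref)
	pinned := name // repo@digest of what would be fetched
	if !strings.Contains(name, "@") {
		if digest, ok := resolve[name]; ok {
			pinned = name[:strings.LastIndex(name, ":")] + "@" + digest
		}
	}
	for _, entry := range allowlist {
		switch {
		case strings.HasSuffix(entry, "*"):
			if strings.HasPrefix(name, strings.TrimSuffix(entry, "*")) {
				return true, entry
			}
		case strings.Contains(entry, "@"):
			if pinned == entry {
				return true, entry
			}
		default:
			if name == entry {
				return true, entry
			}
		}
	}
	return false, ""
}

func main() {
	// Constructed registry contents; the first digest is the one shown on the page.
	resolve := Resolver{
		"ghcr.io/inspektor-gadget/gadget/trace_exec:latest": "sha256:e13e3859be5ed8cef676a720274480d2748f66fd98cf8d963af6c4c05121526f",
		"ghcr.io/your-repo/gadget/your_gadget:latest":       "sha256:digest_of_your_gadget", // placeholder, as on the page
	}
	byDigest := ParseAllowlist("ghcr.io/inspektor-gadget/gadget/trace_exec@sha256:e13e3859be5ed8cef676a720274480d2748f66fd98cf8d963af6c4c05121526f,ghcr.io/your-repo/gadget/your_gadget@sha256:digest_of_your_gadget")
	byTag := ParseAllowlist("ghcr.io/inspektor-gadget/gadget/trace_exec:latest,ghcr.io/your-repo/gadget/your_gadget:latest")
	byPrefix := ParseAllowlist("ghcr.io/inspektor-gadget/gadget/trace_*,ghcr.io/your-repo/gadget/*")

	for _, c := range []struct {
		mode string
		list []string
		ref  string
	}{
		{"digest", byDigest, "trace_exec"},
		{"digest", byDigest, "trace_open"},
		{"tag", byTag, "ghcr.io/inspektor-gadget/gadget/trace_exec:v0.32.0"},
		{"prefix", byPrefix, "top_file"},
		{"prefix", byPrefix, "ghcr.io/your-repo/gadget/your_gadget"},
	} {
		ok, by := Allowed(c.ref, c.list, resolve)
		fmt.Printf("%-6s %-55s allowed=%-5v entry=%s\n", c.mode, c.ref, ok, by)
	}
}
```

Running it reproduces the page's decisions: trace_exec is admitted by the digest entry because the resolved content matches, trace_exec:v0.32.0 is refused by the tag allowlist even though the name matches, and top_file is refused by the trace_* prefix. The Resolver also makes the tag caveat concrete: if the registry moved trace_exec:latest to a different digest, the tag allowlist would still admit it while the digest allowlist would not.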