diff --git a/helm-chart/Chart.yaml b/helm-chart/Chart.yaml index 4efb7d57c..0e0cff10c 100644 --- a/helm-chart/Chart.yaml +++ b/helm-chart/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: kubeshark -version: "53.2.3" +version: "53.2.5" description: The API Traffic Analyzer for Kubernetes home: https://kubeshark.com keywords: diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index 4b8906c9e..302bafc2b 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml @@ -188,7 +188,7 @@ tap: streamingType: connect-rpc completeStreamingEnabled: true clusterWideMapEnabled: false - entriesLimit: 300000 + entriesLimit: "300000" telemetry: enabled: true resourceGuard: diff --git a/manifests/complete.yaml b/manifests/complete.yaml index b89040190..b55991a39 100644 --- a/manifests/complete.yaml +++ b/manifests/complete.yaml @@ -4,10 +4,10 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm name: kubeshark-hub-network-policy namespace: default @@ -33,10 +33,10 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-front-network-policy 
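Review bot: `tap.entriesLimit` changes type from integer to string in the helm-chart/values.yaml hunk, and nothing in the file says why or what overrides must now look like. Presumably the quoting is there so the chart renders the value verbatim into a string-typed env var; the rendered manifest later in this commit shows `REACT_APP_ENTRIES_LIMIT` with `value: '300000'`. An override such as `--set tap.entriesLimit=500000` would reintroduce a number, and any schema or template that treats the field as an integer would now receive a string. A comment above the key would make the contract explicit, for example `# string on purpose: rendered into env vars; override with --set-string`. The `tap:` mapping starts and continues outside the hunk, so other consumers of this key are not visible here.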
@@ -60,10 +60,10 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-dex-network-policy @@ -87,10 +87,10 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-worker-network-policy @@ -116,10 +116,10 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm name: kubeshark-service-account namespace: default @@ -132,10 +132,10 @@ metadata: namespace: default labels: app.kubeshark.com/app: hub - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm stringData: LICENSE: '' @@ -151,10 +151,10 @@ metadata: namespace: default labels: app.kubeshark.com/app: hub - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm stringData: AUTH_SAML_X509_CRT: | 
@@ -167,10 +167,10 @@ metadata: namespace: default labels: app.kubeshark.com/app: hub - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm stringData: AUTH_SAML_X509_KEY: | @@ -182,10 +182,10 @@ metadata: name: kubeshark-nginx-config-map namespace: default labels: - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm data: default.conf: | @@ -252,10 +252,10 @@ metadata: namespace: default labels: app.kubeshark.com/app: hub - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm data: POD_REGEX: '.*' @@ -293,7 +293,7 @@ data: TIMEZONE: ' ' CLOUD_LICENSE_ENABLED: 'true' DUPLICATE_TIMEFRAME: '200ms' - ENABLED_DISSECTORS: 'amqp,dns,http,icmp,kafka,mongodb,redis,ws,ldap,radius,diameter,udp-flow,tcp-flow,udp-conn,tcp-conn' + ENABLED_DISSECTORS: 'amqp,dns,http,icmp,kafka,mongodb,mysql,postgresql,redis,ws,ldap,radius,diameter,udp-flow,tcp-flow,udp-conn,tcp-conn' CUSTOM_MACROS: '{"https":"tls and (http or http2)"}' DISSECTORS_UPDATING_ENABLED: 'true' SNAPSHOTS_UPDATING_ENABLED: 'true' 
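Review bot: Adding `mysql` and `postgresql` to the default `ENABLED_DISSECTORS` in this ConfigMap widens what is captured out of the box to database traffic, and the commit does not flag that anywhere an operator would see it. The reference documentation added in the same commit describes `mysql_query` as the full SQL query text, so statements that carry credentials or personal data could end up stored and queryable unless the list is trimmed. The same default appears in the next hunk's `PORT_MAPPING` (`"mysql":[3306],"postgresql":[5432]`), and `postgresql` gets no variables section in the documentation hunks. This file looks like rendered chart output, so the caveat presumably belongs next to the chart's dissector defaults, as a comment such as `# mysql/postgresql dissectors record query text; remove them where SQL may carry secrets or PII`.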
@@ -303,7 +303,7 @@ data: PCAP_TIME_INTERVAL: '1m' PCAP_MAX_TIME: '1h' PCAP_MAX_SIZE: '500MB' - PORT_MAPPING: '{"amqp":[5671,5672],"diameter":[3868],"http":[80,443,8080],"kafka":[9092],"ldap":[389],"mongodb":[27017],"redis":[6379]}' + PORT_MAPPING: '{"amqp":[5671,5672],"diameter":[3868],"http":[80,443,8080],"kafka":[9092],"ldap":[389],"mongodb":[27017],"mysql":[3306],"postgresql":[5432],"redis":[6379]}' RAW_CAPTURE_ENABLED: 'true' RAW_CAPTURE_STORAGE_SIZE: '1Gi' --- @@ -312,10 +312,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm name: kubeshark-cluster-role-default namespace: default @@ -359,10 +359,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm name: kubeshark-cluster-role-binding-default namespace: default @@ -380,10 +380,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-self-config-role 
@@ -439,10 +439,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm annotations: name: kubeshark-self-config-role-binding @@ -462,10 +462,10 @@ kind: Service metadata: labels: app.kubeshark.com/app: hub - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm name: kubeshark-hub namespace: default @@ -483,10 +483,10 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm name: kubeshark-front namespace: default @@ -504,10 +504,10 @@ kind: Service apiVersion: v1 metadata: labels: - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm annotations: prometheus.io/scrape: 'true' @@ -517,10 +517,10 @@ metadata: spec: selector: app.kubeshark.com/app: worker - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm ports: - name: metrics 
@@ -533,10 +533,10 @@ kind: Service apiVersion: v1 metadata: labels: - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm annotations: prometheus.io/scrape: 'true' @@ -546,10 +546,10 @@ metadata: spec: selector: app.kubeshark.com/app: hub - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm ports: - name: metrics @@ -564,10 +564,10 @@ metadata: labels: app.kubeshark.com/app: worker sidecar.istio.io/inject: "false" - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm name: kubeshark-worker-daemon-set namespace: default @@ -581,10 +581,10 @@ spec: metadata: labels: app.kubeshark.com/app: worker - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm name: kubeshark-worker-daemon-set namespace: kubeshark @@ -805,10 +805,10 @@ kind: Deployment metadata: labels: app.kubeshark.com/app: hub - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm name: kubeshark-hub namespace: default 
@@ -823,10 +823,10 @@ spec: metadata: labels: app.kubeshark.com/app: hub - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm spec: dnsPolicy: ClusterFirstWithHostNet @@ -936,10 +936,10 @@ kind: Deployment metadata: labels: app.kubeshark.com/app: front - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm name: kubeshark-front namespace: default @@ -954,10 +954,10 @@ spec: metadata: labels: app.kubeshark.com/app: front - helm.sh/chart: kubeshark-53.2.3 + helm.sh/chart: kubeshark-53.2.5 app.kubernetes.io/name: kubeshark app.kubernetes.io/instance: kubeshark - app.kubernetes.io/version: "53.2.3" + app.kubernetes.io/version: "53.2.5" app.kubernetes.io/managed-by: Helm spec: containers: @@ -1006,6 +1006,8 @@ spec: value: 'false' - name: REACT_APP_RAW_CAPTURE_ENABLED value: 'true' + - name: REACT_APP_ENTRIES_LIMIT + value: '300000' - name: REACT_APP_SENTRY_ENABLED value: 'false' - name: REACT_APP_SENTRY_ENVIRONMENT diff --git a/skills/kfl/SKILL.md b/skills/kfl/SKILL.md index 466424627..06b3dbbb1 100644 --- a/skills/kfl/SKILL.md +++ b/skills/kfl/SKILL.md 
@@ -88,13 +88,15 @@ filter term — they're fast and narrow the search space immediately. |------|----------|------|----------| | `http` | HTTP/1.1, HTTP/2 | `redis` | Redis | | `dns` | DNS | `kafka` | Kafka | -| `tls` | TLS/SSL | `amqp` | AMQP | +| `tls` | eBPF TLS interception | `amqp` | AMQP | | `tcp` | TCP | `ldap` | LDAP | | `udp` | UDP | `ws` | WebSocket | | `sctp` | SCTP | `gql` | GraphQL (v1+v2) | | `icmp` | ICMP | `gqlv1` / `gqlv2` | GraphQL version-specific | -| `radius` | RADIUS | `conn` / `flow` | L4 connection/flow tracking | -| `diameter` | Diameter | `tcp_conn` / `udp_conn` | Transport-specific connections | +| `grpc` | gRPC (HTTP/2 sub-protocol) | `mongodb` | MongoDB | +| `mysql` | MySQL | `radius` | RADIUS | +| `diameter` | Diameter | `conn` / `flow` | L4 connection/flow tracking | +| | | `tcp_conn` / `udp_conn` | Transport-specific connections | ## Kubernetes Context @@ -112,6 +114,17 @@ dst.service.namespace == "payments" Pod fields fall back to service data when pod info is unavailable, so `dst.pod.namespace` works even for service-level entries. +### Summary Name and Namespace + +Convenience variables that pick the best available identity for a peer: + +``` +src.name == "api-gateway" // pod > service > dns > process +dst.name.contains("payment") // works across identity types +src.namespace == "production" // pod namespace, falls back to service +dst.namespace != "kube-system" // exclude system namespace +``` + ### Aggregate Collections Match against any direction (src or dst): 
@@ -192,8 +205,14 @@ http && request.headers["content-type"] == "application/json" // GraphQL (subset of HTTP) gql && method == "POST" && status_code >= 400 + +// Only eBPF-intercepted TLS traffic (decrypted HTTPS) +tls && http && status_code >= 500 ``` +> **Note on `tls`**: The `tls` flag is an alias for `capture_source == "ebpf_tls"`. +> It indicates traffic captured via eBPF TLS interception, not TLS protocol dissection. + ## DNS Filtering DNS issues are often the hidden root cause of outages. @@ -235,6 +254,40 @@ kafka && kafka_request_summary.contains("orders") // Topic filtering kafka && kafka_size > 10000 // Large messages ``` +### MongoDB + +``` +mongodb && mongodb_command == "find" // Find operations +mongodb && mongodb_collection == "users" // Collection filtering +mongodb && mongodb_database == "mydb" // Database filtering +mongodb && !mongodb_success // Failed operations +mongodb && mongodb_error_code != 0 // Error code filtering +mongodb && mongodb_total_size > 10000 // Large operations +``` + +### MySQL + +``` +mysql && mysql_command == "COM_QUERY" // SQL queries +mysql && mysql_query.contains("SELECT") // SELECT statements +mysql && mysql_database == "orders_db" // Database filtering +mysql && !mysql_success // Failed queries +mysql && mysql_error_code != 0 // Error code filtering +mysql && mysql_total_size > 10000 // Large queries +``` + +### gRPC + +gRPC is a sub-protocol of HTTP/2. All HTTP variables are also available on gRPC entries. + +``` +grpc && grpc_method == "SayHello" // Method filtering +grpc && grpc_status != 0 // Non-OK status codes +grpc && grpc_status == 14 // UNAVAILABLE +grpc && grpc_method.contains("Create") // Method pattern +grpc && elapsed_time > 1000000 // Slow gRPC calls (>1s) +``` + ### AMQP, LDAP, RADIUS, Diameter ``` 
@@ -288,7 +341,7 @@ dst.port >= 8000 && dst.port <= 9000 timestamp > timestamp("2026-03-14T22:00:00Z") timestamp >= timestamp("2026-03-14T22:00:00Z") && timestamp <= timestamp("2026-03-14T23:00:00Z") timestamp > now() - duration("5m") // Last 5 minutes -elapsed_time > 2000000 // Older than 2 seconds +elapsed_time > 2000000 // Latency > 2 seconds ``` ## Building Filters: Progressive Narrowing diff --git a/skills/kfl/references/kfl2-reference.md b/skills/kfl/references/kfl2-reference.md index 45b49128c..18d8599a7 100644 --- a/skills/kfl/references/kfl2-reference.md +++ b/skills/kfl/references/kfl2-reference.md @@ -39,7 +39,7 @@ These are the variables you'll reach for in 90% of investigations: | `index` | int | Entry index for stream uniqueness | | `stream` | string | Stream identifier (hex string) | | `timestamp` | timestamp | Event time (UTC), use with `timestamp()` function | -| `elapsed_time` | int | Age since timestamp in microseconds | +| `elapsed_time` | int | Response-request latency in microseconds | | `worker` | string | Worker identifier | ## Cross-Reference Variables 
@@ -67,13 +67,15 @@ Boolean variables indicating detected protocol. Use as first filter term for per |----------|----------|----------|----------| | `http` | HTTP/1.1, HTTP/2 | `redis` | Redis | | `dns` | DNS | `kafka` | Kafka | -| `tls` | TLS/SSL handshake | `amqp` | AMQP messaging | +| `tls` | eBPF TLS interception | `amqp` | AMQP messaging | | `tcp` | TCP transport | `ldap` | LDAP directory | | `udp` | UDP transport | `ws` | WebSocket | | `sctp` | SCTP streaming | `gql` | GraphQL (v1 or v2) | | `icmp` | ICMP | `gqlv1` | GraphQL v1 only | -| `radius` | RADIUS auth | `gqlv2` | GraphQL v2 only | -| `diameter` | Diameter | `conn` | L4 connection tracking | +| `grpc` | gRPC (HTTP/2 sub-protocol) | `gqlv2` | GraphQL v2 only | +| `mongodb` | MongoDB | `mysql` | MySQL | +| `radius` | RADIUS auth | `diameter` | Diameter | +| | | `conn` | L4 connection tracking | | `flow` | L4 flow tracking | `tcp_conn` | TCP connection tracking | | `tcp_flow` | TCP flow tracking | `udp_conn` | UDP connection tracking | | `udp_flow` | UDP flow tracking | | | @@ -123,7 +125,7 @@ Supported question types: A, AAAA, NS, CNAME, SOA, MX, TXT, SRV, PTR, ANY. | Variable | Type | Description | Example | |----------|------|-------------|---------| -| `tls` | bool | TLS payload detected | | +| `tls` | bool | eBPF TLS interception (alias for `capture_source == "ebpf_tls"`) | | | `tls_summary` | string | TLS handshake summary | `"ClientHello"`, `"ServerHello"` | | `tls_info` | string | TLS connection details | `"TLS 1.3, AES-256-GCM"` | | `tls_request_size` | int | TLS request size in bytes | | 
@@ -263,6 +265,55 @@ Supported question types: A, AAAA, NS, CNAME, SOA, MX, TXT, SRV, PTR, ANY. | `diameter_response_length` | int | Response size (0 if absent) | | `diameter_total_size` | int | Sum of request + response | +## MongoDB Variables + +| Variable | Type | Description | Example | +|----------|------|-------------|---------| +| `mongodb` | bool | MongoDB payload detected | | +| `mongodb_command` | string | Operation type | `"find"`, `"insert"`, `"update"`, `"delete"` | +| `mongodb_database` | string | Database name | `"mydb"` | +| `mongodb_collection` | string | Collection name | `"users"` | +| `mongodb_opcode` | string | Operation opcode name | | +| `mongodb_request_size` | int | Request size in bytes | | +| `mongodb_response_size` | int | Response size in bytes | | +| `mongodb_total_size` | int | Combined request + response size | | +| `mongodb_success` | bool | Operation success status | | +| `mongodb_error_code` | int | Error code | | +| `mongodb_error_message` | string | Error description | | +| `mongodb_error_code_name` | string | Named error code | | + +**Example**: `mongodb && mongodb_command == "find" && mongodb_collection == "users"` + +## MySQL Variables + +| Variable | Type | Description | Example | +|----------|------|-------------|---------| +| `mysql` | bool | MySQL payload detected | | +| `mysql_command` | string | SQL command name | `"COM_QUERY"`, `"COM_STMT_PREPARE"` | +| `mysql_query` | string | Full SQL query text | `"SELECT * FROM users"` | +| `mysql_database` | string | Active database name | `"orders_db"` | +| `mysql_statement_id` | int | Prepared statement identifier | | +| `mysql_request_size` | int | Request payload size in bytes | | +| `mysql_response_size` | int | Response payload size in bytes | | +| `mysql_total_size` | int | Combined request + response size | | +| `mysql_success` | bool | Response OK status | | +| `mysql_error_code` | int | MySQL error code | | +| `mysql_error_message` | string | Error description | | + 
+**Example**: `mysql && mysql_query.contains("SELECT") && !mysql_success` + +## gRPC Variables + +gRPC is a sub-protocol of HTTP/2. When `grpc` is true, all HTTP variables are also available. + +| Variable | Type | Description | Example | +|----------|------|-------------|---------| +| `grpc` | bool | gRPC payload detected | | +| `grpc_method` | string | Trailing method name from gRPC :path | `"SayHello"` (from `/helloworld.Greeter/SayHello`) | +| `grpc_status` | int | gRPC status code from Grpc-Status trailer | `0`=OK, `5`=NOT_FOUND, `14`=UNAVAILABLE; `-1` on non-gRPC | + +**Example**: `grpc && grpc_status != 0 && grpc_method.contains("Create")` + ## L4 Connection Tracking Variables | Variable | Type | Description | Example | @@ -320,6 +371,15 @@ even when only service-level resolution exists. **Example**: `src.service.name == "api-gateway" && dst.pod.namespace == "production"` +### Summary Name and Namespace + +| Variable | Type | Description | +|----------|------|-------------| +| `src.name` | string | Worker-enriched summary name of source (pod > service > dns > process) | +| `dst.name` | string | Worker-enriched summary name of destination | +| `src.namespace` | string | Source namespace with service fallback | +| `dst.namespace` | string | Destination namespace with service fallback | + ### Aggregate Collections (Non-Directional) | Variable | Type | Description |