metrics: add tags support

[tixxdz]

Tracing policies now support optional 'tags' https://tetragon.io/docs/concepts/tracing-policy/tags/, https://tetragon.io/docs/reference/grpc-api/#processkprobe including tracepoint and uprobes.

Tags are used to categorize generated events. Right now we give some examples of tags in the docs, and we will soon start to add tags to our tracing policies something like:

• 'observability.privilege_escalation' 'observability.x' for observability.
• 'cves', 'cve.x' something like sigma cve tag namespace https://github.com/SigmaHQ/sigma-specification/blob/main/Tags_specification.md#namespace-cve
• 'sandbox.privilege_escalation' for sandbox or enforcement policies.

tags are more stable hence we want to generate metrics as an example the context of 'cves' 'cve.x' or 'observability.privilege_escalation' , etc.

Note: the metrics should work even if we do redaction filters or field filters as they need to be calculate before.

[lambdanis]

IIRC tags can be arbitrary, but if we're putting them in metrics then ideally we should constrain the possible values. Is there a list of standard tag values?

[tixxdz]

IIRC tags can be arbitrary, but if we're putting them in metrics then ideally we should constrain the possible values. Is there a list of standard tag values?

We can define our list, next release I think we will start adding tags to our tracing policies. For arbitrary tags, yes that's the aim we should allow users to set their proper tags to build nicely on top of tetragon, so how about:

• [ ] Print the list of tags inside the https://tetragon.io/docs/reference/metrics/#tetragon_events_total at first, since they are mostly triggered by kprobes policies which should allow to count tags by other post processing tools I presume.
• [ ] Define a way to have that summary in tetragon metrics even if it is not per binary, let's say more by tags and triggered numbers?