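---
# Tetragon TracingPolicy that hooks the execve syscall and records its first
# two arguments (index 0 as a string, index 1 as a string array) for every
# process the selector below lets through.
#
# Coverage caveats for anyone treating this as an audit source:
#   - The matchPIDs selector is an exclusion: operator NotIn with
#     isNamespacePID true and value 1 drops events from PID 1 of a PID
#     namespace, and followForks extends that to its child processes. In a
#     container that is the entrypoint and what it spawns, so this policy
#     does NOT log every execution. Remove the selector if full coverage is
#     the goal and the extra event volume is acceptable.
#   - Only sys_execve is hooked; programs started through execveat(2) are
#     not reported by this policy.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: audit-process-execution
  annotations:
    security-tier: audit-baseline
    # Kept in step with the selector so readers are not told coverage is
    # complete when it is filtered.
    description: "Logs process executions (sys_execve), excluding namespace PID 1 and its forked children."
spec:
  kprobes:
    - call: "sys_execve"
      # syscall: true marks the hook as a system call rather than a plain
      # kernel function symbol.
      syscall: true
      args:
        # Argument 0 of execve: the path of the program being executed.
        - index: 0
          type: "string"
        # Argument 1 of execve: the argv vector.
        # NOTE(review): confirm the installed Tetragon CRD accepts
        # `string_array` as an arg type.
        - index: 1
          type: "string_array"
      selectors:
        - matchPIDs:
            # NotIn + isNamespacePID + followForks: skip PID 1 as seen inside
            # the PID namespace, together with processes forked from it.
            # NOTE(review): verify the exact followForks behaviour against
            # the deployed Tetragon version before relying on what remains.
            - operator: NotIn
              followForks: true
              isNamespacePID: true
              values:
                - 1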