Add an operator to manage TetragonPod resources

Signed-off-by: Prateek Singh <prateeksingh9741@gmail.com>
Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>

docs/content/en/docs/reference/helm-chart.md

@@ -98,7 +98,9 @@ To use [the values available](#values), with `helm install` or `helm upgrade`, u
 | tetragon.resources | object | `{}` |  |
 | tetragon.securityContext.privileged | bool | `true` |  |
 | tetragonOperator.enabled | bool | `true` | Enable the tetragon-operator component (required). |
-| tetragonOperator.image | object | `{"override":null,"repository":"quay.io/cilium/tetragon-operator","suffix":"","tag":"v0.10.0"}` | tetragon-operator image. |
+| tetragonOperator.image | object | `{"override":null,"repository":"quay.io/cilium/tetragon-operator","skipTetragonPodCRD":false,"suffix":"","tag":"v0.10.0"}` | tetragon-operator image. |
+| tetragonPod.enabled | bool | `false` |  |
+| tetragonPod.image | object | `{"override":null,"repository":"quay.io/cilium/tetragon-operator","tag":"v0.8.3"}` | tetragon-operator image. |
 | tolerations[0].operator | string | `"Exists"` |  |
 | updateStrategy | object | `{}` |  |
 

go.mod

@@ -48,6 +48,7 @@ require (
 	k8s.io/client-go v0.27.4
 	k8s.io/code-generator v0.27.4
 	k8s.io/klog/v2 v2.100.1
+	sigs.k8s.io/controller-runtime v0.15.0
 	sigs.k8s.io/controller-tools v0.12.1
 	sigs.k8s.io/e2e-framework v0.2.0
 	sigs.k8s.io/yaml v1.3.0
@@ -77,6 +78,7 @@ require (
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-logr/zapr v1.2.4 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-openapi/analysis v0.21.4 // indirect
 	github.com/go-openapi/errors v0.20.4 // indirect
@@ -164,17 +166,18 @@ require (
 	golang.org/x/term v0.10.0 // indirect
 	golang.org/x/text v0.11.0 // indirect
 	golang.org/x/tools v0.11.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230526203410-71b5a4ffd15e // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/component-base v0.27.4 // indirect
 	k8s.io/gengo v0.0.0-20230306165830-ab3349d207d4 // indirect
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
 	k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 // indirect
-	sigs.k8s.io/controller-runtime v0.15.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )

go.sum

@@ -61,6 +61,7 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
+github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -165,6 +166,7 @@ github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbV
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo=
+github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-openapi/analysis v0.21.2/go.mod h1:HZwRk4RRisyG8vx2Oe6aqeSQcoxRp47Xkp3+K6q+LdY=
@@ -634,11 +636,14 @@ go.opentelemetry.io/otel/metric v1.16.0/go.mod h1:QE47cpOmkwipPiefDwo2wDzwJrlfxx
 go.opentelemetry.io/otel/sdk v1.14.0 h1:PDCppFRDq8A1jL9v6KMI6dYesaq+DFcDZvjsoGvxGzY=
 go.opentelemetry.io/otel/trace v1.16.0 h1:8JRpaObFoW0pxuVPapkgH8UhHQj+bJW8jJsCZEu5MQs=
 go.opentelemetry.io/otel/trace v1.16.0/go.mod h1:Yt9vYq1SdNz3xdjZZK7wcXv1qv2pwLkqr2QVwea0ef0=
+go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/dig v1.17.0 h1:5Chju+tUvcC+N7N6EV08BJz41UZuO3BmHcN4A287ZLI=
 go.uber.org/dig v1.17.0/go.mod h1:rTxpf7l5I0eBTlE6/9RL+lDybC7WFwY2QH55ZSjy1mU=
+go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
+go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
@@ -895,6 +900,7 @@ golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
+golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.11.0 h1:EMCa6U9S2LtZXLAMoWiR/R8dAQFRqbAitmbJ2UKhoi8=
 golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8=
@@ -903,6 +909,7 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc=
+gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -1050,6 +1057,8 @@ k8s.io/client-go v0.27.4 h1:vj2YTtSJ6J4KxaC88P4pMPEQECWMY8gqPqsTgUKzvjk=
 k8s.io/client-go v0.27.4/go.mod h1:ragcly7lUlN0SRPk5/ZkGnDjPknzb37TICq07WhI6Xc=
 k8s.io/code-generator v0.27.4 h1:bw2xFEBnthhCSC7Bt6FFHhPTfWX21IJ30GXxOzywsFE=
 k8s.io/code-generator v0.27.4/go.mod h1:DPung1sI5vBgn4AGKtlPRQAyagj/ir/4jI55ipZHVww=
+k8s.io/component-base v0.27.4 h1:Wqc0jMKEDGjKXdae8hBXeskRP//vu1m6ypC+gwErj4c=
+k8s.io/component-base v0.27.4/go.mod h1:hoiEETnLc0ioLv6WPeDt8vD34DDeB35MfQnxCARq3kY=
 k8s.io/gengo v0.0.0-20230306165830-ab3349d207d4 h1:aClvVG6GbX10ISHcc24J+tqbr0S7fEe1MWkFJ7cWWCI=
 k8s.io/gengo v0.0.0-20230306165830-ab3349d207d4/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=

install/kubernetes/README.md

@@ -81,7 +81,9 @@ Helm chart for Tetragon
 | tetragon.resources | object | `{}` |  |
 | tetragon.securityContext.privileged | bool | `true` |  |
 | tetragonOperator.enabled | bool | `true` | Enable the tetragon-operator component (required). |
-| tetragonOperator.image | object | `{"override":null,"repository":"quay.io/cilium/tetragon-operator","suffix":"","tag":"v0.10.0"}` | tetragon-operator image. |
+| tetragonOperator.image | object | `{"override":null,"repository":"quay.io/cilium/tetragon-operator","skipTetragonPodCRD":false,"suffix":"","tag":"v0.10.0"}` | tetragon-operator image. |
+| tetragonPod.enabled | bool | `false` |  |
+| tetragonPod.image | object | `{"override":null,"repository":"quay.io/cilium/tetragon-operator","tag":"v0.8.3"}` | tetragon-operator image. |
 | tolerations[0].operator | string | `"Exists"` |  |
 | updateStrategy | object | `{}` |  |
 

install/kubernetes/templates/_container_tetragon.tpl

@@ -82,5 +82,7 @@
 - name: {{ include "container.tetragon.name" . }}-operator
   image: "{{ if .Values.tetragonOperator.image.override }}{{ .Values.tetragonOperator.image.override }}{{ else }}{{ .Values.tetragonOperator.image.repository }}{{ .Values.tetragonOperator.image.suffix }}:{{ .Values.tetragonOperator.image.tag }}{{ end }}"
   imagePullPolicy: {{ .Values.imagePullPolicy }}
+  args:
+    - "--skip-tetragon-pod-crd={{ .Values.tetragonOperator.skipTetragonPodCRD }}"
 {{- end }}
 {{- end -}}

install/kubernetes/templates/_helpers.tpl

@@ -7,6 +7,9 @@ Create chart name and version as used by the chart label.
 {{- define "tetragon-operator.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
+{{- define "tetragonPod-controller.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
 
 {{/*
 Common labels
@@ -21,6 +24,11 @@ helm.sh/chart: {{ include "tetragon-operator.chart" . }}
 {{ include "tetragon-operator.selectorLabels" . }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
+{{- define "tetragonPod-controller.labels" -}}
+helm.sh/chart: {{ include "tetragonPod-controller.chart" . }}
+{{ include "tetragonPod-controller.selectorLabels" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
 
 {{/*
 Selector labels
@@ -33,6 +41,10 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/name: "tetragon-operator"
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+{{- define "tetragonPod-controller.selectorLabels" -}}
+app.kubernetes.io/name: "tetragonPod-controller"
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
 
 {{- define "container.export.stdout.name" -}}
 {{- print "export-stdout" -}}

install/kubernetes/templates/clusterrole.yaml

@@ -44,6 +44,7 @@ rules:
     resourceNames:
       - tracingpolicies.cilium.io
       - tracingpoliciesnamespaced.cilium.io
+      - tetragonpods.cilium.io
     verbs:
       - update
       - get

install/kubernetes/templates/deployment.yaml

@@ -0,0 +1,50 @@
+{{- if .Values.tetragonPod.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels: 
+    {{- include "tetragonPod-controller.labels" . | nindent 4 }}
+  name: {{ .Chart.Name }}-pod-controller
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "tetragonPod-controller.labels" . | nindent 6 }}
+  replicas: 1
+  template:
+    metadata:
+      labels: 
+        {{- include "tetragonPod-controller.labels" . | nindent 8 }}
+    spec:
+      securityContext:
+        runAsNonRoot: true
+      containers:
+      - name: {{ .Chart.Name }}-pod
+        image: "{{ if .Values.tetragonPod.image.override }}{{ .Values.tetragonPod.image.override }}{{ else }}{{ .Values.tetragonPod.image.repository }}:{{ .Values.tetragonPod.image.tag | default .Chart.AppVersion }}{{ end }}"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - "ALL"
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 10m
+            memory: 64Mi
+      serviceAccountName: {{ .Chart.Name }}-pod-controller-service-account
+      terminationGracePeriodSeconds: 10
+{{- end }}

install/kubernetes/templates/tpclusterrole.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.serviceAccount.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{.Chart.Name}}-pod-controller-role
+  labels:
+  {{- include "tetragonPod-controller.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - cilium.io
+    resources:
+      - tetragonpods
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - cilium.io
+    resources:
+      - tetragonpods/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - cilium.io
+    resources:
+      - tetragonpods/status
+    verbs:
+      - get
+      - patch
+      - update
+{{- end }}

install/kubernetes/templates/tpclusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if and .Values.serviceAccount.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Chart.Name }}-pod-controller-rolebinding
+  labels:
+  {{- include "tetragonPod-controller.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Chart.Name }}-pod-controller-role
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: {{ .Chart.Name }}-pod-controller-service-account
+{{- end }}

install/kubernetes/templates/tpserviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Chart.Name }}-pod-controller-service-account
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "tetragonPod-controller.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

install/kubernetes/values.yaml

@@ -148,6 +148,13 @@ tetragon:
   enablePolicyFilterDebug: false
   # Enable latency monitoring in message handling
   enableMsgHandlingLatency: false
+tetragonPod:
+  enabled: false
+  # -- tetragon-operator image.
+  image:
+    override: ~
+    repository: quay.io/cilium/tetragon-operator
+    tag: v0.8.3
 tetragonOperator:
   # -- Enable the tetragon-operator component (required).
   enabled: true
@@ -158,6 +165,7 @@ tetragonOperator:
     tag: v0.10.0
     # tetragon-operator image-digest
     suffix: ""
+  skipTetragonPodCRD: false
 export:
   # "stdout". "" to disable.
   mode: "stdout"

my-values.yaml

@@ -0,0 +1,16 @@
+tetragonPod:
+  enabled: true
+  image:
+    override: quay.io/cilium/tetragon-operator-ci:812a91f2f8d8f0b71ea81ba5a55890046cc9cd77-podinfo
+<<<<<<< Updated upstream
+tetragonOperator:
+  image:
+    override: quay.io/cilium/tetragon-operator-ci:812a91f2f8d8f0b71ea81ba5a55890046cc9cd77
+=======
+
+tetragonOperator:
+  enabled: true
+  image:
+    override: quay.io/cilium/tetragon-operator-ci:812a91f2f8d8f0b71ea81ba5a55890046cc9cd77
+  skipTetragonPodCRD: false
+>>>>>>> Stashed changes

operator/flags.go

@@ -44,11 +44,14 @@ func initializeFlags() {
 
 	flags.String(operatorOption.KubeCfgPath, "", "Kubeconfig filepath to connect to k8s")
 
+	flags.Bool(operatorOption.SkipTetragonPodCRD, false, "When true, TetragonPod Custom Resource Definition (CRD) will not be created")
+
 	viper.BindPFlags(flags)
 }
 
-// Populate sets all options with the values from viper.
+// configPopulate sets all options with the values from viper.
 func configPopulate() {
 	operatorOption.Config.SkipCRDCreation = viper.GetBool(operatorOption.SkipCRDCreation)
 	operatorOption.Config.KubeCfgPath = viper.GetString(operatorOption.KubeCfgPath)
+	operatorOption.Config.SkipTetragonPodCRD = viper.GetBool(operatorOption.SkipTetragonPodCRD)
 }

operator/main.go

@@ -20,9 +20,10 @@ import (
 	"path/filepath"
 
 	operatorOption "github.com/cilium/tetragon/operator/option"
-	"github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client"
+	ciliumClient "github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client"
 	k8sversion "github.com/cilium/tetragon/pkg/k8s/version"
 	"github.com/cilium/tetragon/pkg/version"
+	tetragonClient "github.com/cilium/tetragon/tetragonpod/api/v1alpha1/client"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 
@@ -53,6 +54,7 @@ var (
 	}
 )
 
+// getConfig is used to get the Kubernetes Config file
 func getConfig() (*rest.Config, error) {
 	if operatorOption.Config.KubeCfgPath != "" {
 		return clientcmd.BuildConfigFromFlags("", operatorOption.Config.KubeCfgPath)
@@ -94,9 +96,20 @@ func operatorExecute() {
 	// Register the CRDs after validating that we are running on a supported
 	// version of K8s.
 	if !operatorOption.Config.SkipCRDCreation {
-		if err := client.RegisterCRDs(k8sAPIExtClient); err != nil {
+
+		log.Info("Registering the CRDs")
+		// Register Tracing Policy CRD
+		if err := ciliumClient.RegisterCRDs(k8sAPIExtClient); err != nil {
 			log.WithError(err).Fatal("Unable to register CRDs")
 		}
+
+		if !operatorOption.Config.SkipTetragonPodCRD {
+			log.Info("Registering the TetragonPod CRD")
+			// Register TetragonPod CRD
+			if err := tetragonClient.RegisterCRD(k8sAPIExtClient); err != nil {
+				log.WithError(err).Fatal("Unable to register TetragonPod CRDs")
+			}
+		}
 	} else {
 		log.Info("Skipping creation of CRDs")
 	}