cilium · mtardy · Jan 22, 2026 · Jan 22, 2026 · Jan 22, 2026 · Jan 21, 2026
@@ -83,6 +83,9 @@ message Filter {
   // Filter by the container name in the process.pod.container field using RE2 regular expression syntax:
   // https://github.com/google/re2/wiki/Syntax
   repeated string container_name_regex = 18;
+  // Filter by the namespace in the process.pod.namespace field using RE2 regular expression syntax:
+  // https://github.com/google/re2/wiki/Syntax
+  repeated string namespace_regex = 19;
 }
 
 // Filter over a set of Linux process capabilities. See `message Capabilities`

@@ -23,27 +23,28 @@ import (
 )
 
 type Opts struct {
-	Output        string
-	Color         string
-	IncludeFields []string
-	EventTypes    []string
-	ExcludeFields []string
-	Namespaces    []string
-	Namespace     []string // deprecated: use Namespaces
-	Processes     []string
-	Process       []string // deprecated: use Processes
-	Pods          []string
-	Pod           []string // deprecated: use Pods
-	Containers    []string
-	Host          bool
-	Timestamps    bool
-	TTYEncode     string
-	StackTraces   bool
-	ImaHash       bool
-	PolicyNames   []string
-	CelExpression []string
-	Reconnect     bool
-	ReconnectWait time.Duration
+	Output         string
+	Color          string
+	IncludeFields  []string
+	EventTypes     []string
+	ExcludeFields  []string
+	Namespaces     []string
+	Namespace      []string // deprecated: use Namespaces
+	Processes      []string
+	Process        []string // deprecated: use Processes
+	Pods           []string
+	Pod            []string // deprecated: use Pods
+	Containers     []string
+	Host           bool
+	Timestamps     bool
+	TTYEncode      string
+	StackTraces    bool
+	ImaHash        bool
+	PolicyNames    []string
+	NamespaceRegex []string
+	CelExpression  []string
+	Reconnect      bool
+	ReconnectWait  time.Duration
 }
 
 var Options Opts
@@ -95,6 +96,9 @@ var GetFilter = func() *tetragon.Filter {
 	if len(Options.PolicyNames) > 0 {
 		filter.PolicyNames = Options.PolicyNames
 	}
+	if len(Options.NamespaceRegex) > 0 {
+		filter.NamespaceRegex = Options.NamespaceRegex
+	}
 	if len(Options.CelExpression) > 0 {
 		filter.CelExpression = Options.CelExpression
 	}
@@ -257,6 +261,7 @@ redirection of events to the stdin. Examples:
 	flags.BoolVar(&Options.StackTraces, "stack-traces", true, "Include stack traces in compact output")
 	flags.BoolVar(&Options.ImaHash, "ima-hash", true, "Include ima hashes in compact output")
 	flags.StringSliceVar(&Options.PolicyNames, "policy-names", nil, "Get events by tracing policy names")
+	flags.StringSliceVar(&Options.NamespaceRegex, "namespace-regex", nil, "Get events by namespace name regex")
 	flags.StringSliceVar(&Options.CelExpression, "cel-expression", nil, "Get events satisfying the CEL expression")
 	flags.BoolVar(&Options.Reconnect, "reconnect", false, "Keep trying to connect even if an error occurred")
 	flags.DurationVar(&Options.ReconnectWait, "reconnect-wait", 2*time.Second, "wait time before attempting to reconnect")

@@ -139,6 +139,7 @@ var Filters = []OnBuildFilter{
 	&AncestorBinaryRegexFilter{},
 	&HealthCheckFilter{},
 	&NamespaceFilter{},
+	&NamespaceRegexFilter{},
 	&PidFilter{},
 	&PidSetFilter{},
 	&EventTypeFilter{},

@@ -0,0 +1,53 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package filters
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+
+	"github.com/cilium/tetragon/api/v1/tetragon"
+	"github.com/cilium/tetragon/pkg/event"
+)
+
+func filterByNamespaceRegex(namespacePatterns []string) (FilterFunc, error) {
+	var namespaces []*regexp.Regexp
+	for _, pattern := range namespacePatterns {
+		query, err := regexp.Compile(pattern)
+		if err != nil {
+			return nil, fmt.Errorf("failed to compile regexp: %w", err)
+		}
+		namespaces = append(namespaces, query)
+	}
+	return func(ev *event.Event) bool {
+		process := GetProcess(ev)
+		if process == nil {
+			return false
+		}
+		if process.Pod == nil {
+			return false
+		}
+		for _, ns := range namespaces {
+			if ns.MatchString(process.Pod.Namespace) {
+				return true
+			}
+		}
+		return false
+	}, nil
+}
+
+type NamespaceRegexFilter struct{}
+
+func (f *NamespaceRegexFilter) OnBuildFilter(_ context.Context, ff *tetragon.Filter) ([]FilterFunc, error) {
+	var fs []FilterFunc
+	if ff.NamespaceRegex != nil {
+		filters, err := filterByNamespaceRegex(ff.NamespaceRegex)
+		if err != nil {
+			return nil, err
+		}
+		fs = append(fs, filters)
+	}
+	return fs, nil
+}
@@ -66,3 +66,102 @@ func TestNamespace(t *testing.T) {
 	ev = event.Event{Event: &tetragon.GetEventsResponse{Event: &tetragon.GetEventsResponse_ProcessExec{ProcessExec: &tetragon.ProcessExec{Process: &tetragon.Process{}}}}}
 	assert.True(t, fl.MatchOne(&ev))
 }
+
+func TestNamespaceRegex(t *testing.T) {
+	f := []*tetragon.Filter{{NamespaceRegex: []string{"test-.*"}}}
+	fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&NamespaceRegexFilter{}})
+	require.NoError(t, err)
+
+	ev := event.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{Process: &tetragon.Process{Pod: &tetragon.Pod{Namespace: "test-app"}}},
+			},
+		},
+	}
+	assert.True(t, fl.MatchOne(&ev), "should match test-app namespace")
+
+	ev = event.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{Process: &tetragon.Process{Pod: &tetragon.Pod{Namespace: "test-system"}}},
+			},
+		},
+	}
+	assert.True(t, fl.MatchOne(&ev), "should match test-system namespace")
+
+	ev = event.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{Process: &tetragon.Process{Pod: &tetragon.Pod{Namespace: "kube-system"}}},
+			},
+		},
+	}
+	assert.False(t, fl.MatchOne(&ev), "should not match kube-system namespace")
+
+	ev = event.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{Process: &tetragon.Process{Pod: &tetragon.Pod{Namespace: "default"}}},
+			},
+		},
+	}
+	assert.False(t, fl.MatchOne(&ev), "should not match default namespace")
+
+	ev = event.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{Process: &tetragon.Process{}},
+			},
+		},
+	}
+	assert.False(t, fl.MatchOne(&ev), "should not match process without pod info")
+
+	ev = event.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{},
+			},
+		},
+	}
+	assert.False(t, fl.MatchOne(&ev), "should not match nil process")
+}
+
+func TestNamespaceRegexMultiplePatterns(t *testing.T) {
+	f := []*tetragon.Filter{{NamespaceRegex: []string{"prod-.*", "staging-.*"}}}
+	fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&NamespaceRegexFilter{}})
+	require.NoError(t, err)
+
+	ev := event.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{Process: &tetragon.Process{Pod: &tetragon.Pod{Namespace: "prod-app"}}},
+			},
+		},
+	}
+	assert.True(t, fl.MatchOne(&ev), "should match prod-app namespace")
+
+	ev = event.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{Process: &tetragon.Process{Pod: &tetragon.Pod{Namespace: "staging-app"}}},
+			},
+		},
+	}
+	assert.True(t, fl.MatchOne(&ev), "should match staging-app namespace")
+
+	ev = event.Event{
+		Event: &tetragon.GetEventsResponse{
+			Event: &tetragon.GetEventsResponse_ProcessExec{
+				ProcessExec: &tetragon.ProcessExec{Process: &tetragon.Process{Pod: &tetragon.Pod{Namespace: "dev-app"}}},
+			},
+		},
+	}
+	assert.False(t, fl.MatchOne(&ev), "should not match dev-app namespace")
+}
+
+func TestNamespaceRegexInvalidPattern(t *testing.T) {
+	f := []*tetragon.Filter{{NamespaceRegex: []string{"[invalid"}}}
+	_, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&NamespaceRegexFilter{}})
+	require.Error(t, err, "should return error for invalid regex")
+}