Skip to content

existing_container

NAME

existing_container - existing container detection and information

DESCRIPTION

Triggered when Tracee detects and analyzes existing containers running on the system. This event provides comprehensive information about discovered containers, including runtime details, container identification, image information, and Kubernetes pod metadata when applicable.

This event is essential for establishing container inventory and understanding the container landscape when Tracee starts monitoring or when new containers are discovered during operation.

EVENT SETS

containers

DATA FIELDS

runtime (string) : The container runtime being used (e.g., Docker, containerd, CRI-O)

container_id (string) : The unique identifier of the container

ctime (uint64) : The creation time of the container

container_image (string) : The container image name and tag

container_image_digest (string) : The cryptographic digest of the container image

container_name (string) : The human-readable name assigned to the container

pod_name (string) : The Kubernetes pod name (if running in Kubernetes)

pod_namespace (string) : The Kubernetes namespace containing the pod

pod_uid (string) : The unique identifier of the Kubernetes pod

pod_sandbox (bool) : Whether this container is a Kubernetes pod sandbox container

DEPENDENCIES

This event is generated by Tracee's container discovery mechanisms and does not depend on specific kernel probes.

USE CASES

  • Container discovery: Discover and catalog existing containers on the system

  • Container security monitoring: Establish security baseline for discovered containers

  • Kubernetes monitoring: Track Kubernetes pod and container relationships

  • Container lifecycle tracking: Track complete container lifecycle from discovery to termination

  • Compliance monitoring: Ensure discovered containers meet security and compliance requirements

  • switch_task_ns: Namespace switching events related to containers
  • cgroup_attach_task: Container process management events
  • init_namespaces: Namespace configuration events
  • Container lifecycle events: Related container management and monitoring events