Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.kguardian.dev/llms.txt

Use this file to discover all available pages before exploring further.

kguardian

kguardian watches pod traffic and syscalls with eBPF, then writes Kubernetes NetworkPolicies, CiliumNetworkPolicies, and seccomp profiles from what it sees — no hand-authored rules.

Docs map

What is kguardian?

A Kubernetes runtime-observability tool that turns the network and syscall behavior of your pods into the policy YAML you would otherwise have to write by hand.

Network Policies

Generate least-privilege network policies from observed pod communication patterns

Seccomp Profiles

Create syscall allowlists based on actual container behavior

eBPF Monitoring

Low-overhead kernel-level visibility without code changes

Live view (polled, ~5s)

Interactive UI that polls the Broker every few seconds to render pod-to-pod traffic

Why kguardian?

Writing Network Policies and Seccomp profiles by hand is tedious and error-prone. kguardian observes your running applications and generates policies automatically in seconds.
Start with a default-deny posture and allow only the exact network paths and syscalls your applications actually use. No guesswork, no over-permissioning.
See exactly how your pods communicate and what system calls they make. The UI polls the Broker every few seconds and renders the latest observed traffic and syscall data.
Export policies as YAML files for review and version control. Perfect for Infrastructure as Code workflows and compliance audits.

How it Works

kguardian consists of four components working together:
1

Controller Monitors

The Controller (Rust + eBPF) runs as a DaemonSet on your nodes, using kernel-level eBPF programs to capture network traffic and syscall activity with minimal overhead.
2

Broker Stores

The Broker (Rust + Actix-web) receives telemetry from controllers and stores it in PostgreSQL, providing a historical view of your workload behavior.
3

CLI Generates

The CLI (kubectl kguardian) queries the broker, analyzes traffic patterns, and generates ready-to-apply Network Policies and Seccomp profiles.
4

UI Visualizes

The UI (React + TypeScript) provides an interactive graph showing pod communication, making it easy to understand complex network topologies.

Quick Example

Generate a Network Policy for a pod in seconds: 
# Install the controller (one-time setup)
helm install kguardian oci://ghcr.io/kguardian-dev/charts/kguardian \
  --namespace kguardian \
  --create-namespace

# Let your app run normally for a few minutes...

# Generate policy from observed traffic
kubectl kguardian gen networkpolicy my-app -n production \
  --output-dir ./policies

# Review and apply
kubectl apply -f ./policies/production-my-app-networkpolicy.yaml
That’s it! You now have a least-privilege network policy based on real runtime behavior.

Supported Resources

✅ Kubernetes NetworkPolicy

Standard K8s resource for ingress/egress rules

✅ Cilium NetworkPolicy

Enhanced policies with L7 visibility (Cilium CNI)

✅ Seccomp Profiles

Linux seccomp-bpf syscall filters

🔜 AppArmor Profiles

Coming soon in future releases

🔜 SELinux Policies

Planned for future versions

🔜 Pod Security Standards

Auto-generate PSS labels and policies

Get Started

Quickstart

Get kguardian running in 5 minutes

Architecture

Understand how components work together

User Guides

Learn to generate security policies

Policy Gallery

See generated policies for nginx, Postgres, Prometheus, and more

Comparison with Other Tools

FeaturekguardianInspektor GadgetSecurity Profiles Operator
Network Policy (K8s)
Network Policy (Cilium)
Seccomp Profile Generation📝
AppArmor Profile Mgmt🔜
Live view (polled, ~5s)
GitOps-friendlyPartial
eBPF-based
kguardian’s unique strength: Generate both Network Policies (K8s + Cilium) and Seccomp profiles from a single eBPF data source with visual exploration via the UI.

Community & Support

GitHub Discussions

Ask questions, share ideas, and get help from the community

Issues & Bugs

Report bugs or request features on GitHub

Contributing

Learn how to contribute to kguardian

Releases

View release notes and download binaries

License

kguardian is licensed under the Business Source License 1.1 (BSL 1.1):
  • Free for development, testing, evaluation, and non-production use
  • Free for non-commercial use
  • ⚠️ Commercial production use requires a commercial license
  • 🔄 Converts to Apache License 2.0 on January 1, 2029
See the LICENSE for full details.

Ready to secure your cluster?

Get started with kguardian in just 5 minutes →