
kubectl kguardian

The kguardian CLI is a kubectl plugin that generates security policies from observed runtime behavior.

Installation

See the Installation Guide for detailed instructions.

Global Flags

Available for all commands:
| Flag | Description | Default |
|------|-------------|---------|
| --kubeconfig | Path to kubeconfig file | $KUBECONFIG or ~/.kube/config |
| --context | Kubernetes context to use | Current context |
| -n, --namespace | Namespace scope | Current namespace |
| --debug | Enable debug logging | false |

Commands

gen networkpolicy

Generate Network Policies from observed traffic

gen seccomp

Generate Seccomp profiles from syscall usage

audit promote

Convert an AuditNetworkPolicy into an enforced networking.k8s.io/v1 NetworkPolicy ready for kubectl apply.

audit promote-cluster

Convert an AuditClusterNetworkPolicy into one NetworkPolicy per matched namespace (namespaces are discovered from the namespaceSelector).

Examples

# Generate network policy for a pod
kubectl kguardian gen networkpolicy my-app -n production

# Generate seccomp for all pods in namespace
kubectl kguardian gen seccomp --all -n staging

# Generate Cilium policies cluster-wide
kubectl kguardian gen netpol -A --type cilium