What is eBPF?

eBPF (extended Berkeley Packet Filter) is a revolutionary Linux kernel technology that allows running custom programs inside the kernel without changing kernel source code or loading kernel modules.

How kguardian Uses eBPF

kguardian attaches eBPF programs to kernel hooks to observe pod behavior:

Network Traffic Monitoring

Hook points:
  • tcp_connect - Outbound TCP connections
  • tcp_sendmsg / tcp_recvmsg - Data transmission
  • udp_sendmsg / udp_recvmsg - UDP traffic
Captured data:
  • Source and destination IP addresses
  • Source and destination ports
  • Protocol (TCP/UDP)
  • Network namespace (to map to containers)

Syscall Monitoring

Hook points:
  • sys_enter_* - Entry to any syscall
  • sys_exit_* - Exit from syscall
Captured data:
  • Syscall name (e.g., open, read, socket)
  • Process ID and container namespace
  • Architecture (x86_64, arm64, etc.)
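
The two hook classes above, shown as an added bpftrace script that is not kguardian's own code: a kprobe on tcp_connect reports the endpoints and network-namespace inode of each outbound IPv4 connection, and the raw sys_enter tracepoint counts syscall entries per process. It assumes bpftrace with kernel headers or BTF, root privileges, and a kernel built with CONFIG_NET_NS so the skc_net.net->ns.inum field resolves.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Added example, not kguardian's own code. Mirrors the two hook classes
 * described above: kprobe:tcp_connect for outbound TCP connections and
 * tracepoint:raw_syscalls:sys_enter for syscall entry.
 * Assumes: bpftrace with kernel headers (or BTF), root privileges, and
 * CONFIG_NET_NS so that skc_net.net->ns.inum resolves.
 */
#include <net/sock.h>

BEGIN
{
  printf("%-16s %-6s %-10s %-15s %s\n",
         "COMM", "PID", "NETNS", "SADDR", "DADDR:DPORT");
}

/* Outbound TCP connection attempt: the socket is passed as arg0 */
kprobe:tcp_connect
{
  $sk = (struct sock *)arg0;
  /* IPv4 only here; AF_INET6 sockets would read skc_v6_daddr instead */
  if ($sk->__sk_common.skc_family == AF_INET) {
    $saddr = ntop($sk->__sk_common.skc_rcv_saddr);
    $daddr = ntop($sk->__sk_common.skc_daddr);
    /* skc_dport is stored in network byte order */
    $dport = bswap($sk->__sk_common.skc_dport);
    /* Network namespace inode: the key that maps a socket to its container */
    $netns = $sk->__sk_common.skc_net.net->ns.inum;
    printf("%-16s %-6d %-10u %-15s %s:%d\n",
           comm, pid, $netns, $saddr, $daddr, $dport);
  }
}

/* Syscall entry: count per (process, syscall number).
 * The number is architecture-specific, which is why a collector that
 * wants syscall names must also record the architecture. */
tracepoint:raw_syscalls:sys_enter
{
  @syscalls[comm, args->id] = count();
}

END
{
  print(@syscalls);
  clear(@syscalls);
}
```

Run it as root (`bpftrace ./example.bt`); connections print as they happen and the syscall counts are dumped on Ctrl-C.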

Why eBPF?

Performance

~1-2% CPU overhead vs 10-20% for proxy-based solutions

Safety

The in-kernel verifier checks every program before it is loaded, so a program can’t crash the kernel

No Changes Required

No code changes, sidecars, or pod restarts needed

Kernel-Level Visibility

See every connection’s endpoints, even when the payload is encrypted, because the hooks sit below the encryption layer
