What is kguardian?

kguardian watches pod traffic and syscalls with eBPF, then writes Kubernetes NetworkPolicies, CiliumNetworkPolicies, and seccomp profiles from what it sees — no hand-authored rules. This is fundamentally different from traditional approaches where you write policies manually and hope they cover what your workloads actually do.

Key Concepts

eBPF-Powered Observability

kguardian uses eBPF (extended Berkeley Packet Filter) technology to observe kernel-level events:
  • Network connections: TCP/UDP socket operations
  • System calls: File access, process creation, etc.
  • Zero code changes: No sidecars, agents, or instrumentation needed

eBPF runs safely in the kernel with minimal overhead (~1-2% CPU), making it perfect for production observability.

Least-Privilege Security

The core principle: allow only what’s actually used. Instead of guessing what your app needs, kguardian:
  1. Observes actual behavior
  2. Generates policies that allow exactly that behavior
  3. Blocks everything else (default-deny)
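
The observe, generate, default-deny loop above, sketched as an added example (not kguardian's own code): it turns a constructed list of observed flows into a Kubernetes NetworkPolicy. The flow record layout, the names `OBSERVED` and `build_policy`, and the assumption that pod peers live in the same namespace are illustrative.

```python
import json

# Constructed sample of observed flows for one pod; the record layout is an
# assumption for this example, not kguardian's actual data model.
OBSERVED = [
    {"direction": "ingress", "peer_labels": {"app": "frontend"}, "protocol": "TCP", "port": 8080},
    {"direction": "ingress", "peer_labels": {"app": "frontend"}, "protocol": "TCP", "port": 8080},
    {"direction": "egress", "peer_labels": {"app": "postgres"}, "protocol": "TCP", "port": 5432},
    {"direction": "egress", "peer_cidr": "10.96.0.10/32", "protocol": "UDP", "port": 53},
]


def _peer(flow):
    # Translate an observed peer into a NetworkPolicy peer selector.
    if "peer_cidr" in flow:
        return {"ipBlock": {"cidr": flow["peer_cidr"]}}
    return {"podSelector": {"matchLabels": flow["peer_labels"]}}


def build_policy(name, namespace, pod_labels, flows):
    """Build a NetworkPolicy that allows only the observed flows."""
    rules = {"ingress": {}, "egress": {}}
    for f in flows:
        peer = _peer(f)
        key = json.dumps(peer, sort_keys=True)  # repeated flows collapse per peer
        entry = rules[f["direction"]].setdefault(key, {"peer": peer, "ports": set()})
        entry["ports"].add((f["protocol"], f["port"]))

    def render(direction, peer_field):
        return [
            {peer_field: [e["peer"]],
             "ports": [{"protocol": p, "port": n} for p, n in sorted(e["ports"])]}
            for _, e in sorted(rules[direction].items())
        ]

    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": pod_labels},
            # Listing both types makes the selected pods default-deny in each
            # direction: traffic not matched by a rule below is dropped.
            "policyTypes": ["Ingress", "Egress"],
            "ingress": render("ingress", "from"),
            "egress": render("egress", "to"),
        },
    }

if __name__ == "__main__":
    print(json.dumps(build_policy("api-observed", "default", {"app": "api"}, OBSERVED), indent=2))
```

An empty observation window yields empty `ingress` and `egress` lists, which isolates the pod completely, so the observation period has to cover the workload's real traffic before the policy is enforced.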

Runtime to Policy Pipeline


eBPF Monitoring

Deep dive into how eBPF observability works

Network Policies

Understanding Kubernetes network policies

Seccomp Profiles

What are seccomp profiles and why they matter

Architecture

See how all components work together