What is kguardian?

kguardian implements observation-based security: it watches what your applications actually do at runtime and generates security policies that match that behavior. This is fundamentally different from the traditional approach, where you write policies by hand and hope they are correct.

Key Concepts

eBPF-Powered Observability

kguardian uses eBPF (extended Berkeley Packet Filter) technology to observe kernel-level events:
  • Network connections: TCP/UDP socket operations
  • System calls: File access, process creation, etc.
  • Zero code changes: No sidecars, agents, or instrumentation needed

eBPF runs safely in the kernel with minimal overhead (~1-2% CPU), making it perfect for production observability.

Least-Privilege Security

The core principle: allow only what’s actually used. Instead of guessing what your app needs, kguardian:
  1. Observes actual behavior
  2. Generates policies that allow exactly that behavior
  3. Blocks everything else (default-deny)
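The three steps above, carried through on a handful of constructed observations, as an added example that is not kguardian's own code: the eBPF probe's output is stood in for by two small in-memory lists (network connections and syscalls), and from them the code emits a default-deny Kubernetes NetworkPolicy and a seccomp profile that allow exactly what was observed. The workload name `checkout`, the peer labels, ports and syscall names are all assumed sample data; the object shapes follow the standard `networking.k8s.io/v1` NetworkPolicy and OCI seccomp JSON formats, not any kguardian-specific schema.

```python
"""Observe -> allow exactly that -> deny the rest, on constructed sample events.

Added example, not kguardian's own code. Event fields, workload names, peers,
ports and syscall names below are assumed sample data.
"""
from __future__ import annotations

import json
from collections import defaultdict

# Constructed sample of what a network probe might report for one pod.
OBSERVED_CONNECTIONS = [
    {"pod": "checkout", "peer_ns": "payments", "peer_app": "gateway", "proto": "TCP", "port": 443},
    {"pod": "checkout", "peer_ns": "payments", "peer_app": "gateway", "proto": "TCP", "port": 443},
    {"pod": "checkout", "peer_ns": "data", "peer_app": "redis", "proto": "TCP", "port": 6379},
    {"pod": "checkout", "peer_ns": "kube-system", "peer_app": "kube-dns", "proto": "UDP", "port": 53},
]
# Constructed sample of syscall observations for the same pod.
OBSERVED_SYSCALLS = [
    {"pod": "checkout", "syscall": "read"},
    {"pod": "checkout", "syscall": "write"},
    {"pod": "checkout", "syscall": "connect"},
    {"pod": "checkout", "syscall": "read"},
    {"pod": "checkout", "syscall": "epoll_wait"},
]


def egress_policy(pod: str, events: list[dict]) -> dict:
    """Build a NetworkPolicy that allows only the observed egress.

    Selecting the pod with policyTypes=[Egress] and an explicit egress list is
    what makes every destination not listed here denied (the default-deny step).
    """
    # Deduplicate repeated observations: one rule per peer, one entry per (proto, port).
    ports_by_peer: dict[tuple[str, str], set[tuple[str, int]]] = defaultdict(set)
    for ev in events:
        if ev["pod"] == pod:
            ports_by_peer[(ev["peer_ns"], ev["peer_app"])].add((ev["proto"], ev["port"]))

    rules = []
    for (ns, app), ports in sorted(ports_by_peer.items()):
        rules.append({
            "to": [{
                "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": ns}},
                "podSelector": {"matchLabels": {"app": app}},
            }],
            "ports": [{"protocol": proto, "port": port} for proto, port in sorted(ports)],
        })
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{pod}-egress"},
        "spec": {
            "podSelector": {"matchLabels": {"app": pod}},
            "policyTypes": ["Egress"],
            "egress": rules,
        },
    }


def seccomp_profile(pod: str, events: list[dict]) -> dict:
    """Build a seccomp profile whose default action rejects any unobserved syscall."""
    names = sorted({ev["syscall"] for ev in events if ev["pod"] == pod})
    return {
        "defaultAction": "SCMP_ACT_ERRNO",  # anything not listed fails with an errno
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": names, "action": "SCMP_ACT_ALLOW"}],
    }


def is_allowed(policy: dict, peer_ns: str, peer_app: str, proto: str, port: int) -> bool:
    """Evaluate the generated policy the way a CNI would: a flow passes only if
    some egress rule matches both its peer selector and one of its ports."""
    for rule in policy["spec"]["egress"]:
        to = rule["to"][0]
        same_ns = to["namespaceSelector"]["matchLabels"]["kubernetes.io/metadata.name"] == peer_ns
        same_app = to["podSelector"]["matchLabels"]["app"] == peer_app
        if same_ns and same_app:
            if any(p["protocol"] == proto and p["port"] == port for p in rule["ports"]):
                return True
    return False


if __name__ == "__main__":
    policy = egress_policy("checkout", OBSERVED_CONNECTIONS)
    print(json.dumps(policy, indent=2))
    print(json.dumps(seccomp_profile("checkout", OBSERVED_SYSCALLS), indent=2))
    # Observed traffic passes; an unobserved port on a known peer is denied by default.
    print(is_allowed(policy, "data", "redis", "TCP", 6379))  # True
    print(is_allowed(policy, "data", "redis", "TCP", 22))    # False
```

The `is_allowed` check is the part worth keeping around: a policy generated from a short observation window will deny anything the window did not capture (a weekly batch job, a failover path), so running recorded flows back through the generated policy before enforcing it is how you catch those gaps without an outage.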

Runtime to Policy Pipeline