What is kguardian?
kguardian implements observation-based security: it watches what your applications actually do at runtime and generates security policies that match that behavior. This is fundamentally different from traditional approaches, where you write policies by hand and hope they are correct.
Key Concepts
eBPF-Powered Observability
kguardian uses eBPF (extended Berkeley Packet Filter) technology to observe kernel-level events:
- Network connections: TCP/UDP socket operations
- System calls: File access, process creation, etc.
- Zero code changes: No sidecars, agents, or instrumentation needed
eBPF runs safely in the kernel with minimal overhead (~1-2% CPU), making it perfect for production observability.
Least-Privilege Security
The core principle: allow only what is actually used. Instead of guessing what your app needs, kguardian:
- Observes actual behavior
- Generates policies that allow exactly that behavior
- Blocks everything else (default-deny)
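The three steps above, as an added illustration that is not kguardian's own code: a constructed list of observed syscalls and connections is turned into a default-deny seccomp profile and a Kubernetes NetworkPolicy that permits only the observed egress. The event shape, the pod labels and the policy name are assumptions made for this example.

```python
# Added illustration (not kguardian's code): from constructed runtime
# observations to a default-deny seccomp profile and a NetworkPolicy.
import json

# Constructed sample of what an eBPF observer might report for one pod.
OBSERVED = [
    {"kind": "syscall", "name": "openat"},
    {"kind": "syscall", "name": "read"},
    {"kind": "syscall", "name": "write"},
    {"kind": "syscall", "name": "openat"},  # repeats are normal at runtime
    {"kind": "net", "proto": "TCP", "dst": "10.0.5.20", "port": 5432},
    {"kind": "net", "proto": "UDP", "dst": "10.96.0.10", "port": 53},
    {"kind": "net", "proto": "TCP", "dst": "10.0.5.20", "port": 5432},
]


def seccomp_profile(events):
    """Allow exactly the observed syscalls; anything else returns EPERM."""
    names = sorted({e["name"] for e in events if e["kind"] == "syscall"})
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": names, "action": "SCMP_ACT_ALLOW"}],
    }


def network_policy(events, name, pod_labels):
    """Default-deny ingress and egress; open only the observed egress flows."""
    flows = sorted({(e["dst"], e["proto"], e["port"])
                    for e in events if e["kind"] == "net"})
    egress = [
        {"to": [{"ipBlock": {"cidr": f"{dst}/32"}}],
         "ports": [{"protocol": proto, "port": port}]}
        for dst, proto, port in flows
    ]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name},
        "spec": {
            "podSelector": {"matchLabels": pod_labels},
            # Listing Ingress with no ingress rules denies all inbound traffic.
            "policyTypes": ["Ingress", "Egress"],
            "egress": egress,
        },
    }


if __name__ == "__main__":
    print(json.dumps(seccomp_profile(OBSERVED), indent=2))
    print(json.dumps(network_policy(OBSERVED, "web-egress", {"app": "web"}), indent=2))
```

Because the profile allows only what was exercised, any code path not run during the observation window (error handlers, periodic jobs, startup syscalls of the runtime) is denied by the generated policy, so the window must cover the application's full behavior before the policy is enforced.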
Runtime to Policy Pipeline
- eBPF Monitoring: Deep dive into how eBPF observability works
- Network Policies: Understanding Kubernetes network policies
- Seccomp Profiles: What seccomp profiles are and why they matter
- Architecture: See how all components work together