kguardian

Kubernetes Security Made Simple - Automatically generate least-privilege Network Policies and Seccomp Profiles using eBPF-powered runtime behavior analysis.

What is kguardian?

kguardian is a Kubernetes security toolkit that observes your applications at runtime using eBPF technology and automatically generates tailored security resources. Say goodbye to manual policy crafting and hello to zero-trust security that adapts to your workloads.

Network Policies

Generate least-privilege network policies from observed pod communication patterns

Seccomp Profiles

Create syscall allowlists based on actual container behavior

eBPF Monitoring

Low-overhead kernel-level visibility without code changes

Real-time Visualization

Interactive UI to explore pod communication and traffic flows

Why kguardian?

Writing Network Policies and Seccomp profiles by hand is tedious and error-prone. kguardian observes your running applications and generates policies automatically in seconds.
Start with a default-deny posture and allow only the exact network paths and syscalls your applications actually use. No guesswork, no over-permissioning.
See exactly how your pods communicate and what system calls they make. The built-in UI provides real-time insights into your cluster’s behavior.
Export policies as YAML files for review and version control. Perfect for Infrastructure as Code workflows and compliance audits.

How it Works

kguardian consists of four components working together:

1. Controller Monitors

The Controller (Rust + eBPF) runs as a DaemonSet on your nodes, using kernel-level eBPF programs to capture network traffic and syscall activity with minimal overhead.

2. Broker Stores

The Broker (Rust + Actix-web) receives telemetry from controllers and stores it in PostgreSQL, providing a historical view of your workload behavior.

3. CLI Generates

The CLI (kubectl kguardian) queries the broker, analyzes traffic patterns, and generates ready-to-apply Network Policies and Seccomp profiles.

4. UI Visualizes

The UI (React + TypeScript) provides an interactive graph showing pod communication, making it easy to understand complex network topologies.

Quick Example

Generate a Network Policy for a pod in seconds:

# Install the controller (one-time setup)
helm install kguardian oci://ghcr.io/kguardian-dev/charts/kguardian \
  --namespace kguardian \
  --create-namespace

# Let your app run normally for a few minutes...

# Generate policy from observed traffic
kubectl kguardian gen networkpolicy my-app -n production \
  --output-dir ./policies

# Review and apply
kubectl apply -f ./policies/production-my-app-networkpolicy.yaml

That’s it! You now have a least-privilege network policy based on real runtime behavior.
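As an added illustration of the CLI step above (not kguardian's own code, and not its telemetry format), this Python sketch shows the core idea: aggregate the observed flows that touch one pod selector and emit a NetworkPolicy that allows only those peers and ports. The flow records, label names and the `<namespace>-<app>-networkpolicy` naming are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of observed flows (illustrative; not kguardian's telemetry format).
OBSERVED_FLOWS = [
    {"src": ("production", {"app": "frontend"}), "dst": ("production", {"app": "my-app"}), "port": 8080, "proto": "TCP"},
    {"src": ("production", {"app": "frontend"}), "dst": ("production", {"app": "my-app"}), "port": 8080, "proto": "TCP"},
    {"src": ("production", {"app": "my-app"}), "dst": ("production", {"app": "postgres"}), "port": 5432, "proto": "TCP"},
    {"src": ("production", {"app": "my-app"}), "dst": ("kube-system", {"k8s-app": "kube-dns"}), "port": 53, "proto": "UDP"},
]

def generate_network_policy(target_ns, target_labels, flows):
    """Aggregate flows touching the target pods into a least-privilege NetworkPolicy.
    Both policyTypes are declared even if a direction is empty, so unobserved traffic is denied."""
    ingress, egress = defaultdict(set), defaultdict(set)
    for f in flows:
        src_ns, src_labels = f["src"]
        dst_ns, dst_labels = f["dst"]
        endpoint = (f["proto"], f["port"])  # a set per peer deduplicates repeated flows
        if (dst_ns, dst_labels) == (target_ns, target_labels):
            ingress[(src_ns, tuple(sorted(src_labels.items())))].add(endpoint)
        elif (src_ns, src_labels) == (target_ns, target_labels):
            egress[(dst_ns, tuple(sorted(dst_labels.items())))].add(endpoint)

    def peer(ns, labels):
        # Same-namespace peers need only a podSelector; cross-namespace peers also
        # need a namespaceSelector, otherwise the rule silently matches nothing.
        sel = {"podSelector": {"matchLabels": dict(labels)}}
        if ns != target_ns:
            sel["namespaceSelector"] = {"matchLabels": {"kubernetes.io/metadata.name": ns}}
        return sel

    def rules(table, direction_key):
        return [
            {direction_key: [peer(ns, labels)],
             "ports": [{"protocol": proto, "port": port} for proto, port in sorted(ports)]}
            for (ns, labels), ports in sorted(table.items())
        ]

    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{target_ns}-{target_labels['app']}-networkpolicy", "namespace": target_ns},
        "spec": {
            "podSelector": {"matchLabels": dict(target_labels)},
            "policyTypes": ["Ingress", "Egress"],
            "ingress": rules(ingress, "from"),
            "egress": rules(egress, "to"),
        },
    }
```

Because the rule set is exactly what was observed, any path not exercised during the observation window (a liveness probe, a nightly job, a failover dependency) is denied once the policy applies, so review the generated YAML against what the workload is known to need before applying it.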

Supported Resources

✅ Kubernetes NetworkPolicy

Standard K8s resource for ingress/egress rules

✅ Cilium NetworkPolicy

Enhanced policies with L7 visibility (Cilium CNI)

✅ Seccomp Profiles

Linux seccomp-bpf syscall filters

🔜 AppArmor Profiles

Coming soon in future releases

🔜 SELinux Policies

Planned for future versions

🔜 Pod Security Standards

Auto-generate PSS labels and policies

Comparison with Other Tools

Feature | kguardian | Inspektor Gadget | Security Profiles Operator
Network Policy (K8s)
Network Policy (Cilium)
Seccomp Profile Generation 📝
AppArmor Profile Mgmt 🔜
Real-time UI
GitOps-friendly Partial
eBPF-based
kguardian’s unique strength: Generate both Network Policies (K8s + Cilium) and Seccomp profiles from a single eBPF data source with visual exploration via the UI.

License

kguardian is licensed under the Business Source License 1.1 (BSL 1.1):
  • Free for development, testing, evaluation, and non-production use
  • Free for non-commercial use
  • ⚠️ Commercial production use requires a commercial license
  • 🔄 Converts to Apache License 2.0 on January 1, 2029
See the LICENSE for full details.
