This guide will help you install kguardian and generate your first security policy.
Prerequisites Before you begin, ensure you have:
Kubernetes v1.19 or later
Linux nodes with kernel 6.2+ (for eBPF support)
kubectl configured and connected to your cluster
Helm v3.0 or later
Or use raw manifests if you prefer
Admin access to install the controller (DaemonSet, RBAC, etc.)
Permission to create resources in your target namespaces
Kernel Version Check: kguardian requires Linux kernel 6.2+ for eBPF functionality. Run uname -r on your nodes to verify.
Step 1: Install the Controller The kguardian controller runs as a DaemonSet and uses eBPF to observe your workloads.
Helm (Recommended)
Specific Version
Custom Values
# Install directly from OCI registry helm install kguardian oci://ghcr.io/kguardian-dev/charts/kguardian \ --namespace kguardian \ --create-namespace \ --wait
The controller will automatically start monitoring pods across your cluster (excluding kube-system and kguardian namespaces by default).
# Install a specific version from OCI registry helm install kguardian oci://ghcr.io/kguardian-dev/charts/kguardian \ --version 1.1.1 \ --namespace kguardian \ --create-namespace \ --wait
# Create a custom values file cat > values.yaml << EOF controller: resources: limits: memory: "512Mi" cpu: "500m" excludedNamespaces: "kube-system,kguardian,monitoring" broker: replicas: 2 persistence: enabled: true size: 10Gi EOF # Install with custom values helm install kguardian oci://ghcr.io/kguardian-dev/charts/kguardian \ --namespace kguardian \ --create-namespace \ --values values.yaml \ --wait
Verify Installation Check that all components are running:
kubectl get pods -n kguardian # Expected output: # NAME READY STATUS RESTARTS AGE # kguardian-controller-xxxxx 1/1 Running 0 2m # kguardian-broker-xxxxxxxxxx-xxxxx 1/1 Running 0 2m # kguardian-ui-xxxxxxxxxx-xxxxx 1/1 Running 0 2m
Step 2: Install the CLI Plugin The kguardian CLI is a kubectl plugin for generating policies.
# Download and install the latest release sh -c "$( curl -fsSL https://raw.githubusercontent.com/kguardian-dev/kguardian/main/scripts/quick-install.sh)" # Verify installation kubectl kguardian --version
# Install via Krew plugin manager kubectl krew install kguardian # Verify installation kubectl kguardian --version
# Download the binary for your platform # Replace {VERSION}, {OS}, and {ARCH} with appropriate values VERSION = "v1.0.0" OS = "linux" # or darwin, windows ARCH = "amd64" # or arm64 curl -LO "https://github.com/kguardian-dev/kguardian/releases/download/${ VERSION }/kguardian-${ OS }-${ ARCH }" # Make it executable and move to PATH chmod +x kguardian- ${ OS } - ${ ARCH } sudo mv kguardian- ${ OS } - ${ ARCH } /usr/local/bin/kubectl-kguardian # Verify installation kubectl kguardian --version
Step 3: Let Your Workloads Run kguardian learns from actual runtime behavior, so let your applications run normally for 5-15 minutes to collect meaningful data.
Deploy Test Workload (Optional)
If you don’t have existing workloads, deploy a simple app: kubectl create deployment nginx --image=nginx:latest kubectl expose deployment nginx --port=80 kubectl run curl-pod --image=curlimages/curl --command -- sleep 3600 # Generate some traffic kubectl exec curl-pod -- curl nginx
Monitor Data Collection
Check that the broker is receiving data: # Port-forward to the broker kubectl port-forward -n kguardian svc/kguardian-broker 9090:9090 & # Check for traffic data (replace 'nginx' with your pod name) curl http://localhost:9090/pod/traffic/name/default/nginx
The longer you let workloads run, the more comprehensive your policies will be.
Step 4: Generate Your First Network Policy Now generate a network policy based on observed traffic:
# Generate policy for a specific pod kubectl kguardian gen networkpolicy nginx -n default \ --output-dir ./policies # View the generated policy cat ./policies/default-nginx-networkpolicy.yaml
apiVersion : networking.k8s.io/v1 kind : NetworkPolicy metadata : name : nginx namespace : default labels : kguardian.dev/managed-by : kguardian kguardian.dev/version : v1.0.0 spec : podSelector : matchLabels : app : nginx policyTypes : - Ingress - Egress ingress : - from : - podSelector : matchLabels : run : curl-pod namespaceSelector : matchLabels : kubernetes.io/metadata.name : default ports : - protocol : TCP port : 80 egress : - to : - namespaceSelector : matchLabels : kubernetes.io/metadata.name : kube-system podSelector : matchLabels : k8s-app : kube-dns ports : - protocol : UDP port : 53
Success! kguardian automatically discovered that your nginx pod receives traffic from the curl-pod on port 80 and makes DNS queries.
Apply the Policy Review the generated policy and apply it:
# Review first (always recommended) kubectl apply --dry-run=client -f ./policies/default-nginx-networkpolicy.yaml # Apply to cluster kubectl apply -f ./policies/default-nginx-networkpolicy.yaml # Verify it's created kubectl get networkpolicies -n default
Step 5: Generate a Seccomp Profile Generate a seccomp profile to restrict syscalls:
# Generate seccomp profile for nginx kubectl kguardian gen seccomp nginx -n default \ --output-dir ./seccomp # View the generated profile cat ./seccomp/default-nginx-seccomp.json
{ "defaultAction" : "SCMP_ACT_ERRNO" , "architectures" : [ "SCMP_ARCH_X86_64" ], "syscalls" : [ { "names" : [ "read" , "write" , "open" , "close" , "stat" ], "action" : "SCMP_ACT_ALLOW" }, { "names" : [ "socket" , "connect" , "accept" , "bind" , "listen" ], "action" : "SCMP_ACT_ALLOW" }, { "names" : [ "mmap" , "munmap" , "brk" , "mprotect" ], "action" : "SCMP_ACT_ALLOW" } ] }
Apply the Seccomp Profile To use the profile, you need to:
Copy to nodes (for local profiles):kubectl cp ./seccomp/default-nginx-seccomp.json \ kguardian-controller-xxxxx:/var/lib/kubelet/seccomp/nginx-profile.json \ -n kguardian
Update your deployment to reference it:apiVersion : v1 kind : Pod metadata : name : nginx spec : securityContext : seccompProfile : type : Localhost localhostProfile : nginx-profile.json containers : - name : nginx image : nginx:latest
Future versions will support automatic seccomp profile management via the Security Profiles Operator.
Next Steps Common Issues
Solution: Ensure your pods have been running and generating traffic for at least 5 minutes. Check broker logs:kubectl logs -n kguardian deployment/kguardian-broker
Controller pods not starting
Solution: Verify kernel version (6.2+) and that nodes support eBPF:kubectl describe pod -n kguardian kguardian-controller-xxxxx
CLI can't connect to broker
Solution: The CLI auto-discovers the broker via port-forwarding. Ensure you have permissions:kubectl auth can-i create pods/portforward -n kguardian
For more troubleshooting, see the Troubleshooting Guide .
Learn more about kguardian's architecture Understand how the components work together →
