Future Supported Resources

Roadmap Overview

kguardian is continuously evolving to support more Kubernetes security resources. This page outlines our plans for future capabilities.

Want to contribute? Check out our GitHub Discussions to participate in roadmap planning or our Contributing Guide to help build these features!

Planned Resources

✅ Network Policies

Status: Generally Available (v1.0.0)

Kubernetes NetworkPolicy
Cilium NetworkPolicy
Cilium ClusterwideNetworkPolicy

✅ Seccomp Profiles

Status: Generally Available (v1.0.0)

OCI seccomp JSON format
Architecture-aware profiles
Customizable default actions

🚧 AppArmor Profiles

Status: In Development (Target: v1.2.0)

Generate from observed file access
Network capability restrictions
Integration with Security Profiles Operator

📋 SELinux Policies

Status: Planned (Target: v1.3.0)

Type enforcement rules
File context generation
Process domain transitions

📋 Pod Security Standards

Status: Planned (Target: v1.4.0)

Auto-generate PSS labels
Compliance validation
Migration recommendations

💡 Resource Quotas & Limits

Status: Under Consideration

Observed CPU/memory usage
Suggested request/limit values
Autoscaling recommendations

AppArmor Profiles (v1.2.0)

Target Release: Q2 2025 Status: In active development

AppArmor provides mandatory access control (MAC) for Linux applications, restricting file access, network capabilities, and more.

Capabilities

File Access Rules

kguardian will observe:

File read/write operations via eBPF (openat, read, write syscalls)
Directory listings and creation
Execution of binaries

Generated rules:

# Allow read access to config files
/etc/nginx/** r,
/etc/ssl/certs/** r,

# Allow write to logs
/var/log/nginx/** w,

# Allow execute for application binary
/usr/sbin/nginx ix,

Network Capabilities

Based on observed network activity:

# Allow TCP connections
network inet stream,

# Allow UDP for DNS
network inet dgram,

Capability Restrictions

Limit Linux capabilities:

# Allow binding to privileged ports
capability net_bind_service,

# Allow changing UID/GID
capability setuid,
capability setgid,

Integration

Export as standalone AppArmor profiles
Integration with Security Profiles Operator
Auto-apply via AppArmorProfile CRD

CLI Usage (Planned)

# Generate AppArmor profile for a pod
kubectl kguardian gen apparmor nginx -n production \
  --output-dir ./apparmor

# View generated profile
cat ./apparmor/production-nginx-apparmor.profile

# Apply via Security Profiles Operator
kubectl apply -f ./apparmor/production-nginx-apparmorprofile.yaml

SELinux Policies (v1.3.0)

Target Release: Q3 2025 Status: Planning phase

SELinux provides fine-grained access control using security contexts and policies.

Capabilities

Type Enforcement

Generate custom SELinux types for pods:

Observe process domains and transitions
File type associations
Network access rules per type

Example policy:

type nginx_t;
type nginx_exec_t;
type nginx_log_t;

# Allow nginx to read config files
allow nginx_t nginx_conf_t:file { read open };

# Allow nginx to write logs
allow nginx_t nginx_log_t:file { write create append };

# Allow nginx to bind to port 80
allow nginx_t http_port_t:tcp_socket name_bind;

File Contexts

Auto-generate file context mappings:

/usr/sbin/nginx     -- gen_context(system_u:object_r:nginx_exec_t,s0)
/etc/nginx(/.*)?       gen_context(system_u:object_r:nginx_conf_t,s0)
/var/log/nginx(/.*)?   gen_context(system_u:object_r:nginx_log_t,s0)

Integration Challenges

SELinux support is complex:

Requires kernel support and enabled enforcement
Policy compilation and loading
Container runtime integration

We’re exploring:

Using udica for container policy generation
CRI-O selinuxOptions integration
Collaboration with SELinux community

Pod Security Standards (v1.4.0)

Target Release: Q4 2025 Status: Research phase

Pod Security Standards define three security profiles: Privileged, Baseline, and Restricted.

Capabilities

Compliance Detection

Analyze observed pod behavior and suggest appropriate PSS level:

Privileged: Uses host namespaces, runs as root, etc.
Baseline: Minimal restrictions, prevents known privilege escalations
Restricted: Hardened, follows current security best practices

Example:

kubectl kguardian audit pss nginx -n production

# Output:
# Pod: nginx
# Current PSS Level: Privileged
# Recommended: Baseline
# Violations:
#   - Running as root (UID 0)
#   - hostNetwork: true
# Suggested fixes:
#   - Set runAsNonRoot: true
#   - Remove hostNetwork

Automatic Labeling

Generate namespace labels for PSS enforcement:

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

Migration Assistance

Help migrate from PSPs or insecure configurations:

Identify pods violating target PSS level
Suggest PodSecurityContext changes
Generate compliant manifests

Resource Recommendations

Status: Under consideration - feedback welcome!

Generate CPU/memory requests and limits based on observed usage.

Concept

kubectl kguardian gen resources nginx -n production \
  --observation-period 7d \
  --percentile 95

# Output: Recommended resource configuration
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    resources:
      requests:
        cpu: "100m"        # 95th percentile observed usage
        memory: "128Mi"
      limits:
        cpu: "500m"        # Max observed + 20% headroom
        memory: "256Mi"

Challenges

Requires metrics-server or Prometheus integration
Observation period must cover peak loads
Needs statistical analysis (percentiles, outliers)
May overlap with VPA (Vertical Pod Autoscaler)

Decision pending: Is this in scope for kguardian, or should we focus on security resources?

Other Ideas

We’re collecting community feedback on:

Falco Rules Generation

Generate runtime security rules from observed behavior

OPA/Gatekeeper Policies

Create admission control policies based on cluster patterns

Service Mesh Policies

Generate Istio/Linkerd AuthorizationPolicies

RBAC Recommendations

Suggest least-privilege RBAC roles

How You Can Help

Vote on Features

Star or comment on GitHub Issues for features you want most.

Share Use Cases

Tell us how you’d use these resources in Discussions.

Contribute Code

Pick up an issue labeled help-wanted or good-first-issue and submit a PR!

Sponsor Development

Commercial licenses help fund feature development. Contact us for enterprise support.

Check out planned features and milestones

See the full release roadmap →

Getting Started

Core Concepts

User Guides

CLI Reference

Advanced

Roadmap

Future Supported Resources

Roadmap Overview

Planned Resources

✅ Network Policies

✅ Seccomp Profiles

🚧 AppArmor Profiles

📋 SELinux Policies

📋 Pod Security Standards

💡 Resource Quotas & Limits

AppArmor Profiles (v1.2.0)

Capabilities

CLI Usage (Planned)

SELinux Policies (v1.3.0)

Capabilities

Pod Security Standards (v1.4.0)

Capabilities

Resource Recommendations

Concept

Challenges

Other Ideas

Falco Rules Generation

OPA/Gatekeeper Policies

Service Mesh Policies

RBAC Recommendations

How You Can Help

Check out planned features and milestones

Getting Started

Core Concepts

User Guides

CLI Reference

Advanced

Roadmap

​Roadmap Overview

​Planned Resources

✅ Network Policies

✅ Seccomp Profiles

🚧 AppArmor Profiles

📋 SELinux Policies

📋 Pod Security Standards

💡 Resource Quotas & Limits

​AppArmor Profiles (v1.2.0)

​Capabilities

​CLI Usage (Planned)

​SELinux Policies (v1.3.0)

​Capabilities

​Pod Security Standards (v1.4.0)

​Capabilities

​Resource Recommendations

​Concept

​Challenges

​Other Ideas

Falco Rules Generation

OPA/Gatekeeper Policies

Service Mesh Policies

RBAC Recommendations

​How You Can Help

Check out planned features and milestones

Roadmap Overview

Planned Resources

AppArmor Profiles (v1.2.0)

Capabilities

CLI Usage (Planned)

SELinux Policies (v1.3.0)

Capabilities

Pod Security Standards (v1.4.0)

Capabilities

Resource Recommendations

Concept

Challenges

Other Ideas

How You Can Help