Show HN: Kubernetes Security Profile Generator Using eBPF

By mrayas
March 16, 2026

Hey HN, I'm Mahesh, and together with Michael Fornaro we built kguardian in our free time because we kept running into the same loop: deploy a workload, figure out what traffic it needs, write a NetworkPolicy from memory, break something in staging. Repeat for seccomp profiles, except now the surface is 400+ Linux syscalls with no good way to know which ones your container uses without just running it and watching.

The gap between what you think your application does and what it actually does at runtime is where security incidents live.

What kguardian does:

- Runs a DaemonSet using eBPF — kernel programs that fire on TCP connections, UDP sends, and syscall entries with ~1-2% CPU overhead
- Attributes every event to the right pod via network namespace inodes — no sidecars, no proxy injection, no application changes
- Detects silently-dropped NetworkPolicy traffic by counting TCP SYN retransmissions — otherwise nearly invisible

Using the UI: `kubectl port-forward svc/kguardian-frontend 5173 -n kguardian`

Open the dashboard, pick a namespace, and you see your actual network topology — not what you declared, what the kernel recorded. Pods are grouped by workload identity. Edges are colored by type: blue for internal traffic, amber for external, red for connections being silently dropped by an existing policy. Each edge is labeled with the top port and protocol (HTTP :80, HTTPS :443, DNS :53, K8s API :6443).

Click any workload → Build Policy → kguardian generates a least-privilege NetworkPolicy YAML in seconds, resolving IPs to pod selectors, deduplicating ClusterIP flows, and scoping egress to exactly what was observed...
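As an added illustration of the "Build Policy" step the post describes (example code written for this page, not kguardian's own implementation): given flows already attributed to pods, a pod inventory and a ClusterIP table, resolve each destination IP to a pod selector, fold ClusterIP and direct-to-endpoint flows onto one rule, and emit an egress-only NetworkPolicy scoped to exactly what was observed. The pod IPs, labels, service VIPs and flow records are all constructed; the `kubernetes.io/metadata.name` namespace label is the real one Kubernetes sets on every namespace.

```python
"""Added example, not kguardian's code: build a least-privilege egress
NetworkPolicy from observed flows, mirroring the post's "Build Policy" step.
The pod inventory, ClusterIP table and flow records are all constructed."""
from collections import defaultdict
import json

# Constructed pod inventory: pod IP -> (namespace, labels); a real collector
# would read this from the Kubernetes API.
PODS = {
    "10.0.1.10": ("shop", {"app": "frontend"}),
    "10.0.1.11": ("shop", {"app": "frontend"}),
    "10.0.2.20": ("shop", {"app": "api"}),
    "10.0.3.30": ("kube-system", {"k8s-app": "kube-dns"}),
}

# Constructed ClusterIP table: service VIP -> (namespace, selector labels).
# A flow to a VIP and a flow to a pod behind it are one logical dependency.
SERVICES = {
    "10.96.0.10": ("kube-system", {"k8s-app": "kube-dns"}),
    "10.96.5.1": ("shop", {"app": "api"}),
}

# Constructed flow records, shaped like a per-node eBPF collector's output:
# (source pod IP, destination IP, destination port, L4 protocol).
FLOWS = [
    ("10.0.1.10", "10.96.5.1", 8080, "TCP"),    # frontend -> api via ClusterIP
    ("10.0.1.11", "10.0.2.20", 8080, "TCP"),    # frontend -> api pod directly
    ("10.0.1.10", "10.96.0.10", 53, "UDP"),     # DNS via the kube-dns VIP
    ("10.0.1.10", "10.0.3.30", 53, "UDP"),      # DNS straight to a kube-dns pod
    ("10.0.1.10", "10.96.0.10", 53, "TCP"),     # DNS over TCP (large answers)
    ("10.0.1.10", "198.51.100.7", 443, "TCP"),  # external HTTPS (TEST-NET-2)
    ("10.0.1.11", "198.51.100.7", 443, "TCP"),  # same dependency, second pod
    ("10.0.2.20", "198.51.100.9", 5432, "TCP"), # another workload's traffic
]


def resolve_peer(ip):
    """Map a destination IP to a policy peer: ("pod", namespace, labels) for a
    known pod or ClusterIP, else ("ipBlock", "<ip>/32") for an unknown one."""
    for table in (SERVICES, PODS):
        if ip in table:
            ns, labels = table[ip]
            return ("pod", ns, frozenset(labels.items()))
    return ("ipBlock", f"{ip}/32")


def observed_egress(workload_ns, workload_labels, flows):
    """Per resolved peer, the set of (port, protocol) pairs that pods of this
    workload were actually seen using.  Keying on the resolved peer is what
    deduplicates ClusterIP and direct-to-endpoint flows into one rule."""
    wanted = set(workload_labels.items())
    peers = defaultdict(set)
    for src, dst, port, proto in flows:
        if src not in PODS:
            continue  # cannot attribute to a pod; skip rather than guess
        ns, labels = PODS[src]
        if ns != workload_ns or not wanted <= set(labels.items()):
            continue  # some other workload's traffic
        peers[resolve_peer(dst)].add((port, proto))
    return peers


def _peer_sort_key(peer):
    # Deterministic rule order; frozenset iteration order is not stable.
    return (peer[0], peer[1], sorted(peer[2]) if peer[0] == "pod" else [])


def build_egress_policy(name, workload_ns, workload_labels, flows):
    """Emit a NetworkPolicy dict whose egress is exactly the observed peers and
    ports.  With only "Egress" in policyTypes, unlisted egress is denied."""
    rules = []
    peers = observed_egress(workload_ns, workload_labels, flows)
    for peer in sorted(peers, key=_peer_sort_key):
        if peer[0] == "pod":
            _, ns, labels = peer
            to = {"podSelector": {"matchLabels": dict(sorted(labels))}}
            if ns != workload_ns:
                # Cross-namespace peer: pin the namespace via the label that
                # Kubernetes sets automatically on every namespace.
                to["namespaceSelector"] = {
                    "matchLabels": {"kubernetes.io/metadata.name": ns}}
        else:
            to = {"ipBlock": {"cidr": peer[1]}}
        rules.append({
            "to": [to],
            "ports": [{"port": p, "protocol": pr} for p, pr in sorted(peers[peer])],
        })
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": workload_ns},
        "spec": {
            "podSelector": {"matchLabels": workload_labels},
            "policyTypes": ["Egress"],
            "egress": rules,
        },
    }


if __name__ == "__main__":
    # kubectl apply -f accepts JSON manifests, so no YAML dependency is needed.
    policy = build_egress_policy("frontend-egress", "shop", {"app": "frontend"}, FLOWS)
    print(json.dumps(policy, indent=2))
```

For the constructed flows, the frontend workload ends up with three egress rules (the external /32, kube-dns in kube-system on 53/TCP and 53/UDP, and the api pods on 8080) and nothing for the api pod's own 5432 traffic. A policy derived this way is only as complete as the observation window: dependencies that only appear during failover, cron runs or rare code paths will not be in the generated rules, which is exactly why the post's SYN-retransmission view of silently dropped traffic matters after the policy is applied.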

---

**[devsupporter commentary]**

This article is one of the latest development updates from Show HN. To learn more about the tools or technologies involved, see the original link.