Hey HN,

I'm Mahesh, and together with Michael Fornaro we built kguardian in our free time because we kept running into the same loop: deploy a workload, figure out what traffic it needs, write a NetworkPolicy from memory, break something in staging. Repeat for seccomp profiles, except now the surface is 400+ Linux syscalls with no good way to know which ones your container uses without just running it and watching.

The gap between what you think your application does and what it actually does at runtime is where security incidents live.

What kguardian does:

- Runs a DaemonSet using eBPF — kernel programs that fire on TCP connections, UDP sends, and syscall entries with ~1-2% CPU overhead - Attributes every event to the right pod via network namespace inodes — no sidecars, no proxy injection, no application changes - Detects silently-dropped NetworkPolicy traffic by counting TCP SYN retransmissions — otherwise nearly invisible

Using the UI:

  kubectl port-forward svc/kguardian-frontend 5173 -n kguardian

Open the dashboard, pick a namespace, and you see your actual network topology — not what you declared, what the kernel recorded. Pods are grouped by workload identity. Edges are colored by type: blue for internal traffic, amber for external, red for connections being silently dropped by an existing policy. Each edge is labeled with the top port and protocol (HTTP :80, HTTPS :443, DNS :53, K8s API :6443).

Click any workload → Build Policy → kguardian generates a least-privilege NetworkPolicy YAML in seconds, resolving IPs to pod selectors, deduplicating ClusterIP flows, and scoping egress to exactly what was observed. You can also view live generated NetworkPolicies and Seccomp profiles based on current cluster traffic.

An AI assistant (MCP server — Claude, OpenAI, Gemini, GitHub Copilot) lets you query in plain English: "Which pods are making unexpected DNS queries?" or "Are any workloads hitting the Kubernetes API directly?"

CLI for GitOps:

  helm install kguardian oci://ghcr.io/kguardian-dev/charts/kguardian \
    --namespace kguardian --create-namespace

  # Let workloads run for a few minutes...
  kubectl kguardian gen networkpolicy --all -n production --output-dir ./policies
  kubectl kguardian gen seccomp my-app -n production --output-dir ./seccomp
  kubectl apply -f ./policies/

Where this is going:

We're working on capturing L7 HTTP traffic (paths, methods, headers) at the eBPF layer and turning that into L7-aware Cilium policies — not just "allow port 443" but "allow GET /api/v1/health from this workload." Beyond that: Istio AuthorizationPolicies from observed mesh traffic, Cilium Gateway API resources (HTTPRoutes, Gateways, VirtualServices), and AI-assisted anomaly detection for behavioral drift. The long-term vision: observe → generate → apply → monitor → alert → repeat.

Links: - GitHub: https://github.com/kguardian-dev/kguardian - Docs: https://docs.kguardian.dev

It's free and open source. We'd love feedback, bug reports, or ideas. Contributions welcome.

Thanks, Mahesh & Michael

Millwright: Smarter Tool Selection from Agent Experience

Show HN: Playtest my browser-based RPG

I Hate Anthropic and You Should Too

Self-Driving Codebase: Background agents and the next era of software delivery

CIA Prepares Criminal Referral of Tucker Carlson, as Israel et al. Demand Arrest

Giving MCP servers a voice in tool selection

Manjaro Linux 2.0 Manifesto

To fall asleep faster, try cognitive shuffling

Steve Jobs's 10-80-10 Rule Is More Useful in the AI Era

Show HN: Open-source playground to red-team AI agents with exploits published

Learn Haskell in Two Weeks

Show HN: OnTimer – persistent calendar alarms so you never miss a meeting

Website visualizes the 100k most popular Wikipedia articles as skyscrapers

CarTalk-AMP Web Player

Building observable file systems for agents

Token optimized query language (Memelang)

Show HN: SciTeX Notification – Give AI agents a voice: TTS, phone calls, SMS

Show HN: Kubernetes Security Profile Generator Using eBPF

Nasdaq's Shame

A new Bigfoot documentary helps explain our conspiracy-minded era

Twitch is overhauling its suspensions policy

CostClaw – free local dashboard to track and reduce OpenClaw agent costs

From the Hills of Nepal to the Colombian Jungle: A Migrant's Story (2020)

GladAItor – Crowd-testing AI products in a public arena

Kangina

Cert Authorities Check for DNSSEC from Today

Hacking 'Skill' distilled from 4200 Hackerone vulns

Copilot Health

Cloudflare forked just-bash and they really, really should not have

Road Safety Annual Report 2025 [pdf]

Show HN: Raw Binary Program Analysis Tool