Xentra Advisor is a powerful kubectl plugin designed to enhance the security posture of your Kubernetes applications. It analyzes runtime behavior (via the Kube Guardian Controller) and generates tailored security resources like Network Policies and Seccomp Profiles.
- Xentra Advisor: Kubernetes Security Profile Enhancer
- Network Policy Generation: Automatically create least-privilege network policies based on observed pod communication.
- Supports standard Kubernetes
NetworkPolicyresources. - Supports
CiliumNetworkPolicyandCiliumClusterwideNetworkPolicyfor Cilium CNI users.
- Supports standard Kubernetes
- Seccomp Profile Generation: Generate least-privilege seccomp profiles by analyzing syscalls used by containers.
- Flexible Targeting: Generate policies/profiles for single pods, all pods in a namespace, or all pods across all namespaces.
- Dry-Run Mode: Preview generated resources without applying them to the cluster.
- File Output: Save generated resources to YAML files for review or integration into GitOps workflows.
This table provides a high-level comparison of Xentra Advisor with other popular open-source tools in the Kubernetes security space. The landscape evolves quickly, so features may change.
| Feature | Xentra Advisor | Inspektor Gadget | Security Profiles Operator (SPO) |
|---|---|---|---|
| Network Policy (K8s) | β | β (Network Policy Advisor) | β |
| Network Policy (Cilium) | β | β | β |
| Seccomp Profile Generation | β | π (Provides syscall trace data) | β (Via Log Enricher/Recorder) |
| AppArmor Profile Mgmt | β | β | β |
| SELinux Profile Mgmt | β | β | β |
| Data Source | Kube Guardian Controller (eBPF) | eBPF | Seccomp Logs / BPF Recorder |
| Operational Model | Client CLI + Server Controller | Client CLI + Server Gadgets | Server Operator + CRDs |
| Dry Run / Preview | β (NetPol) | β (YAML output for advisor) | N/A |
| Save to File | β (NetPol, Seccomp) | β (YAML output for advisor) | N/A (Uses CRDs) |
| Direct Apply (NetPol) | β | β | N/A |
| Direct Apply (Seccomp) | β | β | β |
Legend: β = Supported, β = Not Supported, π = Partial/Requires Manual Steps, N/A = Not Applicable
Note on Operational Models: Xentra Advisor and Inspektor Gadget use client CLIs that interact with dedicated server-side components (Controller/Gadgets) primarily for data retrieval. SPO operates as a full Kubernetes operator managing security profiles via Custom Resource Definitions (CRDs).
Key Differentiators for Xentra Advisor:
- Generates both Network Policies (K8s Native & Cilium) and Seccomp profiles from a single data source (Kube Guardian).
- Provides options for direct application (Network Policy) or saving to files for GitOps workflows.
- Linux Kernel 6.2+
- Kubernetes cluster v1.19+
kubectlv1.19+- Kube Guardian Controller MUST be installed and running in the cluster to collect the necessary data.
- (For Seccomp) Linux Kernel supporting seccomp (most modern kernels).
Choose one of the following methods:
This script downloads the latest release binary and attempts to install it.
sh -c "$(curl -fsSL https://raw.githubusercontent.com/xentra-ai/kube-guardian/main/scripts/quick-install.sh)"Use Krew, the plugin manager for kubectl:
# Ensure Krew is installed: https://krew.sigs.k8s.io/docs/user-guide/setup/install/
kubectl krew install xentraDownload the appropriate binary for your system from the Releases page and place it in your PATH named kubectl-xentra.
Example (Linux AMD64, replace version/binary name as needed):
# Replace with the correct release URL
wget -O xentra https://github.com/xentra-ai/kube-guardian/releases/download/vX.Y.Z/advisor-linux-amd64
chmod +x xentra
sudo mv xentra /usr/local/bin/kubectl-xentra
# Verify installation
kubectl xentra --helpOnce the Kube Guardian controller is running and collecting data, you can generate policies.
-
Generate a Network Policy (Dry Run, Save to File):
# Generate for a specific pod in the 'default' namespace kubectl xentra gen networkpolicy my-pod -n default --output-dir ./policies # Generate for all pods in the 'staging' namespace kubectl xentra gen networkpolicy --all -n staging --output-dir ./policies
-
Generate a Seccomp Profile (Save to File):
# Generate for a specific pod in the 'default' namespace kubectl xentra gen seccomp my-pod -n default --output-dir ./seccomp # Generate for all pods in all namespaces kubectl xentra gen seccomp -A --output-dir ./seccomp
-
Review the generated YAML files in the specified output directories.
-
(Optional) Apply the policies: If satisfied after reviewing the files or the dry-run output, remove
--dry-run(for network policies) or manually apply the saved YAML files usingkubectl apply -f <directory>. Note: Seccomp profiles currently only support saving to files. ## π¨ Usage
The plugin follows the standard kubectl command structure:
kubecl xentra [command] [subcommand] [flags]These flags are available for most commands:
--kubeconfig <path>: Path to the kubeconfig file to use.--context <name>: The name of the kubeconfig context to use.--namespace <name>,-n <name>: The namespace scope for this CLI request.--debug: Enable debug logging.
This is the main command group for generating security resources.
Generates Kubernetes or Cilium Network Policies based on observed traffic.
Usage:
kubectl xentra gen networkpolicy [pod-name] [flags]Arguments:
[pod-name](Optional): The name of the specific pod to generate a policy for. Required unless-aor-Ais used.
Flags:
-n, --namespace <string>: Namespace scope (defaults to current context namespace if not-A).-a, --all: Generate policies for all pods in the specified/current namespace.-A, --all-namespaces: Generate policies for all pods in all namespaces.-t, --type <string>: Type of policy:kubernetes(default) orcilium.--output-dir <string>: Directory to save generated policies (default:network-policies). If empty, policies are only printed in dry-run mode.--dry-run: If true (default), generate policies and save/print them without applying to the cluster. Set tofalseto apply Kubernetes policies directly.
Examples:
# Generate Kubernetes policy for 'my-app-pod' in 'prod' namespace (dry-run, save to ./netpols)
kubectl xentra gen networkpolicy my-app-pod -n prod --output-dir ./netpols
# Generate Cilium policies for all pods in 'dev' namespace (dry-run, save to ./cilium-pols)
kubectl xentra gen netpol --all -n dev --type cilium --output-dir ./cilium-pols
# Generate and APPLY Kubernetes policies for all pods in all namespaces (save to default dir)
kubectl xentra gen netpol -A --dry-run=false
# Generate Kubernetes policy for 'my-pod' (dry-run, print to stdout only)
kubectl xentra gen netpol my-pod --output-dir=""Generates Seccomp profiles based on observed syscalls.
Usage:
kubectl xentra gen seccomp [pod-name] [flags]Arguments:
[pod-name](Optional): The name of the specific pod to generate a profile for. Required unless-aor-Ais used.
Flags:
-n, --namespace <string>: Namespace scope (defaults to current context namespace if not-A).-a, --all: Generate profiles for all pods in the specified/current namespace.-A, --all-namespaces: Generate profiles for all pods in all namespaces.--output-dir <string>: Directory to save generated profiles (default:seccomp-profiles). Required for seccomp.--default-action <string>: Default action for unlisted syscalls (default:SCMP_ACT_ERRNO). Options:SCMP_ACT_ERRNO,SCMP_ACT_LOG,SCMP_ACT_KILL.
Examples:
# Generate seccomp profile for 'db-pod' in 'data' namespace (save to ./secp)
kubectl xentra gen seccomp db-pod -n data --output-dir ./secp
# Generate seccomp profiles for all pods in 'staging' namespace (save to default dir)
kubectl xentra gen secp --all -n staging
# Generate seccomp profiles for all pods in all namespaces, logging unlisted calls (save to ./all-secp)
kubectl xentra gen secp -A --default-action SCMP_ACT_LOG --output-dir ./all-secpContributions are welcome! Please read the contributing guide (TODO: Create CONTRIBUTING.md) to get started.
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.