Runtime policy in Kubernetes YAML

Author runtime security policies the same way you author everything else in your cluster. Nightshift leverages Tetragon TracingPolicy to gate syscalls, process execution, and network flows on every agent pod.

Policy as a first-class Kubernetes resource

TracingPolicy is a standard CRD. Write it as YAML, check it into git, apply it with kubectl. Nightshift reconciles the resource into Tetragon, which enforces the policy inline in the kernel via kprobes. A single policy can match by pod, namespace, or workload identity, and the same surface covers syscall tracing, process lifecycle, file access, and network events — so your audit log and your enforcement rules live in the same place.
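As an added illustration of the resource described above, here is a Tetragon TracingPolicyNamespaced of the kind Nightshift reconciles; it is constructed for this page, not a policy shipped by Nightshift or Tetragon, and the namespace `nightshift-agents`, the pod label `app.kubernetes.io/component=agent` and the allow-listed binary are assumptions.

```yaml
# Added example, not part of the Nightshift project.
# Assumed: agent pods run in namespace nightshift-agents and carry the label
# app.kubernetes.io/component=agent.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced   # namespace-scoped variant of TracingPolicy
metadata:
  name: agent-block-etc-writes
  namespace: nightshift-agents   # policy applies only to pods in this namespace
spec:
  # Narrow further to the agent workload by pod label.
  podSelector:
    matchLabels:
      app.kubernetes.io/component: agent
  kprobes:
  # LSM hook invoked on every read/write permission check for an open file.
  - call: security_file_permission
    syscall: false
    args:
    - index: 0
      type: file   # struct file *: Tetragon resolves it to the accessed path
    - index: 1
      type: int    # access mask: 2 = MAY_WRITE, 4 = MAY_READ
    selectors:
    # Match writes under /etc by any binary other than the expected package
    # manager, emit an event, and kill the offending process.
    - matchArgs:
      - index: 0
        operator: Prefix
        values:
        - "/etc/"
      - index: 1
        operator: Equal
        values:
        - "2"
      matchBinaries:
      - operator: NotIn
        values:
        - "/usr/bin/apt-get"   # assumed allow-listed binary
      matchActions:
      - action: Sigkill
```

Sigkill is delivered asynchronously when the process returns to user space, so the first matched write can still complete; the policy is an enforcement-plus-audit control rather than a hard deny, and the generated event is what the detection pipeline should alert on.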

Ready to deploy?

Install Nightshift into your own cluster with a single Helm chart.