CIS Kubernetes v1.8 · Read-Only · Push-Only
elf-owl
Minimal Kubernetes Compliance Observer
Core Pipeline Active
March 26, 2026
CIS K8s v1.8 · 48 Controls
~1200 LOC Core Agent
Event Processing
Architecture

A linear, read-only pipeline from kernel-space eBPF events to encrypted, signed push — zero inbound surface, zero enforcement capability.

Read-only kernel instrumentation
One-way outbound push only
HMAC-SHA256 + AES-256-GCM evidence
cilium/ebpf kernel integration
01  cilium/ebpf Kernel Events [KERNEL]: kernel space · eBPF programs attached
02  Event Monitors [eBPF]: process · network · dns · file · capability
03  Event Enrichment [K8s]: k8s metadata · pod/node/namespace/rbac
04  Rule Engine [CIS]: 48 CIS controls · yaml/configmap · condition eval
05  Evidence Processing [SECURE]: hmac-sha256 sign · aes-256-gcm encrypt
06  Buffering & Batching [BATCH]: gzip compress · retry backoff · flush logic
07  Owl SaaS Push API [OUT]: jwt · tls · one-way · no inbound
Implemented Features

All components below are shipped and wired into the core pipeline.

eBPF Runtime Security
  • Process exec events via execve/execveat
  • Network connection telemetry (TCP/UDP · IPv4/IPv6)
  • DNS query/response metadata + payload parsing
  • File activity — open, write, chmod, unlink
  • Linux capability checks + syscall attribution
CIS K8s Compliance
  • 48 automated CIS control mappings
  • 9 manual control references
  • Rule engine with condition evaluation
  • YAML & ConfigMap rule loading
  • Hardcoded fallback rule set
Kubernetes Integration
  • In-cluster pod metadata enrichment
  • Namespace, labels, service accounts, node
  • NetworkPolicy evaluation signals
  • RBAC context + privilege scoring
  • Container ID → Pod mapping via cgroup
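The last item above ("Container ID → Pod mapping via cgroup") works by reading /proc/<pid>/cgroup for the process that produced an eBPF event and pulling the 64-hex container ID out of the cgroup path, then looking that ID up in the pod metadata cache. The Go example below is added here to show that step; it is not elf-owl's code. The two cgroup samples, the PodIndex map and the PodRef fields are constructed for the example, and the regular expressions assume the kubelet/containerd/docker/CRI-O path layouts the samples show.

```go
package main

import (
	"bufio"
	"regexp"
	"strings"
)

// Constructed /proc/<pid>/cgroup samples: a cgroup v2 systemd-slice layout
// (containerd under kubelet) and a cgroup v1 cgroupfs layout.
const SampleCgroupV2 = "0::/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod3b1f2c4d_5e6f_4a7b_8c9d_0e1f2a3b4c5d.slice/cri-containerd-9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08.scope\n"

const SampleCgroupV1 = "12:memory:/kubepods/burstable/pod3b1f2c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d/9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\n" +
	"1:name=systemd:/kubepods/burstable/pod3b1f2c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d/9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\n"

// Runtimes differ in prefix (docker-, cri-containerd-, crio-) but all expose
// the 64-hex container ID as its own path component.
var containerIDRe = regexp.MustCompile(`(?:^|/)(?:docker-|cri-containerd-|crio-)?([0-9a-f]{64})(?:\.scope)?(?:/|$)`)

// Pod UIDs appear as "pod<uid>" with dashes (cgroupfs) or underscores
// (systemd slices, where dashes are separators).
var podUIDRe = regexp.MustCompile(`pod([0-9a-f]{8}[-_][0-9a-f]{4}[-_][0-9a-f]{4}[-_][0-9a-f]{4}[-_][0-9a-f]{12})`)

type CgroupIdentity struct {
	ContainerID string
	PodUID      string // normalized to the dashed form used by the API server
}

// ParseCgroup scans the cgroup file content line by line and returns the
// first container ID it finds; ok is false for host (non-container) processes.
func ParseCgroup(content string) (id CgroupIdentity, ok bool) {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		// Each line is "<hierarchy-id>:<controllers>:<path>"; only the path matters.
		parts := strings.SplitN(sc.Text(), ":", 3)
		if len(parts) != 3 {
			continue
		}
		m := containerIDRe.FindStringSubmatch(parts[2])
		if m == nil {
			continue
		}
		id.ContainerID = m[1]
		if pm := podUIDRe.FindStringSubmatch(parts[2]); pm != nil {
			id.PodUID = strings.ReplaceAll(pm[1], "_", "-")
		}
		return id, true
	}
	return CgroupIdentity{}, false
}

// PodRef is the metadata the enrichment step attaches to an event.
// The field set is an assumption for this example.
type PodRef struct {
	Namespace, Name, Node, ServiceAccount string
}

// PodIndex stands in for the in-cluster metadata cache: container ID -> pod.
type PodIndex map[string]PodRef

// ResolvePod maps a process's cgroup content to its pod via the index.
func ResolvePod(content string, idx PodIndex) (PodRef, bool) {
	id, ok := ParseCgroup(content)
	if !ok {
		return PodRef{}, false
	}
	ref, ok := idx[id.ContainerID]
	return ref, ok
}
```

The lookup fails closed: a host process (no container ID in its cgroup path) and a container ID missing from the index both return ok == false, so an event is never enriched with the wrong pod. In a running agent the index would be fed from the in-cluster pod cache with TTL rather than a static map.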
Evidence Protection
  • HMAC-SHA256 signing pipeline
  • AES-256-GCM encryption
  • gzip compression + batch formatting
  • Retry logic with exponential backoff
  • JWT + TLS outbound push
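Pipeline stages 05 and 06 above and this Evidence Protection list describe signing with HMAC-SHA256, encrypting with AES-256-GCM and gzip-compressing batches before the push. The Go example below is added here to show one way those steps fit together end to end, with the receiving side included; it is not elf-owl's own code, and the Evidence struct, the key handling and the wire layout (nonce || ciphertext || GCM tag) are assumptions. It orders the steps as sign, compress, encrypt, because ciphertext does not compress; the page lists the stages without specifying their byte-level order.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"io"
)

// Evidence is one rule-engine finding. The field set is an assumption made
// for this example; the page does not describe the agent's evidence schema.
type Evidence struct {
	Control   string `json:"control"`
	Namespace string `json:"namespace"`
	Pod       string `json:"pod"`
	Result    string `json:"result"`
}

// signedEnvelope carries the serialized batch and its HMAC-SHA256 tag.
type signedEnvelope struct {
	Body []byte `json:"body"`
	Sig  []byte `json:"sig"`
}

var ErrBadSignature = errors.New("evidence batch: HMAC-SHA256 verification failed")

func tag(key, body []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return mac.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBatch is the agent side: serialize, sign, gzip, then AES-256-GCM encrypt.
// Wire layout: random 12-byte nonce || ciphertext || GCM tag.
func SealBatch(hmacKey, aesKey []byte, batch []Evidence) ([]byte, error) {
	body, err := json.Marshal(batch)
	if err != nil {
		return nil, err
	}
	env, err := json.Marshal(signedEnvelope{Body: body, Sig: tag(hmacKey, body)})
	if err != nil {
		return nil, err
	}
	var gz bytes.Buffer
	zw := gzip.NewWriter(&gz)
	if _, err := zw.Write(env); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, gz.Bytes(), nil), nil
}

// OpenBatch is the receiving side: decrypt, gunzip, verify the tag in
// constant time, then decode. Tampering fails at the GCM or the HMAC step.
func OpenBatch(hmacKey, aesKey, wire []byte) ([]Evidence, error) {
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	if len(wire) < gcm.NonceSize() {
		return nil, errors.New("evidence batch: ciphertext shorter than nonce")
	}
	gz, err := gcm.Open(nil, wire[:gcm.NonceSize()], wire[gcm.NonceSize():], nil)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(gz))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	envBytes, err := io.ReadAll(zr)
	if err != nil {
		return nil, err
	}
	var env signedEnvelope
	if err := json.Unmarshal(envBytes, &env); err != nil {
		return nil, err
	}
	if !hmac.Equal(tag(hmacKey, env.Body), env.Sig) {
		return nil, ErrBadSignature
	}
	var batch []Evidence
	if err := json.Unmarshal(env.Body, &batch); err != nil {
		return nil, err
	}
	return batch, nil
}
```

Two independent checks guard a batch: GCM authentication rejects any modified ciphertext before decompression runs, and hmac.Equal compares the HMAC tag in constant time, so a receiver holding the wrong signing key rejects the envelope even when it can decrypt it. Keys in the test are fixed demo values; a real agent would load them from the Secret referenced by the deployment manifests.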
Observability
  • Health check endpoint — /health
  • Prometheus metrics — /metrics
  • Structured logging throughout
  • Metadata cache with TTL
  • Owner reference resolution
Cloud-Native Deployment
  • Kubernetes DaemonSet deployment
  • Helm chart + Kustomize overlays
  • Read-only RBAC manifests
  • ServiceAccount + ClusterRole definitions
  • ConfigMap & Secret management
Core Modules
agent.go
config.go
logger.go
client.go
cache.go
enrichment/types.go
rules/engine.go
cis_mappings.go
rule loader
signer.go
cipher.go
buffer.go
api/client.go
go.mod · cilium/ebpf
Helm DaemonSet
RBAC manifests
/health · /metrics
Project Status
48 CIS Automated Controls
9 Manual References
~1200 LOC Core Agent
5 eBPF Monitor Types
elf-owl · agent log · v0.1.0
2026-03-26T10:00:01Z [INFO] elf-owl agent starting version=0.1.0
2026-03-26T10:00:01Z [INFO] loading configuration source=configmap/elf-owl-config
2026-03-26T10:00:02Z [INFO] rule engine initialized automated=48 manual=9
2026-03-26T10:00:02Z [INFO] kubernetes client ready mode=in-cluster
2026-03-26T10:00:02Z [INFO] enrichment pipeline wired cache_ttl=5m
2026-03-26T10:00:03Z [INFO] attaching eBPF programs monitors=process,network,dns,file,cap
2026-03-26T10:00:03Z [INFO] evidence pipeline ready sign=hmac-sha256 encrypt=aes-256-gcm
2026-03-26T10:00:03Z [INFO] push client connected endpoint=owl-saas tls=true jwt=true
2026-03-26T10:00:04Z [INFO] health endpoint listening addr=:8080/health
2026-03-26T10:00:04Z [INFO] metrics endpoint listening addr=:8080/metrics
2026-03-26T10:00:04Z [INFO] agent running · read-only mode · push-only