dpndncy

Kubernetes DaemonSet

Run one agent per node as a DaemonSet and it observes every container's syscalls on that node — so any CI workload scheduled there is covered without changing the workload itself. Works under Tekton, Argo Workflows, kpack, GitLab Kubernetes runners, Buildkite K8s agents, and actions-runner-controller.

Install

helm install dpndncy-agent ./agent/k8s/helm \
  --namespace dpndncy --create-namespace \
  --set server=https://dpndncy.example.com \
  --set signingKey.existingSecret=dpndncy-agent-key

A raw manifest is provided too if you don’t use Helm.

Capabilities

The agent needs the capabilities required to load BPF and read process/network state, plus the host PID and network namespaces:

  • CAP_BPF, CAP_PERFMON — load and attach the BPF programs (tracing programs need both).
  • CAP_SYS_RESOURCE — raise RLIMIT_MEMLOCK for BPF maps on kernels before 5.11, which charged BPF memory against the memlock limit.
  • CAP_NET_ADMIN — attach the cgroup-BPF programs used for egress enforcement.
  • CAP_SYS_PTRACE — read /proc/<pid> of processes owned by other users, for process ancestry correlation.
  • hostPID + hostNetwork — pod-level settings (not capabilities) so the agent sees all node processes and connections.
Scoped caps, not privileged: true
The DaemonSet requests the specific capabilities it needs plus host PID/network; it does not run privileged: true. That keeps the blast radius tighter: a privileged container gets every capability, access to all host devices and an unconfined seccomp/AppArmor profile, whereas the agent is limited to the capabilities listed. It does not, however, satisfy the Baseline or Restricted Pod Security Standards: Baseline already rejects hostPID, hostNetwork and any added capability outside its short allowlist (CHOWN, NET_BIND_SERVICE and the like), so the agent's namespace must be labelled for the privileged level (pod-security.kubernetes.io/enforce: privileged) or exempted in the admission configuration. Treat the agent as node-root-equivalent regardless: CAP_SYS_PTRACE with hostPID can attach to any node process, and CAP_BPF with CAP_PERFMON can read kernel memory through tracing programs.
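Whether a given Pod Security Standards level will admit the agent is worth knowing before rollout rather than discovering at admission time. The following pre-flight check is an added example, not part of dpndncy or its chart: it encodes the Baseline profile's rules for privileged mode, host namespaces, added capabilities and hostPath volumes, and runs them over a pod spec constructed from the requirement list above (the container name, image and field layout are assumptions, not the chart's actual manifest).

```python
"""Pre-flight Pod Security Standards check for the agent's pod spec.

Added example, not part of the dpndncy chart.  Encodes the Baseline profile's
rules for privileged mode, host namespaces, added capabilities and hostPath
volumes, so you can see before rollout which level the agent's namespace needs.
"""
import copy

# Capabilities the Baseline profile allows in securityContext.capabilities.add.
BASELINE_ALLOWED_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
})

# Constructed from the requirement list above; container name, image and
# field layout are assumptions, not the chart's actual manifest.
AGENT_POD_SPEC = {
    "hostPID": True,
    "hostNetwork": True,
    "containers": [{
        "name": "agent",
        "image": "dpndncy.example.com/agent:latest",
        "securityContext": {
            "privileged": False,
            "capabilities": {
                "drop": ["ALL"],
                "add": ["BPF", "PERFMON", "SYS_RESOURCE", "NET_ADMIN", "SYS_PTRACE"],
            },
        },
    }],
}


def _norm_cap(cap):
    """Runtimes accept both NET_ADMIN and CAP_NET_ADMIN; compare without prefix."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _containers(spec):
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key, [])


def baseline_violations(spec):
    """List everything in a pod spec that the Baseline profile rejects."""
    found = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            found.append(f"spec.{ns}=true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol.get('name')} uses hostPath")
    for c in _containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f"container {c['name']}: privileged=true")
        added = {_norm_cap(cap) for cap in (sc.get("capabilities") or {}).get("add", [])}
        for cap in sorted(added - BASELINE_ALLOWED_CAPS):
            found.append(f"container {c['name']}: capability {cap} not allowed")
    return found


def required_pss_level(spec):
    """Lowest pod-security.kubernetes.io/enforce level that admits the spec.

    Only Baseline is modelled here; anything Baseline rejects needs 'privileged'.
    """
    return "privileged" if baseline_violations(spec) else "baseline"


def privileged_variant(spec):
    """Same pod with privileged: true instead of scoped caps, for contrast."""
    v = copy.deepcopy(spec)
    for c in v["containers"]:
        c["securityContext"] = {"privileged": True}
    return v


if __name__ == "__main__":
    for label, spec in (("scoped caps", AGENT_POD_SPEC),
                        ("privileged", privileged_variant(AGENT_POD_SPEC))):
        print(f"{label}: needs PSS level {required_pss_level(spec)}")
        for v in baseline_violations(spec):
            print("  -", v)
```

Both variants land on the same answer, privileged, which is the point of the caveat: scoping the capabilities narrows what a compromised agent can do on the node, not which Pod Security level admits it. Label the agent's namespace pod-security.kubernetes.io/enforce=privileged, or carve it out in the admission controller's exemptions, before installing the chart.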

Configuration

  • Signing key — supplied from a Kubernetes Secret (per-cluster key).
  • Policy — a ConfigMap selects observe / learn / enforce and carries the egress allowlist.
  • Multi-arch — the image ships amd64 + arm64.

See also