Features / Networking

Kernel-speed network enforcement

Nightshift builds on Cilium to filter every packet at the kernel level via eBPF. Policies reference pods and namespaces directly, so your rules map to how your cluster is actually organized.

Demo coming soon

eBPF policies, no sidecars required

Network policies are expressed as standard CiliumNetworkPolicy resources and enforced inline in the kernel. There are no sidecar proxies and no userspace hops. Every packet leaving an agent pod is filtered by identity (pod, namespace, workload), so you can write rules that are unambiguous and audit-friendly. Default-deny is the norm, not the exception.

Related features

Runtime IsolationKata VMs and runc containers for every agentLearn more ObservabilityGrafana, Prometheus, Loki, and Tetragon built-inLearn more Tracing PoliciesTetragon eBPF runtime security and file access tracingLearn more

Ready to deploy?

Install Nightshift into your own cluster with a single Helm chart.

Star on GitHub Get in touch