
Kernel-enforced boundary hardening for cloud-native containers

Overview

Micromize is an open-source enforcement layer built on eBPF. Instead of chasing "bad" behavior, it enforces "good" architecture. It transforms high-level cloud-native assumptions into immutable kernel-level restrictions. If a workload attempts to deviate from its declared structural invariants, the kernel simply says "No."

Today, Micromize attaches eBPF programs to LSM hooks and enforces strict container boundaries, blocking filesystem escapes and host access. It restricts capabilities to prevent privilege escalation via unshare/clone/setns, eliminates ptrace-based debugging/injection attacks, and validates execution integrity via SBOM and runtime hash validation. Policies are loaded before container start and enforced at execution time. No runtime replacement. No learning mode. Kernel-native enforcement.
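To make the "execution integrity via SBOM and runtime hash validation" idea concrete, here is an added userspace model of that policy decision; it is example code, not Micromize's own implementation, and it assumes an SPDX-style SBOM with per-file SHA256 checksums and a constructed container root on disk.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_file(root, rel, data):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def build_allowlist(sbom):
    """Map each SBOM file entry (SPDX-style JSON shape) to its declared SHA256."""
    allow = {}
    for entry in sbom["files"]:
        for chk in entry["checksums"]:
            if chk["algorithm"] == "SHA256":
                allow[entry["fileName"]] = chk["checksumValue"].lower()
    return allow

def exec_decision(root, rel_path, allowlist):
    """Allow an exec only if the file was in the image and still matches its hash."""
    expected = allowlist.get("./" + rel_path)
    if expected is None:
        return "deny:not-in-image"
    if sha256_file(os.path.join(root, rel_path)) != expected:
        return "deny:hash-mismatch"
    return "allow"

def demo():
    """Constructed scenario: intact binary, binary mutated after build, binary dropped at runtime."""
    root = tempfile.mkdtemp()
    files = {"usr/bin/app": b"\x7fELF app v1", "usr/bin/tool": b"\x7fELF tool v1"}
    for rel, data in files.items():
        write_file(root, rel, data)
    # The SBOM is generated from the image as built, before any runtime mutation.
    sbom = {"files": [{"fileName": "./" + rel, "checksums": [{"algorithm": "SHA256",
            "checksumValue": sha256_file(os.path.join(root, rel))}]} for rel in files]}
    allow = build_allowlist(sbom)
    # Runtime drift: one listed binary is overwritten and an unlisted one appears.
    write_file(root, "usr/bin/tool", b"\x7fELF tool modified")
    write_file(root, "usr/bin/miner", b"\x7fELF miner")
    return {rel: exec_decision(root, rel, allow)
            for rel in ("usr/bin/app", "usr/bin/tool", "usr/bin/miner")}
```

Only the unmodified, SBOM-listed binary is allowed; both runtime drift and binaries absent from the image are denied before execution rather than detected afterwards.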

The Philosophy

Containers rely on namespaces, cgroups, seccomp, and LSMs, but they still expose kernel attack surface. Misconfigured or overly privileged workloads lead to container escape primitives, host mutation from containers, runtime drift from the image, and undefined kernel behavior. Tools may detect this. Few eliminate it.

Micromize doesn't care what happens inside the container. Instead, it enforces the boundaries. We don't scan for cryptominers because with Micromize, unauthorized binaries can't execute in the first place. You can't effectively protect against every poorly written application, but you can guarantee that nothing runs unless it was part of the original image.

Micromize assumes containers are immutable, disposable, non-host-mutating, and explicit about privilege. If your workload violates those assumptions, Micromize blocks it or forces an explicit posture decision.

BPF LSM Powered

Leverages eBPF for high-performance, kernel-level enforcement.

Container Aware

Built for Kubernetes and container runtimes.

Modular Architecture

Built on top of Inspektor Gadget.