Enterprise-ready • CNI-agnostic • East-west + egress

Block lateral movement. For any Kubernetes.

Turn observed east-west and egress traffic into safe, enforceable NetworkPolicy — delivered with GitOps, ITSM-grade approvals, and one-click rollback.

SIGNALS
Radar & Monitor: Kafka flow + ACL monitoring
Container Security Tools: Traffic radar + security signals
POLICY ENGINE
CONTROL PLANE
Policy Lifecycle: Recommend → manage → approve → roll out → audit. Mirrors legacy network change control.
Recommend • Govern • Operate
GitOps • Approval gates • Rollback
KUBERNETES CLUSTER
Namespaces • NetworkPolicy
PROD: allow: app → db
PLATFORM: deny: default
DEV: allow: dev-tools
QA: allow: test-suite

See east-west and egress traffic. In real time.

Axera builds a live map of how workloads talk inside the cluster — and what they reach outside. Then turns those flows into NetworkPolicy you can govern, version and roll back.

East-west • Egress • Any CNI • Real-time
East-west
Pod-to-pod traffic across namespaces, with allow/deny verdicts surfaced from your CNI's flow logs.
Egress
Outbound calls to external services, FQDNs and IP ranges — observed, attributed and policy-controlled.
Read-only signal ingestion. No workload changes, no sidecars.
Live topology (Real-time • Any CNI)
Legend: Allowed flow • Blocked flow • Egress (outside cluster)

Three deployment modes. One management plane.

Axera adapts to your environment, not the other way around. Pick the mode that fits each cluster — agentless via existing container security tools, agent-based via our eBPF DaemonSet, or hybrid. Same UI, same RBAC, same audit trail across all of them.

Agentless • eBPF agent • Hybrid • NetObserv-based
Agentless
Connect to container security tools you already run — Prisma Cloud, Red Hat ACS / StackRox. Zero Axera install in the cluster. Right for environments where adding components is hard or already governed elsewhere.
eBPF agent
Deploy a single privileged DaemonSet (NetObserv-based) for kernel-level capture — DNS resolution, packet translation and round-trip time included. No workload sidecars, no per-pod agents. Right for richer signal where you control the cluster.
Hybrid
Different modes per cluster. eBPF agent in production for richer signal, agentless in test or dev, both side by side in mixed estates. One Axera plane manages all of them.
axera-flow-agent.yaml
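apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: axera-flow-agent
  namespace: axera-flow
spec:
  # apps/v1 requires a selector that matches the pod template labels;
  # the label key and value used here are an assumed placeholder.
  selector:
    matchLabels:
      app: axera-flow-agent
  template:
    metadata:
      labels:
        app: axera-flow-agent
    spec:
      hostNetwork: true   # agent shares the node's network namespace
      containers:
        # Kernel-level flow capture
        - name: ebpf-agent
          image: quay.io/netobserv/netobserv-ebpf-agent
          env:
            - { name: ENABLE_DNS_TRACKING, value: "true" }
            - { name: ENABLE_RTT,           value: "true" }
            - { name: DIRECTION,            value: "both" }
        # Enrichment and routing of captured flows
        - name: flowlogs-pipeline
          image: quay.io/axera/axera-flowlogs-pipeline:v1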
How a flow becomes policy
01 Capture: eBPF DaemonSet on each node, or a container security tool export — depending on the mode chosen for the cluster.
02 Enrichment: FLP pipeline adds K8s metadata: pod, owner, namespace; labels subnets (cluster vs egress).
03 Routing: East-west flows → cluster topic; cluster-out egress → external-flows topic. Separate Kafka topics per direction.
04 Policy: Radar visualizes; engine generates least-privilege NetworkPolicy; Axera ships through change-control to your cluster.
Whichever mode you choose — agentless, agent, or hybrid — the management plane is the same: identical UI, RBAC, audit trail and NetworkPolicy lifecycle. Switch modes per cluster as your environment evolves.
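
An added illustration of the Routing and Policy steps above, not Axera's code: flows are split into east-west and egress streams by destination subnet, then aggregated into one NetworkPolicy per workload and direction. The flow fields, the `app` label, the 10.0.0.0/8 cluster range and the sample records are assumptions constructed for the example.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

CLUSTER_CIDRS = [ip_network("10.0.0.0/8")]   # assumed pod/service ranges
NS_LABEL = "kubernetes.io/metadata.name"     # label Kubernetes sets on every namespace
Flow = namedtuple("Flow", "src dst dst_ip proto port")  # hypothetical enriched record

# Constructed sample flows: src/dst are (namespace, app) pairs, dst is None outside the cluster.
FLOWS = [
    Flow(("payments", "api"), ("payments", "db"), "10.1.2.3", "TCP", 5432),
    Flow(("payments", "worker"), ("payments", "db"), "10.1.2.3", "TCP", 5432),
    Flow(("payments", "api"), None, "203.0.113.10", "TCP", 443),
]

def route(flows):
    """Routing step: split flows into east-west and cluster-out egress streams."""
    east_west, egress = [], []
    for f in flows:
        inside = any(ip_address(f.dst_ip) in net for net in CLUSTER_CIDRS)
        (east_west if inside else egress).append(f)
    return east_west, egress

def _peer(p):
    if p[0] == "ip":                          # external destination
        return {"ipBlock": {"cidr": p[1]}}
    return {"namespaceSelector": {"matchLabels": {NS_LABEL: p[1]}},
            "podSelector": {"matchLabels": {"app": p[2]}}}

def build_policies(flows):
    """Policy step: one policy per workload and direction, listing only observed peers."""
    rules = defaultdict(lambda: defaultdict(set))  # (ns, app, kind) -> (proto, port) -> peers
    east_west, egress = route(flows)
    for f in east_west:
        key = (f.proto, f.port)
        rules[(*f.dst, "Ingress")][key].add(("pod", *f.src))
        rules[(*f.src, "Egress")][key].add(("pod", *f.dst))
    for f in egress:
        rules[(*f.src, "Egress")][(f.proto, f.port)].add(("ip", f.dst_ip + "/32"))
    policies = []
    for (ns, app, kind), by_port in sorted(rules.items()):
        side = "from" if kind == "Ingress" else "to"
        spec_rules = [{side: [_peer(p) for p in sorted(peers)],
                       "ports": [{"protocol": proto, "port": port}]}
                      for (proto, port), peers in sorted(by_port.items())]
        policies.append({"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                         "metadata": {"name": f"{app}-{kind.lower()}", "namespace": ns},
                         "spec": {"podSelector": {"matchLabels": {"app": app}},
                                  "policyTypes": [kind], kind.lower(): spec_rules}})
    return policies
```

A pod selected by an Egress policy loses every outbound path the policy does not list, so the observation window has to cover DNS lookups and infrequent jobs before such a policy is enforced.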

See the actual product

Real screens from a running Axera instance — topology, policy management, monitoring, analytics. No mockups.

axera.local/network-policy/overview
Network policy overview — interactive cluster topology
Service topology
Interactive map of every namespace and pod, with allow/drop verdicts color-coded across the cluster.
axera.local/network-policy/policy-management
Policy management — managed network policies
Policy management
Operational hub for NetworkPolicy: managed/unmanaged state, ingress/egress types, pod selectors and per-policy actions.
axera.local/network-policy/monitoring
Policy monitoring — live ACL stream
Live policy monitoring
Real-time CNI verdicts (146+ flows in this view) with verdict-based row coloring, filters, and one-click ‘drop to rule’.
axera.local/network-policy/analytics
Analytics — coverage, anomalies, distribution
Analytics & anomaly detection
Cluster-level posture with total events, allow/drop trend, anomaly markers and distribution breakdown.

How it works

An end-to-end policy lifecycle in three phases — read-only ingestion, change-controlled governance, and audited day-2 operation.

01 Observe

Read-only ingestion of east-west and egress traffic, with continuous baselining and drift detection.

  1.1 Connect signals
      Collect traffic, telemetry and intent from your existing network and security stack — non-intrusively.
  1.2 Observe & baseline
      Continuously observe service communication and egress, build baselines and surface drift before enforcement.
Read-only • No agents • Any CNI
02 Govern

Least-privilege recommendations, versioned policy management, and ITSM-aligned approval gates — never auto-enforced.

  2.1 Generate recommendations
      Least-privilege NetworkPolicy candidates with full diffs, risk tags and explainability.
  2.2 Policy management
      Version, own and review policies with PR-style change control, similar to legacy network rule management.
  2.3 Approval & ITSM
      Integrate with Jira, ServiceNow, Linear or Azure DevOps so policy changes flow through enterprise change management.
Diffs • RBAC • ITSM • GitOps
03 Operate

Deploy with rollback, monitor enforcement against runtime, and report coverage and posture to leadership.

  3.1 Rollout & enforcement
      Push policies directly to clusters or schedule deployments via cron — with versioned rollback for every change.
  3.2 Monitor & audit
      Continuously monitor enforced policies for violations, drift and unused rules with a complete audit trail.
  3.3 Analyze & report
      Coverage, risk posture and compliance trends with executive-ready dashboards and audit-ready reports.
Rollback • Forensics • Exports

Policy modes

Choose the enforcement strategy that matches your operational maturity.

Conservative rollout
Soft: Conservative baseline

Start conservative — observe and validate impact across east-west and egress before enforcing strict controls.

  • Start with observation + baselines
  • Low-risk: tighten progressively
  • Rollback-ready changes
Operational path: Soft → Restricted → Custom
Start safe with Soft. Tighten with gates in Restricted. Tailor your standard with Custom.

Policy Management

Operate NetworkPolicy with legacy-grade change control: diffs, approval gates, audit and rollback.

CHANGE CONTROL
PR-like workflow, audit-ready output
  • Policy-as-Code: Changes flow through PRs with clear diffs, owners and reviews.
  • Dry-run & Impact Preview: Before apply: what gets blocked, what opens, who is impacted.
  • Approval Gates & ITSM: Aligned with Jira, ServiceNow, Linear and Azure DevOps change requests and approval flows.
  • Progressive Rollout + Rollback: Safe rollout with instant rollback when needed.
GitOps • RBAC • ITSM • Audit trail
Change Set Preview
PR #1842 • prod • payments
Ready for approval
Approvals: Security • Platform • Change window
ITSM: Jira • ServiceNow • Linked: TASK-21987
Policy diff
+ allow: payments/api -> payments/db : 5432
+ allow: payments/worker -> kafka : 9092
~ deny: default (scoped)
Audit trail
Approved by Security • 2m ago
Scheduled to change window • Today 02:00

Monitoring & Analytics

Monitor real-time east-west and egress verdicts — agentless via container security tools or via the eBPF agent — measure coverage and risk posture in a single pane.

ACL Verdicts
Stream east-west and egress allow/drop decisions from the eBPF DaemonSet or your container security tools across clusters in real time.
Drift & Violations
Detect instantly when runtime behavior diverges from enforced policy.
Coverage & Risk
Which services are protected, which remain exposed — quantify your risk surface.
Anomaly Detection
Automatically surface deviations in traffic patterns for investigation.
Comparison
Compare policy posture across time periods, clusters or namespaces.
Reports & Export
Generate audit-ready executive reports with PDF and Excel export.
Live monitoring
Gaps between enforced policy and observed traffic.
Real-time
Denied flows: 12 (last 24h)
Drift events: 3 (critical services)
Exceptions: 5 (needs review)
Posture summary
Coverage, risk and rollout metrics at a glance.
PDF • Excel
Policy coverage: 74% (+6% WoW)
Exposed paths: -18% (30 days)
Rollout velocity: +22 policies/week

Designed to fit your stack

Connect to the signals you already have—telemetry, security feeds, and operational workflows—without replacing existing tools.

Container Security Tools (agentless)
Agentless mode: generate policies from radar and security signals provided by tools you already operate (Prisma Cloud, ACS / StackRox). Zero Axera-side install in the cluster.
Kafka Flow Ingestion
Ingest network flow data via Kafka per cluster, persisted and enriched by the Radar service.
GitOps: GitHub, BitBucket, GitLab
Push policy files to Git with PRs—versioned rollout with clear ownership and review.
Jira, ServiceNow, Linear, Azure DevOps
Change records, approval gates and alignment with enterprise change management processes.
eBPF flow capture (agent mode)
Agent mode: a single NetObserv-based DaemonSet captures east-west and egress flows at the kernel level — DNS, RTT and packet translation included. Independent of CNI log emission.
Multi-cluster K8s & OpenShift
Manage multiple Kubernetes and OpenShift clusters from a single pane of glass.
End-to-end operations
Existing signals → policy management → approval → progressive rollout → audit.
Enterprise change control
Evidence preview
ITSM • Audit • Exports
Linked CRQ-21987 • today
Diff approved (owner) • 2m
Stage rollout: 10% → 50% • 6m
Policy coverage updated • 9m
Change success: 99.3% • Rollback: < 1m
Container Security • GitHub • BitBucket • GitLab • Jira • ServiceNow • Linear • Azure DevOps • Kafka • OVN-Kubernetes • Cilium • Calico • LDAP / AD • Splunk • Syslog

Built for the enterprise

Operate Axera the way your security and platform teams already operate — with the controls, integrations and evidence enterprise change management requires.

RBAC + LDAP / AD
Admin, NetworkOperator, Auditor and AccessUser roles — with LDAP and Active Directory group mapping for centralized identity.
Multi-cluster
Onboard multiple Kubernetes and OpenShift clusters; deploy policy sets across all or progressively, cluster by cluster.
Audit & evidence
Every action is logged with user, timestamp and detail. Export change history, flow data and audit excerpts as PDF or Excel.
Change windows
Cron-scheduled deployments, ITSM-aligned approval gates, and instant versioned rollback — built around enterprise change management.
Server-side credential isolation
Cluster, Git and ITSM credentials are stored server-side and injected by the Proxy service — never exposed to the browser.
Logging & SIEM
Stream events and audit records to Splunk, Syslog or your existing observability stack.
RBAC • LDAP / AD • Multi-cluster • Audit trail • Splunk • Syslog • Change windows • Rollback

Security outcomes

Focused on measurable risk reduction and operational confidence.

Reduced Attack Surface
Least-privilege east-west paths and controlled egress to external destinations — based on real traffic, not guesses.
Egress & Exfiltration Control
Detect and block unauthorized outbound paths; allow only sanctioned egress to known external services.
Audit-ready by Design
Change-controlled approvals, evidence trails, and exportable records for compliance.
Operationally Safe Rollout
Progressive enforcement with rollback — no surprise outages.
Faster Incident Response
Forensics-ready visibility into what changed, when, and what it impacted.
Predictable Change Velocity
Security changes that move at delivery speed — without bypassing controls.
Evidence-ready posture
Built for compliance and incident response: change, approval, impact and outcome.
Audit • Forensics • Exports
Policy coverage: 74% (target: 90%)
Exposed paths: -18% (30 days)
Change success rate: 99.3% (rollout)
Audit excerpt
Linked CRQ-21987 • today
Approved by Security • 2m
Progressive rollout completed • 8m
Note: Even in Restricted mode, enforcement is never automatic—gates and rollback are required.

See Axera in action

Discover how enterprise teams adopt Kubernetes network segmentation safely—without disrupting operations.
