Inspiration

Micromize began while I was experimenting with BPF LSM and trying to build yet another application-specific LSM. At KubeCon NA, I realized the real problem wasn’t “designing another DSL to restrict apps,” but creating a simple, universal control that makes containers safer. Shifting from fine-grained profiling to coarse-grained hardening instantly simplified the entire space. It stopped being about detections or complex policies and became about enforcing a few well-known, high-impact restrictions that eliminate common container-escape paths.

What it does

Micromize applies a small set of powerful controls that prevent containers from performing actions they should never need. Unlike traditional Seccomp/SELinux-style tools, micromize strives to provide a modern audit mode with metrics, focuses specifically on containerized workloads (not generic Linux), and uses eBPF for low overhead and flexibility. For the hackathon version, it includes four controls: blocking ptrace, blocking kernel-module interactions, restricting dangerous procfs manipulation, and blocking process execution from outside a container’s root filesystem.

How we built it

Micromize is built using Inspektor Gadget, a framework designed for writing container-aware eBPF programs. The LSM hooks and BPF logic run inside IG’s infrastructure, while a lightweight user-space component helps bootstrap and experiment quickly. Most of the effort went into inspecting kernel source code and identifying the precise control paths needed to implement the restrictions safely.

Challenges we ran into

The biggest challenge was ensuring that restricting kernel behavior doesn’t break legitimate workloads. Picking the right choke points, validating them against real applications, and making sure nothing explodes required deep dives into kernel internals. Mapping procfs behaviors, LSM hooks, and execution paths meant a lot of time reading kernel code, and even then, there’s always uncertainty until it matures across environments.

Accomplishments that we're proud of

One of the highlights was the “no execution outside rootfs” control. It’s not something commonly implemented elsewhere, and arriving at an elegant, lightweight mechanism after starting with a much more complex design felt like a breakthrough. It demonstrated that coarse-grained, well-chosen controls can give strong protection without adding complexity.

What we learned

The biggest lesson was how much easier a problem becomes when viewed from the right angle. Instead of building another fine-grained policy system, thinking in terms of coarse-grained hardening opened up a simpler, more reliable model. It also reinforced how powerful BPF LSM can be when you stop trying to replicate existing frameworks and instead focus on a few high-impact kernel flows.

What's next for Micromize

Next steps include adding more controls, exposing events and metrics through OpenTelemetry so users can visualize and track violations in any dashboard, and offering a clean, fast installation path. The long-term vision is for Micromize to become a standard, widely adopted hardening control for container environments: something as fundamental as seccomp, but far simpler to adopt and operate.

Built With

  • ebpf
  • go
  • inspektorgadget