Rust + eBPF runtime observability

Evidence-first signals for Linux and Kubernetes.

E-Navigator collects node-local runtime observations, attributes them to workloads, derives bounded metrics and spans, and keeps every public claim tied to explicit proof.

Install with Helm Read proof status Run synthetic demo
  • Static Rust pipeline
  • eBPF sources
  • Versioned signals
  • Curated proof report
  • Pre-release 0.1.0
E-Navigator compass and Kubernetes signal logo

Capabilities

Runtime signals without application SDKs.

The current foundation turns process, network, DNS, HTTP, resource, trace, profile, and security observations into bounded native E-Navigator signals.

Pipeline

Source -> Processor -> Generator -> Sink

Static module registration keeps runtime behavior inspectable and testable.

Attribution

Host, process, container, Kubernetes

Signals carry context when evidence exists and warnings when it does not.

Export

JSON, Prometheus, OTLP

JSON stdout is the default. Prometheus and OTLP are opt-in and bounded.

Boundaries

No hidden production claims

Storage, UI, pprof, broad collector compatibility, reduced privilege, and reduced overhead stay non-claims until directly proven.

Proof status

Public evidence is curated, not dumped.

E-Navigator separates local tests, Docker smoke, Helm rendering, and privileged runtime proof. The proof report is the current public evidence map.

Proven locally

Static runtime, envelopes, parsers, generators, synthetic CLI, Docker smoke, and chart rendering.

Runtime-proven slices

Selected exec, network, DNS, HTTP, profile, resource, Prometheus, OTLP, and seccomp paths.

Still partial

Native flow-byte live export, symmetric DNS/HTTP capture, production backend proof, and reduced privilege.

Open proof report Read boundaries

Benchmarks

Methodology before numbers.

Local Criterion runs are hot-path hygiene. Runtime overhead, collector, and Kubernetes claims require guarded live proof with recorded artifacts.

5 evidence tiers kept separate
0 public raw proof dumps in the reader path
1 curated proof report for current claims
Read benchmark methodology

Install paths

Run locally, then verify releases before production.

Synthetic local run

Exercise the pipeline without privileged Linux or Kubernetes dependencies.

cargo run --locked -p e-navigator-cli -- --source synthetic

Helm OCI chart

Install the published chart, then pin digest-backed images after verification.

helm upgrade --install e-navigator oci://ghcr.io/e-navigator/charts/e-navigator \
  --version 0.1.0 \
  --namespace e-navigator-system \
  --create-namespace

Verify release artifacts

Check release manifest, checksums, Cosign signatures, SBOMs, image digest, and chart digest.

gh release download v0.1.0 --repo e-navigator/e-navigator --dir e-navigator-release
jq -r '.images[0].reference' e-navigator-release/release-manifest.json

White-paper ready docs

A clean evidence base for the follow-on paper.

Capabilities Boundaries Proof report Benchmarks Release verification