No SDK. No sidecar. No proxy. A Linux kernel module that secures every workload on the node — any language, any framework, no code changes.
Your team adopted a service mesh for mTLS. Now you spend two days a week on mesh configuration tickets. Sidecars consume 30% of your cluster CPU. When one crashes, the workload goes dark and you're debugging Envoy at 2am. The tool you deployed for security has become the thing that pages you most.
Every pod runs an Envoy proxy. If the sidecar crashes, the workload loses connectivity. Your security layer is your availability risk.
CPU, memory, and an additional network hop on every request. At scale, sidecar overhead rivals the workloads they protect.
Each language needs its own security SDK — Python, Go, Java, Node.js, Rust — each with its own configuration, upgrade cycle, and on-call runbook.
eBPF programs are sandboxed by design. They cannot generate private keys, perform TLS handshakes, inject credentials, or enforce access policy. Visibility without enforcement is a dashboard, not security.
Riptides deploys as a kernel module on each node. It handles identity, encryption, credential injection, and policy enforcement — transparently, for every process on the node. No sidecars, no SDKs, no per-app configuration.
On Kubernetes: a DaemonSet with a driver-loader init container. On bare metal or VMs: a .deb/.rpm package and a systemd service. Two components, one deployment.
The module handles mTLS, credential injection, and access policy enforcement for every process on the node. Applications are completely unaware — no code changes, no configuration per workload.
The agent connects to the control plane and pushes identity policies, certificates, and credential bindings to the kernel module. Changes take effect immediately — no workload restarts.
Each node runs its own independent kernel module. A failure on one node is isolated to that node and does not affect any other; it is never a cluster-wide event.
If the module is unloaded, workloads revert to normal TCP behavior. The security layer degrades gracefully; workloads don't go dark.
Kernel module updates follow the same DaemonSet rolling update strategy you use for everything else. Node by node, with health checks between.
Start in PERMISSIVE mode, which accepts both plaintext and mTLS. Monitor telemetry. Enforce when ready. No big-bang cutover.
Deploy Riptides on one cluster running a service mesh. Start in permissive mode — existing sidecar mTLS continues to work alongside kernel-level mTLS. Validate with telemetry, then remove the sidecars. One kernel module per node replaces hundreds of sidecar proxies.
Kernel-level identity and enforcement. No code changes. Deploy in minutes.