kfeatures
A pure-Go library that probes kernel capabilities at runtime and returns actionable diagnostics — not just "unsupported", but why and how to fix it.
```go
if err := kfeatures.Check(kfeatures.FeatureBPFLSM, kfeatures.FeatureBTF); err != nil {
	var fe *kfeatures.FeatureError
	if errors.As(err, &fe) {
		log.Fatalf("%s — %s", fe.Feature, fe.Reason)
		// Output: BPF LSM — CONFIG_BPF_LSM=y but 'bpf' not in active LSM list
	}
}
```

Why not cilium/ebpf/features or bpftool?
Neither tells you whether your tool can actually run. For example, BPF LSM requires three things simultaneously: CONFIG_BPF_LSM=y in the kernel config, bpf in the active LSM boot parameter list, and the LSM program type supported by the running kernel. cilium/ebpf/features can only check the last one. bpftool can check the first and last, but not the second. Neither provides remediation guidance.
kfeatures fills the gap: composite feature validation with actionable diagnostics, as a standalone Go library with no CGO.
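
The three-part BPF LSM requirement described above, as an added Go example (not kfeatures' own code). `DiagnoseBPFLSM`, `kconfigHas` and `lsmActive` are hypothetical helpers, the inputs are constructed samples in the format of a kernel config file and `/sys/kernel/security/lsm`, and `progTypeOK` stands in for a runtime probe of the LSM program type.

```go
package main

import (
	"fmt"
	"strings"
)

// kconfigHas reports whether kernel config text contains the line key=y.
func kconfigHas(kconfig, key string) bool {
	for _, line := range strings.Split(kconfig, "\n") {
		if strings.TrimSpace(line) == key+"=y" {
			return true
		}
	}
	return false
}

// lsmActive reports whether name is in a comma-separated active LSM list.
func lsmActive(list, name string) bool {
	for _, l := range strings.Split(strings.TrimSpace(list), ",") {
		if l == name {
			return true
		}
	}
	return false
}

// DiagnoseBPFLSM (hypothetical helper) checks the three conditions in order
// and returns the first failing reason together with a remediation hint.
func DiagnoseBPFLSM(kconfig, activeLSM string, progTypeOK bool) (bool, string) {
	switch {
	case !kconfigHas(kconfig, "CONFIG_BPF_LSM"):
		return false, "CONFIG_BPF_LSM is not set; use a kernel built with CONFIG_BPF_LSM=y"
	case !lsmActive(activeLSM, "bpf"):
		return false, "CONFIG_BPF_LSM=y but 'bpf' not in active LSM list; add bpf to the lsm= boot parameter"
	case !progTypeOK:
		return false, "LSM program type not supported by the running kernel"
	}
	return true, "BPF LSM usable"
}

func main() {
	// Constructed sample inputs, not read from a real host.
	kconfig := "CONFIG_BPF=y\nCONFIG_BPF_LSM=y\n# CONFIG_BPF_PRELOAD is not set\n"
	ok, why := DiagnoseBPFLSM(kconfig, "lockdown,capability,landlock,yama,apparmor\n", true)
	fmt.Println(ok, why)
}
```
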
What it detects

| Category | Features |
|---|---|
| Program types | LSM, kprobe, kprobe.multi, tracepoint, fentry |
| Core | BTF availability (CO-RE) |
| Security | BPF LSM enabled, IMA enabled, active LSM list |
| Capabilities | CAP_BPF, CAP_SYS_ADMIN, CAP_PERFMON, unprivileged BPF |
| Syscalls | bpf(), perf_event_open() |
| JIT | enabled, hardened, kallsyms, memory limit |
| Filesystems | tracefs, debugfs, securityfs, bpffs |
| Namespaces | initial user namespace, initial PID namespace |
| Workload requirements | program type, map type, helper-per-program-type |
| Kernel config | any CONFIG_* |

CLI
A CLI tool is included for operator diagnostics and CI/CD gating:
```sh
go install github.com/leodido/kfeatures/cmd/kfeatures@latest
# Probe all features
kfeatures probe
# Check specific requirements (exit 0 if met, 1 if not)
kfeatures check --require bpf-lsm,btf,cap-bpf
# JSON output
kfeatures probe --json
```