Compass picks up traces, RPS, and error rates from your existing Envoy and Linkerd proxies using eBPF — no code changes, no sidecar redeploys. Sub-1% CPU overhead per pod.
Topology, traces, latency, and saturation — joined on workload labels, not service names. Works on EKS, GKE, AKS, on-prem k3s.
Drilled to span; colored by service. The slow leg of every request is one click away.
P95 latency per service, binned in 15-second buckets.
Pair-wise cert status across the mesh — one yellow flags an expiring cert before Istio does.
# retries.yaml budget: ratio: 0.2 min_per_sec: 10 ttl: "5s" backoff: exponential cap: 3
eBPF agent runs as a DaemonSet, not a sidecar. Average CPU 0.6%, memory 38 MB resident — measured across 24h on a 12-node EKS cluster.
Compass attaches at the kernel — eBPF tracepoints on the socket layer pick up every TLS-terminated request inside the mesh. No SDK, no instrumentation library, no rebuild.
Run as many pods as you like. Compass charges by cluster footprint and span retention, not node count.
For one cluster up to 30 services.
For teams running 2–10 clusters per region.
For platform teams with 50+ clusters and regulated workloads.
"We rolled Compass out across 31 EKS clusters in three hours. No code changes. The CPU overhead on our 8k-pod fleet is 0.6%, end of story."
"The eBPF approach means our app teams don't need to touch their dockerfiles. Compass detected a retry storm in pricing 14 seconds before our SLO burn alarm did."
"Our previous mesh dashboard required redeploying every sidecar. Compass dropped in as a DaemonSet and we got better fidelity that night."
Most of our team is ex-Cilium and ex-Datadog. If something here doesn't satisfy, ping [email protected].
Neither is required. The agent runs as a DaemonSet and reads kernel events directly. If you already have Envoy or Linkerd injected, Compass also consumes their stats endpoint for richer L7 metadata — but it's strictly additive. A pod with no proxy still gets full topology and RPS coverage.
The agent itself is per-node, not per-pod. On a typical mixed workload we measure 0.6% CPU and 38 MB RSS per node averaged over 24h, and a P99 hook latency of 14µs. There is zero overhead added to the application pods themselves — they don't run any Compass code.
Yes. The agent's primary protocol is OTLP — point it at Jaeger, Tempo, Honeycomb, or any OTLP-compatible collector and you can use Compass purely as a capture layer. Our UI is optional and you only pay for what you query.
Namespaces are the tenant boundary. The agent applies a tenant label to every span based on the source pod's namespace, and our RBAC enforces row-level filters at query time. You can scope an API token to a single namespace, multiple, or the whole cluster.
Fargate denies kernel-level access, so eBPF mode is out. We ship a Fargate-compatible userspace agent that consumes the Envoy admin endpoint and proxy access logs. Coverage is slightly lower (no DB-protocol parsing without proxy support) but topology, RPS, and HTTP latency are intact.
Free for a single cluster, forever. No credit card, no contract — just a Helm chart and a topology graph in your browser.