kubeshark

Kubeshark is an API Traffic Analyzer for Kubernetes providing real-time, protocol-level visibility into Kubernetes’ internal network, capturing and monitoring all traffic and payloads going in, out, and across containers, pods, nodes, and clusters.

Think TCPDump and Wireshark re-invented for Kubernetes

Network Analysis

Kubeshark can sniff some or all of the OSI L4 (TCP and UDP) traffic in your cluster, record it into PCAP files, and dissect the following application layer protocols:

Kubeshark recognizes gRPC over HTTP/2, GraphQL over HTTP/1.1, and GraphQL over HTTP/2.

Kubeshark uses extended BPF (eBPF) to trace function calls in both the kernel space and the user space.

Kubeshark can sniff the encrypted traffic (TLS) in your cluster using eBPF without actually doing decryption. In fact, it hooks into entry and exit points in certain functions inside the OpenSSL library and Go’s crypto/tls package.

Kubeshark can recognize service mesh solutions like Istio, Linkerd, and other service mesh solutions that use Envoy Proxy under the hood.

Actionable Automation, Scripts & L4/L7 Hooks

With a combination of a scripting language, hooks, helpers, and jobs, Kubeshark can detect suspicious network behaviors and trigger actions supported by the available integrations (e.g. Slack, AWS S3, InfluxDB, Elasticsearch, and more).

Changelog v50.0

Release Highlights

Keywords: Helm, License, PF_RING, AF_XDP

In addition to numerous bug fixes, we enhanced our Helm chart by transitioning from Pods to Deployments for the Hub and Front containers. Our licensing approach has evolved, enabling all features to function freely in clusters with fewer than 10 nodes. Authentication has been dissociated from Ingress. Moreover, we introduced compatibility with PF_RING and AF_XDP for high-throughput computing environments.

Breaking Changes

  • Configuration file format has changed slightly, namely to separate Ingress from Authentication
  • Pro License is required when using more than 10 nodes

Additional Enhancements and Changes

  • Changed Hub’s and Front’s resource type from Pod to Deployment (f95db49)
  • Availability of PF_RING and AF_XDP support for high throughput computing environments
  • Authentication is now a standalone feature, independent from Ingress. Neither feature requires a Pro license.
  • New SAML support
  • As part of authentication, added approved individual emails to the approved domains in case SAML isn’t used
  • Ingress can now use TLS

Install & Use

Copyright 2022 Kubeshark