kubeshark

mirror of https://github.com/kubeshark/kubeshark.git synced 2026-05-14 13:53:05 +00:00

Go to file

Volodymyr Stoiko 7b5954ea00 helm: grant hub tokenreviews and label worker pods for internal auth (#1926 )

* helm: grant hub tokenreviews and pass trusted controllers

Adds RBAC for hub to call the authentication.k8s.io/v1 TokenReview
endpoint, used by the new internalauth middleware to validate projected
ServiceAccountTokens presented by in-cluster gRPC callers.

Adds tap.internalAuth.trustedControllers value (empty by default),
threaded through to hub's -trusted-controllers flag as a CSV. Listing
a controller here lets pods owned by it authenticate to hub via the
projected SA token (audience kubeshark-hub). Hub-spawned Jobs are
always trusted regardless of this list. Hub matches OwnerReferences
by name AND UID, so a name-only forgery does not grant trust.

Sub-issue of kubeshark/hub#656.

* helm: inline trusted controllers in hub deployment template

The chart already knows its own controller names (worker DaemonSet
metadata.name is the literal "kubeshark-worker-daemon-set" in
09-worker-daemon-set.yaml). Pasting the same literal into a user-facing
tap.internalAuth.trustedControllers value adds a step without buying
anything — if the worker DS rename, the deployment template would have
to change in lockstep regardless.

Drop the values knob, render the flag unconditionally with the literal
worker DS name (matching the convention used elsewhere in this chart,
e.g. the hub deployment's {{ include "kubeshark.name" . }}-hub).

* helm: drop redundant comment on tokenreviews RBAC

* helm: drop -trusted-controllers flag (no caller today)

The flag was wiring forward-prep for a hypothetical worker->hub gRPC
caller from the DaemonSet. Hub-spawned Jobs (dissection-job) are
admitted via internalauth.RegisterSpawnedJob, not via this flag.
Re-add when an actual DaemonSet-deployed caller materializes.

* helm: label worker DS pods for hub internal auth

Worker pods don't call hub gRPC today, but pre-labeling the DS pod
template means a future worker->hub gRPC caller is one PR (worker-side)
away from working — no chart change required. Matches the generic
label-driven trust model in hub#783.

* helm: rename trust label to kubeshark.io/internal-auth

Matches the hub rename. Generic name so the same label can mark pods
trusted by future kubeshark services beyond hub.

2026-05-13 10:53:20 -07:00

.claude-plugin

Add KFL and Network RCA skills (#1875 )

2026-03-18 15:31:32 -07:00

.github

Add gcs cloudstorage configuration docs (#1862 )

2026-03-09 07:48:17 -07:00

cmd

refactor: replace Split in loops with more efficient SplitSeq and gofmt the code (#1888 )

2026-04-06 21:07:50 -07:00

config

Authz refactoring (helm chart + CLI) (#1921 )

2026-05-06 09:08:21 -07:00

debounce

🔨 Move cli folder contents into project root (#1253 )

2022-11-26 01:17:50 +03:00

errormessage

chore: fix some minor issues in the comments (#1767 )

2025-07-28 12:10:50 -07:00

helm-chart

helm: grant hub tokenreviews and label worker pods for internal auth (#1926 )

2026-05-13 10:53:20 -07:00

integration

Add MCP registry metadata for official registry submission (#1835 )

2026-02-06 10:39:42 -08:00

internal/connect

Make the scritps command directly use the K8s API without requiring a connector to Hub (#1615 )

2024-09-23 10:11:44 -07:00

kubernetes

Add --release-helmChartPath CLI flag for local Helm chart support (#1851 )

2026-03-04 08:29:04 -08:00

manifests

🔖 Bump the Helm chart version to 53.2.5 (#1920 )

2026-05-01 13:36:38 -07:00

mcp

Add KFL and Network RCA skills (#1875 )

2026-03-18 15:31:32 -07:00

misc

Migrate kubehq.com to kubeshark.com domain (#1824 )

2026-01-21 19:23:50 -08:00

semver

🔨 Move cli folder contents into project root (#1253 )

2022-11-26 01:17:50 +03:00

skills

🔖 Bump the Helm chart version to 53.2.5 (#1920 )

2026-05-01 13:36:38 -07:00

utils

Fix method name

2024-08-19 21:14:31 +03:00

.gitignore

updated gitignore (#1849 )

2026-02-18 11:52:13 -08:00

.goreleaser.yml

👷 Add GoReleaser job for automatically generating the Homebrew formulae (#1258 )

2022-12-09 19:19:06 +03:00

.mcp.json

Add KFL and Network RCA skills (#1875 )

2026-03-18 15:31:32 -07:00

CODE_OF_CONDUCT.md

📚 Move CODE_OF_CONDUCT.md and CONTRIBUTING.md to project root (#1251 )

2022-11-25 04:37:58 +03:00

codecov.yml

codecov yml for tests threshold (#214 )

2021-08-15 12:19:00 +03:00

CONTRIBUTING.md

Migrate kubehq.com to kubeshark.com domain (#1824 )

2026-01-21 19:23:50 -08:00

go.mod

CVE-2025-53547: Update helm to latest (#1774 )

2025-07-28 12:17:53 -07:00

go.sum

CVE-2025-53547: Update helm to latest (#1774 )

2025-07-28 12:17:53 -07:00

install.sh

Remove brew version before installing with script (#1503 )

2024-02-28 11:48:43 -08:00

kubectl.sh

🔧 Add some useful kubectl commands to Makefile

2023-04-10 01:09:34 +03:00

kubeshark.go

🐛 Have a short caller (file:line) log

2022-12-30 08:30:48 +03:00

LICENSE

📜 Update LICENSE

2022-11-30 04:50:12 +03:00

Makefile

fix(release-pr): sync bumped Chart.yaml to kubeshark.github.io (#1913 )

2026-05-01 10:07:20 -07:00

README.md

💄 Improve README with AI skills, KFL semantics, and cloud storage (#1892 )

2026-04-02 18:38:13 -07:00

RELEASE.md.TEMPLATE

Update RELEASE.md.TEMPLATE

2025-03-01 22:23:24 +02:00

README.md

Network Observability for SREs & AI Agents

Live Demo · Docs

Kubeshark indexes cluster-wide network traffic at the kernel level using eBPF — delivering instant answers to any query using network, API, and Kubernetes semantics.

What you can do:

Download Retrospective PCAPs — cluster-wide packet captures filtered by nodes, time, workloads, and IPs. Store PCAPs for long-term retention and later investigation.
Visualize Network Data — explore traffic matching queries with API, Kubernetes, or network semantics through a real-time dashboard.
See Encrypted Traffic in Plain Text — automatically decrypt TLS/mTLS traffic using eBPF, with no key management or sidecars required.
Integrate with AI — connect your favorite AI assistant (e.g. Claude, Copilot) to include network data in AI-driven workflows like incident response and root cause analysis.

Get Started

helm repo add kubeshark https://helm.kubeshark.com
helm install kubeshark kubeshark/kubeshark
kubectl port-forward svc/kubeshark-front 8899:80

Open http://localhost:8899 in your browser. You're capturing traffic.

For production use, we recommend using an ingress controller instead of port-forward.

Connect an AI agent via MCP:

brew install kubeshark
claude mcp add kubeshark -- kubeshark mcp

MCP setup guide →

Network Data for AI Agents

Kubeshark exposes cluster-wide network data via MCP — enabling AI agents to query traffic, investigate API calls, and perform root cause analysis through natural language.

"Why did checkout fail at 2:15 PM?" "Which services have error rates above 1%?" "Show TCP retransmission rates across all node-to-node paths" "Trace request abc123 through all services"

Works with Claude Code, Cursor, and any MCP-compatible AI.

MCP setup guide →

AI Skills

Open-source, reusable skills that teach AI agents domain-specific workflows on top of Kubeshark's MCP tools:

Skill	Description
Network RCA	Retrospective root cause analysis — snapshots, dissection, PCAP extraction, trend comparison
KFL	KFL (Kubeshark Filter Language) expert — writes, debugs, and optimizes traffic filters

Install as a Claude Code plugin:

/plugin marketplace add kubeshark/kubeshark
/plugin install kubeshark

Or clone and use directly — skills trigger automatically based on conversation context.

AI Skills docs →

Query with API, Kubernetes, and Network Semantics

Kubeshark indexes cluster-wide network traffic by parsing it according to protocol specifications, with support for HTTP, gRPC, Redis, Kafka, DNS, and more. A single KFL query can combine all three semantic layers — Kubernetes identity, API context, and network attributes — to pinpoint exactly the traffic you need. No code instrumentation required.

KFL reference → · Traffic indexing →

Workload Dependency Map

A visual map of how workloads communicate, showing dependencies, traffic volume, and protocol usage across the cluster.

Learn more →

Traffic Retention & PCAP Export

Capture and retain raw network traffic cluster-wide, including decrypted TLS. Download PCAPs scoped by time range, nodes, workloads, and IPs — ready for Wireshark or any PCAP-compatible tool. Store snapshots in cloud storage (S3, Azure Blob, GCS) for long-term retention and cross-cluster sharing.

Snapshots guide → · Cloud storage →

Features

Feature	Description
Traffic Snapshots	Point-in-time snapshots with cloud storage (S3, Azure Blob, GCS), PCAP export for Wireshark
Traffic Indexing	Real-time and delayed L7 indexing with request/response matching and full payloads
Protocol Support	HTTP, gRPC, GraphQL, Redis, Kafka, DNS, and more
TLS Decryption	eBPF-based decryption without key management, included in snapshots
AI Integration	MCP server + open-source AI skills for network RCA and traffic filtering
KFL Query Language	CEL-based query language with Kubernetes, API, and network semantics
100% On-Premises	Air-gapped support, no external dependencies

Install

Method	Command
Helm	`helm repo add kubeshark https://helm.kubeshark.com && helm install kubeshark kubeshark/kubeshark`
Homebrew	`brew install kubeshark && kubeshark tap`
Binary	Download

Installation guide →

Contributing

We welcome contributions. See CONTRIBUTING.md.

License

Apache-2.0

Description

The API traffic analyzer for Kubernetes providing real-time K8s protocol-level visibility, capturing and monitoring all traffic and payloads going in, out and across containers, pods, nodes and clusters. Inspired by Wireshark, purposely built for Kubernetes

amqp cloud-native devops devops-tools docker forensics go golang grpc incident-response kafka kubernetes microservice microservices microservices-application observability redis rest sniffer wireshark

Readme 166 MiB