Anatomy of Kubeshark

Distributed packet capture with minimal footprint, built for large scale production clusters.

Kubeshark consists of four software components that work together harmoniously:

CLI

The binary distribution of the Kubeshark client, written in Go.

It communicates with your cluster through the Kubernetes API to deploy the Hub and Worker pods.

Source code: kubeshark/kubeshark

Hub

The Hub is a pod that acts as a gateway to the Workers. It hosts an HTTP server and serves these purposes:

  • Accepts WebSocket connections and the accompanying filter.
  • Establishes new WebSocket connections to the workers.
  • Receives the dissected traffic from the workers.
  • Streams the results back to the requester.
  • Configures worker state through HTTP calls.

Source code: kubeshark/hub

Pod name: kubeshark-hub

Worker

It is deployed into your cluster as a DaemonSet to ensure that every node in your cluster is covered by Kubeshark.

The worker contains the implementations of the network sniffer and the kernel tracer. It captures packets from all network interfaces, reassembles the TCP streams and, where they are dissectable, stores them as PCAP files. Workers transmit the collected traffic to the Hub via WebSocket connections.

Kubeshark stores raw packets and dissects them on demand upon filtering.

The worker by itself can be used as a network sniffer on your computer without requiring a Kubernetes cluster.

Source code: kubeshark/worker

Pod name: kubeshark-worker-daemon-set-<id>

Distributed Protocol Dissectors

The dissection of application layer protocols is distributed throughout the cluster by the nature of the DaemonSet configuration.

Distributed PCAP-based Storage

Kubeshark uses distributed PCAP-based storage in which each worker stores the captured TCP streams in the root file system of its node.

Kubeshark’s configuration includes a storage limit that is set to 200MB by default. That limit can be changed through CLI options.

NOTE: See Worker Storage Limit section for more info.
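The two mechanics described above, writing a reassembled stream out as a PCAP file and keeping a node's PCAP storage under a byte limit, are shown together in the following Go program. It is an added example, not code from Kubeshark's worker: the names (`Packet`, `EncodePcap`, `Store`) are hypothetical, the PCAP layout is the standard classic libpcap format (24-byte global header, 16-byte per-record header, microsecond timestamps), and the oldest-stream-first eviction policy is an assumption chosen for the illustration, since the page only states that a limit exists.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Added illustration: a minimal classic-PCAP encoder plus a budgeted per-node
// store. Names (Packet, EncodePcap, Store) are hypothetical, not Kubeshark's.

const (
	pcapMagic        = 0xa1b2c3d4 // libpcap magic, microsecond timestamps
	pcapVersionMajor = 2
	pcapVersionMinor = 4
	linkTypeEthernet = 1     // DLT_EN10MB
	snapLen          = 65535 // maximum bytes kept per frame
)

// Packet is one captured Ethernet frame and its capture time.
type Packet struct {
	TS   time.Time
	Data []byte
}

// EncodePcap serialises the packets of one reassembled stream as a classic
// PCAP file image: 24-byte global header, then a 16-byte record header and
// the frame bytes for each packet. Frames longer than snapLen are truncated,
// with orig_len still recording the wire length.
func EncodePcap(packets []Packet) []byte {
	var buf bytes.Buffer
	var hdr [24]byte
	binary.LittleEndian.PutUint32(hdr[0:4], pcapMagic)
	binary.LittleEndian.PutUint16(hdr[4:6], pcapVersionMajor)
	binary.LittleEndian.PutUint16(hdr[6:8], pcapVersionMinor)
	// bytes 8..16 (thiszone, sigfigs) stay zero
	binary.LittleEndian.PutUint32(hdr[16:20], snapLen)
	binary.LittleEndian.PutUint32(hdr[20:24], linkTypeEthernet)
	buf.Write(hdr[:])
	for _, p := range packets {
		data := p.Data
		if len(data) > snapLen {
			data = data[:snapLen]
		}
		var rec [16]byte
		binary.LittleEndian.PutUint32(rec[0:4], uint32(p.TS.Unix()))
		binary.LittleEndian.PutUint32(rec[4:8], uint32(p.TS.Nanosecond()/1000))
		binary.LittleEndian.PutUint32(rec[8:12], uint32(len(data)))   // incl_len
		binary.LittleEndian.PutUint32(rec[12:16], uint32(len(p.Data))) // orig_len
		buf.Write(rec[:])
		buf.Write(data)
	}
	return buf.Bytes()
}

// ErrLimit is returned when a single stream would exceed the whole budget.
var ErrLimit = errors.New("stream larger than storage limit")

// Store keeps PCAP images for one node under a byte budget. The eviction
// policy (oldest stream first) is an assumption made for this example.
type Store struct {
	limit int64
	used  int64
	order []string          // stream ids, oldest first
	files map[string][]byte // stream id -> PCAP image
}

func NewStore(limit int64) *Store {
	return &Store{limit: limit, files: map[string][]byte{}}
}

func (s *Store) remove(id string) {
	img, ok := s.files[id]
	if !ok {
		return
	}
	s.used -= int64(len(img))
	delete(s.files, id)
	for i, v := range s.order {
		if v == id {
			s.order = append(s.order[:i], s.order[i+1:]...)
			break
		}
	}
}

// Put stores pcap under id, evicting the oldest streams until it fits.
func (s *Store) Put(id string, pcap []byte) error {
	n := int64(len(pcap))
	if n > s.limit {
		return ErrLimit
	}
	s.remove(id) // replacing an existing id must not be double-counted
	for s.used+n > s.limit && len(s.order) > 0 {
		s.remove(s.order[0])
	}
	s.files[id] = pcap
	s.order = append(s.order, id)
	s.used += n
	return nil
}

func (s *Store) Has(id string) bool { _, ok := s.files[id]; return ok }
func (s *Store) Used() int64        { return s.used }

func main() {
	// Constructed sample: two frames of one stream with a fixed timestamp.
	ts := time.Unix(1700000000, 123000)
	img := EncodePcap([]Packet{{TS: ts, Data: make([]byte, 60)}, {TS: ts, Data: make([]byte, 1500)}})
	s := NewStore(3000) // tiny budget so the second Put evicts the first
	fmt.Println(len(img), s.Put("stream-1", img), s.Put("stream-2", img), s.Has("stream-1"), s.Used())
}
```

The point of the budgeted store is the failure mode the limit exists for: a capture agent on every node writes to the node's root file system, so without a hard cap one busy node could fill its disk. Returning `ErrLimit` for a single oversized stream, rather than evicting everything to make room, keeps one pathological connection from wiping the node's whole capture history.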

Low Network Overhead

To reduce potential network overhead, only a fraction of the traffic is sent over the network upon request.

The Dashboard

Kubeshark’s dashboard is a React app that communicates with the Hub via WebSocket and displays the captured traffic in a scrolling feed.

Kubeshark UI

Source code: kubeshark/front

Pod name: kubeshark-front

NOTE: Read more in the dashboard section.