The Kubernetes API Traffic Analyzer

See with your own eyes what’s happening in every corner of your K8s cluster!

Think Wireshark re-invented for Kubernetes (K8s). Kubeshark provides SREs and DevOps teams instant and unique insights that were previously unattainable, accelerating the diagnosis process of production incidents and ensuring rapid resolution.

Kubeshark offers real-time, cluster-wide, identity-aware, protocol-level visibility into API traffic, empowering its users to see with their own eyes what’s happening in all (hidden) corners of their K8s clusters.

Observe all traffic, including encrypted traffic (TLS) and payloads, entering, exiting, and traversing containers, pods, namespaces, nodes, and clusters, with support for REST, GraphQL, gRPC, Redis, Kafka, RabbitMQ (AMQP) and DNS.

API Traffic Analysis

Kubeshark employs various packet capture technologies (e.g. eBPF, AF_PACKET, AF_XDP, PF_RING) to capture cluster-wide L4 (TCP and UDP) traffic, directing it into distributed PCAP storage, and dissecting the following application layer protocols:

• HTTP/1.0
• HTTP/1.1
• HTTP/2
• AMQP
• Apache Kafka
• Redis
• DNS
• ICMP
• TCP (to diagnose TCP errors)
• gRPC over HTTP/2
• GraphQL over HTTP/1.1; and
• GraphQL over HTTP/2
• SCTP (partial support)

Using extended BPF (eBPF), Kubeshark traces function calls in both the kernel and user spaces.

Kubeshark can sniff the encrypted traffic (TLS) in your cluster without actually performing decryption. In essence, it hooks into entry and exit points of certain functions within the OpenSSL library and Go’s crypto/tls package.

Kubeshark recognizes service mesh solutions like Istio, Linkerd, and other service mesh implementations that utilize Envoy Proxy underneath.

Traffic Recording & Offline Analysis

When issues are not immediately apparent during observation, you have the option to record traffic either on a schedule or in response to specific events or behaviors. This traffic is captured in becomes available for offline analysis at the user’s discretion. Traffic can optionally upload to an immutable file storage (e.g. AWS S3, GCS), allowing for extended retention.

Collaborative API Debugging

Developers can access Kubeshark via their browser using a secure TLS connection, authenticating with their corporate identity. This ensures access is restricted to authorized information and functionality only.

Monitoring & Alerts Using L4/L7 Hooks

Kubeshark leverages a mix of scripting language, hooks, helpers, and jobs to identify unusual network activities and trigger responses through various integrations, including Slack, AWS S3, InfluxDB, and Elasticsearch, among others. This enables proactive monitoring and immediate alerting on potential issues.