The Kubernetes API Traffic Analyzer

Crush your Production Incidents’ MTTR!

Think Wireshark re-invented for Kubernetes (K8s): Kubeshark gives SREs and DevOps teams instant insights that were previously unattainable, speeding up the diagnosis of production incidents and their resolution.

Kubeshark offers real-time, cluster-wide, identity-aware, protocol-level visibility into API traffic, letting its users see with their own eyes what is happening in every (hidden) corner of their K8s clusters.

Observe all traffic, including payloads, entering, exiting and traversing containers, pods, namespaces, nodes and clusters, with support for REST, GraphQL, gRPC, Redis, Kafka, RabbitMQ (AMQP), DNS, WebSockets, TLS and mTLS.

Kubeshark UI

Kubeshark Use-cases

Visit the following sections to read more about the use-cases Kubeshark can help with:

API Traffic Analysis

Kubeshark uses various packet capture technologies (e.g. eBPF, AF_XDP, PF_RING) and custom kernel modules to capture cluster-wide L4 (TCP and UDP) traffic into distributed PCAP storage, and dissects the following application-layer protocols:

Kubeshark recognizes gRPC over HTTP/2, GraphQL over HTTP/1.1 and GraphQL over HTTP/2.

Kubeshark uses extended BPF (eBPF) to trace function calls in both kernel space and user space.

Kubeshark can sniff TLS-encrypted traffic in your cluster using eBPF without performing any decryption itself. It attaches probes to the entry and exit points of certain functions in the OpenSSL library and Go's crypto/tls package, and reads the plaintext buffers those functions handle before encryption and after decryption. No private keys or certificates are needed for this, but only traffic that passes through the hooked functions is visible this way, and the capturing agent needs the node-level privileges required to attach eBPF probes to other processes.

Kubeshark recognizes service meshes such as Istio and Linkerd, as well as other service mesh solutions built on Envoy Proxy.

Actionable Detection Using Scripts & L4/L7 Hooks

With a combination of a scripting language, hooks, helpers and jobs, Kubeshark can detect suspicious network behaviors and trigger actions through the available integrations (e.g. Slack, AWS S3, InfluxDB, Elasticsearch and more).
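The following is an added example of what such a detection script can look like; it is not code from the Kubeshark project. The onItemCaptured hook name and the vendor.slack(webhookUrl, pretext, text, color) helper follow the Kubeshark scripting docs as I remember them and should be checked against the current docs; the layout of the captured item (protocol.name, src/dst name and namespace, request, response) is an assumption, and the captured items at the bottom are constructed so the script also runs offline under Node.

```javascript
// Added example of a Kubeshark-style detection script (not the project's own code).
// Assumptions: hook name onItemCaptured, helper vendor.slack(webhookUrl, pretext, text,
// color), and the item field layout used below. SLACK_WEBHOOK_URL is a placeholder.
const SLACK_WEBHOOK_URL = "https://hooks.slack.com/services/REPLACE_ME"; // placeholder

// Namespaces whose workloads are allowed to talk to the cluster's sensitive backends.
const TRUSTED_NAMESPACES = new Set(["payments", "auth"]);
// Hosts that no workload should query directly (cloud instance metadata endpoints).
const METADATA_HOSTS = new Set(["169.254.169.254", "metadata.google.internal"]);
// Redis commands that reconfigure the server or write files, a classic post-exploitation step.
const DANGEROUS_REDIS = new Set(["CONFIG", "DEBUG", "SLAVEOF", "REPLICAOF", "SAVE", "BGSAVE", "MODULE"]);

// Pure classification logic: returns a finding object or null for one captured item.
// Rules are ordered from most to least severe so the first match wins.
function classifyItem(item) {
  const proto = (item.protocol && item.protocol.name) || "";
  const src = item.src || {};
  const dst = item.dst || {};
  const req = item.request || {};
  const res = item.response || {};

  // 1. Any HTTP request aimed at a metadata service (credential theft from a pod).
  if (proto === "http") {
    const host = (req.headers && req.headers.Host) || dst.ip;
    if (METADATA_HOSTS.has(host) || METADATA_HOSTS.has(dst.ip)) {
      return { severity: "high", rule: "metadata-endpoint-access",
               detail: `${src.namespace}/${src.name} -> ${host}${req.path || ""}` };
    }
  }

  // 2. Administrative Redis commands from any client.
  if (proto === "redis") {
    const cmd = String(req.command || "").toUpperCase();
    if (DANGEROUS_REDIS.has(cmd)) {
      return { severity: "high", rule: "dangerous-redis-command",
               detail: `${src.namespace}/${src.name} -> ${dst.name}: ${cmd} ${(req.args || []).join(" ")}` };
    }
  }

  // 3. A workload outside the trusted namespaces reaching into one of them.
  if (dst.namespace && TRUSTED_NAMESPACES.has(dst.namespace) &&
      src.namespace && !TRUSTED_NAMESPACES.has(src.namespace)) {
    return { severity: "medium", rule: "cross-namespace-to-trusted",
             detail: `${src.namespace}/${src.name} -> ${dst.namespace}/${dst.name}:${dst.port}` };
  }

  // 4. Plain reliability signal: upstream returned a 5xx.
  if (proto === "http" && res.status >= 500) {
    return { severity: "low", rule: "upstream-5xx",
             detail: `${src.name} -> ${dst.name}${req.path || ""}: ${res.status}` };
  }
  return null;
}

// Hook Kubeshark calls for every dissected item. Dispatches to Slack when the
// vendor helper exists (inside Kubeshark) and falls back to console.log offline.
function onItemCaptured(data) {
  const finding = classifyItem(data);
  if (!finding) return;
  const text = `[${finding.severity}] ${finding.rule}: ${finding.detail}`;
  if (typeof vendor !== "undefined" && vendor.slack) {
    vendor.slack(SLACK_WEBHOOK_URL, "Kubeshark detection", text,
                 finding.severity === "high" ? "#ff0000" : "#ffa500");
  } else {
    console.log(text);
  }
  return finding;
}

// Constructed sample items (not real captures) covering each rule and a benign request.
const SAMPLE_ITEMS = [
  { protocol: { name: "http" }, src: { name: "web-7f9c", namespace: "frontend", ip: "10.0.1.12" },
    dst: { name: "", namespace: "", ip: "169.254.169.254", port: 80 },
    request: { method: "GET", path: "/latest/meta-data/iam/security-credentials/",
               headers: { Host: "169.254.169.254" } }, response: { status: 200 } },
  { protocol: { name: "redis" }, src: { name: "cron-5d", namespace: "batch", ip: "10.0.2.3" },
    dst: { name: "redis-0", namespace: "cache", ip: "10.0.3.5", port: 6379 },
    request: { command: "config", args: ["set", "dir", "/var/spool/cron"] } },
  { protocol: { name: "http" }, src: { name: "debug-shell", namespace: "dev", ip: "10.0.4.9" },
    dst: { name: "ledger", namespace: "payments", ip: "10.0.5.2", port: 8080 },
    request: { method: "GET", path: "/accounts" }, response: { status: 200 } },
  { protocol: { name: "http" }, src: { name: "checkout", namespace: "payments", ip: "10.0.5.7" },
    dst: { name: "ledger", namespace: "payments", ip: "10.0.5.2", port: 8080 },
    request: { method: "POST", path: "/transfer" }, response: { status: 503 } },
  { protocol: { name: "http" }, src: { name: "checkout", namespace: "payments", ip: "10.0.5.7" },
    dst: { name: "ledger", namespace: "payments", ip: "10.0.5.2", port: 8080 },
    request: { method: "GET", path: "/health" }, response: { status: 200 } },
];

// Runs the classifier over the samples; returns one finding (or null) per item.
function runSamples() {
  return SAMPLE_ITEMS.map(classifyItem);
}
```

Keeping the rule logic in classifyItem, separate from the hook that talks to integrations, is deliberate: the rules can be exercised offline against captured or constructed items (as runSamples does) before the script is loaded into a cluster, and the hook stays a thin dispatcher that is easy to point at a different integration.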