The Kubernetes API Traffic Analyzer

See with your own eyes what’s happening in every corner of your K8s cluster!

Think Wireshark re-invented for Kubernetes (K8s). Kubeshark provides SREs and DevOps teams instant and unique insights that were previously unattainable, accelerating the diagnosis process of production incidents and ensuring rapid resolution.

Kubeshark offers real-time, cluster-wide, identity-aware, protocol-level visibility into API traffic, empowering its users to see with their own eyes what’s happening in all (hidden) corners of their K8s clusters.

Observe all traffic, including encrypted traffic (TLS) and payloads, entering, exiting, and traversing containers, pods, namespaces, nodes, and clusters, with support for REST, GraphQL, gRPC, Redis, Kafka, RabbitMQ (AMQP) and DNS.

Kubeshark UI

API Traffic Analysis

Kubeshark employs various packet capture technologies (e.g. eBPF, AF_XDP, PF_RING) and leverages custom kernel modules to capture cluster-wide L4 (TCP and UDP) traffic, directing it into distributed PCAP storage, and dissecting the following application layer protocols:

Kubeshark recognizes gRPC over HTTP/2, GraphQL over HTTP/1.1, and GraphQL over HTTP/2.

Using extended BPF (eBPF), Kubeshark traces function calls in both the kernel and user spaces.

Kubeshark can sniff the encrypted traffic (TLS) in your cluster without actually performing decryption. In essence, it hooks into entry and exit points of certain functions within the OpenSSL library and Go’s crypto/tls package.

Kubeshark recognizes service mesh solutions like Istio, Linkerd, and other service mesh implementations that utilize Envoy Proxy underneath.

Traffic Recording & Offline Analysis

When issues are not immediately apparent during observation, you have the option to record traffic either on a schedule or in response to specific events or behaviors. This traffic is captured in PCAP format and stored in immutable file storage, allowing for extended retention and offline analysis at your convenience.

You can tailor traffic recording to capture specific patterns, enabling detailed offline analysis of this recorded data.

Collaborative API Debugging

Kubeshark provides developers with secure, direct access to live API traffic, facilitating the real-time diagnosis of production incidents. This feature significantly reduces the reliance on DevOps teams to replicate bug evidence and performance issues.

Developers can access Kubeshark via their browser using a secure TLS connection, authenticating with their corporate identity. This ensures access is restricted to authorized information and functionality only.

Monitoring & Alerts Using L4/L7 Hooks

Kubeshark leverages a mix of scripting language, hooks, helpers, and jobs to identify unusual network activities and trigger responses through various integrations, including Slack, AWS S3, InfluxDB, and Elasticsearch, among others. This enables proactive monitoring and immediate alerting on potential issues.