Investigation & API Debugging
Kubeshark provides real-time, protocol-level visibility into K8s traffic, coupled with a rich query language, a service map and a dashboard.
Whether you are troubleshooting an infrastructure problem, modeling new threats or investigating a security incident, Kubeshark helps you identify the culprit quickly.
Kubeshark captures, dissects and monitors all traffic and payloads going in, out and across containers, pods, nodes and clusters. You can view the dissected protocol messages in the dashboard all the way down to the payload level. Because that includes request headers and bodies (bearer tokens, session cookies, form data), treat the dashboard itself as sensitive and restrict who can reach it.
Kubeshark Filter Language (KFL)
Because the volume of traffic in a K8s cluster is massive, filtering is what lets you find the "needle in the haystack".
Here are a few examples:
Filtering traffic that uses a specific token (or tokens in general)
```
request.headers["Authorization"] == r"Token.*"
```
Focusing on a Certain Node
Use a node filter when you want to analyze the traffic at a specific node or set of nodes, for example when a single node is misbehaving or is suspected of being compromised.
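As an added example (not a query from the original page), the following KFL restricts the token filter above to the nodes of one node group. It assumes the `node.name` field matches the Kubernetes node name and that the node names `ip-10-0-1-*` are hypothetical; substitute your own naming scheme:

```kfl
node.name == r"ip-10-0-1-.*" and request.headers["Authorization"] == r"Token.*"
```

Regular expressions follow the `r"..."` form already used above; the `and` narrows the match to records captured on the selected nodes only.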
Historic Traffic Snapshot Analysis
Kubeshark can retain captured traffic over a long period of time, so it can present a historic snapshot of the traffic rather than only the live stream.
The example below presents traffic captured between two timestamps:
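As an added example (not a query from the original page), this KFL selects the records captured inside a fixed time window, which is the typical shape of an incident-response query once you know roughly when something happened. It assumes the `timestamp` field and the `datetime()` helper accept the `MM/DD/YYYY, h:mm:ss.SSS AM/PM` format shown; the timestamps themselves are made up:

```kfl
timestamp > datetime("10/19/2021, 6:29:02.593 PM") and timestamp < datetime("10/19/2021, 6:30:06.105 PM")
```

Combine the window with a protocol or payload condition (for example `and response.status == 500`) to cut the snapshot down further.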
Identity-aware Service Map
Kubeshark offers an instant, identity-aware Service Map that updates in real time. Used together with KFL, it lets you focus the analysis on specific parts of the cluster and reduce the scope to only a subset of your cluster's traffic.
For example, the following query will analyze the ingress traffic of two pods and the egress traffic of a third pod:
The resulting query produces the following service map:
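As an added example (not the query from the original page), this KFL expresses the scoping described above: ingress into two pods plus egress from a third. It assumes the `src.name`, `dst.name` and `dst.namespace` fields carry the resolved workload identities, and the names `front-end`, `catalogue`, `orders` and the namespace `shop` are hypothetical:

```kfl
(dst.name == "front-end" and dst.namespace == "shop") or (dst.name == "catalogue" and dst.namespace == "shop") or src.name == "orders"
```

Pinning `dst.namespace` avoids accidentally merging two workloads that share a name across namespaces; the service map drawn from this query shows only the edges that terminate at the two ingress targets or originate from `orders`.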