Kube-Knark is an open-source tracer that uses pcap and eBPF technology to perform runtime tracing on a deployed Kubernetes cluster. It traces Kubernetes API execution and permission changes to master node configuration files. Events that match a trace spec are exposed through Go plugin webhooks.
Traced events:
- Calls covered by the full Kubernetes API specification, especially mutations
- Permission changes to Kubernetes master node configuration files (CIS Kubernetes Benchmark specification)
Kube-knark tracing data is reported via:
- Console dashboard
- Go Plugin hooks
Requirements:
- Go 1.13+
- Linux Kernel 4.15+
- Clang 10+
- LLVM
- Kernel Headers
- Pcap
git clone https://github.com/chen-keinan/kube-knark
cd kube-knark
make build
Execute kube-knark without plugins:
./kube-knark
Kube-knark exposes 2 hooks for user plugins (see Example):
- OnK8sAPICallHook - this hook accepts a k8s API call event with all details (HTTP request/response, matching API spec)
- OnK8sFileConfigChangeHook - this hook accepts a master file configuration change event with command details (chown or chmod, args and matching file change spec)
Compile a plugin and copy it to the kube-knark plugins folder:
go build -buildmode=plugin -o ~/<plugin folder>/<plugin>.so ~/<plugin folder>/<plugin>.go
cp ~/<plugin folder>/<plugin>.so ~/.kube-knark/plugins/compile/<plugin>.so
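As an added example (not code from the kube-knark project), a plugin source that checks chmod/chown events on master config files against a permission policy before reporting them. The `FileChangeEvent` type, the hook signature, `Evaluate` and the `maxMode` values are assumptions made for illustration; only the hook name comes from the text above.

```go
package main

import (
	"fmt"
	"strconv"
)

// FileChangeEvent is a hypothetical event type; kube-knark's real one is not on this page.
type FileChangeEvent struct {
	Command string   // "chmod" or "chown"
	Args    []string // command arguments, target path last
}

// maxMode is a constructed sample policy: the loosest mode allowed per file.
var maxMode = map[string]uint64{
	"/etc/kubernetes/manifests/kube-apiserver.yaml": 0644,
	"/etc/kubernetes/admin.conf":                    0600,
}

// Evaluate returns a finding, or "" when the event stays within policy.
func Evaluate(ev FileChangeEvent) string {
	if len(ev.Args) < 2 {
		return ""
	}
	target, value := ev.Args[len(ev.Args)-1], ev.Args[len(ev.Args)-2]
	limit, watched := maxMode[target]
	mode, err := strconv.ParseUint(value, 8, 32)
	switch {
	case !watched:
		return ""
	case ev.Command == "chown" && value != "root:root":
		return fmt.Sprintf("violation: %s owner set to %s", target, value)
	case ev.Command == "chmod" && err != nil: // symbolic mode (o+w): old mode unknown
		return fmt.Sprintf("review: chmod %s %s", value, target)
	case ev.Command == "chmod" && mode&^limit != 0: // a bit outside the allowed mask
		return fmt.Sprintf("violation: %s mode %o exceeds %o", target, mode, limit)
	}
	return ""
}

// OnK8sFileConfigChangeHook uses the hook name from the page; the signature is assumed.
func OnK8sFileConfigChangeHook(ev FileChangeEvent) error {
	if msg := Evaluate(ev); msg != "" {
		fmt.Println(msg)
	}
	return nil
}

func main() {}
```

The mask test `mode&^limit` treats any permission bit not present in the policy mode as a loosening, so `640` passes a `644` limit while `664` does not.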
Kube-knark supports 2 specs:
- The full k8s API spec (Kubernetes API specification)
- The master config file change spec (Master Node Config)
Both specs can be easily extended by amending the spec files under the ~/.kube-knark/spec folder.
- Code contributions are welcome! Contributions with tests and a passing linter are more than welcome :)
- The /.dev folder includes a Vagrantfile to be used for development (see Dev Instruction)