Kube-Knark Project
Trace your Kubernetes runtime!!
Kube-Knark is an open-source tracer that uses pcap & eBPF technology to perform runtime tracing on a deployed Kubernetes cluster. It traces Kubernetes API execution and permission changes on master node configuration files. Events that match a trace are passed on via Go plugin webhooks.
### kube-knark traces the following:
- Execution calls for the full Kubernetes API specification, especially mutations
- Permission changes on Kubernetes master node configuration files (CIS Kubernetes Benchmark specification)
kube-knark tracing data is reported to:
- Console dashboard
- Go Plugin hooks
Installation
git clone https://github.com/chen-keinan/kube-knark
cd kube-knark
make build
Use
Execute kube-knark without plugins
./kube-knark
User Plugin Usage (via go plugins)
Kube-knark exposes 2 hooks for user plugins:
- OnK8sAPICallHook – this hook accepts a k8s API call event with all details (HTTP request/response, matching API spec)
- OnK8sFileConfigChangeHook – this hook accepts a master file configuration change event with command details (chown or chmod, args and matching file change spec)
Compile user plugin
go build -buildmode=plugin -o ~/<plugin folder>/<plugin>.so ~/<plugin folder>/<plugin>.go
Copy plugin to folder (the .kube-knark folder is created on the 1st startup)
cp ~/<plugin folder>/<plugin>.so ~/.kube-knark/plugins/compile/<plugin>.so
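The kind of check an OnK8sFileConfigChangeHook plugin could run on a traced chmod or chown event, as an added example that is not kube-knark's own code. The FileChangeEvent struct, the Evaluate function and the policy map are hypothetical and constructed for illustration; the real hook signature and event type are defined by the project.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// FileChangeEvent is a hypothetical stand-in for the hook's event, not kube-knark's type.
type FileChangeEvent struct {
	Cmd  string   // "chmod" or "chown"
	Args []string // traced arguments, e.g. ["777", "/etc/kubernetes/admin.conf"]
}

// maxMode is a constructed policy: watched path -> most permissive mode allowed.
var maxMode = map[string]uint64{
	"/etc/kubernetes/manifests/kube-apiserver.yaml": 0644,
}

// Evaluate returns a finding, or "" when the change stays within policy.
func Evaluate(e FileChangeEvent) string {
	args := e.Args
	for len(args) > 0 && strings.HasPrefix(args[0], "-") {
		args = args[1:] // skip option flags such as -R
	}
	if len(args) < 2 {
		return ""
	}
	val, path := args[0], args[len(args)-1]
	limit, watched := maxMode[path]
	switch {
	case !watched:
		return ""
	case e.Cmd == "chown" && val != "root:root":
		return fmt.Sprintf("VIOLATION %s: owner %q is not root:root", path, val)
	case e.Cmd == "chmod":
		mode, err := strconv.ParseUint(val, 8, 32)
		if err != nil { // symbolic mode (e.g. g+w): result depends on the current mode
			return fmt.Sprintf("REVIEW %s: symbolic mode %q", path, val)
		}
		if mode&^limit != 0 { // any bit outside the ceiling, so 0700 fails a 0644 limit
			return fmt.Sprintf("VIOLATION %s: mode %04o exceeds %04o", path, mode, limit)
		}
	}
	return ""
}

func main() {
	fmt.Println(Evaluate(FileChangeEvent{"chmod", []string{"777", "/etc/kubernetes/manifests/kube-apiserver.yaml"}}))
}
```

The bit-mask comparison is deliberate: a numeric comparison would accept 0477 as "lower" than 0644 even though it grants group and other write access.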
Supported Specs
Kube-knark supports 2 specs, which can be easily extended:
- The full k8s API spec: Kubernetes API specification
- Master config file change spec: Master Node Config
Both specs can be easily extended by amending the spec files under the ~/.kube-knark/spec folder.
Copyright (C) 2021 chen-keinan
Source: https://github.com/chen-keinan/