Kube-Knark is an open source tracer uses pcap & ebpf technology to perform runtime tracing on a deployed kubernetes cluster. It tracing the kubernetes API execution and master node configuration files permission changes. The trace matching events are leveraged via go plugin webhooks

###kube-knark trace the following :

• The full Kubernetes API specification execution calls especially mutation
  
• kubernetes master node configuration files permission changes CIS Kubernetes Benchmark specification

kube-knark tracing data are reported :

• Console dashboard
• Go Plugin hooks

kube-Knark console:

• Requirements
• Installation
• Quick Start
• User Plugin Usage
• Supported Specs

• Go 1.13+
• Linux Kernel 4.15+
• Clang 10+
• LLVM
• Kernel Headers
• Pcap

git clone https://github.com/chen-keinan/kube-knark
cd kube-knark
make build

Execute kube-knark without plugins

 ./kube-knark 

The Kube-knark expose 2 hooks for user plugins Example :

• OnK8sAPICallHook - this hook accepts k8s api call event with all details (http request /response ,matching API spec)
• OnK8sFileConfigChangeHook - this hook accepts master file configuration change event with command details (chown or chmod ,args and matching file change spec)

go build -buildmode=plugin -o=~/<plugin folder>/<plugin>.so ~/<plugin folder>/<plugin>.go

cp ~/<plugin folder>/<plugin>.so ~/.kube-knark/plugins/compile/<plugin>.so

The Kube-knark support 2 specs and can be easily extended:

• The full k8s API spec Kubernetes API specification
• master config file change spec Master Node Config

both specs can be easily extended by amended the spec files under ~/.kube-knark/spec folder

• code contribution is welcome !! , contribution with tests and passing linter is more than welcome :)
• /.dev folder include vagrantfile to be used for development : Dev Instruction