Scripts · April 15, 2026 · 1 min read

Kubeshark — API Traffic Viewer for Kubernetes

eBPF-powered, sidecar-free traffic viewer for Kubernetes that decodes HTTP, gRPC, Kafka, Redis and more across every pod in the cluster.

Introduction

Kubeshark is like Wireshark for Kubernetes: a real-time, service-mesh-free traffic viewer that captures L4/L7 traffic between pods and renders it in a browser with full decoding for HTTP, gRPC, Kafka, Redis, AMQP, DNS, and more. Because it taps at the node level with eBPF and pcap, you do not need to modify your workloads or install a sidecar.

What Kubeshark Does

  • Taps pod-to-pod, pod-to-service, and external traffic at line rate across a cluster.
  • Decodes application protocols (HTTP/1.1, HTTP/2, gRPC, Kafka, Redis, AMQP, MongoDB wire, DNS, TCP).
  • Offers a query language (KFL) to filter, alert, and redact in flight.
  • Records traffic to PCAP files for offline analysis in Wireshark.
  • Detects ingress anomalies, slow endpoints, and suspicious cross-namespace calls.

Architecture Overview

Two main components run in-cluster: a Hub (single replica) and a Worker DaemonSet. Workers attach BPF programs and raw sockets in each node's network namespace, decode traffic streams per connection, and push protocol-decoded events to the Hub over gRPC. The Hub stores the live buffer, serves the UI/API, and coordinates capture filters. Because capture happens in the kernel, encrypted TLS traffic can also be decoded if the workloads opt in via eBPF uprobes on OpenSSL/BoringSSL.

Self-Hosting & Configuration

  • Helm chart: helm install kubeshark kubeshark/kubeshark.
  • Configure namespaces, label selectors, and resource limits via values.yaml.
  • Persist captures with tap.persistentStorage.enabled=true and a PVC.
  • Enable TLS master-key capture with tap.tls=true (requires eBPF permissions).
  • Set KFL scripts under scripting to auto-alert on patterns like elapsedTime > 500.
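The alerting idea above (auto-alert on elapsedTime > 500) together with the cross-namespace detection listed earlier, written out as an added example in the style of a Kubeshark scripting hook; this is not Kubeshark's own code. The hook name onItemCaptured and the item layout (protocol.name, src/dst.namespace, elapsedTime, request.method/path) are assumptions about the scripting API, and the allowlist and sample items are constructed.

```javascript
// Added example, not Kubeshark's own code. Assumptions: Kubeshark calls
// onItemCaptured(data) once per decoded request/response pair, and data has
// protocol.name, src.namespace/name, dst.namespace/name, elapsedTime, request.*.
const SLOW_MS = 500; // threshold from the page's KFL example

// Constructed allowlist of namespace pairs expected to talk to each other.
const ALLOWED_CROSS_NS = new Set(["frontend->api", "api->db"]);

// Return the findings for one captured item ([] when nothing is suspicious).
function classify(item) {
  const findings = [];
  if (typeof item.elapsedTime === "number" && item.elapsedTime > SLOW_MS) findings.push("slow");
  const src = item.src?.namespace ?? "?";
  const dst = item.dst?.namespace ?? "?";
  if (src !== dst && !ALLOWED_CROSS_NS.has(`${src}->${dst}`)) findings.push("cross-namespace");
  return findings;
}

// One-line summary; non-HTTP protocols such as Redis carry no request.method.
function describe(item) {
  const target = item.request?.method
    ? `${item.request.method} ${item.request.path ?? ""}`
    : (item.protocol?.name ?? "unknown");
  return `${item.src?.namespace}/${item.src?.name} -> ${item.dst?.namespace}/${item.dst?.name} ` +
    `${target} (${item.elapsedTime} ms)`;
}

// Hook assumed to be invoked by the Kubeshark scripting engine for each item.
function onItemCaptured(data) {
  const findings = classify(data);
  if (findings.length > 0) console.log(`[${findings.join(",")}] ${describe(data)}`);
}

// Constructed sample items standing in for live captures.
const SAMPLE_ITEMS = [
  { protocol: { name: "http" }, elapsedTime: 120, src: { namespace: "frontend", name: "web-7c9f" },
    dst: { namespace: "api", name: "orders-5d8b" }, request: { method: "GET", path: "/orders" } },
  { protocol: { name: "redis" }, elapsedTime: 30, src: { namespace: "api", name: "orders-5d8b" },
    dst: { namespace: "db", name: "redis-0" } },
  { protocol: { name: "http" }, elapsedTime: 850, src: { namespace: "frontend", name: "web-7c9f" },
    dst: { namespace: "api", name: "checkout-9a1c" }, request: { method: "POST", path: "/checkout" } },
  { protocol: { name: "http" }, elapsedTime: 40, src: { namespace: "default", name: "debug-pod" },
    dst: { namespace: "payments", name: "ledger-2f4e" }, request: { method: "GET", path: "/internal/health" } },
];

// Feed the samples through the hook and return only the items that produced findings.
function runSamples(items = SAMPLE_ITEMS) {
  const flagged = [];
  for (const item of items) {
    onItemCaptured(item);
    const findings = classify(item);
    if (findings.length > 0) flagged.push({ summary: describe(item), findings });
  }
  return flagged;
}

runSamples();
```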

Key Features

  • No sidecars, no service mesh requirement — taps via eBPF and raw sockets.
  • Protocol dissectors beyond HTTP (Kafka, Redis, AMQP, DNS, gRPC, Postgres preview).
  • Live query DSL with scripting for alerts, redaction, and augmentation.
  • UI replay of any request/response pair as a curl command.
  • Can export traffic to S3, Elasticsearch, webhooks, or PCAP.

Comparison with Similar Tools

  • Wireshark — host-level, no Kubernetes awareness; Kubeshark is cluster-native.
  • mizu — the predecessor project; Kubeshark is its modern, maintained fork.
  • Pixie — deep eBPF observability and auto-telemetry; broader, heavier footprint.
  • tcpdump + ksniff — low-level and manual; no UI, no decoding beyond TCP.
  • Istio + Kiali — mesh-dependent; Kubeshark needs no mesh and decodes more protocols.

FAQ

Q: Does Kubeshark need a service mesh? A: No. It captures directly at the kernel with eBPF.

Q: Can it decode TLS? A: Yes, via eBPF uprobes on common TLS libraries inside the pod process.

Q: What is the performance overhead? A: CPU overhead grows with packet volume; default config is tuned for development clusters.

Q: Can I run it on production? A: Yes, but scope it with selectors and disable TLS sniffing unless you truly need payload inspection.

Sources
