
Open-source runtime tool that helps detect malware code execution and runtime misconfiguration changes on a Kubernetes cluster


chen-keinan/kube-knark


Kube-Knark Project

Trace your Kubernetes runtime!

Kube-Knark is an open-source tracer that uses pcap and eBPF technology to perform runtime tracing on a deployed Kubernetes cluster. It traces Kubernetes API execution and permission changes to master node configuration files. Matching trace events are exposed through Go plugin webhooks.

kube-knark traces the following:

kube-knark tracing data is reported to:

  • Console dashboard
  • Go Plugin hooks

[Image: kube-knark console]

Requirements

  • Go 1.13+
  • Linux Kernel 4.15+
  • Clang 10+
  • LLVM
  • Kernel Headers
  • Pcap

Installation

git clone https://github.com/chen-keinan/kube-knark
cd kube-knark
make build

Quick Start

Execute kube-knark without plugins

 ./kube-knark 

User Plugin Usage (via go plugins)

Kube-knark exposes 2 hooks for user plugins (Example):

  • OnK8sAPICallHook - this hook accepts a k8s API call event with all details (HTTP request/response, matching API spec)
  • OnK8sFileConfigChangeHook - this hook accepts a master file configuration change event with command details (chown or chmod, args and matching file change spec)

Compile user plugin

go build -buildmode=plugin -o ~/<plugin folder>/<plugin>.so ~/<plugin folder>/<plugin>.go

Copy plugin to folder (.kube-knark folder is created on the 1st startup)

cp ~/<plugin folder>/<plugin>.so ~/.kube-knark/plugins/compile/<plugin>.so
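
The kind of triage an OnK8sFileConfigChangeHook plugin could run on a chown/chmod event, as an added example that is not kube-knark's own code. The FileChangeEvent struct, the Assess function, the 0644 baseline and the sample paths are assumptions made for illustration; kube-knark's real event types are not shown on this page.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// FileChangeEvent is a hypothetical stand-in for the event handed to
// OnK8sFileConfigChangeHook; kube-knark's real type is not shown on this page.
type FileChangeEvent struct {
	Command string   // "chmod" or "chown"
	Args    []string // arguments as traced, e.g. ["-R", "777", "<path>"]
}

// maxMode is an assumed baseline: owner read/write, group and others read-only.
const maxMode = 0644

// Assess returns a finding and true when the traced command needs attention.
func Assess(ev FileChangeEvent) (string, bool) {
	switch ev.Command {
	case "chown":
		return "ownership change: " + strings.Join(ev.Args, " "), true
	case "chmod":
		for i, arg := range ev.Args {
			if strings.HasPrefix(arg, "-") {
				continue // option such as -R, not the mode operand
			}
			mode, err := strconv.ParseUint(arg, 8, 32)
			if err != nil { // symbolic mode (u+x): effect depends on current bits
				return "symbolic mode " + arg + ", review manually", true
			}
			if extra := mode &^ maxMode; extra != 0 {
				target := strings.Join(ev.Args[i+1:], " ")
				return fmt.Sprintf("mode %04o grants %04o beyond baseline %04o on %s", mode, extra, maxMode, target), true
			}
			return "", false // numeric mode within baseline
		}
	}
	return "", false
}

func main() {
	// Constructed sample events, not captured from a real cluster.
	for _, ev := range []FileChangeEvent{
		{"chmod", []string{"600", "/etc/kubernetes/admin.conf"}},
		{"chmod", []string{"-R", "777", "/etc/kubernetes/manifests"}},
	} {
		fmt.Println(Assess(ev))
	}
}
```
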

Supported Specs

Kube-knark supports 2 specs:

Both specs can be easily extended by amending the spec files under the ~/.kube-knark/spec folder.

Contribution

  • Code contributions are welcome! Contributions with tests and a passing linter are more than welcome :)
  • The /.dev folder includes a Vagrantfile to be used for development: Dev Instruction
