Actionable Network Observability
The Kubernetes network contains significant information that can be critical for use-cases such as incident investigation, API debugging, threat hunting and threat detection. Kubernetes’ highly dynamic and distributed nature makes the K8s network a blind spot.
Kubeshark is a new open-source tool that provides real-time protocol-level visibility into the K8s network, capturing and monitoring all traffic and payloads going in, out and across containers, pods, nodes and clusters.
The network is vast and traffic flows all the time. While the information in the network is likely to provide clear indications of breaches and problems, it is not realistic to process the entire network at all times.
The following short script example uses an L7 hook to detect a 500 response code in real-time and trigger a Slack alert:
Kubeshark supports three action categories:
- Alerts: Send real-time alerts to Slack, the console, the dashboard or use a webhook to send anything anywhere.
- PCAPs: Generate custom network traces (PCAPs) and upload to AWS S3.
- Telemetry: Stream user-generated and network metrics and schema-free documents (e.g. logs) to InfluxDB, Grafana and Elasticsearch.
The information in the network in conjunction with actionable automation can help devops and security engineers leverage the power of the network in the following areas:
You can read more about each use-case in the documentation.
See below some selected examples:
Use the L7 hook onItemQueried in conjunction with the test.* helpers to detect response code 500 and show alerts in the dashboard:
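The following is an added example of such a hook script, written for this article and not taken from the Kubeshark project; it serves both the Slack-alert script mentioned earlier and the dashboard-alert hook described above. The hook name onItemQueried and the test.* helpers come from the text; the item field layout (protocol.name, response.status, src/dst/request) and the vendor.slack helper are assumptions, and the two helpers are replaced by recording stand-ins so the script runs outside Kubeshark.

```javascript
// Stand-ins for the Kubeshark runtime helpers (assumed API) so the script runs offline.
// Inside Kubeshark these would be provided by the scripting runtime, not defined here.
const calls = { passed: [], failed: [], slack: [] };
const test = {
  pass: (item) => calls.passed.push(item),   // mark item as healthy in the dashboard
  fail: (item) => calls.failed.push(item),   // mark item as an alert in the dashboard
};
const vendor = {
  slack: (url, pretext, text, color) => calls.slack.push({ url, pretext, text, color }),
};
const SLACK_WEBHOOK_URL = "https://hooks.slack.com/services/PLACEHOLDER"; // placeholder, not a real hook

// Pure predicate: true only for HTTP items whose response status is 500
// (equivalent to the KFL query "http and response.status == 500").
function isServerError(item) {
  return Boolean(item && item.protocol && item.protocol.name === "http"
    && item.response && Number(item.response.status) === 500);
}

// Compact one-line description of the exchange, tolerating missing fields.
function describe(item) {
  const src = item.src && item.src.name ? item.src.name : "unknown";
  const dst = item.dst && item.dst.name ? item.dst.name : "unknown";
  const path = item.request && item.request.path ? item.request.path : "?";
  return `${src} -> ${dst} ${path} returned ${item.response.status}`;
}

// L7 hook: called per captured item. Flags the item for the dashboard and raises a
// Slack alert when it is a 500 response. The boolean return is for testing only;
// the runtime ignores it.
function onItemQueried(item) {
  if (!isServerError(item)) {
    test.pass(item);
    return false;
  }
  test.fail(item);
  vendor.slack(SLACK_WEBHOOK_URL, "HTTP 500 detected", describe(item), "#ff0000");
  return true;
}

// Constructed sample items (not real captures) in the assumed item layout.
const SAMPLE_OK = { protocol: { name: "http" }, src: { name: "frontend" }, dst: { name: "api" },
  request: { path: "/health" }, response: { status: 200 } };
const SAMPLE_500 = { protocol: { name: "http" }, src: { name: "frontend" }, dst: { name: "api" },
  request: { path: "/orders" }, response: { status: 500 } };
const SAMPLE_DNS = { protocol: { name: "dns" }, src: { name: "frontend" }, dst: { name: "kube-dns" } };

[SAMPLE_OK, SAMPLE_500, SAMPLE_DNS].forEach(onItemQueried);
```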
Build Custom Metrics
Upload PCAPs to AWS S3
Generate custom network traces (PCAPs) based on a rich filtering language and upload to AWS S3. Each network trace can consolidate numerous network fragments into a single custom network snapshot.
Here’s an example of a script that continuously monitors traffic, matching the traffic against two KFL queries:
- http and response.status == 500 - HTTP traffic with 500 response code
- dns - DNS traffic
Matching L4 streams are added to a PCAP repository, compressed and uploaded to AWS S3.
PCAP files matching the KFL queries are uploaded and available in AWS S3:
Read more in the Cloud Forensics section.
Stream Metrics to Grafana
Stream metrics and schema-free documents.
Read more in the Telemetry & Observability section.
Real-time Alerts and Forensics Using Slack
Use Slack to send real-time alerts that include event information and forensics (e.g. a network trace in PCAP format).
Read more in the Slack Integration section.