An open-source runtime tool that helps detect malware code execution and runtime misconfiguration changes on a Kubernetes cluster
APACHE-2.0 License
Kube-Knark is an open-source tracer that uses pcap and eBPF to perform runtime tracing on a deployed Kubernetes cluster. It traces Kubernetes API execution and permission changes to master node configuration files. Matching trace events are handed to user-supplied Go plugin webhooks.
Kube-Knark tracing data are reported to:
Kube-Knark console:
git clone https://github.com/chen-keinan/kube-knark
cd kube-knark
make build
Run kube-knark without plugins:
./kube-knark
Kube-Knark exposes two hooks for user plugins. To build a plugin and install it into the plugin folder:
go build -buildmode=plugin -o ~/<plugin folder>/<plugin>.so ~/<plugin folder>/<plugin>.go
cp ~/<plugin folder>/<plugin>.so ~/.kube-knark/plugins/compile/<plugin>.so
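The page does not show the hook signatures, so here is an added, illustrative Go plugin (not kube-knark's own code) that demonstrates what the two kinds of hook could do with the events the tracer produces: one for Kubernetes API execution, one for master node configuration file permission changes. The `APIEvent`, `FileEvent` and `Alert` types and the `APIHook`/`FileHook` names are assumptions; the sample events in `main` are constructed. The file is `package main`, so it compiles both as a normal program and with `-buildmode=plugin`.

```go
package main

import (
	"fmt"
	"strings"
)

// APIEvent is a constructed, hypothetical view of one traced Kubernetes API
// call. kube-knark's real event type and hook signatures are not shown on
// this page, so these names are assumptions.
type APIEvent struct {
	Method string // HTTP verb, e.g. GET, POST, DELETE
	Path   string // API path, e.g. /api/v1/namespaces/default/pods
	User   string // authenticated caller
}

// FileEvent is a constructed, hypothetical view of a permission change on a
// master node configuration file.
type FileEvent struct {
	Path    string
	OldMode uint32 // Unix mode bits before the change
	NewMode uint32 // Unix mode bits after the change
}

// Alert is what a hook returns when an event deserves attention; nil means
// the event is benign from this plugin's point of view.
type Alert struct {
	Severity string
	Message  string
}

// APIHook is the (hypothetical) exported symbol a tracer would call for
// API-execution events. It flags the calls that matter most for runtime
// detection: interactive sessions into a running pod and RBAC changes.
func APIHook(ev APIEvent) *Alert {
	switch {
	case ev.Method == "POST" && (strings.HasSuffix(ev.Path, "/exec") || strings.HasSuffix(ev.Path, "/attach")):
		return &Alert{"high", fmt.Sprintf("interactive session opened on %s by %s", ev.Path, ev.User)}
	case (ev.Method == "POST" || ev.Method == "PUT" || ev.Method == "DELETE") &&
		strings.Contains(ev.Path, "/apis/rbac.authorization.k8s.io/"):
		return &Alert{"medium", fmt.Sprintf("RBAC object changed (%s %s) by %s", ev.Method, ev.Path, ev.User)}
	}
	return nil
}

// FileHook is the (hypothetical) exported symbol for configuration-file
// permission changes. It alerts when a file gains write or read access for
// group/other, which is how a locked-down manifest typically drifts; it stays
// quiet when permissions are tightened.
func FileHook(ev FileEvent) *Alert {
	gained := ev.NewMode &^ ev.OldMode // bits present after the change but not before
	switch {
	case gained&0022 != 0:
		return &Alert{"high", fmt.Sprintf("%s became group/world-writable (%04o -> %04o)", ev.Path, ev.OldMode, ev.NewMode)}
	case gained&0044 != 0:
		return &Alert{"medium", fmt.Sprintf("%s became group/world-readable (%04o -> %04o)", ev.Path, ev.OldMode, ev.NewMode)}
	}
	return nil
}

// main only exists so the file runs stand-alone against constructed events;
// a plugin built with -buildmode=plugin never executes it.
func main() {
	apiEvents := []APIEvent{ // constructed sample events
		{Method: "GET", Path: "/api/v1/pods", User: "admin"},
		{Method: "POST", Path: "/api/v1/namespaces/default/pods/nginx/exec", User: "system:serviceaccount:default:web"},
		{Method: "POST", Path: "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings", User: "admin"},
	}
	fileEvents := []FileEvent{ // constructed sample events; paths are typical kubeadm locations
		{Path: "/etc/kubernetes/manifests/kube-apiserver.yaml", OldMode: 0644, NewMode: 0666},
		{Path: "/etc/kubernetes/admin.conf", OldMode: 0644, NewMode: 0600},
	}
	for _, ev := range apiEvents {
		if a := APIHook(ev); a != nil {
			fmt.Printf("[%s] %s\n", a.Severity, a.Message)
		}
	}
	for _, ev := range fileEvents {
		if a := FileHook(ev); a != nil {
			fmt.Printf("[%s] %s\n", a.Severity, a.Message)
		}
	}
}
```

The hooks return a value rather than printing so that the host can decide how to report (console, webhook); an event the plugin does not care about yields nil, which keeps the noise down when every API call on the cluster flows through it.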
Kube-Knark supports two specs, and both can be easily extended by amending the spec files under the ~/.kube-knark/spec folder.