{"id":34142512,"url":"https://github.com/intelops/kubviz","last_synced_at":"2026-03-12T19:33:30.642Z","repository":{"id":40249715,"uuid":"439791344","full_name":"intelops/kubviz","owner":"intelops","description":"Visualize Kubernetes \u0026 DevSecOps Workflows. Tracks changes/events real-time across your entire K8s clusters, git repos, container registries, SBOM, Vulnerability foot print, etc. , analyzing their effects and providing you with the context you need to troubleshoot efficiently. Get the Observability you need, easily.","archived":false,"fork":false,"pushed_at":"2025-02-18T14:21:50.000Z","size":8212,"stargazers_count":42,"open_issues_count":35,"forks_count":16,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-12-17T15:54:05.198Z","etag":null,"topics":["cloudnative","devops","devsecops","helm","helm-charts","kubernetes","monitoring","observability","troubleshooting"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/intelops.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":null,"code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-12-19T06:21:54.000Z","updated_at":"2025-07-05T21:28:19.000Z","dependencies_parsed_at":"2023-12-18T16:28:21.992Z","dependency_job_id":"f611551b-d621-4174-a6e6-e59d0480e6db","html_url":"https://github.com/intelops/kubviz","commit_stats":null,"previous_names":["intelops/kubviz","kube-tarian/kubviz"],"tags_count":133,"template":false,"template_full_name":null,"purl":"pkg:github/intelops/kubviz","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/i
ntelops%2Fkubviz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intelops%2Fkubviz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intelops%2Fkubviz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intelops%2Fkubviz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/intelops","download_url":"https://codeload.github.com/intelops/kubviz/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intelops%2Fkubviz/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30439914,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-12T14:34:45.044Z","status":"ssl_error","status_checked_at":"2026-03-12T14:09:33.793Z","response_time":114,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloudnative","devops","devsecops","helm","helm-charts","kubernetes","monitoring","observability","troubleshooting"],"created_at":"2025-12-15T03:05:19.323Z","updated_at":"2026-03-12T19:33:30.634Z","avatar_url":"https://github.com/intelops.png","language":"Go","readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\".readme_assets/logowithName.png\" alt=\"KubViz\" /\u003e\n\u003c/p\u003e\n\n\n\u003cp align=\"center\"\u003e\n  The open-source platform for Visualize Kubernetes \u0026 DevSecOps 
Workflows\n\u003c/p\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n[![Docker Image CI](https://github.com/kube-tarian/kubviz/actions/workflows/agent-kubviz-image.yml/badge.svg)](https://github.com/kube-tarian/kubviz/actions/workflows/agent-kubviz-image.yml)\n[![Client Docker Image CI](https://github.com/kube-tarian/kubviz/actions/workflows/client-image.yml/badge.svg)](https://github.com/kube-tarian/kubviz/actions/workflows/client-image.yml)\n[![CodeQL](https://github.com/kube-tarian/kubviz/actions/workflows/codeql.yml/badge.svg)](https://github.com/kube-tarian/kubviz/actions/workflows/codeql.yml)\n[![Go Report Card](https://goreportcard.com/badge/github.com/kube-tarian/kubviz)](https://goreportcard.com/report/github.com/kube-tarian/kubviz)\n\n[![Price](https://img.shields.io/badge/price-FREE-0098f7.svg)](https://github.com/kube-tarian/kubviz/blob/main/LICENSE)\n[![Discussions](https://badgen.net/badge/icon/discussions?label=open)](https://github.com/kube-tarian/kubviz/discussions)\n[![Code of Conduct](https://badgen.net/badge/icon/code-of-conduct?label=open)](./code-of-conduct.md)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n\n\u003c/div\u003e\n\n\u003chr\u003e\n\n\n## KubViz\n\nVisualize Kubernetes \u0026 DevSecOps Workflows. Tracks changes/events real-time across your entire K8s clusters, git repos, container registries, Container image Vulnerability scanning, misconfiguration, SBOM etc. , analyzing their effects and providing you with the context you need to troubleshoot efficiently. 
Get the Observability you need, easily.\n\n## Table of Contents\n- [How KubViz works](#how-kubviz-works)\n- [Architecture diagram](#architecture-diagram)\n- [How to install and run Kubviz](#how-to-install-and-run-kubviz)\n- [Use Cases](#use-cases)\n- [Contributing](#contributing)\n- [Code of Conduct](#code-of-conduct)\n- [Community](#community)\n- [License](#license)\n\n## How KubViz works\n\nThe KubViz client can be installed on any Kubernetes cluster. The KubViz agent runs in the Kubernetes cluster where the changes/events need to be tracked. The agent detects the changes in real time and sends those events via NATS JetStream, and the KubViz client receives them.\n\nThe KubViz client receives the events and passes them to the ClickHouse database. The events in the ClickHouse database can be visualized through Grafana.\n\nKubViz's event tracking component provides comprehensive visibility into the changes and events occurring within your Kubernetes clusters.\n\nKubViz offers a seamless integration with Git repositories, empowering you to effortlessly track and monitor changes that occur within your codebase by capturing events such as commits, merges, and other Git activities.\n\nKubViz also monitors changes in your container registry, providing visibility into image updates. By tracking these changes, KubViz helps you proactively manage container security and compliance.\n\nIt comprehensively scans Kubernetes containers for security flaws, such as vulnerabilities and misconfigurations, and creates an SBOM (Software Bill of Materials).\n\n## Architecture diagram\n\n![Arch. 
Diagram](.readme_assets/kubviz.png)\n\n## How to install and run Kubviz\n\n#### Prerequisites\n* A Kubernetes cluster\n* Helm binary\n\n#### Prepare Namespace\n\nThis command will create a new **namespace** for your cluster.\n\n```bash\nkubectl create namespace kubviz\n```\n\n#### Client Installation\n\n```bash\nhelm repo add kubviz https://intelops.github.io/kubviz/\nhelm repo update\n```\n\nThe following command will generate a token. Please make sure to take note of this token as it will be used for both client and agent installation purposes.\n\n```bash\ntoken=$(openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)\n```\n\n```bash\nhelm upgrade -i kubviz-client kubviz/client -n kubviz --set \"nats.auth.token=$token\"\n```\n\n**NOTE:**\n- If you want to get a token from a secret, use a secret reference with the secret's name and key.\n\n**NOTE:**\n- If you want to enable Grafana with the client deployment, add `--set grafana.enabled=true` to the helm upgrade command.\n\n- Kubviz provides a setup for Grafana with Postgres data persistence, ensuring that even if the Grafana pod/service goes down, the data will persist, safeguarding crucial information for visualization and analysis.\n\n```bash\nhelm upgrade -i kubviz-client kubviz/client -n kubviz --set \"nats.auth.token=$token\" --set grafana.enabled=true --set grafana.postgresql=true\n```\n\n- If Grafana already exists, use the same upgrade command without the `--set grafana.enabled=true` flag.\n\n```bash\nhelm upgrade -i kubviz-client kubviz/client -n kubviz --set \"nats.auth.token=$token\" --set grafana.enabled=true\n```\n\nParameter | Description | Default\n--------- | ----------- | -------\n`grafana.enabled` | If true, create grafana | `false`\n`grafana.postgresql` | If true, create postgresql | `false`\n\n- The KubViz client will also install NATS and ClickHouse. 
The NATS service is exposed as a LoadBalancer, and you need to note the external IP of the service **kubviz-client-nats-external** and pass it during the KubViz agent installation.\n\nThe following command will retrieve the IP address. Please make sure to take note of this IP address as it will be used for agent installation if your agent is located in a different cluster.\n\n```bash\nkubectl get services kubviz-client-nats-external -n kubviz --output jsonpath='{.status.loadBalancer.ingress[0].ip}'\n```\n**NOTE:**\n- If the Kubviz-client pod is in a CrashLoopBackOff state, installing the Kubviz-agent will bring it back up and running.\n\n#### Agent Installation\n\n##### Deploying Agent on the Same Kubernetes Cluster as KubViz Client:\n1. Make sure you have the KubViz client running on your Kubernetes cluster.\n2. Run the following command to deploy the KubViz agent:\n\n```bash\nhelm upgrade -i kubviz-agent kubviz/agent -n kubviz \\\n  --set \"nats.auth.token=$token\" \\\n  --set git_bridge.enabled=true \\\n  --set \"git_bridge.ingress.hosts[0].host=\u003cINGRESS HOSTNAME\u003e\",git_bridge.ingress.hosts[0].paths[0].path=/,git_bridge.ingress.hosts[0].paths[0].pathType=Prefix,git_bridge.ingress.tls[0].secretName=\u003cSECRET-NAME\u003e,git_bridge.ingress.tls[0].hosts[0]=\u003cINGRESS HOSTNAME\u003e \\\n  --set container_bridge.enabled=true \\\n  --set \"container_bridge.ingress.hosts[0].host=\u003cINGRESS HOSTNAME\u003e\",container_bridge.ingress.hosts[0].paths[0].path=/,container_bridge.ingress.hosts[0].paths[0].pathType=Prefix,container_bridge.ingress.tls[0].secretName=\u003cSECRET-NAME\u003e,container_bridge.ingress.tls[0].hosts[0]=\u003cINGRESS HOSTNAME\u003e\n```\n\n**NOTE:**\nIf you want to get a token from a secret, use a secret reference with the secret's name and key.\n\n3. Replace \"INGRESS HOSTNAME\" with the desired hostname for the Git Bridge and Container Bridge Ingress configurations.\n4. 
Replace \"SECRET-NAME\" with the desired secretname for the Git Bridge and Container Bridge Ingress configurations.\n\nParameter | Description | Default\n--------- | ----------- | -------\n`nats.host` | nats host | `kubviz-client-nats`\n`git_bridge.enabled` | If true, create git_bridge | `false`\n`git_bridge.ingress.hosts[0].host` | git_bridge ingress host name | `gitbridge.local`\n`git_bridge.ingress.hosts[0].paths[0].path` | git_bridge ingress host path | `/`\n`git_bridge.ingress.hosts[0].paths[0].pathType` | git_bridge ingress host path type | `Prefix`\n`container_bridge.enabled` | If true, create container_bridge | `false`\n`container_bridge.ingress.hosts[0].host` | container_bridge ingress host name | `containerbridge.local`\n`container_bridge.ingress.hosts[0].paths[0].path` | container_bridge ingress host path | `/`\n`container_bridge.ingress.hosts[0].paths[0].pathType` | container_bridge ingress host path type | `Prefix`\n`git_bridge.ingress.tls` | git_bridge ingress tls configuration | []\n`container_bridge.ingress.tls` | container_bridge ingress tls configuration | []\n\n**NOTE:**\n\n- Default Annotations for Ingress\n\nBy default, this Helm chart includes the following annotations for the git bridge and container bridge ingress resource:\n\n```yaml\nannotations:\n  cert-manager.io/cluster-issuer: letsencrypt-prod-cluster\n  kubernetes.io/force-ssl-redirect: \"true\"\n  kubernetes.io/ssl-redirect: \"true\"\n  kubernetes.io/tls-acme: \"true\"\n...\n```\n\nIf you do not want to use the default value, you can modify the annotation in [values.yaml](https://github.com/intelops/kubviz/blob/main/charts/agent/values.yaml#L60) and execute the following command:\n\n```bash\nhelm upgrade -i kubviz-agent kubviz/agent -f values.yaml -n kubviz\n```\n\n##### Deploying Agent on a Different Kubernetes Cluster:\n1. 
Run the following command to deploy the KubViz agent:\n\n```bash\nhelm upgrade -i kubviz-agent kubviz/agent -n kubviz --set nats.host=\u003cNATS IP Address\u003e --set \"nats.auth.token=$token\"\n```\n2. Replace \"\u003cNATS IP Address\u003e\" with the IP address of your NATS service **kubviz-client-nats-external**.\n\n**NOTE:**\n\nThe time-based job scheduler is added for each plugin, allowing you to schedule and automate the execution of plugins at specific times or intervals. To activate this scheduler, set 'enabled' to 'true.' Once enabled, each plugin's execution can be configured to run at a precise time or at regular intervals, based on the provided settings. Additionally, if you set the 'schedulingInterval' to '0', it will disable the plugins.\n\n#### How to Verify if Everything is Up and Running\n\nAfter completing the installation of both the client and agent, you can use the following command to verify if they are up and running.\n\n```bash\nkubectl get all -n kubviz\n```\n\n#### Configuration\n\nOnce everything is up and running, you need to perform additional configurations to monitor git repository events and container registry events.\n\nTo ensure that these events are sent to KubViz, you need to create a webhook for your repository. This webhook will transmit the event data of the specific repository or registry to KubViz.\n\nTo set up a webhook in your repository, [please follow these steps](docs/CONFIGURATION.md)\n\n#### How to View Event Data in Grafana\n\n1. Retrieve your Grafana login password by running the following command:\n\n```bash\nkubectl get secret --namespace kubviz kubviz-client-grafana -o jsonpath=\"{.data.admin-password}\" | base64 --decode ; echo\n```\n\n2. 
Get the Grafana URL to visit by running these commands in the same shell:\n\n```bash\nexport POD_NAME=$(kubectl get pods --namespace kubviz -l \"app.kubernetes.io/name=grafana,app.kubernetes.io/instance=kubviz-client\" -o jsonpath=\"{.items[0].metadata.name}\")\n```\n```bash\nkubectl --namespace kubviz port-forward $POD_NAME 3000\n```\n\n3. Access \"localhost:3000\" in your web browser, where you'll be prompted to enter your credentials. Utilize the username \"admin\" and the password obtained from step 1 to proceed.\n\n#### mTLS - mutual TLS Feature\n\nMutual TLS (mTLS) is an extension of standard Transport Layer Security (TLS) that enhances security by requiring both the client and server to authenticate and verify each other's identities during the SSL/TLS handshake process. This mutual authentication helps ensure that both parties are who they claim to be, providing a higher level of security for sensitive data exchanges.\n\nIn our kubviz setup, we use mTLS for secure communication with the NATS server. Both the agent and the client connect to the NATS server using mTLS. The agent sends data to the NATS server securely, and the client also uses mTLS to receive data from the NATS server.\n\n#### Why Use mTLS?\n\n- **Enhanced Security:** mTLS ensures that both the client and server are authenticated, mitigating the risk of man-in-the-middle attacks.\n\n- **Data Integrity:** By verifying identities, mTLS ensures that data is exchanged between trusted entities only.\n\n- **Regulatory Compliance:** For many industries, mTLS is a requirement for compliance with regulations that mandate secure communication.\n\n#### Configuring mTLS\n\nTo enable mTLS in your application for agent-to-NATS communication, [follow these steps:](docs/CONFIGURATION_MTLS.md)\n\n#### TTL - Time-To-Live Feature\n\nWe've implemented a Time-To-Live (TTL) feature to streamline the management of data within your ClickHouse tables. 
With TTL, historical data can be automatically relocated to alternative storage or purged to optimize storage space. This feature is particularly valuable for scenarios like time-series data or logs where older data gradually loses its relevance over time.\n\n#### Configuring TTL\n\nThe TTL value is customizable, empowering you to define the specific duration after which data is marked as 'expired'.\n\nTo guide you through the process of setting up a TTL, [please follow these steps](docs/CONFIGURATION_TTL.md)\n\n#### Customizing Security Scanning\n\nKubViz enables you to perform cluster scans, image scans, and SBOM creation in CycloneDX format. Vulnerabilities can be identified using these scans.\n\nYou can customize the security scans by changing the chart values.\n\n- To [disable](https://github.com/intelops/kubviz/blob/main/charts/agent/values.yaml#L186) the cluster scan, pass 0 or an empty string.\n\n```yaml\nschedule:\n  enabled: true\n  trivyclusterscanInterval: 0\n...\n```\n- To change the interval, pass the interval time.\n\n```yaml\nschedule:\n  enabled: true\n  trivyclusterscanInterval: \"@every 24h\"\n...\n```\n\nYou can change the intervals for [image-scan](https://github.com/intelops/kubviz/blob/main/charts/agent/values.yaml#L184) and [sbom](https://github.com/intelops/kubviz/blob/main/charts/agent/values.yaml#L185) in the same way.\n\n## Health Check\n\nYou can run different types of checks against your Kubernetes cluster to detect any issues or potential problems before they cause any downtime or service disruptions. The checks run in the background and send data to KubViz. 
After analysing the data from the dashboard, you can take corrective action quickly if any issues are detected.\n\nPlease check the [configuration](docs/CONFIGURATION_HEALTHCHECK.md) for health checks.\n\n## Use Cases\n\n### Cluster Event Tracking\n\n\u003cimg src=\".readme_assets/kubeDataNew.jpeg\" alt=\"Cluster Events\" width=\"525\" align=\"right\"\u003e\n\n\u003cbr\u003e\n\nUse KubViz to monitor your cluster events, including:\n\n- State changes\n- Errors\n- Other messages that occur in the cluster\n\n\u003cbr\u003e\n\n\u003cbr clear=\"all\"\u003e\n\n\u003cimg src=\".readme_assets/depricatedAPINew.jpeg\" alt=\"Deprecated Kubernetes APIs\" width=\"525\" align=\"right\"\u003e\n\n\u003cbr\u003e\n\n- Visualize Deprecated Kubernetes APIs: KubViz provides a clear visualization of deprecated Kubernetes APIs, allowing users to easily identify and update their usage to comply with the latest Kubernetes versions.\n- Track Outdated Images: With KubViz, you can track and monitor outdated images within your clusters, ensuring that you are using the most up-to-date and secure versions.\n- Identify Deleted APIs: KubViz helps you identify any deleted APIs in your clusters, guiding you to find alternative approaches or replacements to adapt to changes in Kubernetes APIs.\n\n\u003cbr\u003e\n\n\u003cbr clear=\"all\"\u003e\n\n### Git Repository Events Tracking\n\n\u003cimg src=\".readme_assets/GitBridgeNew.jpeg\" alt=\"gitBridge\" width=\"525\" align=\"right\"\u003e\n\n\u003cbr\u003e\n\n- KubViz allows you to track and observe all the events in your Git repository.\n\n- By capturing events such as commits, merges, and other Git activities, KubViz provides valuable insights into the evolution of your code. 
This comprehensive change tracking capability allows you to analyze the effects of code modifications on your development and deployment workflows, facilitating efficient collaboration among teams. With this feature, you can easily identify the root causes of issues, ensure code integrity, and maintain a clear understanding of the changes happening within your Git repositories.\n\n\u003cbr\u003e\n\n\u003cbr clear=\"all\"\u003e\n\n### Container Registry Events Tracking\n\n\u003cimg src=\".readme_assets/gitcontainerNew.jpeg\" alt=\"Container Registry Events Tracking\" width=\"525\" align=\"right\"\u003e\n\n\u003cbr\u003e\n\n- Using KubViz, you can also monitor changes in your container registry, which provides visibility into image updates. By tracking these changes, KubViz helps you proactively manage container registries.\n\n\u003cbr\u003e\n\n\u003cbr clear=\"all\"\u003e\n\n### Kubernetes Container Security Tracking\n\n\u003cimg src=\".readme_assets/trivyk8sNew.jpeg\" alt=\"Kubernetes Container Security Tracking\" width=\"525\" align=\"right\"\u003e\n\n\u003cbr\u003e\n\n- Using KubViz, you can comprehensively scan Kubernetes containers for security flaws such as vulnerabilities and misconfigurations.\n- Comprehensively detects vulnerabilities in OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless).\n- Detects configuration issues in the Kubernetes cluster.\n\u003cbr\u003e\n\n\u003cimg src=\".readme_assets/vul-misconfig.jpeg\" alt=\"Kubernetes Container Security Tracking\" width=\"525\" align=\"right\"\u003e\n\n\u003cbr clear=\"all\"\u003e\n\n### SBOM\n\n\u003cimg src=\".readme_assets/sbom.jpeg\" alt=\"sbom\" width=\"525\" align=\"right\"\u003e\n\n\u003cbr\u003e\n\n- Generate reports for Software Bill of Materials (SBOM) from images within your Kubernetes cluster using KubViz in the CycloneDX format. 
These reports will be available in JSON format.\n\n\u003cbr\u003e\n\n\u003cbr clear=\"all\"\u003e\n\n## Contributing\n\nYou are warmly welcome to contribute to KubViz.\nPlease refer to the detailed guide [CONTRIBUTING.md](docs/CONTRIBUTING.md).\n\n## Code of Conduct\n\nSee [CODE_OF_CONDUCT.md](docs/CODE_OF_CONDUCT.md)\n\n## Community\n\nActive communication channels\n- Discord\n\n## License\n\nRefer to the licence - [LICENCE](docs/LICENSE.md).\n","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fintelops%2Fkubviz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fintelops%2Fkubviz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fintelops%2Fkubviz/lists"}