{"id":30351564,"url":"https://github.com/san7o/kivebpf","last_synced_at":"2025-08-18T23:09:36.056Z","repository":{"id":279665149,"uuid":"939513193","full_name":"San7o/kivebpf","owner":"San7o","description":"Kive is a free and open source eBPF-powered file access monitoring Kubernetes operator. Kivebpf provides a stable API  to place inode-based traps on files and receive alerts when a file is accessed.","archived":false,"fork":false,"pushed_at":"2025-08-13T17:21:42.000Z","size":1798,"stargazers_count":7,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-08-13T17:36:57.641Z","etag":null,"topics":["ebpf","kubernetes"],"latest_commit_sha":null,"homepage":"https://san7o.github.io/kivebpf/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/San7o.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-02-26T16:57:11.000Z","updated_at":"2025-08-13T17:21:47.000Z","dependencies_parsed_at":"2025-04-08T10:23:58.192Z","dependency_job_id":"83d76309-1b2b-44c0-967c-4c989d73e8f8","html_url":"https://github.com/San7o/kivebpf","commit_stats":null,"previous_names":["san7o/hive-operator","san7o/kivebpf"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/San7o/kivebpf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/San7o%2Fkivebpf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/San7o%2Fkivebpf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/S
an7o%2Fkivebpf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/San7o%2Fkivebpf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/San7o","download_url":"https://codeload.github.com/San7o/kivebpf/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/San7o%2Fkivebpf/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271073387,"owners_count":24694538,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-18T02:00:08.743Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","kubernetes"],"created_at":"2025-08-18T23:09:35.241Z","updated_at":"2025-08-18T23:09:36.040Z","avatar_url":"https://github.com/San7o.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# kivebpf\n\nKive is a free and open source eBPF-powered file access monitoring\nKubernetes operator.\n\n# Basic Usage\n\nYou can specify a path to monitor and in which containers by\ncreating a `KivePolicy`. 
The following is an example policy:\n\n```yaml\napiVersion: kivebpf.san7o.github.io/v1\nkind: KivePolicy\nmetadata:\n  labels:\n    app.kubernetes.io/name: kivebpf\n  name: kive-sample-policy\n  namespace: kivebpf-system\nspec:\n  alertVersion: v1\n  traps:\n  - path: /secret.txt\n    create: true\n    mode: 444\n    callback: \"http://my-callback.com/alerts\"\n    matchAny:\n    - pod: nginx-pod\n      namespace: default\n      containerName: \"rgex:nginx-.*\"\n      matchLabels:\n        security-level: high\n    metadata:\n      alert-level: critical\n```\n\nThis sets up a trap on the path `/secret.txt` in the matched\ncontainers, creating it with `mode` permissions if it does not\nexist. The match groups under the `matchAny` field will be matched via\na logical OR, and each field in a match group is matched with a\nlogical AND. All the match fields are optional, but there must be at\nleast one match group under `matchAny`.\n\nWhen a file gets accessed, the operator will generate a `KiveAlert`\nand print the information to standard output in JSON format. 
The\nfollowing is an example alert:\n\n```json\n{\n  \"kive-alert-version\": \"v1\",\n  \"kive-policy-name\": \"kive-sample-policy\",\n  \"timestamp\": \"2025-08-02T16:51:19Z\",\n  \"metadata\": {\n    \"path\": \"/secret.txt\",\n    \"inode\": 16256084,\n    \"mask\": 36,\n    \"kernel-id\": \"2c147a95-23e5-4f99-a2de-67d5e9fdb502\"\n  },\n  \"custom-metadata\": {\n    \"alert-level\": \"critical\"\n  },\n  \"pod\": {\n    \"name\": \"nginx-pod\",\n    \"namespace\": \"default\",\n    \"container\": {\n      \"id\": \"containerd://0c37512624823392d71e99a12011148db30ba7ea2a74fc7ff8bd5f85bc7b499c\",\n      \"name\": \"nginx\"\n    }\n  },\n  \"node\": {\n    \"name\": \"kive-worker\"\n  },\n  \"process\": {\n    \"pid\": 176928,\n    \"tgid\": 176928,\n    \"uid\": 0,\n    \"gid\": 0,\n    \"binary\": \"/usr/bin/cat\",\n    \"cwd\": \"/\",\n    \"arguments\": \"/secret.txt -\"\n  }\n}\n```\n\nIf you specify a `callback` in the `KivePolicy`, then the data will be\nsent to the URL of the callback through an HTTP POST request.\n\nPlease read the [USAGE](./docs/USAGE.md) document to learn how to use\nthe operator in more detail. 
You can find more examples in\n[config/samples](./config/samples/).\n\n## Quick deploy\n\nTo deploy the operator, first make sure you have `cert-manager`\ninstalled for secure TLS connections (required):\n\n```bash\nkubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml\n```\n\nThen simply install the operator from the [official docker\nrepository](https://hub.docker.com/repository/docker/giovann103/kivebpf/general):\n\n```bash\nkubectl apply -f https://raw.githubusercontent.com/San7o/kivebpf/refs/heads/main/dist/install-remote.yaml\n```\n\n## Supported Environments\n\n\n| Component           | Supported Version(s)      | Notes                                                  |\n|---------------------|---------------------------|--------------------------------------------------------|\n| Kubernetes          | v1.33.x                   | Officially tested.                                     |\n| Container Runtime   | containerd                | Only `containerd` is supported at the moment.          |\n| Go (for dev build)  | 1.24                      | Required for building the operator.                    |\n| Linux Version       | 6.14                      | Tested on Linux 6.14.                                  |\n| Architectures       | x86_64                    | The eBPF program works only on x86_64.                 |\n\n# Development\n\nThe [DESIGN](./docs/DESIGN.md) document contains all the information\nabout the internals of the operator.\n\nPlease read the [DEVELOPMENT](./docs/DEVELOPMENT.md) document to build\nand get started with Kive's\ndevelopment. [EBPF-TESTING](./docs/EBPF-TESTING.md) has instructions\nto build and test the eBPF program without running the Kubernetes\noperator. 
To run a local cluster, take a look at\n[k8s-lab](./k8s-lab/README.md) or simply use the script\n[registry-cluster.sh](./hack/registry-cluster.sh).\n\nThe [status](./docs/status.org) contains information about the current\nstatus of development and future work.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsan7o%2Fkivebpf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsan7o%2Fkivebpf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsan7o%2Fkivebpf/lists"}