Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/chen-keinan/kube-knark
Open Source runtime tool which help to detect malware code execution and run time mis-configuration change on a kubernetes cluster
https://github.com/chen-keinan/kube-knark
ebpf ebpf-programs golang kubernetes linux scanner security
Last synced: 8 days ago
JSON representation
Open Source runtime tool which help to detect malware code execution and run time mis-configuration change on a kubernetes cluster
- Host: GitHub
- URL: https://github.com/chen-keinan/kube-knark
- Owner: chen-keinan
- License: apache-2.0
- Created: 2021-03-11T06:23:32.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2022-01-22T18:56:49.000Z (almost 3 years ago)
- Last Synced: 2024-10-14T14:59:01.438Z (22 days ago)
- Topics: ebpf, ebpf-programs, golang, kubernetes, linux, scanner, security
- Language: Go
- Homepage:
- Size: 6.45 MB
- Stars: 34
- Watchers: 3
- Forks: 4
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
README
[](https://goreportcard.com/report/github.com/chen-keinan/kube-knark)
[](https://github.com/chen-keinan/beacon/blob/main/LICENSE)
[](https://travis-ci.com/chen-keinan/kube-knark)
[](https://gitter.im/kube-knark/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
# Kube-Knark Project
### Trace your kubernetes runtime !!
Kube-Knark is an open-source tracer that uses pcap & ebpf technology to perform runtime tracing on a deployed Kubernetes cluster. It is tracing the Kubernetes API execution and master node configuration files permission changes. The trace matching events are leveraged via go plugin webhooks
### kube-knark trace the following :
- The full [Kubernetes API specification](https://kubernetes.io/docs/reference/kubernetes-api/) execution calls especially mutation
- kubernetes master node configuration files permission changes [CIS Kubernetes Benchmark specification](https://www.cisecurity.org/benchmark/kubernetes/)
kube-knark tracing data are reported :
- Console dashboard
- Go Plugin hooks
kube-Knark console:
* [Requirements](#requirements)
* [Installation](#installation)
* [Quick Start](#quick-start)
* [User Plugin Usage](#user-plugin-usage)
* [Supported Specs](#supported-specs)
* [Contribution](#Contribution)
## Requirements
- Go 1.13+
- Linux Kernel 4.15+
- Clang 10+
- LLVM
- Kernel Headers
- Pcap
## Installation
```shell
git clone https://github.com/chen-keinan/kube-knark
cd kube-knark
make build
```
## Quick Start
Execute kube-knark without plugins
```shell
./kube-knark
```
## User Plugin Usage (via go plugins)
The Kube-knark expose 2 hooks for user plugins [Example](https://github.com/chen-keinan/kube-knark/tree/master/examples/plugins) :
- **OnK8sAPICallHook** - this hook accepts k8s api call event with all details (http request /response ,matching API spec)
- **OnK8sFileConfigChangeHook** - this hook accepts master file configuration change event with command details (chown or chmod ,args and matching file change spec)
##### Compile user plugin
```shell
go build -buildmode=plugin -o=~//.so ~//.go
```
##### Copy plugin to folder (.kube-knark folder is created on the 1st startup)
```shell
cp ~//.so ~/.kube-knark/plugins/compile/.so
```
## Supported Specs
The Kube-knark support 2 specs and can be easily extended:
- The full k8s API spec [Kubernetes API specification](https://github.com/chen-keinan/kube-knark/tree/master/internal/spec/api)
- master config file change spec [Master Node Config](https://github.com/chen-keinan/kube-knark/tree/master/internal/spec/filesystem)
both specs can be easily extended by amended the spec files under ```~/.kube-knark/spec``` folder
## Contribution
- code contribution is welcome !! , contribution with tests and passing linter is more than welcome :)
- /.dev folder include vagrantfile to be used for development : [Dev Instruction](https://github.com/chen-keinan/kube-knark/tree/master/.dev)