https://github.com/sonichigo/kubetracer

A security monitoring solution to monitor system events on your cluster nodes.
https://github.com/sonichigo/kubetracer

ebpf k8s-cluster monitoring security

Last synced: 2 months ago
JSON representation

A security monitoring solution to monitor system events on your cluster nodes.

• Host: GitHub
• URL: https://github.com/sonichigo/kubetracer
• Owner: Sonichigo
• License: apache-2.0
• Created: 2025-05-07T09:05:03.000Z (about 1 year ago)
• Default Branch: main
• Last Pushed: 2025-05-19T07:06:02.000Z (about 1 year ago)
• Last Synced: 2025-09-29T04:47:31.483Z (9 months ago)
• Topics: ebpf, k8s-cluster, monitoring, security
• Language: Shell
• Homepage:
• Size: 30.3 KB
• Stars: 2
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# eBPF Based Kubernetes Monitoring

A security monitoring solution to monitor system events on your cluster nodes. By combining eBPF-based kernel tracing with periodic system audits in a lightweight DaemonSet, this solution offers proactive node-level security monitoring for Kubernetes clusters. It enables visibility into key events such as unauthorized process execution, privilege escalations, and suspicious mount or module activity without intrusive agents or heavyweight tools.

The modular architecture ensures ease of deployment and scalability across clusters of any size. Whether you're securing a production environment or auditing development clusters, this observability pipeline adds a powerful layer of defense.

## Architecture

![Architecture](https://github.com/Sonichigo/ebpf-k8s-monitoring/blob/main/k8s/main.svg)

Our security monitoring solution consists of four main components working together to detect, collect, and expose security-relevant events:

1. Security Monitor DaemonSet: Runs on each node to capture kernel events via kprobes and perform regular system scans

2. Monitoring Script ConfigMap: Houses the shell script that sets up kprobes and logs findings

3. Metrics Exporter Deployment: A Python container that processes events and exposes Prometheus metrics

4. ClusterIP Service: Allows Prometheus to scrape the exporter endpoints

Read More: [eBPF-based K8s Monitoring](https://blog.sonichigo.com/building-a-node-level-security-monitoring-pipeline)

## Prerequisites

- Kubernetes cluster

- kubectl

## Installation

1. Clone the repository:

   ```bash

   git clone https://github.com/sonichigo/kubeTracer.git && cd kubeTracer

   ```

2. Apply the Kubernetes manifests:

   ```bash

   bash k8s.sh

   ```

3. Verify the installation:

   ```bash

   kubectl get pods -n monitoring

   ```

4. Check the logs of the DaemonSet:

   ```bash

   kubectl logs -n monitoring -l app=security-monitor -f

   ```