Kube-Knark Project

Trace your Kubernetes runtime!

Kube-Knark is an open source tracer that uses pcap and eBPF technology to perform runtime tracing on a deployed Kubernetes cluster. It traces Kubernetes API execution and permission changes to master node configuration files. Events that match a trace are passed on via Go plugin webhooks.

Kube-knark traces the following:

Kube-knark tracing data is reported to:

  • Console dashboard
  • Go Plugin hooks

Kube-knark console:

Requirements
  • Go 1.13+
  • Linux Kernel 4.15+
  • Clang 10+
  • LLVM
  • Kernel Headers
  • Pcap


git clone https://github.com/chen-keinan/kube-knark
cd kube-knark
make build

Quick Start

Execute kube-knark without plugins


User Plugin Usage (via go plugins)

Kube-knark exposes 2 hooks for user plugins (Example):

  • OnK8sAPICallHook – this hook accepts a k8s API call event with all details (HTTP request/response, matching API spec)
  • OnK8sFileConfigChangeHook – this hook accepts a master file configuration change event with command details (chown or chmod, args, and matching file change spec)

Copy the plugin to the plugins source folder (the .kube-knark folder is created on the first startup):

cp <plugin>.go ~/.kube-knark/plugins/source/<plugin>.go
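
As an added illustration (not kube-knark's own code and not the linked plugin example), the Go code below shows the kind of triage a plugin could apply to a file configuration change event: it checks a traced chmod or chown against a permission and ownership baseline. The FileChangeEvent type, the Triage function and the 0644 / root:root baseline are assumptions made for this example; kube-knark's real hook signature and event fields are not shown on this page.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// FileChangeEvent is a hypothetical stand-in for the event a plugin receives;
// kube-knark's real event type and field names are not shown on this page.
type FileChangeEvent struct {
	Command string   // "chmod" or "chown"
	Args    []string // arguments as traced
}

const maxMode, wantOwner = 0644, "root:root" // constructed baseline, an assumption

// Triage returns one finding per target file that drifts from the baseline.
func Triage(ev FileChangeEvent) []string {
	var ops, findings []string
	for _, a := range ev.Args {
		if !strings.HasPrefix(a, "-") { // drop option flags such as -R
			ops = append(ops, a)
		}
	}
	if len(ops) < 2 {
		return nil // need a change spec and at least one target file
	}
	reason := ""
	mode, err := strconv.ParseUint(ops[0], 8, 32)
	switch {
	case ev.Command == "chown" && ops[0] != wantOwner:
		reason = "owner set to " + ops[0] + ", expected " + wantOwner
	case ev.Command == "chmod" && err != nil:
		reason = "symbolic mode " + ops[0] + " needs manual review"
	case ev.Command == "chmod" && mode&^maxMode != 0:
		reason = fmt.Sprintf("mode %04o sets bits outside %04o", mode, maxMode)
	}
	for _, f := range ops[1:] {
		if reason != "" {
			findings = append(findings, f+": "+reason)
		}
	}
	return findings
}

func main() { // constructed sample event, not captured kube-knark output
	fmt.Println(Triage(FileChangeEvent{"chmod", []string{"-R", "777", "/etc/kubernetes/admin.conf"}}))
}
```

A real plugin would map the fields of the event it receives onto this check and forward the findings to whatever alerting channel it uses.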

Supported Specs

Kube-knark supports 2 specs and can be easily extended:

Both specs can be easily extended by amending the spec files under the ~/.kube-knark/spec folder.


  • Code contributions are welcome! Contributions with tests and a passing linter are more than welcome 🙂
  • The /.dev folder includes a Vagrantfile to be used for development: Dev Instruction