Wednesday, January 8, 2025

View and Analyze Kubernetes API Traffic using Kubeshark

Containerization is one of the most widely adopted technologies of the past decade. It allows one to run applications in a lightweight executable known as a container. These containers can be run using tools such as Docker, Podman, OpenShift, Kubernetes, etc.

Kubernetes is one of the preferred tools that makes it easy to manage and scale containerized applications. It works by distributing the workloads across a cluster and automates the container storage, persistent volumes, and networking needs. By doing so the desired state of container applications is continuously maintained.

As a system admin, once you deploy your workload, you need to troubleshoot these Kubernetes containers in case of errors. You can obtain insights using kubectl commands such as kubectl logs, kubectl describe, and kubectl exec. In most cases, these commands do not provide enough information to identify the root cause of a problem. This creates a high need for monitoring and logging tools in complex environments.

“In the past, troubleshooting through traffic inspection was table stakes, it was easy. With Kubernetes, it’s not easy anymore,” said Alon Girmonsky, Up9 founder and CEO. This complexity led to the development of a simple-yet-powerful API debug and troubleshooting tool for Kubernetes known as Kubeshark. This is an open-source tool from UP9 to enable developers to obtain and visualize the Kubernetes API traffic in a WebUI.

When talking about Kubeshark, think of it as TCPDump and Wireshark re-invented for Kubernetes. This is because it injects a container that performs a tcpdump-like operation at the node level of a Kubernetes cluster. The operation can be executed on demand, without preparation, using a CLI built in Golang.

The below diagram illustrates how Kubeshark works.

Mizu architecture

The most amazing features of Kubeshark are:

  • No installation in the cluster is necessary. It needs no code instrumentation and is not a proxy; it just performs a tcpdump-like operation at the node level of a Kubernetes cluster.
  • Supports HTTP/1.x, HTTP/2, AMQP, Apache Kafka, and Redis protocols
  • It allows the use of regular expressions to observe all traffic or only specific pods.
  • Free and open-source. It is available for download on the GitHub repository.
  • Kubeshark uses kubectl and therefore can be run on any node with kubectl configured.

In this guide, we will learn how to view and analyze Kubernetes API Traffic using Kubeshark.

Step 1 – Set up a Kubernetes Cluster

This guide requires you to have a Kubernetes cluster configured. The guides below can be used to set up a Kubernetes cluster.

Once the cluster has been set up, ensure kubectl is installed.

curl -LO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x kubectl
sudo mv kubectl /usr/local/bin
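
The download above installs the binary without an integrity check. The following is an added example, not part of the original guide, that verifies kubectl against its published SHA-256 digest before installing it. It assumes the dl.k8s.io release host, which publishes a kubectl.sha256 file next to each binary; the function names are illustrative.

```sh
#!/bin/sh
# Added example: verify kubectl before installing it (function names are illustrative).
# Assumption: the release host publishes kubectl.sha256 beside the binary.
REL="https://dl.k8s.io/release"

# Download kubectl and its published checksum into directory $1 (needs network).
fetch_kubectl() {
    dir=$1
    ver=$(curl -fsSL "$REL/stable.txt") || return 1
    curl -fsSL -o "$dir/kubectl" "$REL/$ver/bin/linux/amd64/kubectl" || return 1
    curl -fsSL -o "$dir/kubectl.sha256" "$REL/$ver/bin/linux/amd64/kubectl.sha256"
}

# Return 0 only if the SHA-256 of file $1 equals the digest stored in file $2.
# Return 2 if either file is missing/empty or the digest is malformed.
verify_sha256() {
    file=$1; sumfile=$2
    [ -s "$file" ] && [ -s "$sumfile" ] || return 2
    want=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    # A SHA-256 digest is exactly 64 hex characters; reject anything else,
    # for example an HTML error page saved in place of the checksum.
    case $want in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || return 2
    got=$(sha256sum "$file" | awk '{print $1}')
    [ "$got" = "$want" ]
}

# Install file $1 as kubectl in directory $3 only if it verifies against $2.
install_verified() {
    verify_sha256 "$1" "$2" || {
        echo "checksum check failed, not installing $1" >&2
        return 1
    }
    install -m 0755 "$1" "$3/kubectl"
}

# Usage on a connected host:
#   d=$(mktemp -d) && fetch_kubectl "$d" &&
#     sudo sh -c ". ./verify-kubectl.sh; install_verified $d/kubectl $d/kubectl.sha256 /usr/local/bin"
```
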

Next, export the admin config to be able to use the tool.

##For RKE2
export PATH=$PATH:/var/lib/rancher/rke2/bin
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml

##For K0s
export KUBECONFIG=/var/lib/k0s/pki/admin.conf

Verify if the tool is working:

$ kubectl get nodes
NAME     STATUS   ROLES           AGE     VERSION
master   Ready    control-plane   5m59s   v1.25.2+k0s
node1    Ready    <none>          4m37s   v1.25.2+k0s
node2    Ready    <none>          4m28s   v1.25.2+k0s

Step 2 – Install Kubeshark on Your System

To install Kubeshark, first, download the executable and set the correct permissions as shown.

sh <(curl -Ls https://kubeshark.co/install)

Installation output:

🦈  Started to download Kubeshark
############################################################################################################################################################################################### 100.0%

⬇️  Kubeshark is downloaded into /tmp/kubeshark
Do you want to install system-wide? Requires sudo 😇 (y/N)? y
Kubeshark is installed into /usr/local/bin/kubeshark

Do you want to add 'ks' alias for Kubeshark? (y/N)? y
✅ You can use the  ks  command now.

Please give us a star 🌟 on https://github.com/kubeshark/kubeshark if you ❤️  Kubeshark!

Once the command has been executed and kubectl is configured and pointing to your Kubernetes cluster, you are set to use Kubeshark.

Step 3 – Run Kubeshark on Your System

Kubeshark provides a CLI tool that can be used to obtain your Kubernetes API traffic. The CLI provides several commands that include:

  • check: checks the prerequisites for Kubeshark and verifies the Kubeshark deployment health
  • clean: removes all Kubeshark resources
  • completion: generates the autocompletion script for the specified shell
  • config: generates config with default values
  • install: installs Kubeshark PRO components
  • logs: creates a zip file with logs for Github issues or troubleshooting
  • tap: records incoming traffic of a Kubernetes pod.
  • view: connects to an existing Kubeshark deployment and opens Kubeshark UI in the browser.
  • version: prints version info.

To get more help when using the CLI, use the command:

$ kubeshark help
A web traffic viewer for kubernetes
Further info is available at https://github.com/kubeshark/kubeshark

Usage:
  kubeshark [command]

Available Commands:
  check       Check the Kubeshark installation for potential problems
  clean       Removes all kubeshark resources
  completion  Generate the autocompletion script for the specified shell
  config      Generate config with default values
  help        Help about any command
  install     Installs kubeshark components
  logs        Create a zip file with logs for Github issue or troubleshoot
  tap         Record ingoing traffic of a kubernetes pod
  version     Print version info
  view        Open GUI in browser

Flags:
      --config-path string   Override config file path using --config-path (default "/Users/jkmutai/.kubeshark/config.yaml")
  -h, --help                 help for kubeshark
      --set strings          Override values using --set

Use "kubeshark [command] --help" for more information about a command.

To view the traffic of pods in all namespaces, use:

kubeshark tap -A

Sample Output:

Kubeshark will store up to 200MB of traffic, old traffic will be cleared once the limit is reached.
Tapping pods in all namespaces
+calico-node-58sb5
+calico-node-5cz2k
+calico-node-8mp4v
+calico-node-9m5tz
+calico-node-gnr26
+calico-node-jgfrm
....
+prometheus-adapter-678b454b8b-6bgqt
+prometheus-adapter-678b454b8b-974x6
+prometheus-k8s-0
+prometheus-k8s-1
+prometheus-operator-8577bd4db6-v2ngt
+nfs-provisioner-01-nfs-subdir-external-provisioner-669d6f8tqskt
Waiting for Kubeshark Agent to start...
Kubeshark is available at http://localhost:8899

Access the WebUI at http://localhost:8899

From this web Interface, you can view the service catalog

The service map tab shows how the services are mapped

You can also view the traffic stats

To stop Kubeshark, press CTRL+C; this stops the capture and removes all Kubeshark resources. You can also remove the resources manually with the command:

kubeshark clean

With the tap command, you can perform many other functions.

  • View traffic of a Pod

To view traffic on a specific pod say coredns-5d5b5b96f9-9hchn in the kube-system namespace, issue the command:

kubeshark tap coredns-5d5b5b96f9-9hchn -n kube-system

You will be able to view traffic on the specified pod.

To view traffic on several pods from different namespaces, you can use the command:

kubeshark tap "(catalo*|front-end*)" -A

Where the names of the pods are:

  • catalogue-6676dc489b-6tx9h
  • catalogue-db-69bd898747-7p8rq
  • front-end-946fd755f-8t6gp
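
The pod selector is a regular expression, not a shell glob, so a loose pattern can capture more pods than intended. The following added example (not from the original guide) previews what three ways of writing the selector would match against a constructed pod list. It assumes the pattern is searched anywhere in the pod name, and it uses grep -E as a stand-in for the tool's own regex engine.

```sh
#!/bin/sh
# Added example. Constructed pod names: the three from the text plus two
# that were not meant to be captured.
PODS='catalogue-6676dc489b-6tx9h
catalogue-db-69bd898747-7p8rq
front-end-946fd755f-8t6gp
payment-catalog-sync-0
coredns-5d5b5b96f9-9hchn'

# Print the pods a tap pattern would select. Assumption: the pattern is a
# regex searched anywhere in the pod name (not a glob, not anchored).
preview_tap() {
    printf '%s\n' "$PODS" | grep -E -e "$1" || true
}

# Number of pods selected by pattern $1.
count_tap() {
    preview_tap "$1" | grep -c . || true
}

# Compare three ways of writing the selector:
#   1. the loose pattern: "catalo*" means "catal" plus any number of "o",
#      so it also selects payment-catalog-sync-0
#   2. an anchored pattern that selects only the intended workloads
#   3. a flag typed inside the quotes, which becomes part of the regex
#      and therefore selects nothing
report() {
    for re in '(catalo*|front-end*)' \
              '^(catalogue|front-end)-' \
              '(catalo*|front-end*) -A'; do
        printf '%-28s -> %s pod(s)\n' "$re" "$(count_tap "$re")"
    done
}
report
```

On a real cluster, the --dry-run flag of kubeshark tap gives the same kind of preview without starting a capture.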

You can also view traffic in a specific namespace say “nginx” with the command:

kubeshark tap ".*" -n nginx

To see the options available for a given command, say tap, use the command:

$ kubeshark tap --help
Record the ingoing traffic of a kubernetes pod.
Supported protocols are HTTP and gRPC.

Usage:
  kubeshark tap [POD REGEX] [flags]

Flags:
  -A, --all-namespaces               Tap all namespaces
      --dry-run                      Preview of all pods matching the regex, without tapping them
  -p, --gui-port uint16              Provide a custom port for the web interface webserver (default 8899)
  -h, --help                         help for tap
      --insertion-filter string      Set the insertion filter. Accepts string or a file path.
      --max-entries-db-size string   Override the default max entries db size (default "200MB")
      --max-live-streams int         Maximum live tcp streams to handle concurrently (default 500)
  -n, --namespaces strings           Namespaces selector
      --profiler                     Run pprof server
      --redact                       Enables redaction of potentially sensitive request/response headers and body values
      --service-mesh                 Record decrypted traffic if the cluster is configured with a service mesh and with mtls
      --tls                          Record tls traffic

Global Flags:
      --config-path string   Override config file path using --config-path (default "/root/.kubeshark/config.yaml")
      --set strings          Override values using --set

Closing Thoughts

That marks the end of this guide on how to view and analyze Kubernetes API Traffic using Kubeshark. You can now get comprehensive microservice traffic that can help you identify the root cause of a problem on your cluster. I hope this was significant to you.
