DEV.co
MCP Servers · kubeshark

kubeshark

Kubeshark is an eBPF-based network observability tool for Kubernetes that captures and indexes cluster traffic at the kernel level, including decrypted TLS without key management. It provides a dashboard for human operators and integrates with AI agents via MCP protocol for incident response and root cause analysis.

Source: GitHub — github.com/kubeshark/kubeshark
12k
GitHub stars
543
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorykubeshark/kubeshark
Ownerkubeshark
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars12k
Forks543
Open issues146
Latest releasev53.3.0 (2026-05-19)
Last updated2026-07-06
Sourcehttps://github.com/kubeshark/kubeshark

What kubeshark is

Kubeshark uses eBPF to perform kernel-level packet capture and L7 protocol dissection (HTTP, gRPC, Redis, Kafka, DNS, etc.) with full Kubernetes context. It decrypts TLS/mTLS in-kernel without sidecars or key access, exposes queryable network data via a KFL (CEL-based) query language and MCP server, and supports PCAP export and cloud storage integration (S3, Azure Blob, GCS).

Quickstart

Get the kubeshark source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/kubeshark/kubeshark.gitcd kubeshark# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Incident Response & Root Cause Analysis

Query encrypted and unencrypted traffic by Kubernetes semantics, API call patterns, and network attributes. Extract retrospective PCAPs and feed raw traffic data to AI agents via MCP for rapid troubleshooting without manual log parsing.

Network Observability for Microservices

Monitor service-to-service communication across the cluster in real time, visualize dependency maps, identify error rates and latency patterns, and correlate API failures to network behavior without code instrumentation or sidecar proxies.

Compliance & Forensics

Retain cluster-wide encrypted traffic snapshots in cloud storage for long-term audit trails. Download filtered PCAPs by time, workload, and IP for post-incident investigation, regulatory compliance, or third-party analysis in Wireshark.

Implementation considerations

  • eBPF probe deployment: Kubeshark must run as a DaemonSet on all nodes and requires elevated privileges (root or CAP_BPF + CAP_PERFMON). Test node resource overhead (CPU, memory) in staging; large clusters may see measurable CPU/memory impact on each node.
  • RBAC and admission control: Configure Kubernetes RBAC to limit pod exec access to the Kubeshark dashboard and limit who can export PCAPs. Consider NetworkPolicy to restrict dashboard access if exposed via Ingress.
  • Storage and retention: Plan PCAP snapshot retention policy—local disk fills quickly at scale. Use cloud storage integration (S3, GCS, Azure Blob) for long-term retention and cost-effective archival.
  • TLS decryption scope: eBPF decryption works for TLS/mTLS; verify mTLS certificate configuration and test decryption before relying on it in production. Certificate rotation or custom mTLS setups may affect visibility.
  • Query language learning curve: KFL (CEL-based) requires operators to learn filter syntax. Provide team training and document common query patterns; leverage AI skills if using MCP integration.

When to avoid it — and what to weigh

  • Kernel eBPF Support Unavailable — Kubeshark requires eBPF kernel support (Linux 5.8+ for core features). Clusters on older kernels, Windows containers, or non-Linux environments cannot use this tool. Verify kernel version and eBPF probe availability before deployment.
  • Very High Packet Volume Without Filtering — eBPF-based capture is efficient but still requires thoughtful filtering strategy in extremely high-throughput environments (>100k packets/sec). Unfiltered capture at scale may strain node resources; pre-filter traffic or test in staging.
  • Need for Custom Protocol Parsers — Kubeshark supports common protocols (HTTP, gRPC, Redis, Kafka, DNS). If your workloads rely heavily on proprietary or niche binary protocols, you may not see L7 indexing and will be limited to L4/raw packet inspection.
  • Kubernetes Cluster Not Required — Kubeshark is purpose-built for Kubernetes observability. For bare VMs, non-containerized infrastructure, or non-K8s orchestration platforms, standard packet capture tools (tcpdump, Wireshark) or dedicated APM solutions are more appropriate.

License & commercial use

Apache-2.0 (Apache License 2.0) — a permissive OSI-approved license allowing commercial use, modification, and distribution with attribution and no liability warranty.

Apache-2.0 explicitly permits commercial use, modification, and redistribution. No commercial license, support contract, or legal review is evident in the GitHub data provided. For production deployments, confirm with the Kubeshark maintainers whether commercial support or SLAs are available and obtain written terms if required.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityModerate
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Kubeshark requires root or high kernel capabilities (CAP_BPF, CAP_PERFMON) to run eBPF probes, making it a critical security boundary. Dashboard access should be gated by RBAC and network policies; uncontrolled access exposes plaintext decrypted TLS traffic. MCP server and AI agent integration require authenticated, encrypted channels to prevent network data exposure. eBPF-based decryption does not require storing cryptographic keys but performs decryption in kernel memory—verify no sensitive data persists in snapshots or logs. Audit all PCAP exports. No security audit or CVE history provided in data.

Alternatives to consider

Cilium Hubble

eBPF-based Kubernetes networking observability focused on network flow and DNS. Lighter-weight and integrated with service mesh, but lacks L7 protocol dissection, TLS decryption, and AI integration of Kubeshark.

Datadog/New Relic APM + Network Monitoring

Managed SaaS observability with full-stack metrics, traces, and network data. Easier operational lift but requires vendor lock-in, ongoing costs, and external data egress. Strong AI/anomaly detection.

tcpdump + Wireshark

Open-source packet capture and analysis. Requires manual filtering and operator expertise; no Kubernetes context, no TLS decryption, no real-time indexing. Suitable for ad-hoc troubleshooting, not continuous observability.

Software development agency

Build on kubeshark with DEV.co software developers

Kubeshark brings kernel-level traffic visibility to your Kubernetes cluster without sidecars or key management. Start with Helm, validate in staging, and connect AI agents for rapid incident response. Our DevOps and Cloud Deployment teams can guide implementation.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

kubeshark FAQ

Does Kubeshark require me to install a service mesh or modify my workloads?
No. Kubeshark is agentless and works independently of service meshes. It captures traffic at the kernel level using eBPF, so no code instrumentation, sidecars, or mesh installation is required.
How does Kubeshark decrypt TLS traffic without storing keys?
Kubeshark uses eBPF to hook into kernel TLS functions and capture plaintext before encryption/after decryption in kernel memory. Keys are never stored or logged; decryption is ephemeral during packet capture.
Can I use Kubeshark on a multi-cluster or non-Kubernetes infrastructure?
Kubeshark is designed specifically for Kubernetes. Multi-cluster support is not mentioned in the provided data; use native tools (tcpdump, Wireshark, packet brokers) for non-K8s environments.
What are the licensing implications for commercial use?
Kubeshark is Apache-2.0, which permits commercial use. However, no commercial support plan or enterprise license is documented here. Verify with maintainers if production SLAs or indemnification are needed.

Software development & web development with DEV.co

DEV.co helps companies turn open-source tools like kubeshark into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your mcp servers stack.

Ready to Deploy Network Observability?

Kubeshark brings kernel-level traffic visibility to your Kubernetes cluster without sidecars or key management. Start with Helm, validate in staging, and connect AI agents for rapid incident response. Our DevOps and Cloud Deployment teams can guide implementation.