kubeshark
Kubeshark is an eBPF-based network observability tool for Kubernetes that captures and indexes cluster traffic at the kernel level, including decrypted TLS without key management. It provides a dashboard for human operators and integrates with AI agents via MCP protocol for incident response and root cause analysis.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | kubeshark/kubeshark |
| Owner | kubeshark |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 12k |
| Forks | 543 |
| Open issues | 146 |
| Latest release | v53.3.0 (2026-05-19) |
| Last updated | 2026-07-06 |
| Source | https://github.com/kubeshark/kubeshark |
What kubeshark is
Kubeshark uses eBPF to perform kernel-level packet capture and L7 protocol dissection (HTTP, gRPC, Redis, Kafka, DNS, etc.) with full Kubernetes context. It decrypts TLS/mTLS in-kernel without sidecars or key access, exposes queryable network data via a KFL (CEL-based) query language and MCP server, and supports PCAP export and cloud storage integration (S3, Azure Blob, GCS).
Get the kubeshark source
Clone the repository and explore it locally.
git clone https://github.com/kubeshark/kubeshark.gitcd kubeshark# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- eBPF probe deployment: Kubeshark must run as a DaemonSet on all nodes and requires elevated privileges (root or CAP_BPF + CAP_PERFMON). Test node resource overhead (CPU, memory) in staging; large clusters may see measurable CPU/memory impact on each node.
- RBAC and admission control: Configure Kubernetes RBAC to limit pod exec access to the Kubeshark dashboard and limit who can export PCAPs. Consider NetworkPolicy to restrict dashboard access if exposed via Ingress.
- Storage and retention: Plan PCAP snapshot retention policy—local disk fills quickly at scale. Use cloud storage integration (S3, GCS, Azure Blob) for long-term retention and cost-effective archival.
- TLS decryption scope: eBPF decryption works for TLS/mTLS; verify mTLS certificate configuration and test decryption before relying on it in production. Certificate rotation or custom mTLS setups may affect visibility.
- Query language learning curve: KFL (CEL-based) requires operators to learn filter syntax. Provide team training and document common query patterns; leverage AI skills if using MCP integration.
When to avoid it — and what to weigh
- Kernel eBPF Support Unavailable — Kubeshark requires eBPF kernel support (Linux 5.8+ for core features). Clusters on older kernels, Windows containers, or non-Linux environments cannot use this tool. Verify kernel version and eBPF probe availability before deployment.
- Very High Packet Volume Without Filtering — eBPF-based capture is efficient but still requires thoughtful filtering strategy in extremely high-throughput environments (>100k packets/sec). Unfiltered capture at scale may strain node resources; pre-filter traffic or test in staging.
- Need for Custom Protocol Parsers — Kubeshark supports common protocols (HTTP, gRPC, Redis, Kafka, DNS). If your workloads rely heavily on proprietary or niche binary protocols, you may not see L7 indexing and will be limited to L4/raw packet inspection.
- Kubernetes Cluster Not Required — Kubeshark is purpose-built for Kubernetes observability. For bare VMs, non-containerized infrastructure, or non-K8s orchestration platforms, standard packet capture tools (tcpdump, Wireshark) or dedicated APM solutions are more appropriate.
License & commercial use
Apache-2.0 (Apache License 2.0) — a permissive OSI-approved license allowing commercial use, modification, and distribution with attribution and no liability warranty.
Apache-2.0 explicitly permits commercial use, modification, and redistribution. No commercial license, support contract, or legal review is evident in the GitHub data provided. For production deployments, confirm with the Kubeshark maintainers whether commercial support or SLAs are available and obtain written terms if required.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Strong |
| Assessment confidence | High |
Kubeshark requires root or high kernel capabilities (CAP_BPF, CAP_PERFMON) to run eBPF probes, making it a critical security boundary. Dashboard access should be gated by RBAC and network policies; uncontrolled access exposes plaintext decrypted TLS traffic. MCP server and AI agent integration require authenticated, encrypted channels to prevent network data exposure. eBPF-based decryption does not require storing cryptographic keys but performs decryption in kernel memory—verify no sensitive data persists in snapshots or logs. Audit all PCAP exports. No security audit or CVE history provided in data.
Alternatives to consider
Cilium Hubble
eBPF-based Kubernetes networking observability focused on network flow and DNS. Lighter-weight and integrated with service mesh, but lacks L7 protocol dissection, TLS decryption, and AI integration of Kubeshark.
Datadog/New Relic APM + Network Monitoring
Managed SaaS observability with full-stack metrics, traces, and network data. Easier operational lift but requires vendor lock-in, ongoing costs, and external data egress. Strong AI/anomaly detection.
tcpdump + Wireshark
Open-source packet capture and analysis. Requires manual filtering and operator expertise; no Kubernetes context, no TLS decryption, no real-time indexing. Suitable for ad-hoc troubleshooting, not continuous observability.
Build on kubeshark with DEV.co software developers
Kubeshark brings kernel-level traffic visibility to your Kubernetes cluster without sidecars or key management. Start with Helm, validate in staging, and connect AI agents for rapid incident response. Our DevOps and Cloud Deployment teams can guide implementation.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
kubeshark FAQ
Does Kubeshark require me to install a service mesh or modify my workloads?
How does Kubeshark decrypt TLS traffic without storing keys?
Can I use Kubeshark on a multi-cluster or non-Kubernetes infrastructure?
What are the licensing implications for commercial use?
Software development & web development with DEV.co
DEV.co helps companies turn open-source tools like kubeshark into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your mcp servers stack.
Ready to Deploy Network Observability?
Kubeshark brings kernel-level traffic visibility to your Kubernetes cluster without sidecars or key management. Start with Helm, validate in staging, and connect AI agents for rapid incident response. Our DevOps and Cloud Deployment teams can guide implementation.