mirror of
https://github.com/kubeshark/kubeshark.git
synced 2026-04-09 12:17:39 +00:00
10dbedf356
* Add KFL and Network RCA skills Introduce the skills/ directory with two Kubeshark MCP skills: - network-rca: Retrospective traffic analysis via snapshots, dissection, KFL queries, PCAP extraction, and trend comparison - kfl: Complete KFL2 (Kubeshark Filter Language) reference covering all supported protocols, variables, operators, and filter patterns Update CLAUDE.md with skill authoring guidelines, structure conventions, and the list of available Kubeshark MCP tools. * Optimize skills and add shared setup reference - network-rca: cut repeated metaphor, add list_api_calls example response, consolidate use cases, remove unbuilt composability section, extract setup reference to references/setup.md (409 → 306 lines) - kfl: merge thin protocol sections, fix map_get inconsistency, add negation examples, move capture source to reference doc - kfl2-reference: add most-commonly-used variables table, add inline filter examples per protocol section - Add skills/README.md with usage and contribution guidelines * Add plugin infrastructure and update READMEs - Add .claude-plugin/plugin.json and marketplace.json for Claude Code plugin distribution - Add .mcp.json bundling the Kubeshark MCP configuration - Update skills/README.md with plugin install, manual install, and agent compatibility sections - Update mcp/README.md with AI skills section and install instructions - Restructure network-rca skill into two distinct investigation routes: PCAP (no dissection, BPF filters, Wireshark/compliance) and Dissection (indexed queries, AI-driven analysis, payload inspection) * Remove CLAUDE.md from tracked files Content now lives in skills/README.md, mcp/README.md, and the skills themselves. * Add README to .claude-plugin directory * Reorder MCP config: default mode first, URL mode for no-kubectl * Move AI Skills section to top of MCP README * Reorder manual install: symlink first * Streamline skills README: focus on usage and contributing * Enforce KFL skill loading before writing filters - network-rca: require loading KFL skill before constructing filters, suggest installation if unavailable - kfl: set user-invocable: false (background knowledge skill), strengthen description to mandate loading before any filter construction * Move KFL requirement to top of Dissection route * Add strict fallback: only use exact examples if KFL skill unavailable * Add clone step to manual installation * Use $PWD/kubeshark paths in manual install examples * Add mkdir before symlinks, simplify paths * Move prerequisites before installation --------- Co-authored-by: Alon Girmonsky <alongir@Alons-Mac-Studio.local>
Kubeshark MCP Server
Kubeshark MCP (Model Context Protocol) server enables AI assistants like Claude Desktop, Cursor, and other MCP-compatible clients to query real-time Kubernetes network traffic.
AI Skills
The MCP provides the tools — AI skills teach agents how to use them. Skills turn raw MCP capabilities into domain-specific workflows like root cause analysis, traffic filtering, and forensic investigation. See the skills README for installation and usage.
| Skill | Description |
|---|---|
network-rca |
Network Root Cause Analysis — snapshot-based retrospective investigation with PCAP and dissection routes |
kfl |
KFL2 filter expert — write, debug, and optimize traffic queries across all supported protocols |
Features
- L7 API Traffic Analysis: Query HTTP, gRPC, Redis, Kafka, DNS transactions
- L4 Network Flows: View TCP/UDP flows with traffic statistics
- Cluster Management: Start/stop Kubeshark deployments (with safety controls)
- PCAP Snapshots: Create and export network captures
- Built-in Prompts: Pre-configured prompts for common analysis tasks
Installation
1. Install Kubeshark CLI
# macOS
brew install kubeshark
# Linux
sh <(curl -Ls https://kubeshark.com/install)
# Windows (PowerShell)
choco install kubeshark
Or download from GitHub Releases.
2. Configure Claude Desktop
Add to your Claude Desktop configuration:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Default (requires kubectl access / kube context)
{
"mcpServers": {
"kubeshark": {
"command": "kubeshark",
"args": ["mcp"]
}
}
}
With an explicit kubeconfig path:
{
"mcpServers": {
"kubeshark": {
"command": "kubeshark",
"args": ["mcp", "--kubeconfig", "/path/to/.kube/config"]
}
}
}
URL Mode (no kubectl required)
Use this when the machine doesn't have kubectl access or a kube context. Connect directly to an existing Kubeshark deployment:
{
"mcpServers": {
"kubeshark": {
"command": "kubeshark",
"args": ["mcp", "--url", "https://kubeshark.example.com"]
}
}
}
With Destructive Operations
{
"mcpServers": {
"kubeshark": {
"command": "kubeshark",
"args": ["mcp", "--allow-destructive", "--kubeconfig", "/path/to/.kube/config"]
}
}
}
3. Generate Configuration
Use the CLI to generate configuration:
kubeshark mcp --mcp-config --url https://kubeshark.example.com
Available Tools
Traffic Analysis (All Modes)
| Tool | Description |
|---|---|
list_workloads |
List pods, services, namespaces with observed traffic |
list_api_calls |
Query L7 API transactions with KFL filtering |
get_api_call |
Get detailed info about a specific API call |
get_api_stats |
Get aggregated API statistics |
list_l4_flows |
List L4 (TCP/UDP) network flows |
get_l4_flow_summary |
Get L4 connectivity summary |
list_snapshots |
List all PCAP snapshots |
create_snapshot |
Create a new PCAP snapshot |
get_dissection_status |
Check L7 protocol parsing status |
enable_dissection |
Enable L7 protocol dissection |
disable_dissection |
Disable L7 protocol dissection |
Cluster Management (Proxy Mode Only)
| Tool | Description | Requires |
|---|---|---|
check_kubeshark_status |
Check if Kubeshark is running | - |
start_kubeshark |
Deploy Kubeshark to cluster | --allow-destructive |
stop_kubeshark |
Remove Kubeshark from cluster | --allow-destructive |
Available Prompts
| Prompt | Description |
|---|---|
analyze_traffic |
Analyze API traffic patterns and identify issues |
find_errors |
Find and summarize API errors and failures |
trace_request |
Trace a request path through microservices |
show_topology |
Show service communication topology |
latency_analysis |
Analyze latency patterns and identify slow endpoints |
security_audit |
Audit traffic for security concerns |
compare_traffic |
Compare traffic patterns between time periods |
debug_connection |
Debug connectivity issues between services |
Example Conversations
User: Show me all HTTP 500 errors in the last hour
Claude: I'll query the API traffic for 500 errors.
[Calling list_api_calls with kfl="http and response.status == 500"]
Found 12 HTTP 500 errors:
1. POST /api/checkout -> payment-service (500)
Time: 10:23:45 | Latency: 2340ms
...
User: What services are communicating with the database?
Claude: Let me check the L4 flows to the database.
[Calling list_l4_flows with dst_filter="postgres"]
Found 5 services connecting to postgres:5432:
- orders-service: 456KB transferred
- users-service: 123KB transferred
...
CLI Options
| Option | Description |
|---|---|
--url |
Direct URL to Kubeshark Hub |
--kubeconfig |
Path to kubeconfig file |
--allow-destructive |
Enable start/stop operations |
--list-tools |
List available tools and exit |
--mcp-config |
Print Claude Desktop config JSON |
KFL (Kubeshark Filter Language)
Query traffic using KFL syntax:
# HTTP requests to a specific path
http and request.path == "/api/users"
# Errors only
response.status >= 400
# Specific source pod
src.pod.name == "frontend-.*"
# Multiple conditions
http and src.namespace == "default" and response.status == 500
MCP Registry
Kubeshark is published to the MCP Registry automatically on each release.
The server.json in this directory is a reference file. The actual registry metadata (version, SHA256 hashes) is auto-generated during the release workflow. See .github/workflows/release.yml for details.
Links
License
Apache-2.0