* Create index.ts adding kubeshark feature
* Update index.ts updating index with kubeshark
* Create kubeshark.md
* Update kubeshark.md
* Update index.md adding kubeshark in the index
* Update mkdocs.yml adding kubeshark doc
* Update kubeshark.md
* Delete lib/addons/index.ts
* Delete lib/addons/kubeshark/index.ts
* Update kubeshark.md
* Update index.md
* Update mkdocs.yml
* Update kubeshark.md
* Update kubeshark.md
* Update kubeshark.md
* Revert "Delete lib/addons/index.ts"

  This reverts commit 06fef31.
* Remove: kubeshark from index.ts

---------

Co-authored-by: zghanem <zghanem@amazon.com>
Showing 4 changed files with 126 additions and 2 deletions.
@@ -0,0 +1,123 @@ | ||
# Kubeshark AddOn | ||
|
||
[kubeshark](https://github.com/kubeshark/kubeshark) is an API Traffic Analyzer for Kubernetes providing real-time, protocol-level visibility into Kubernetes’ internal network, capturing and monitoring all traffic and payloads going in, out and across containers, pods, nodes and clusters. | ||
|
||
Kubeshark provide Real-time monitoring for all traffic going in, out and across containers, pods, namespaces, nodes and clusters, which allow you to pinpoint and resolve issues efficiently, ensuring stable network performance and enhancing application success in Kubernetes environments and identifying complex networking issue. | ||
|
||
## Usage | ||
1. import kubeshark | ||
``` | ||
npm i kubeshark | ||
``` | ||
2. import it in your `blueprint.ts` | ||
``` | ||
import { KubesharkAddOn } from 'kubeshark'; | ||
``` | ||
|
||
3. include the addon | ||
``` | ||
new KubesharkAddOn({}) // Provide an empty object if no specific properties are needed | ||
``` | ||
|
||
|
||
### Full example **`index.ts`** | ||
```typescript | ||
import * as cdk from 'aws-cdk-lib'; | ||
import * as blueprints from '@aws-quickstart/eks-blueprints'; | ||
import { KubesharkAddOn } from 'kubeshark'; | ||
|
||
const app = new cdk.App(); | ||
const account = '1234123412341'; | ||
const region = 'us-east-1'; | ||
const version = 'auto'; | ||
|
||
blueprints.HelmAddOn.validateHelmVersions = true; // optional if you would like to check for newer versions | ||
|
||
const addOns: Array<blueprints.ClusterAddOn> = [ | ||
new blueprints.addons.MetricsServerAddOn(), | ||
new blueprints.addons.ClusterAutoScalerAddOn(), | ||
new blueprints.addons.AwsLoadBalancerControllerAddOn(), | ||
new blueprints.addons.VpcCniAddOn(), | ||
new blueprints.addons.CoreDnsAddOn(), | ||
new blueprints.addons.KubeProxyAddOn(), | ||
new KubesharkAddOn({}) // Provide an empty object if no specific properties are needed | ||
]; | ||
|
||
const stack = blueprints.EksBlueprint.builder() | ||
.account(account) | ||
.region(region) | ||
.version(version) | ||
.addOns(...addOns) | ||
.useDefaultSecretEncryption(true) // set to false to turn secret encryption off (non-production/demo cases) | ||
.build(app, 'eks-blueprint');``` | ||
``` | ||
## validate the deployment | ||
Once deployed, you can see kubeshark pod in the `kube-system` namespace. | ||
|
||
```sh | ||
$ kubectl get deployments -n kube-system | ||
NAME READY UP-TO-DATE AVAILABLE AGE | ||
blueprints-addon-kubeshark 1/1 1 1 20m | ||
``` | ||
|
||
## Functionality | ||
|
||
1. Deploys the kubeshark helm chart in `kube-system` namespace by default. | ||
2. Supports [standard helm configuration options](./index.md#standard-helm-add-on-configuration-options). | ||
3. Supports `createNamespace` configuration to deploy the addon to a customized namespace. | ||
|
||
## Access Kubeshark | ||
|
||
Apply the kubernetes dashboard manifest. | ||
|
||
```sh | ||
$ kubectl -n kube-system port-forward svc/kubeshark-front 3000:80 | ||
``` | ||
|
||
Open the [dashboard](http://localhost:3000) | ||
|
||
Then you should be able to see view like this | ||
![dashboard](https://raw.githubusercontent.com/kubeshark/assets/master/png/kubeshark-ui.png) | ||
|
||
|
||
## Example | ||
|
||
1.) deploy nginx pod using the below command. | ||
``` | ||
kubectl apply -f - <<EOF | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: nginx | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx | ||
EOF | ||
``` | ||
|
||
|
||
2.) Try to access "aws.com" to generate traffic flow using the below command. | ||
``` | ||
kubectl exec nginx curl https://aws.com | ||
``` | ||
3.) Access kubeshark using the below command. | ||
``` | ||
kubectl -n kube-system port-forward svc/kubeshark-front 3000:80 | ||
``` | ||
4.) Run Kubeshark query to identify the traffic flow. | ||
``` | ||
(src.pod.metadata.name == "nginx" or dst.pod.metadata name == "nginx") and request.questions[0].name == "aws.com" or (src.name == "nginx" and src.namespace == "default" and dst.name == "kube-dns" and dst.namespace == "kube-system") | ||
``` | ||
As shown below, the Kubeshark query used to identify the traffic flowing from the pod "nginx" in the "default" namespace to "aws.com" and "coredns". The query is writen by [Kubeshark Filter Language (KFL)](https://docs.kubeshark.co/en/filtering#kfl-syntax-reference) is the language implemented inside kubeshark/worker that enables the user to filter the traffic efficiently and precisely. | ||
![query](https://github.com/zghanem0/kubeshark/blob/main/api.png?raw=true) | ||
Also you can visualize the traffic flow and bandwidth using service map feature as shown below. | ||
![Service Map](https://github.com/zghanem0/kubeshark/blob/main/map.png?raw=true) |
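Review bot: the KFL query in step 4 of the Example section will not match what the following paragraph says it matches: `dst.pod.metadata name == "nginx"` is missing a dot (`dst.pod.metadata.name`), and the `and`/`or` chain has no parentheses around the aws.com branch, so group it explicitly as `((src.pod.metadata.name == "nginx" or dst.pod.metadata.name == "nginx") and request.questions[0].name == "aws.com") or (src.name == "nginx" and src.namespace == "default" and dst.name == "kube-dns" and dst.namespace == "kube-system")`. A few smaller points in the same hunk: `kubectl exec nginx curl https://aws.com` should be `kubectl exec nginx -- curl https://aws.com`, since the form without `--` is deprecated and misparses the command; the full example ends with `.build(app, 'eks-blueprint');```` followed by a second closing fence, so the stray backticks render as code and the `## validate the deployment` heading that follows is at risk of being swallowed into a code block; `const account = '1234123412341';` is 13 digits while AWS account IDs are 12, so use an obviously fake 12-digit placeholder; "Apply the kubernetes dashboard manifest." describes a different step from the `port-forward` command below it, so reword it to "Port-forward the Kubeshark front-end service."; "writen" should be "written", and the Usage step "import kubeshark" is actually an `npm i` install step. Finally, given the intro's statement that Kubeshark captures all traffic and payloads across pods, nodes and clusters, the Functionality section should document what cluster permissions the chart grants its workers and note that captured payloads can contain credentials, so access to the dashboard exposed on localhost:3000 via the port-forward should stay restricted to operators who are entitled to see that data.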