
Kubeshark

★ 12,000

from kubeshark

MCP access to cluster-wide L4 and L7 network traffic, packets, APIs, and complete payloads.


Kubeshark MCP Server

Kubeshark MCP (Model Context Protocol) server enables AI assistants like Claude Desktop, Cursor, and other MCP-compatible clients to query real-time Kubernetes network traffic.

AI Skills

The MCP provides the tools; AI skills teach agents how to use them. Skills turn raw MCP capabilities into domain-specific workflows like root cause analysis, traffic filtering, and forensic investigation. See the skills README for installation and usage.

| Skill | Description |
|-------|-------------|
| network-rca | Network Root Cause Analysis: snapshot-based retrospective investigation with PCAP and dissection routes |
| kfl | KFL2 filter expert: write, debug, and optimize traffic queries across all supported protocols |

Features

  • L7 API Traffic Analysis: Query HTTP, gRPC, Redis, Kafka, DNS transactions

  • L4 Network Flows: View TCP/UDP flows with traffic statistics

  • Cluster Management: Start/stop Kubeshark deployments (with safety controls)

  • PCAP Snapshots: Create and export network captures

  • Built-in Prompts: Pre-configured prompts for common analysis tasks

Available Tools

Traffic Analysis (All Modes)

| Tool | Description |
|------|-------------|
| list_workloads | List pods, services, namespaces with observed traffic |
| list_api_calls | Query L7 API transactions with KFL filtering |
| get_api_call | Get detailed info about a specific API call |
| get_api_stats | Get aggregated API statistics |
| list_l4_flows | List L4 (TCP/UDP) network flows |
| get_l4_flow_summary | Get L4 connectivity summary |
| list_snapshots | List all PCAP snapshots |
| create_snapshot | Create a new PCAP snapshot |
| get_dissection_status | Check L7 protocol parsing status |
| enable_dissection | Enable L7 protocol dissection |
| disable_dissection | Disable L7 protocol dissection |

Cluster Management (Proxy Mode Only)

| Tool | Description | Requires |
|------|-------------|----------|
| check_kubeshark_status | Check if Kubeshark is running | - |
| start_kubeshark | Deploy Kubeshark to cluster | --allow-destructive |
| stop_kubeshark | Remove Kubeshark from cluster | --allow-destructive |

Available Prompts

| Prompt | Description |
|--------|-------------|
| analyze_traffic | Analyze API traffic patterns and identify issues |
| find_errors | Find and summarize API errors and failures |
| trace_request | Trace a request path through microservices |
| show_topology | Show service communication topology |
| latency_analysis | Analyze latency patterns and identify slow endpoints |
| security_audit | Audit traffic for security concerns |
| compare_traffic | Compare traffic patterns between time periods |
| debug_connection | Debug connectivity issues between services |

Example Conversations

User: Show me all HTTP 500 errors in the last hour

Claude: I'll query the API traffic for 500 errors.
[Calling list_api_calls with kfl="http and response.status == 500"]

Found 12 HTTP 500 errors:
1. POST /api/checkout -> payment-service (500)
 Time: 10:23:45 | Latency: 2340ms
...

User: What services are communicating with the database?

Claude: Let me check the L4 flows to the database.
[Calling list_l4_flows with dst_filter="postgres"]

Found 5 services connecting to postgres:5432:
- orders-service: 456KB transferred
- users-service: 123KB transferred
...

CLI Options

| Option | Description |
|--------|-------------|
| --url | Direct URL to Kubeshark Hub |
| --kubeconfig | Path to kubeconfig file |
| --allow-destructive | Enable start/stop operations |
| --list-tools | List available tools and exit |
| --mcp-config | Print Claude Desktop config JSON |
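
The tool lists and the --allow-destructive option describe a split between read-only and cluster-changing tools. The following is an added example, not Kubeshark code: a client-side default-deny gate that an MCP host could apply before forwarding a model-requested `tools/call` message. The tier assignment for create_snapshot and the dissection toggles, and the names `authorize` and `build_tool_call`, are assumptions of this example.

```python
import json

# Tool names come from the tool lists on this page; the tier split is this example's assumption.
READ_ONLY = {
    "list_workloads", "list_api_calls", "get_api_call", "get_api_stats",
    "list_l4_flows", "get_l4_flow_summary", "list_snapshots",
    "get_dissection_status", "check_kubeshark_status",
}
STATE_CHANGING = {"create_snapshot", "enable_dissection", "disable_dissection"}
DESTRUCTIVE = {"start_kubeshark", "stop_kubeshark"}  # listed as requiring --allow-destructive


def authorize(tool, allow_state_change=False, allow_destructive=False):
    """Return (allowed, reason) for a tool name requested by the model."""
    if tool in READ_ONLY:
        return True, "read-only"
    if tool in STATE_CHANGING:
        return allow_state_change, "state-changing"
    if tool in DESTRUCTIVE:
        return allow_destructive, "destructive"
    return False, "unknown tool"  # default deny for names not on the page


def build_tool_call(request_id, tool, arguments, **policy):
    """Build an MCP JSON-RPC 2.0 tools/call message, or raise if policy denies it."""
    allowed, reason = authorize(tool, **policy)
    if not allowed:
        raise PermissionError(f"{tool} blocked ({reason})")
    if not isinstance(arguments, dict):
        raise TypeError("arguments must be a JSON object")
    return json.dumps({
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": tool, "arguments": arguments},
    })


if __name__ == "__main__":
    # Constructed requests; the kfl argument mirrors the example conversation above.
    print(build_tool_call(1, "list_api_calls",
                          {"kfl": "http and response.status == 500"}))
    for name in ("stop_kubeshark", "delete_everything"):
        try:
            build_tool_call(2, name, {})
        except PermissionError as exc:
            print("denied:", exc)
```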

KFL (Kubeshark Filter Language)

Query traffic using KFL syntax:

# HTTP requests to a specific path
http and request.path == "/api/users"

# Errors only
response.status >= 400

# Specific source pod
src.pod.name == "frontend-.*"

# Multiple conditions
http and src.namespace == "default" and response.status == 500

MCP Registry

Kubeshark is published to the MCP Registry automatically on each release.

The server.json in this directory is a reference file. The actual registry metadata (version, SHA256 hashes) is auto-generated during the release workflow. See .github/workflows/release.yml for details.

License

Apache-2.0