Kubeshark
MCP access to cluster-wide L4 and L7 network traffic, packets, APIs, and complete payloads.
Kubeshark MCP Server
Kubeshark MCP (Model Context Protocol) server enables AI assistants like Claude Desktop, Cursor, and other MCP-compatible clients to query real-time Kubernetes network traffic.
Features
- L7 API Traffic Analysis: Query HTTP, gRPC, Redis, Kafka, DNS transactions
- L4 Network Flows: View TCP/UDP flows with traffic statistics
- Cluster Management: Start/stop Kubeshark deployments (with safety controls)
- PCAP Snapshots: Create and export network captures
- Built-in Prompts: Pre-configured prompts for common analysis tasks
Installation
1. Install Kubeshark CLI
# macOS
brew install kubeshark
# Linux
sh <(curl -Ls https://kubeshark.com/install)
# Windows (PowerShell)
choco install kubeshark
Or download from GitHub Releases.
2. Configure Claude Desktop
Add to your Claude Desktop configuration:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
URL Mode (Recommended for existing deployments)
{
"mcpServers": {
"kubeshark": {
"command": "kubeshark",
"args": ["mcp", "--url", "https://kubeshark.example.com"]
}
}
}
Proxy Mode (Requires kubectl access)
{
"mcpServers": {
"kubeshark": {
"command": "kubeshark",
"args": ["mcp", "--kubeconfig", "/path/to/.kube/config"]
}
}
}
or:
{
"mcpServers": {
"kubeshark": {
"command": "kubeshark",
"args": ["mcp"]
}
}
}
With Destructive Operations
{
"mcpServers": {
"kubeshark": {
"command": "kubeshark",
"args": ["mcp", "--allow-destructive", "--kubeconfig", "/path/to/.kube/config"]
}
}
}
3. Generate Configuration
Use the CLI to generate configuration:
kubeshark mcp --mcp-config --url https://kubeshark.example.com
Available Tools
Traffic Analysis (All Modes)
| Tool | Description |
|---|---|
list_workloads | List pods, services, namespaces with observed traffic |
list_api_calls | Query L7 API transactions with KFL filtering |
get_api_call | Get detailed info about a specific API call |
get_api_stats | Get aggregated API statistics |
list_l4_flows | List L4 (TCP/UDP) network flows |
get_l4_flow_summary | Get L4 connectivity summary |
list_snapshots | List all PCAP snapshots |
create_snapshot | Create a new PCAP snapshot |
get_dissection_status | Check L7 protocol parsing status |
enable_dissection | Enable L7 protocol dissection |
disable_dissection | Disable L7 protocol dissection |
Cluster Management (Proxy Mode Only)
| Tool | Description | Requires |
|---|---|---|
check_kubeshark_status | Check if Kubeshark is running | - |
start_kubeshark | Deploy Kubeshark to cluster | --allow-destructive |
stop_kubeshark | Remove Kubeshark from cluster | --allow-destructive |
Available Prompts
| Prompt | Description |
|---|---|
analyze_traffic | Analyze API traffic patterns and identify issues |
find_errors | Find and summarize API errors and failures |
trace_request | Trace a request path through microservices |
show_topology | Show service communication topology |
latency_analysis | Analyze latency patterns and identify slow endpoints |
security_audit | Audit traffic for security concerns |
compare_traffic | Compare traffic patterns between time periods |
debug_connection | Debug connectivity issues between services |
Example Conversations
User: Show me all HTTP 500 errors in the last hour
Claude: I'll query the API traffic for 500 errors.
[Calling list_api_calls with kfl="http and response.status == 500"]
Found 12 HTTP 500 errors:
1. POST /api/checkout -> payment-service (500)
Time: 10:23:45 | Latency: 2340ms
...
User: What services are communicating with the database?
Claude: Let me check the L4 flows to the database.
[Calling list_l4_flows with dst_filter="postgres"]
Found 5 services connecting to postgres:5432:
- orders-service: 456KB transferred
- users-service: 123KB transferred
...
CLI Options
| Option | Description |
|---|---|
--url | Direct URL to Kubeshark Hub |
--kubeconfig | Path to kubeconfig file |
--allow-destructive | Enable start/stop operations |
--list-tools | List available tools and exit |
--mcp-config | Print Claude Desktop config JSON |
KFL (Kubeshark Filter Language)
Query traffic using KFL syntax:
# HTTP requests to a specific path
http and request.path == "/api/users"
# Errors only
response.status >= 400
# Specific source pod
src.pod.name == "frontend-.*"
# Multiple conditions
http and src.namespace == "default" and response.status == 500
MCP Registry
Kubeshark is published to the MCP Registry automatically on each release.
The server.json in this directory is a reference file. The actual registry metadata (version, SHA256 hashes) is auto-generated during the release workflow. See .github/workflows/release.yml for details.
Links
License
Apache-2.0
Related Servers
Scout Monitoring MCP
sponsorPut performance and error data directly in the hands of your AI assistant.
Alpha Vantage MCP Server
sponsorAccess financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
MCP Sourcify Server
Verify and retrieve smart contract source code using the Sourcify API.
vigile-mcp
Security scanner for MCP servers and agent skills — query trust scores, check for vulnerabilities, and search the Vigile trust registry
Apktool
A server for Android APK analysis and reverse engineering using Apktool.
AgentOps MCP
An MCP server for AgentOps, providing observability and evaluation tools for AI agents.
PureScript MCP Server
An MCP server offering PureScript development tools for AI assistants. Requires Node.js and the PureScript compiler for full functionality.
VSCode MCP
Interact with VSCode through the Model Context Protocol, enabling AI agents to perform development tasks.
PixelLab
Generate and manipulate pixel art using the PixelLab API.
mcpGW
An MCP gateway and proxy designed to simplify applications that utilize various tools.
BitFactory MCP
Simplifies and standardizes interactions with the BitFactory API.
MCP RAG Server
A lightweight Python server for Retrieval-Augmented Generation (RAG) using AWS Lambda. It retrieves knowledge from external data sources like arXiv and PubMed.