
Kive is a free and open source eBPF-powered file access monitoring Kubernetes operator. Kivebpf provides a stable API to place inode-based traps on files and receive alerts when a file is accessed.

kivebpf

Kivebpf is a free and open source eBPF-powered file access monitoring Kubernetes operator.

Kivebpf is used by Koney to place deception policies on Kubernetes clusters.

Note that Kivebpf is not yet ready for production use.

Basic Usage

You can specify which path to monitor, and in which containers, by creating a KivePolicy. The following is an example policy:

apiVersion: kivebpf.san7o.github.io/v1
kind: KivePolicy
metadata:
  labels:
    app.kubernetes.io/name: kivebpf
  name: kive-sample-policy
  namespace: kivebpf-system
spec:
  alertVersion: v1
  traps:
  - path: /secret.txt
    create: true
    mode: 444
    callback: "http://my-callback.com/alerts"
    matchAny:
    - pod: nginx-pod
      namespace: default
      containerName: "regex:nginx-.*"
      matchLabels:
        security-level: high
    metadata:
      alert-level: critical

This sets up a trap on the path /secret.txt in the matched containers, creating the file with the permissions given in mode if it does not exist (create: true). The match groups under the matchAny field are combined with a logical OR, and the fields within a single match group are combined with a logical AND. All match fields are optional, but there must be at least one match group under matchAny.

When a monitored file is accessed, the operator generates a KiveAlert and prints it to standard output in JSON format. The following is an example alert:

{
  "kive-alert-version": "v1",
  "kive-policy-name": "kive-sample-policy",
  "timestamp": "2025-08-02T16:51:19Z",
  "metadata": {
    "path": "/secret.txt",
    "inode": 16256084,
    "mask": 36,
    "kernel-id": "2c147a95-23e5-4f99-a2de-67d5e9fdb502"
  },
  "custom-metadata": {
    "alert-level": "critical"
  },
  "pod": {
    "name": "nginx-pod",
    "namespace": "default",
    "container": {
      "id": "containerd://0c37512624823392d71e99a12011148db30ba7ea2a74fc7ff8bd5f85bc7b499c",
      "name": "nginx"
    }
  },
  "node": {
    "name": "kive-worker"
  },
  "process": {
    "pid": 176928,
    "tgid": 176928,
    "uid": 0,
    "gid": 0,
    "binary": "/usr/bin/cat",
    "cwd": "/",
    "arguments": "/secret.txt -"
  }
}

  • cwd and arguments are currently disabled.

If you specify a callback in the KivePolicy, the alert data is sent to the callback URL in an HTTP POST request.
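A minimal callback receiver for the v1 alert format above, added here as an example and not part of Kivebpf: it parses the JSON the operator POSTs, refuses unknown alert versions and incomplete alerts, and writes one log line per access. The struct field names are taken from the sample alert; the endpoint path /alerts and the 64 KiB body cap are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
)

// KiveAlert mirrors the v1 alert JSON from the README (added example, not the project's API).
type KiveAlert struct {
	Version    string `json:"kive-alert-version"`
	PolicyName string `json:"kive-policy-name"`
	Metadata   struct{ Path string; Inode uint64; Mask uint32 } `json:"metadata"`
	Custom     map[string]string `json:"custom-metadata"`
	// Untagged fields are matched case-insensitively by encoding/json ("name", "pid", ...).
	Pod     struct{ Name, Namespace string; Container struct{ ID, Name string } } `json:"pod"`
	Process struct{ PID, UID int; Binary string } `json:"process"`
}

// ParseAlert decodes one callback body and refuses unknown versions or incomplete alerts,
// so a future schema change fails loudly instead of being silently misread downstream.
func ParseAlert(body []byte) (*KiveAlert, error) {
	var a KiveAlert
	if err := json.Unmarshal(body, &a); err != nil {
		return nil, fmt.Errorf("malformed alert: %w", err)
	}
	if a.Version != "v1" || a.PolicyName == "" || a.Metadata.Path == "" {
		return nil, fmt.Errorf("unsupported or incomplete alert (version %q)", a.Version)
	}
	return &a, nil
}

// AlertHandler is the endpoint a KivePolicy callback URL should point at (assumed path: /alerts).
func AlertHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "POST only", http.StatusMethodNotAllowed)
		return
	}
	body, _ := io.ReadAll(io.LimitReader(r.Body, 64<<10)) // bound the untrusted body; a short read fails parsing below
	a, err := ParseAlert(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	log.Printf("kive alert policy=%s path=%s inode=%d pod=%s/%s container=%s binary=%s uid=%d level=%s",
		a.PolicyName, a.Metadata.Path, a.Metadata.Inode, a.Pod.Namespace, a.Pod.Name,
		a.Pod.Container.Name, a.Process.Binary, a.Process.UID, a.Custom["alert-level"])
	w.WriteHeader(http.StatusNoContent) // 2xx tells the operator the alert was delivered
}
```

Mount it with `http.HandleFunc("/alerts", AlertHandler)` and `http.ListenAndServe`, then set the policy's callback to that URL.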

Please read the USAGE document to learn how to use the operator in more detail. You can find more examples in config/samples.

Quick deploy

To deploy the operator, first make sure you have cert-manager installed for secure TLS connections.

Note: this dependency is currently required but should be dropped in a future release. Additionally, cert-manager is currently configured with a self-signed issuer: this is not meant to be used on EKS or other providers; please use Minikube or Kind to test the operator.

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml

Then simply install the operator from the official Docker repository:

kubectl apply -f https://raw.githubusercontent.com/San7o/kivebpf/refs/heads/main/dist/install-remote.yaml

Supported Environments

| Component | Supported Version(s) | Notes |
|---|---|---|
| Kubernetes | v1.33.x | minikube or kind; cert-manager on EKS is currently not configured. Support for EKS is in development. |
| Container Runtime | containerd | Only containerd is supported at the moment. |
| Go (for dev build) | 1.24 | Required for building the operator. |
| Linux Version | >= 5.10 | All kernels from 5.10 are supported. Tested on 5.10 and 6.14. |
| Architectures | x86_64 | The eBPF program works only on x86_64. |

Development

The DESIGN document contains all the information about the internals of the operator.

Please read the DEVELOPMENT document to build the operator and get started with Kive's development. EBPF-TESTING has instructions to build and test the eBPF program without running the Kubernetes operator. To run a local cluster, take a look at k8s-lab or simply use the registry-cluster.sh script.

The status document contains information about the current state of development and future work.
