SRodi/ebpf-server
A Model Context Protocol (MCP) server that uses eBPF to monitor network connections and provide real-time network analytics.
eBPF Network Monitor
A modular eBPF monitoring system with HTTP API server for real-time network and system event monitoring. Supports both VM and Kubernetes deployments with automatic metadata enrichment.
Deployment Options
Kubernetes Deployment (Recommended)
Deploy across your entire Kubernetes cluster with automatic node metadata enrichment:
# Quick deployment with built-in script
./scripts/deploy.sh all --registry your-registry.com
# Or step by step
make docker-build
make docker-push REGISTRY=your-registry.com
make k8s-deploy
See the repository documentation (docs/) for detailed setup and configuration.
Local Testing with Kind
Test the full Kubernetes deployment locally:
# Full automated test
make kind-full-test
# Or step by step:
make kind-cluster-create # Create local cluster
make kind-deploy # Deploy to kind cluster
make kind-integration-test # Run comprehensive tests
For detailed API documentation for the aggregator (available only in Kubernetes mode), see the API Aggregator Documentation.
VM Deployment (Traditional)
For single-server deployments:
# Install dependencies (Ubuntu/Debian)
sudo apt install -y golang-go clang libbpf-dev linux-headers-$(uname -r)
# Build and run
make build
sudo ./bin/ebpf-server
# Test the API
curl http://localhost:8080/health
curl "http://localhost:8080/api/events?type=connection&limit=10"
Interactive API Documentation - test the APIs in your browser via the built-in Swagger UI
Key Features
Dual Deployment Support
- Kubernetes Mode: DaemonSet + Aggregator architecture for cluster-wide monitoring
- VM Mode: Traditional single-server deployment
- Automatic Detection: Seamlessly detects environment and adapts behavior
Kubernetes Metadata Enrichment
Events in Kubernetes include rich metadata:
{
"id": "abc123",
"type": "connection",
"k8s_node_name": "worker-node-1",
"k8s_pod_name": "ebpf-monitor-xyz",
"k8s_namespace": "ebpf-system",
...
}
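How an agent can detect its environment and stamp the node, pod and namespace onto every event, as an added Go example (not code from the ebpf-server repository): it treats the presence of KUBERNETES_SERVICE_HOST, which the kubelet injects into every container, as the Kubernetes signal, and reads NODE_NAME, POD_NAME and POD_NAMESPACE from the environment. Those three variable names, the Event struct and the Env type are assumptions of this example; the README only says that detection and enrichment are automatic.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Event mirrors the JSON shape shown above; pid and command come from the README's
// query parameters. The struct itself is an assumption of this example.
type Event struct {
	ID           string `json:"id"`
	Type         string `json:"type"`
	PID          int    `json:"pid,omitempty"`
	Command      string `json:"command,omitempty"`
	K8sNodeName  string `json:"k8s_node_name,omitempty"`
	K8sPodName   string `json:"k8s_pod_name,omitempty"`
	K8sNamespace string `json:"k8s_namespace,omitempty"`
}

// Env abstracts environment lookup so detection can be exercised without a real pod.
type Env func(key string) string

// InKubernetes reports whether the process runs inside a pod. The kubelet injects
// KUBERNETES_SERVICE_HOST into every container, so its presence is the usual signal.
func InKubernetes(env Env) bool {
	return env("KUBERNETES_SERVICE_HOST") != ""
}

// K8sMeta is the agent pod's identity, sourced from Downward API environment variables.
type K8sMeta struct {
	NodeName, PodName, Namespace string
}

// LoadK8sMeta returns an empty K8sMeta in VM mode. In Kubernetes mode it requires
// NODE_NAME, POD_NAME and POD_NAMESPACE (names assumed by this example; the DaemonSet
// manifest must set them with fieldRef) and fails loudly when any is missing, so the
// agent never silently emits events with blank k8s_* fields.
func LoadK8sMeta(env Env) (K8sMeta, error) {
	if !InKubernetes(env) {
		return K8sMeta{}, nil
	}
	m := K8sMeta{
		NodeName:  env("NODE_NAME"),
		PodName:   env("POD_NAME"),
		Namespace: env("POD_NAMESPACE"),
	}
	if m.NodeName == "" || m.PodName == "" || m.Namespace == "" {
		return K8sMeta{}, fmt.Errorf("in Kubernetes but NODE_NAME/POD_NAME/POD_NAMESPACE are not all set; check the Downward API fieldRefs in the DaemonSet")
	}
	return m, nil
}

// Enrich stamps the pod identity onto an event. With an empty K8sMeta (VM mode) the
// event is returned unchanged, which is what keeps VM deployments backward compatible.
func Enrich(ev Event, m K8sMeta) Event {
	ev.K8sNodeName = m.NodeName
	ev.K8sPodName = m.PodName
	ev.K8sNamespace = m.Namespace
	return ev
}

func main() {
	meta, err := LoadK8sMeta(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Constructed sample event standing in for one read from the eBPF ring buffer.
	ev := Enrich(Event{ID: "abc123", Type: "connection", PID: 1234, Command: "curl"}, meta)
	out, _ := json.MarshalIndent(ev, "", "  ")
	fmt.Println(string(out))
}
```

For the variables to exist, the DaemonSet's container spec has to set them with valueFrom.fieldRef (fieldPath spec.nodeName, metadata.name and metadata.namespace respectively). The loud failure in LoadK8sMeta catches a manifest that forgot them; otherwise the mistake only shows up later as events with empty k8s_* fields that no node or pod filter can find.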
Scalable Architecture
Kubernetes Mode: Distributed monitoring with centralized aggregation
+-----------------------------------------------------------+
|                    Kubernetes Cluster                     |
|  +-------------+  +-------------+       +-------------+   |
|  |   Node 1    |  |   Node 2    |       |   Node N    |   |
|  | +---------+ |  | +---------+ |       | +---------+ |   |
|  | |  eBPF   | |  | |  eBPF   | |  ...  | |  eBPF   | |   |
|  | |  Agent  | |  | |  Agent  | |       | |  Agent  | |   |
|  | |+K8s Meta| |  | |+K8s Meta| |       | |+K8s Meta| |   |
|  | +----+----+ |  | +----+----+ |       | +----+----+ |   |
|  +------+------+  +------+------+       +------+------+   |
|         |                |                     |          |
|         +----------------+---------------------+          |
|                          |                                |
|                    +-----v-----+                          |
|                    |   eBPF    |                          |
|                    | Aggregator|----> Unified API         |
|                    +-----------+                          |
+-----------------------------------------------------------+
VM Mode: Modular, interface-based monitoring system
+-----------------------------------------------------+
|                    eBPF Programs                    |
|  +-------------+  +-------------+  +-------------+  |
|  | Connection  |  | Packet Drop |  |   Custom    |  |
|  |   Monitor   |  |   Monitor   |  |  Monitors   |  |
|  +------+------+  +------+------+  +------+------+  |
+---------+----------------+----------------+---------+
          |                |                |
          +----------------+----------------+
                           |
                           v
               +-----------------------+
               |   Event Processing    |
               |  (Manager + Storage)  |
               +-----------+-----------+
                           |
                           v
               +-----------------------+
               |       HTTP API        |
               |     (/api/events)     |
               +-----------------------+
Unified Monitoring
- Cross-Node Correlation: View events across entire Kubernetes cluster
- Node-Specific Filtering: Query events by specific nodes or pods
- Aggregated Statistics: Cluster-wide event statistics and metrics
- Backward Compatible: Existing VM deployments continue unchanged
API Features
- Unified Event API: Single /api/events endpoint for all monitoring data
- Flexible Filtering: Filter by event type, PID, command, and time windows
- Kubernetes Filtering: Filter by node name, pod name, or namespace
- Program Status: View program status and metrics via /api/programs
- Auto-Generated Documentation: OpenAPI 3.0 spec from code annotations
- Interactive Testing: Built-in Swagger UI for API exploration
Core Endpoints
GET /health - System health and status
GET /api/events - Query events with filtering support
GET /api/programs - List all programs and their status
Query Examples
# Get connection events since a given RFC3339 timestamp
# (for "the last hour" with GNU date: since=$(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%SZ))
curl "http://localhost:8080/api/events?type=connection&since=2023-01-01T00:00:00Z"
# Get events for a specific process
curl "http://localhost:8080/api/events?pid=1234&limit=50"
# Kubernetes: Get events from specific node
curl "http://localhost:8080/api/events?k8s_node_name=worker-1"
Query Parameters
type: Event type filter (e.g., "connection", "packet_drop")
pid: Process ID filter
command: Command name filter
k8s_node_name, k8s_pod_name, k8s_namespace: Kubernetes filters
since, until: RFC3339 timestamp filters
limit: Maximum results (default: 100)
Development
# Development build with debug logging
make build-dev && sudo ./bin/ebpf-server-dev
# Generate API docs
make docs
# Run tests
make test
# Build eBPF programs
make build-bpf
See the repository documentation (docs/) for a detailed guide to creating new eBPF monitoring programs.
Project Structure
├── cmd/                # Application entry points
│   ├── server/         # eBPF monitoring server
│   └── aggregator/     # Kubernetes aggregator
├── internal/
│   ├── core/           # Core interfaces and types
│   ├── events/         # Event system (BaseEvent, streams)
│   ├── programs/       # eBPF program implementations
│   ├── storage/        # Event storage and querying
│   ├── api/            # HTTP API handlers
│   ├── kubernetes/     # Kubernetes metadata integration
│   └── system/         # System initialization
├── bpf/                # eBPF C programs and headers
├── kubernetes/         # Kubernetes manifests
├── scripts/            # Deployment and testing scripts
└── docs/               # Documentation and API specs
Requirements
- Linux kernel 4.18+ with eBPF support
- Root privileges for eBPF program loading: CAP_SYS_ADMIN, or on 5.8+ kernels CAP_BPF together with CAP_PERFMON (tracing programs) and CAP_NET_ADMIN (networking programs); the agent container in a Kubernetes deployment needs the same
- Dependencies: Go 1.23+, Clang, libbpf-dev, kernel headers
- Kubernetes: 1.20+ (for K8s deployment)
Setup Guide: see the detailed setup guide in the repository documentation (docs/).
License
MIT License - see file.