Key Components
eBPF Sniffer
Purpose: Intercepts HTTP traffic by hooking into key system calls (accept
, read
, write
, close
) at the kernel level.
Deployment: Runs as a DaemonSet in Kubernetes, ensuring coverage across all nodes.
Value: Captures API traffic in near real-time with low overhead and no code instrumentation.
RabbitMQ (Message Queue)
Purpose: Acts as a scalable message broker between the Sniffer and Aggregator. Deployment: Runs as a Kubernetes Deployment in the same cluster.
Aggregator
Purpose: Collects, filters, and deduplicates HTTP session data before generating HAR files. Deployment: Runs as a Kubernetes Deployment, pulling data from the Sniffer via RabbitMQ. Responsibilities:
Filtering irrelevant traffic.
Deduplicating repeated sessions.
Storing the last X sessions in memory.
Providing an API to generate HAR files on demand.
Attacker Container (Soon)
Purpose: Accesses generated HAR files for automated security scanning and API testing. Deployment: Runs as a sidecar container within the Aggregator pod. Benefit: Enables seamless vulnerability testing without extra network hops.
Security & Trust Considerations
Minimal System Footprint
eBPF operates in a sandboxed environment at the kernel level, ensuring system stability with minimal overhead.
Controlled Access & Compliance
Strict access controls allow only authenticated users and designated microservices to request HAR files.
Filtered storage policies prevent the retention of unnecessary or sensitive data.
End-to-End Data Protection
All communication is encrypted between the Sniffer, Aggregator, and RabbitMQ.
Data remains contained within your Kubernetes cluster, ensuring isolation and security compliance.
Last updated