Kubernetes in-node eBPF agent that forwards node/process events to Kafka.
This agent does not scrape Pod stdout/stderr logs like Fluent Bit, Vector, or Promtail. It captures kernel and process-level events from Linux nodes via eBPF and enriches them with Kubernetes Pod context before publishing to Kafka.
git clone --recurse-submodules https://github.com/ChambitTrace/core
cd core
git submodule update --init --recursive
docker build -t ghcr.io/chambittrace/core:v1.0.4 .
This repository can be deployed in a homelab topology where:
- the Kubernetes cluster runs on an HP Z440 with Proxmox
- the operator workstation is a Mac mini on the same LAN
- Kafka runs in Docker on the Mac mini
- Tailscale exists for management traffic, but Kafka can use the simpler LAN path
- Kubernetes worker nodes are linux/amd64
Edit Daemonset.yaml ConfigMap values:
- KAFKA_BROKERS: Mac mini Kafka address (LAN first, optional Tailscale fallback)
- KAFKA_TOPIC: topic for eBPF events
- CLUSTER_NAME: logical cluster identifier
Example:
KAFKA_BROKERS: "192.168.200.178:9092"
KAFKA_TOPIC: "chambit-ebpf-events"
CLUSTER_NAME: "proxmox-k8s"
If you want a single-file deploy, edit the same values in runtimeAgent.yaml and apply that file directly.
Create a local env file from the example and keep the advertised host set to the Mac mini LAN IP:
cp .env.kafka.example .env.kafka
docker compose -f docker-compose.kafka.yml up -d

kubectl apply -f rbac.yaml
kubectl apply -f Daemonset.yaml
Or with the all-in-one manifest:
kubectl apply -f runtimeAgent.yaml

kubectl -n monitor get ds,pods -l app=chambit-innodeagent -o wide
kubectl -n monitor logs -l app=chambit-innodeagent --tail=100

docker exec -it chambit-kafka kafka-topics --bootstrap-server 127.0.0.1:9092 --list
docker exec -it chambit-kafka kafka-console-consumer --bootstrap-server 127.0.0.1:9092 --topic chambit-ebpf-events --from-beginning

- KAFKA_BROKERS (required): comma-separated broker list
- KAFKA_TOPIC (required): destination topic
- KAFKA_BATCH_SIZE (optional, default 100)
- KAFKA_BATCH_TIMEOUT_MS (optional, default 1000)
- KAFKA_WRITE_TIMEOUT_MS (optional, default 5000)
- CLUSTER_NAME (optional, default homelab-k3s)
- NODE_NAME (set via downward API)
- NODE_IP (set via downward API)

eBPF Agent (DaemonSet) -> Kafka on Mac mini Docker -> ELK
What this agent sends to Kafka:
- exec, open, mount, chmod, chown, setuid/setgid, ptrace, bpf, module and related runtime events
- node identity (NODE_NAME, NODE_IP, CLUSTER_NAME)
- resolved Kubernetes pod context from cgroup metadata
What this agent does not send by itself:
- application stdout/stderr log lines from containers
- Kubernetes Event objects from the API server
If you need container log shipping, pair this with a log collector such as Fluent Bit or Vector and keep Chambit for runtime tracing.
For small clusters and Proxmox-backed homelabs, keep these disabled unless you have measured the overhead:
ENABLE_OPEN_EVENTS=false
ENABLE_READ_EVENTS=false
ENABLE_WRITE_EVENTS=false
LOG_EACH_EVENT=false
read and write syscall tracing is extremely noisy and can destabilize shared virtualization hosts or management paths if enabled cluster-wide.
Build the safe image locally:
docker build -t chambit-core:safe .
Run a local image registry on the Mac mini:
docker compose -f docker-compose.registry.yml up -d
docker tag chambit-core:safe localhost:5001/chambit-core:safe
docker push localhost:5001/chambit-core:safe
Then edit Daemonset.canary.yaml and replace REPLACE_WITH_CANARY_NODE with one Kubernetes node hostname before applying:
kubectl apply -f rbac.yaml
kubectl apply -f Daemonset.canary.yaml
For K3s, configure each node to trust the Mac mini registry over plain HTTP by creating /etc/rancher/k3s/registries.yaml and restarting K3s. Official docs: K3s Private Registry Configuration
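
One way to carry out the registries.yaml step above, as an added example that is not part of this repository: the script renders a file that permits plain HTTP for exactly one registry and restarts K3s. The script name and the function names are hypothetical, and the registry address is a placeholder for the Mac mini LAN IP with port 5001.

```shell
#!/bin/sh
# Added example, not part of the project: render a K3s registries.yaml that
# allows plain HTTP for one registry only, so every other registry keeps TLS.

# Print the registries.yaml body for REGISTRY (host:port); fail on bad input.
render_registries_yaml() {
    registry="$1"
    case "$registry" in
        *[!A-Za-z0-9.:-]*|*:*:*|:*|*:) return 1 ;;  # stray chars, extra or dangling colon
        *:*) ;;                                      # exactly one host:port separator
        *) return 1 ;;                               # no port given
    esac
    port="${registry##*:}"
    case "$port" in
        *[!0-9]*) return 1 ;;                        # port must be numeric
    esac
    # The mirror key must match the registry host:port used in the image
    # reference; the http:// endpoint is what disables TLS for that registry.
    printf 'mirrors:\n  "%s":\n    endpoint:\n      - "http://%s"\n' \
        "$registry" "$registry"
}

# Write the file on a node and restart K3s. Run as root on each node.
apply_on_node() {
    body="$(render_registries_yaml "$1")" || return 1   # nothing written on bad input
    mkdir -p /etc/rancher/k3s
    printf '%s\n' "$body" > /etc/rancher/k3s/registries.yaml
    # Agent nodes run k3s-agent.service, server nodes run k3s.service.
    if systemctl is-enabled --quiet k3s-agent 2>/dev/null; then
        systemctl restart k3s-agent
    else
        systemctl restart k3s
    fi
}

# Usage (placeholder address): sh k3s-registry.sh --apply <mac-mini-lan-ip>:5001
if [ "${1:-}" = "--apply" ]; then
    apply_on_node "${2:-}"
fi
```

Because the registry is reached without TLS, image pulls from it are neither authenticated nor integrity-protected on the wire, so keep it on the LAN path described above.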