18.06.2026

Kubeshark MCP: Network RCA for SREs and AI Agents


Kubernetes network incidents are still painful because the useful evidence is split across dashboards, logs, packet captures, service maps, and tribal knowledge. Kubeshark is worth watching because it turns cluster traffic into queryable incident context, then exposes that context to both humans and MCP-compatible AI agents.

What Is Kubeshark?

Kubeshark is an open-source Kubernetes network observability platform. It indexes cluster-wide traffic at the kernel level using eBPF, then lets operators query that data with network, API, and Kubernetes semantics.

The project positions itself as network observability for SREs and AI agents. That framing matters. Instead of asking an assistant to guess from stale logs, you can connect it to live and retained network evidence during root cause analysis.

Key Features

  • Cluster-wide traffic indexing: Search requests and responses across workloads without adding app instrumentation.
  • Protocol-aware views: Inspect HTTP, gRPC, GraphQL, Redis, Kafka, DNS, and other common protocols.
  • Retrospective PCAPs: Export packet captures filtered by node, workload, IP, and time range for Wireshark or long-term retention.
  • TLS and mTLS visibility: Use eBPF-based decryption paths without distributing private keys or injecting sidecars.
  • MCP integration: Let tools such as Claude Code, Cursor, or other MCP clients ask traffic questions during incident workflows.

Installation

Install Kubeshark into a Kubernetes cluster with Helm:

helm repo add kubeshark https://helm.kubeshark.com
helm install kubeshark kubeshark/kubeshark
kubectl port-forward svc/kubeshark-front 8899:80

Then open the dashboard locally:

open http://localhost:8899

For production, use an ingress controller and define access controls around who can inspect payloads and download PCAPs.

Connect an AI Agent with MCP

Kubeshark can run an MCP server so an AI assistant can query traffic during triage:

brew install kubeshark
claude mcp add kubeshark -- kubeshark mcp

From there, responders can ask questions such as which services crossed an error-rate threshold, whether TCP retransmissions increased between nodes, or how a request moved through backend services.

Operational Tips

Treat Kubeshark as high-signal incident evidence, not just another dashboard. Define retention windows, storage targets, and payload access rules before a serious outage. Packet data can include sensitive information, so RBAC and auditability matter.

The MCP path is most useful when you give agents narrow jobs. Ask for an evidence packet, suspected blast radius, or filtered traffic summary. Avoid asking for broad remediation until a human has reviewed the captured signals.
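The two passages above describe the same narrow job from two sides: the question a responder asks ("which services crossed an error-rate threshold, and who is exposed to them") and the bounded output an agent should return (an evidence packet with a suspected blast radius). The script below is an added illustration of that job and is not Kubeshark's or Akmatori's code. It runs over a small set of constructed request records; the `Request` fields, the time window, the 5 % threshold and the `min_requests` noise guard are all assumptions for the example, not Kubeshark's export schema or defaults. The point it adds to the text is the shape of a reviewable packet: counts per service, the services that actually crossed the line, and the callers that received errors from them, with nothing that tells anyone what to change.

```python
"""Evidence-packet builder over constructed request records.

Added example, not Kubeshark's code or data format. It demonstrates the kind
of narrow, read-only job the text recommends giving an MCP-connected agent:
report which services crossed an error-rate threshold inside an incident
window and which callers were exposed to them (the suspected blast radius).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One observed request/response pair (assumed, simplified schema)."""
    src: str     # calling workload
    dst: str     # called workload
    status: int  # HTTP response status
    ts: float    # epoch seconds when the response was observed


def _mk(src, dst, statuses, start):
    """Build one record per status, one second apart, starting at `start`."""
    return [Request(src, dst, s, start + i) for i, s in enumerate(statuses)]


# Constructed sample traffic for the incident window [1000, 2000).
SAMPLE = (
    _mk("checkout", "payments", [200, 503, 200, 503, 200, 503, 200, 503, 200, 200], 1000)
    + _mk("checkout", "inventory", [200] * 6, 1000)
    + _mk("web", "checkout", [200, 502, 200, 200, 502, 200, 200, 200], 1000)
    + _mk("web", "catalog", [200] * 5, 1000)
    + _mk("web", "billing", [500, 200], 1000)     # too few calls to judge
    + _mk("web", "payments", [503, 503], 500)     # before the window: ignored
)
WINDOW = (1000.0, 2000.0)


def in_window(r: Request, window) -> bool:
    start, end = window
    return start <= r.ts < end


def is_error(status: int) -> bool:
    # Server-side failures only; 4xx are treated as client behaviour here.
    return status >= 500


def error_rates(records, window) -> dict[str, tuple[int, int]]:
    """Per destination service: (requests seen, error responses) in window."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        if in_window(r, window):
            totals[r.dst][0] += 1
            totals[r.dst][1] += int(is_error(r.status))
    return {dst: (n, e) for dst, (n, e) in totals.items()}


def services_over_threshold(records, window, threshold=0.05, min_requests=5):
    """Services whose error rate exceeds `threshold` on at least `min_requests`.

    The minimum-request guard keeps a single 500 on a rarely-called service
    from showing up as a 50 % error rate.
    """
    rates = error_rates(records, window)
    return sorted(
        dst for dst, (n, e) in rates.items()
        if n >= min_requests and e / n > threshold
    )


def blast_radius(records, window, failing) -> dict[str, list[str]]:
    """For each failing service, the callers that received an error from it."""
    exposed = defaultdict(set)
    for r in records:
        if r.dst in failing and in_window(r, window) and is_error(r.status):
            exposed[r.dst].add(r.src)
    return {dst: sorted(callers) for dst, callers in exposed.items()}


def evidence_packet(records, window, threshold=0.05, min_requests=5) -> dict:
    """Bounded, reviewable summary: facts about traffic, no remediation."""
    failing = services_over_threshold(records, window, threshold, min_requests)
    return {
        "window": window,
        "error_rates": error_rates(records, window),
        "over_threshold": failing,
        "blast_radius": blast_radius(records, window, failing),
    }


if __name__ == "__main__":
    packet = evidence_packet(SAMPLE, WINDOW)
    for dst, (n, e) in sorted(packet["error_rates"].items()):
        print(f"{dst:10s} requests={n:3d} errors={e:3d} rate={e / n:.0%}")
    print("over threshold:", packet["over_threshold"])
    print("blast radius:  ", packet["blast_radius"])
```

On the sample, `payments` (4 of 10 failed) and `checkout` (2 of 8 failed, the upstream symptom of the same problem) cross the threshold, `billing` is reported in the counts but not flagged because it saw only two calls, and the pre-window `payments` failures are excluded entirely. That is the kind of packet a human can check against the retained traffic before any remediation is discussed.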

Conclusion

Kubeshark fills a practical gap between service telemetry and packet-level debugging. For SRE teams running Kubernetes, it can shorten the path from vague symptom to concrete network evidence. The MCP integration makes it especially relevant for teams building AI-assisted incident workflows.

Akmatori helps SRE teams automate alert triage, collect operational context, and coordinate reliable incident response. Pair Akmatori with infrastructure from Gcore when you need resilient global delivery, edge networking, and cloud capacity for production systems.

Automate incident response and prevent on-call burnout with AI-driven agents!