kubeshark

Kubeshark installation and deployment skill. Use this skill whenever the user wants to install Kubeshark, deploy Kubeshark to a Kubernetes cluster, set up Kubeshark, configure Kubeshark helm values, generate a Kubeshark config file, customize Kubeshark deployment, troubleshoot Kubeshark installation, upgrade Kubeshark, uninstall Kubeshark, or manage the Kubeshark Helm release. Also trigger when the user mentions "kubeshark tap", "kubeshark clean", "helm install kubeshark", "get kubeshark running", "set up traffic capture", "deploy kubeshark", "kubeshark not starting", "kubeshark pods not ready", "configure namespaces", "persistent storage", "cloud storage for snapshots", "kubeshark ingress", "kubeshark auth", "kubeshark SAML", "kubeshark license", "kubeshark config", "custom helm values", "kubeshark on EKS/GKE/AKS", "kubeshark on OpenShift", "kubeshark on KinD/minikube/k3s", "air-gapped", "offline install", or any request related to getting Kubeshark installed, configured, and running in a Kubernetes cluster.

KFL2 (Kubeshark Filter Language) reference. This skill MUST be loaded before writing, constructing, or suggesting any KFL filter expression. KFL is statically typed — incorrect field names or syntax will fail silently or error. Do not guess at KFL syntax without this skill loaded. Trigger on any mention of KFL, CEL filters, traffic filtering, display filters, query syntax, filter expressions, write a filter, construct a query, build a KFL, create a filter expression, "how do I filter", "show me only", "find traffic where", protocol-specific queries (HTTP status codes, DNS lookups, Redis commands, Kafka topics), Kubernetes-aware filtering (by namespace, pod, service, label, annotation), L4 connection/flow filters, time-based queries, or any request to slice/search/narrow network traffic in Kubeshark. Also trigger when other skills need to construct filters — KFL is the query language for all Kubeshark traffic analysis.

Kubernetes network root cause analysis skill powered by Kubeshark MCP. Use this skill whenever the user wants to investigate past incidents, perform retrospective traffic analysis, take or manage traffic snapshots, extract PCAPs, dissect L7 API calls from historical captures, compare traffic patterns over time, detect drift or anomalies between snapshots, or do any kind of forensic network analysis in Kubernetes. Also trigger when the user mentions snapshots, raw capture, PCAP extraction, traffic replay, postmortem analysis, "what happened yesterday/last week", root cause analysis, RCA, cloud snapshot storage, snapshot dissection, or KFL filters for historical traffic. Even if the user just says "figure out what went wrong" or "compare today's traffic to yesterday" in a Kubernetes context, use this skill.

Kubernetes network security audit skill powered by Kubeshark MCP. Use this skill whenever the user wants to audit a cluster for security threats, detect compromised workloads, find malicious traffic patterns, hunt for indicators of compromise (IOCs), check for data exfiltration, identify C2 (command and control) communication, detect cryptomining, find lateral movement, discover credential theft attempts, assess network security posture, or perform threat hunting in Kubernetes. Also trigger when the user mentions security audit, threat detection, compromise assessment, vulnerability scan, "is my cluster compromised", "find malicious traffic", "check for threats", DNS exfiltration, DNS tunneling, port scanning, IMDS access, reverse shell, crypto miner, MITRE ATT&CK, IOC detection, anomaly detection, suspicious traffic, rogue workloads, unauthorized access, or any request to evaluate cluster security through network traffic analysis.