Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. It manages the packaging, deployment and execution of Gadgets (eBPF programs encapsulated in OCI images) and provides mechanisms to customize and extend Gadget functionality.

Note: Major new functionality was released in v0.31.0. Please read the blog post for a detailed overview.

• Build and package eBPF programs into OCI images called Gadgets
• Targets Kubernetes clusters and Linux hosts
• Collect and export data to observability tools with a simple command (and soon via declarative configuration)
• Security mechanisms to restrict and lock-down which Gadgets can be run
• Automatic enrichment: map kernel data to high-level resources like Kubernetes and container runtimes
• Supports WebAssembly modules to post-process data and customize IG operators; using any WASM-supported language
• Supports many modes of operation; cli, client-server, API, embeddable via Golang library

The following examples use the trace_open Gadget which triggers when a file is open on the system.

krew is the recommended way to install kubectl gadget. You can follow the krew's quickstart to install it and then install kubectl gadget by executing the following commands.

kubectl krew install gadget
kubectl gadget deploy
kubectl gadget run trace_open:latest

Check Installing on Kubernetes to learn more about different options.

We can use kubectl node debug to run ig on a Kubernetes node:

kubectl debug --profile=sysadmin node/minikube-docker -ti --image=ghcr.io/inspektor-gadget/ig -- ig run trace_open:latest

For more information on how to use ig without installation on Kubernetes, please refer to the ig documentation.

Install the ig binary locally on Linux and run a Gadget:

IG_ARCH=amd64
IG_VERSION=$(curl -s https://api.github.com/repos/inspektor-gadget/inspektor-gadget/releases/latest | jq -r .tag_name)

curl -sL https://github.com/inspektor-gadget/inspektor-gadget/releases/download/${IG_VERSION}/ig-linux-${IG_ARCH}-${IG_VERSION}.tar.gz | sudo tar -C /usr/local/bin -xzf - ig

sudo ig run trace_open:latest

Check Installing on Linux to learn more.

docker run -ti --rm --privileged -v /:/host --pid=host ghcr.io/inspektor-gadget/ig run trace_open:latest

For more information on how to use ig without installation on Linux, please check Using ig in a container.

It's possible to control an ig running in Linux from different operating systems by using the gadgetctl binary.

Run the following on a Linux machine to make ig available to clients.

sudo ig daemon --host=tcp://0.0.0.0:1234

Download the gadgetctl tools for MacOS (amd64, arm64) or windows and run the Gadget specifying the IP address of the Linux machine:

gadgetctl run trace_open:latest --remote-address=tcp://$IP:1234

The above demonstrates the simplest command. To learn how to filter, export, etc. please consult the documentation for the run command.

Gadgets are the central component in the Inspektor Gadget framework. A Gadget is an OCI image that includes one or more eBPF programs, metadata YAML file and, optionally, WASM modules for post processing. As OCI images, they can be stored in a container registry (compliant with the OCI specifications), making them easy to distribute and share. Gadgets are built using the ig image build command.

You can find a growing collection of Gadgets on Artifact HUB. This includes both in-tree Gadgets (hosted in this git repository in the /gadgets directory and third-party Gadgets).

See the Gadget documentation for more information.

Prior to v0.31.0, Inspektor Gadget only shipped gadgets embedded in its executable file. As of v0.31.0 these built-in Gadgets are still available and work as before, but their use is discouraged as they will be deprecated at some point. We encourage users to use image-based Gadgets going forward, as they provide more features and decouple the eBPF programs from the Inspektor Gadget release process.

The data that eBPF collects from the kernel includes no knowledge about Kubernetes, container runtimes or any other high-level user-space concepts. In order to relate this data to these high-level concepts and make the eBPF data immediately more understandable, Inspektor Gadget automatically uses kernel primitives such as mount namespaces, pids or similar to infer which high-level concepts they relate to; Kubernetes pods, container names, DNS names, etc. The process of augmenting the eBPF data with these high-level concepts is called enrichment.

Enrichment flows the other way, too. Inspektor Gadget enables users to do high-performance in-kernel filtering by only referencing high-level concepts such as Kubernetes pods, container names, etc.; automatically translating these to the corresponding low-level kernel resources.

In Inspektor Gadget, an operator is any part of the framework where an action is taken. Some operators are under-the-hood (i.e. fetching and loading Gadgets) while others are user-exposed (enrichment, filtering, export, etc.) and can be reordered and overridden.

Use the project documentation to learn more about:

• Reference
• Gadgets
• Contributing

Kernel requirements are largely determined by the specific eBPF functionality a Gadget makes use of. The eBPF functionality available to Gadgets depend on the version and configuration of the kernel running running in the node/machine where the Gadget is being loaded. Gadgets developed by the Inspektor Gadget project require at least Linux 5.10 with BTF enabled.

Refer to the documentation for a specific Gadget for any notes regarding requirements.

There are some examples in this folder showing the usage of the Golang packages provided by Inspektor Gadget. These examples are designed for developers that want to use the Golang packages exposed by Inspektor Gadget directly. End-users do not need this and can use kubectl-gadget or ig directly.

Contributions are welcome, see CONTRIBUTING.

We hold community meetings regularly. Please check our calendar for the full schedule of up-coming meetings and please add any topic you want to discuss to our meeting notes document.

Join the discussions on the #inspektor-gadget channel in the Kubernetes Slack.

• Collecting Low-Level Metrics with eBPF, KubeCon + CloudNativeCon North America 2023 (video, slides)
• A (re)introduction of Inspektor Gadget: A Containerized Framework for eBPF Systems Inspection, Cloud Native Rejekts Chicago - November 2023 (video)
• Gaining Linux insights with Inspektor Gadget, an eBPF tool and systems inspection framework, All Systems Go - September 2023 (video)
• Overcoming the Challenges of Debugging Containers, Container Days Hamburg - September 2023 (video)
• Using the EBPF Superpowers To Generate Kubernetes Security Policies, KubeCon + CloudNativeCon North America 2022 (video, slides)
• Debug Your Clusters with eBPF-Powered Tools, Cloud Native eBPF Day North America 2022 (video, slides)
• Who Needs an API Server to Debug a Kubernetes Cluster?, Cloud Native eBPF Day North America 2022 (video, slides)
• Inspektor Gadget, introduction and demos, eCHO Livestream - September 2021 (video)
• OpenShift Commons Briefing: Unleash eBPF Superpowers with Kubectl Gadget, Openshift Commons 2020 (video)
• Tutorial: Understanding What Happens Inside Kubernetes Clusters Using BPF Tools, Open Source Summit EU 2020 (video)
• Inspektor Gadget and traceloop: Tracing containers syscalls using BPF, FOSDEM 2020 (video, slides)
• Traceloop for systemd and Kubernetes + Inspektor Gadget, All Systems Go 2019 (video)

• BPF Compiler Collection (BCC): some of the gadgets are based on BCC tools.
• kubectl-trace: the Inspektor Gadget architecture was inspired from kubectl-trace.
• cilium/ebpf: the gadget tracer manager and some other gadgets use the cilium/ebpf library.

The Inspektor Gadget user-space components are licensed under the Apache License, Version 2.0. The BPF code templates are licensed under the General Public License, Version 2.0, with the Linux-syscall-note.