How to TCPdump effectively in Kubernetes (part 1)
--
In a previous blog post, we focused on how to TCPdump in docker containers (see https://dockersec.io/@xxradar/how-to-tcpdump-effectively-in-docker-2ed0a09b5406).
Although the information is still very useful and valid for troubleshooting K8S pods, it might get more difficult figuring out which containers to attach to on what node, etc … but a very valid approach.
While focusing on an easier way, I came across the command
kubectl patch
This command allows to update a deployment for example. It basically does the trick outlined in the previous post but fully automatic
So if you have deployment running like for example
kubectl create -f https://raw.githubusercontent.com/xxradar/kuberneteslearning/master/radarhack-deploy.yamlkubectl create -f https://raw.githubusercontent.com/xxradar/kuberneteslearning/master/radarhack-expose-clusterip.yaml
You should be able to access it on
# kubectl get services
...
my-radarhack-clusterip ClusterIP 10.104.201.226 <none> 80/TCP 36d# curl http://10.104.201.226/
<HTML>
<HEAD>
<TITLE>RADARHACK.COM by XXRADAR</TITLE>
...
So far so good. Let’s focus on how to add the TCPdump container to the deployment. Create following file ex. patch.yaml
spec:
template:
spec:
containers:
- name: tcpdumper
image: docker.io/dockersec/tcpdump
And apply it
kubectl patch deployment radarhack-deployment --patch “$(cat patch.yaml)”
You should be able to see that the TCPdump container is automatically added to the pods (please note that the pods are recreated, which is not exactly the same as in the previous blogpost, where you connect to a running pod/container)
# kubectl get deployment radarhack-deployment --output yaml
apiVersion: extensions/v1beta1
kind: Deployment
..
labels:
app: radarhack
spec:
containers:
- image: docker.io/dockersec/tcpdump
imagePullPolicy: Always
name: tcpdumper
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
- image: docker.io/xxradar/naxsi5
imagePullPolicy: Always
name: radarhack
ports:
- containerPort: 80…