How to TCPdump effectively in Kubernetes (part 1)

Philippe Bogaerts
2 min readMay 9, 2019

In a previous blog post, we focused on how to TCPdump in docker containers (see https://dockersec.io/@xxradar/how-to-tcpdump-effectively-in-docker-2ed0a09b5406).

Although the information is still very useful and valid for troubleshooting K8S pods, it might get more difficult figuring out which containers to attach to on what node, etc … but a very valid approach.

While focusing on an easier way, I came across the command

kubectl patch 

This command allows to update a deployment for example. It basically does the trick outlined in the previous post but fully automatic

So if you have deployment running like for example

kubectl create -f https://raw.githubusercontent.com/xxradar/kuberneteslearning/master/radarhack-deploy.yamlkubectl create -f https://raw.githubusercontent.com/xxradar/kuberneteslearning/master/radarhack-expose-clusterip.yaml

You should be able to access it on

# kubectl get services
...
my-radarhack-clusterip ClusterIP 10.104.201.226 <none> 80/TCP 36d
# curl http://10.104.201.226/
<HTML>
<HEAD>
<TITLE>RADARHACK.COM by XXRADAR</TITLE>
...

So far so good. Let’s focus on how to add the TCPdump container to the deployment. Create following file ex. patch.yaml

spec:
template:
spec:
containers:
- name: tcpdumper
image: docker.io/dockersec/tcpdump

And apply it

kubectl patch deployment radarhack-deployment --patch “$(cat patch.yaml)”

You should be able to see that the TCPdump container is automatically added to the pods (please note that the pods are recreated, which is not exactly the same as in the previous blogpost, where you connect to a running pod/container)

# kubectl get deployment radarhack-deployment  --output yaml
apiVersion: extensions/v1beta1
kind: Deployment
..
labels:
app: radarhack
spec:
containers:
- image: docker.io/dockersec/tcpdump
imagePullPolicy: Always
name: tcpdumper
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File

- image: docker.io/xxradar/naxsi5
imagePullPolicy: Always
name: radarhack
ports:
- containerPort: 80…
Philippe Bogaerts

#BruCON co-founder, #OWASP supporter, Application Delivery and Web Application Security, #Kubernetes and #container, #pentesting enthousiast, BBQ & cocktails !!