How to TCPdump effectively in Kubernetes (part 1)

Philippe Bogaerts
2 min readMay 9, 2019

In a previous blog post, we focused on how to TCPdump in docker containers (see https://dockersec.io/@xxradar/how-to-tcpdump-effectively-in-docker-2ed0a09b5406).

Although the information is still very useful and valid for troubleshooting K8S pods, it might get more difficult figuring out which containers to attach to on what node, etc … but a very valid approach.

While focusing on an easier way, I came across the command

kubectl patch

This command allows to update a deployment for example. It basically does the trick outlined in the previous post but fully automatic

So if you have deployment running like for example

kubectl create -f https://raw.githubusercontent.com/xxradar/kuberneteslearning/master/radarhack-deploy.yamlkubectl create -f https://raw.githubusercontent.com/xxradar/kuberneteslearning/master/radarhack-expose-clusterip.yaml

You should be able to access it on

# kubectl get services
...
my-radarhack-clusterip ClusterIP 10.104.201.226 <none> 80/TCP 36d# curl http://10.104.201.226/
<HTML>
<HEAD>
<TITLE>RADARHACK.COM by XXRADAR</TITLE>
...

So far so good. Let’s focus on how to add the TCPdump container to the deployment. Create following file ex. patch.yaml

spec:
  template:
    spec:
      containers:
      - name: tcpdumper
        image: docker.io/dockersec/tcpdump

And apply it

kubectl patch deployment radarhack-deployment --patch “$(cat patch.yaml)”

You should be able to see that the TCPdump container is automatically added to the pods (please note that the pods are recreated, which is not exactly the same as in the previous blogpost, where you connect to a running pod/container)

# kubectl get deployment radarhack-deployment  --output yaml
apiVersion: extensions/v1beta1
kind: Deployment
..
      labels:
        app: radarhack
    spec:
      containers:
      - image: docker.io/dockersec/tcpdump
        imagePullPolicy: Always
        name: tcpdumper
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      - image: docker.io/xxradar/naxsi5
        imagePullPolicy: Always
        name: radarhack
        ports:
        - containerPort: 80…
Philippe Bogaerts

Written by Philippe Bogaerts

189 Followers

#BruCON co-founder, #OWASP supporter, Application Delivery and Web Application Security, #Kubernetes and #container, #pentesting enthousiast, BBQ & cocktails !!

More from Philippe Bogaerts

See all from Philippe Bogaerts

Recommended from Medium

Lists

Coding & Development

General Coding Knowledge

New_Reading_List

Natural Language Processing

See more recommendations