How to TCPdump effectively in Kubernetes (part 1)

Philippe Bogaerts
2 min readMay 9, 2019

In a previous blog post, we focused on how to TCPdump in docker containers (see

Although the information is still very useful and valid for troubleshooting K8S pods, it might get more difficult figuring out which containers to attach to on what node, etc … but a very valid approach.

While focusing on an easier way, I came across the command

kubectl patch 

This command allows to update a deployment for example. It basically does the trick outlined in the previous post but fully automatic

So if you have deployment running like for example

kubectl create -f create -f

You should be able to access it on

# kubectl get services
my-radarhack-clusterip ClusterIP <none> 80/TCP 36d
# curl

So far so good. Let’s focus on how to add the TCPdump container to the deployment. Create following file ex. patch.yaml

- name: tcpdumper

And apply it

kubectl patch deployment radarhack-deployment --patch “$(cat patch.yaml)”

You should be able to see that the TCPdump container is automatically added to the pods (please note that the pods are recreated, which is not exactly the same as in the previous blogpost, where you connect to a running pod/container)

# kubectl get deployment radarhack-deployment  --output yaml
apiVersion: extensions/v1beta1
kind: Deployment
app: radarhack
- image:
imagePullPolicy: Always
name: tcpdumper
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File

- image:
imagePullPolicy: Always
name: radarhack
- containerPort: 80…
Philippe Bogaerts

#BruCON co-founder, #OWASP supporter, Application Delivery and Web Application Security, #Kubernetes and #container, #pentesting enthousiast, BBQ & cocktails !!