How to TCPdump effectively in Kubernetes (part 1)
In a previous blog post, we focused on how to tcpdump in Docker containers (see https://dockersec.io/@xxradar/how-to-tcpdump-effectively-in-docker-2ed0a09b5406).
That approach is still useful and valid for troubleshooting K8S pods, but it gets harder in a cluster: you first have to work out which container to attach to, and on which node it is running. While looking for an easier way, I came across the command
kubectl patch
This command lets you update an existing resource in place, a deployment for example. It basically does the trick outlined in the previous post, but fully automatically: the patch adds a tcpdump container to the pod template, and the deployment rolls out new pods in which that container shares the network namespace of the application container, so tcpdump inside it sees the application's traffic.
So if you have a deployment running, for example
kubectl create -f https://raw.githubusercontent.com/xxradar/kuberneteslearning/master/radarhack-deploy.yaml
kubectl create -f https://raw.githubusercontent.com/xxradar/kuberneteslearning/master/radarhack-expose-clusterip.yaml
you should be able to reach it through its ClusterIP service:
# kubectl get services
...
my-radarhack-clusterip ClusterIP 10.104.201.226 <none> 80/TCP 36d
# curl http://10.104.201.226/
<HTML>
<HEAD>
<TITLE>RADARHACK.COM by XXRADAR</TITLE>
...
So far so good. Let's focus on how to add the tcpdump container to the deployment. Create the following file, e.g. patch.yaml:
spec:
  template:
    spec:
      containers:
      - name: tcpdumper…
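As an added example (not code from the original post), here is the whole procedure as a script: it writes a patch.yaml that appends a tcpdumper sidecar, patches the deployment with it, captures from inside the sidecar, and rolls the change back. The deployment name my-radarhack, the label app=my-radarhack used to locate the pod, and the nicolaka/netshoot image (which ships tcpdump) are assumptions, not taken from the post; the patch file shown in the post is truncated, so the sidecar spec below is my own.

```bash
#!/usr/bin/env bash
# Added example: add a tcpdump sidecar to a running Deployment with
# `kubectl patch`, capture traffic from it, and roll the change back.
# Assumptions (not from the original post): the Deployment is called
# my-radarhack and its pods carry the label app=my-radarhack, and the
# sidecar image nicolaka/netshoot contains tcpdump.
set -eu

DEPLOY="${DEPLOY:-my-radarhack}"
SIDECAR_IMAGE="${SIDECAR_IMAGE:-nicolaka/netshoot:latest}"

# Write a strategic-merge patch that appends a sidecar container.
# The containers list is merged on the `name` key, so a new name is
# added next to the application container instead of replacing it.
# The sidecar shares the pod's network namespace, which is why tcpdump
# in it sees the application's packets; it needs CAP_NET_RAW to open a
# raw socket, so that capability is granted explicitly (and nothing else).
make_patch_file() {
    local out="$1"
    cat > "$out" <<EOF
spec:
  template:
    spec:
      containers:
      - name: tcpdumper
        image: ${SIDECAR_IMAGE}
        command: ["sleep", "infinity"]
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
            add: ["NET_RAW"]
EOF
}

# The kubectl invocations are built as strings so they can be inspected
# (and tested) without a cluster; main() evaluates them.
patch_cmd() {
    local patch_file="$1"
    printf 'kubectl patch deployment %s --patch-file %s\n' "$DEPLOY" "$patch_file"
}

# Capture N packets on the pod's eth0 from inside the sidecar and stream
# the pcap to a local file; -c bounds the capture so the command returns.
capture_cmd() {
    local pod="$1" count="$2" out="$3"
    printf 'kubectl exec %s -c tcpdumper -- tcpdump -i eth0 -c %s -w - > %s\n' \
        "$pod" "$count" "$out"
}

# The patch created a new ReplicaSet; undoing the rollout removes the
# sidecar again (omitting a container from a merge patch does not delete it).
rollback_cmd() {
    printf 'kubectl rollout undo deployment/%s\n' "$DEPLOY"
}

main() {
    local patch_file pod
    patch_file="$(mktemp)"
    make_patch_file "$patch_file"
    if ! command -v kubectl >/dev/null 2>&1; then
        echo "kubectl not found; the commands that would run are:" >&2
        patch_cmd "$patch_file"
        capture_cmd '<pod>' 200 capture.pcap
        rollback_cmd
        return 0
    fi
    eval "$(patch_cmd "$patch_file")"
    kubectl rollout status "deployment/$DEPLOY"
    pod="$(kubectl get pods -l "app=$DEPLOY" -o jsonpath='{.items[0].metadata.name}')"
    eval "$(capture_cmd "$pod" 200 capture.pcap)"
    eval "$(rollback_cmd)"
}

# Only act when invoked as `bash tcpdump-sidecar.sh run`.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `bash tcpdump-sidecar.sh run`; without the argument, or without kubectl on the PATH, it only prints the commands it would execute. Two caveats worth knowing before using this on a live cluster: patching the pod template triggers a rollout, so the pods you were curious about are replaced by new ones with the sidecar, and you capture the replacement's traffic, not the original pod's; and the sidecar stays in the deployment until you remove it, which `kubectl rollout undo` does (a strategic-merge patch that simply omits the container leaves it in place). On kubectl versions that lack `--patch-file`, pass the file with `-p "$(cat patch.yaml)"` instead.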