How to TCPdump effectively in Kubernetes (part 2)

Philippe Bogaerts
5 min read · Dec 5, 2019

In previous blog posts, we focused on how to use TCPdump in a specific container (see https://medium.com/@xxradar/how-to-tcpdump-effectively-in-docker-2ed0a09b5406) as well as how to add it to an existing K8S deployment using a patch (see https://medium.com/@xxradar/how-to-tcpdump-effectively-in-kubernetes-part-1-a1546b683d2f).

While researching some other things recently, I came across a comment suggesting a quick fix for another issue like this …

$ kubectl run -it --rm debug  --restart=Never --image=ubuntu --overrides='{"kind":"Pod", "apiVersion":"v1", "spec": {"hostNetwork":true}}'

This is pretty similar to what was described in a previous blog post …

docker run -it --net=host ubuntu 

… but in the kubectl case, we do not need SSH access to a node or access to the docker client, nor do we need to re-deploy the deployment (i.e. restart the pods).

So let’s try this!
Create a small K8S cluster and deploy a simple nginx service (I used the managed K8S service from DigitalOcean and also tested on an Azure environment).

$ kubectl get no
NAME              STATUS   ROLES    AGE     VERSION
demo-pool1-lyg2   Ready    <none>   2m3s    v1.16.2
demo-pool1-lygl   Ready    <none>   2m12s   v1.16.2
demo-pool1-lygt   Ready    <none>   2m14s   v1.16.2

$ kubectl get svc -n radarhack
NAME                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
my-radarhack-clusterip   ClusterIP   10.245.94.156   <none>        80/TCP    100s

$ kubectl get po -n radarhack -o wide
NAME                                   READY   STATUS    RESTARTS   AGE   IP             NODE              NOMINATED NODE   READINESS GATES
radarhack-deployment-655b776bd-6v6dl   1/1     Running   0          22m   10.244.0.232   demo-pool1-lygt   <none>           <none>
radarhack-deployment-655b776bd-wmqv9   1/1     Running   0          22m   10.244.1.87    demo-pool1-lygl   <none>           <none>
radarhack-deployment-655b776bd-zrxdd   1/1     Running   0          22m   10.244.2.223   demo-pool1-lyg2   <none>           <none>
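
A hostNetwork pod only sees the interfaces of the node it is scheduled on, and the three nginx pods above run on three different nodes. As an added example (not from the original post), this script looks up the node of a target pod in the listing above and adds `nodeName` to the post's `--overrides` JSON so the debug pod lands on that node; the function names are hypothetical and the listing is the page's sample output embedded as input.

```shell
#!/usr/bin/env bash
# Added example: pin the hostNetwork debug pod to the node that runs the pod
# whose traffic you want to capture. The listing is copied from this post.

SAMPLE_PODS='NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
radarhack-deployment-655b776bd-6v6dl 1/1 Running 0 22m 10.244.0.232 demo-pool1-lygt <none> <none>
radarhack-deployment-655b776bd-wmqv9 1/1 Running 0 22m 10.244.1.87 demo-pool1-lygl <none> <none>
radarhack-deployment-655b776bd-zrxdd 1/1 Running 0 22m 10.244.2.223 demo-pool1-lyg2 <none> <none>'

# node_for_pod POD_NAME (hypothetical helper): reads `kubectl get po -o wide`
# output on stdin and prints the NODE column (7th field) of the matching pod.
# Returns non-zero when the pod is not in the listing.
node_for_pod() {
  awk -v pod="$1" 'NR > 1 && $1 == pod { print $7; found = 1 }
                   END { exit !found }'
}

# debug_overrides NODE (hypothetical helper): prints the --overrides JSON from
# the post with spec.nodeName added, which places the pod on NODE directly.
# Rejects anything that is not a plain lowercase DNS-style node name, so the
# value cannot break out of the JSON string or the shell quoting.
debug_overrides() {
  case "$1" in
    ''|*[!a-z0-9.-]*) echo "invalid node name: $1" >&2; return 1 ;;
  esac
  printf '{"kind":"Pod","apiVersion":"v1","spec":{"hostNetwork":true,"nodeName":"%s"}}' "$1"
}

# debug_command POD_NAME (hypothetical helper): reads the listing on stdin and
# prints (does not run) the kubectl command for the node hosting POD_NAME.
debug_command() {
  node=$(node_for_pod "$1") || { echo "pod not found: $1" >&2; return 1; }
  overrides=$(debug_overrides "$node") || return 1
  printf "kubectl run -it --rm debug --restart=Never --image=ubuntu --overrides='%s'\n" \
    "$overrides"
}

# Demo on the embedded listing: target the pod running on demo-pool1-lygl.
printf '%s\n' "$SAMPLE_PODS" | debug_command radarhack-deployment-655b776bd-wmqv9
```

On a live cluster, `kubectl get po <pod> -n radarhack -o jsonpath='{.spec.nodeName}'` returns the node directly and avoids parsing table columns.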

So let's deploy an Ubuntu pod as described before …

$ kubectl run -it…
