Mitmproxy and Kubernetes

Solving the untrusted certificate issues in pods !!

Introduction

Mitmproxy is a free and open source interactive HTTPS proxy. All information can be found at https://mitmproxy.org/. In this short tutorial, we are not going to focus on all the cool features mitmproxy offers, but rather on how to use it inside Kubernetes.

I will be covering the

  • installation
  • environment variable injection
  • certificate trust

Note: If you face any formatting issues in the page, please find all code at https://github.com/xxradar/mitmproxy_k8s_interception/blob/main/docs/kubernetes_mitm_intercepts_basic.md

Setup of mitmproxy in kubernetes

1. Create a namespace

kubectl create ns mitmproxy

2. Deploy mitmproxy

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: mitmproxy
  namespace: mitmproxy
  labels:
    proxy: mitmproxy
spec:
  containers:
  - name: mitmweb
    image: mitmproxy/mitmproxy
    command: ["mitmweb"]
    args: ["--web-host","0.0.0.0"]
EOF

3. Create a service

kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: mitmproxy-svc
  namespace: mitmproxy
spec:
  selector:
    proxy: mitmproxy
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080
    name: mitmproxy
  - protocol: TCP
    port: 8081
    targetPort: 8081
    name: mitmweb
EOF

4. Verify connectivity

kubectl port-forward  -n mitmproxy svc/mitmproxy-svc  8081:8081

You can now connect your browser to http://127.0.0.1:8081

Accessing mitmproxy webUI

Preparing kubernetes

1. Export the mitmproxy-ca.pem certificate, which mitmproxy uses to sign the certificates it presents to the client

kubectl cp mitmproxy/mitmproxy:/root/.mitmproxy/mitmproxy-ca.pem \
./mitmproxy-ca.pem

2. Create a secret out of the copied certificate

kubectl create secret generic mitmproxysecret  \
--from-file=mitmproxy-ca.pem
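
mitmproxy-ca.pem holds the CA's private key together with its certificate, while the demo pod only needs the certificate in order to trust it. The following shell functions are an added example, not part of the original article or of mitmproxy: they write a certificate-only copy and fail if key material is still present. The function names and the sample file (constructed, with placeholder bodies) are assumptions of this example.

```shell
# Added example: keep the CA private key out of the secret mounted in pods.

# Exit 0 if the PEM file contains any private key block (plain, RSA, EC, ENCRYPTED).
pem_has_private_key() {
    grep -Eq -e '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$1"
}

# Print only the CERTIFICATE blocks of a PEM file; everything else is dropped.
pem_certs_only() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { keep = 1 }
        keep                           { print }
        /^-----END CERTIFICATE-----/   { keep = 0 }
    ' "$1"
}

# Write a certificate-only copy of $1 to $2. Fails if key material survived
# or if the input held no certificate at all.
export_ca_cert() {
    src=$1; dst=$2
    pem_certs_only "$src" > "$dst"
    if pem_has_private_key "$dst"; then
        echo "error: $dst still contains a private key" >&2; return 1
    fi
    grep -q -e '-----BEGIN CERTIFICATE-----' "$dst" || {
        echo "error: no certificate found in $src" >&2; return 1
    }
}

# Constructed sample: a key block followed by a certificate block, with
# placeholder bodies instead of real key material.
make_sample_bundle() {
    cat > "$1" <<'PEM'
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT
-----END CERTIFICATE-----
PEM
}

tmp=$(mktemp -d)
make_sample_bundle "$tmp/mitmproxy-ca.pem"
export_ca_cert "$tmp/mitmproxy-ca.pem" "$tmp/ca-cert-only.pem" &&
    echo "certificate-only copy: $(grep -c . "$tmp/ca-cert-only.pem") lines"
rm -rf "$tmp"
```

To keep the file name that the demo pod's postStart command copies, the certificate-only file can be given to the secret as `--from-file=mitmproxy-ca.pem=<certificate-only file>`.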

Deploy a demo pod

Now we can deploy a mitm-demo-pod to prove everything is working.

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: mitm-demo-pod
spec:
  containers:
  - name: mitm-demo
    image: xxradar/hackon
    command:
    - sleep
    args:
    - 5000s
    lifecycle:
      postStart:
        exec:
          command:
          - bash
          - -c
          - cp /certs/mitmproxy-ca.pem /usr/local/share/ca-certificates/mitmproxy-ca.crt ; update-ca-certificates --fresh
    env:
    - name: http_proxy
      value: "http://mitmproxy-svc.mitmproxy:8080/"
    - name: https_proxy
      value: "http://mitmproxy-svc.mitmproxy:8080/"
    volumeMounts:
    - mountPath: /certs
      name: mitmproxysecret
      readOnly: true
  volumes:
  - name: mitmproxysecret
    secret:
      secretName: mitmproxysecret
EOF

There are 2 important things to note in the manifest.

1. The next snippet injects the proxy endpoints into the pod

env:
- name: http_proxy
  value: "http://mitmproxy-svc.mitmproxy:8080/"
- name: https_proxy
  value: "http://mitmproxy-svc.mitmproxy:8080/"

2. The following snippet makes the pod trust the certificates issued by the mitmproxy CA certificate

lifecycle:
  postStart:
    exec:
      command:
      - bash
      - -c
      - cp /certs/mitmproxy-ca.pem /usr/local/share/ca-certificates/mitmproxy-ca.crt ; update-ca-certificates --fresh

This is a crucial step: without it, applications would stop working because of untrusted certificates.

The proof is in the pudding

kubectl exec -it mitm-demo-pod -- bash

Now you can try things such as

apt-get update; apt-get install -y nikto

or

curl https://xxradar.medium.com

without facing any certificate warnings or errors. All traffic should be logged in the mitmproxy webUI.

Please check out, like, clap and share other articles ;-) https://xxradar.medium.com


#BruCON co-founder, #OWASP supporter, Application Delivery and Web Application Security, #Kubernetes and #container, #pentesting enthusiast, BBQ & cocktails !!

Philippe Bogaerts