Mitmproxy and Kubernetes

Solving the untrusted certificate issues in pods !!

Introduction

Mitmproxy is a free and open source interactive HTTPS proxy. All information can be found here https://mitmproxy.org/. In this short tutorial, we are not going to focus on all cool features mitmproxy offers, but rather on how to use it inside Kubernetes.

I will be covering the

• installation
• environment variable injection
• certificate trust

Note: If you face any formatting issues in the page, please find all code at https://github.com/xxradar/mitmproxy_k8s_interception/blob/main/docs/kubernetes_mitm_intercepts_basic.md

Setup of mitmproxy in kubernetes

1. Create a namespace

kubectl create ns mitmproxy

2. Deploy mitmproxy

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: mitmproxy
  namespace: mitmproxy
  labels:
    proxy: mitmproxy
spec:
  containers:
  - name: mitmweb
    image: mitmproxy/mitmproxy
    command: ["mitmweb"]
    args: ["--web-host","0.0.0.0"]
EOF

3. Create a service

kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: mitmproxy-svc
  namespace: mitmproxy
spec:
  selector:
    proxy: mitmproxy
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 8080
      name: mitmproxy
    - protocol: TCP
      port: 8081
      targetPort: 8081
      name: mitmweb
EOF

4. Verify connectivity

kubectl port-forward  -n mitmproxy svc/mitmproxy-svc  8081:8081

You can now connect your browser to http://127.0.0.1:8081

Accessing mitmproxy webUI

Preparing kubernetes

1. export the mitmproxy-ca.pem certificate used for signing the certificates that are presented to the client by mitmproxy

kubectl cp mitmproxy/mitmproxy:/root/.mitmproxy/mitmproxy-ca.pem \ 
   ./mitmproxy-ca.pem

2. Create a secret out of the copied certificate

kubectl create secret generic mitmproxysecret  \
   --from-file=mitmproxy-ca.pem