Sniffing traffic on a pod in Kubernetes/OpenShift
It's a pain when a container runs without root permissions and you can't install tcpdump in it to sniff traffic. How do you deal with that? I found a small tool called ksniff which does exactly this for you. Let's take a look at it.
How to install it?
The easiest way is to install it with the krew plugin manager (install krew itself first if you don't have it yet):
$ kubectl krew install sniff # for Kubernetes platform
$ oc krew install sniff # for OpenShift platform
Where to read more about it?
You can find the source code and documentation with examples on GitHub: https://github.com/eldadru/ksniff
Some examples
I use the OpenShift platform for my example, but it works the same way on Kubernetes.
So imagine we have a pod called example:
$ oc get pods
NAME      READY   STATUS    RESTARTS   AGE
example   1/1     Running   0          103s
And it has one container inside called httpd:
$ oc get pod example -o jsonpath='{.spec.containers[*].name}'
httpd
The only thing missing is an image with tcpdump in it. Here is a Dockerfile to build one:
FROM alpine:3.16.2
# Capture files go below /data; mount a volume there when the image is run on its own
VOLUME [ "/data" ]
RUN apk add --no-cache tcpdump coreutils
ENTRYPOINT [ "/usr/bin/tcpdump" ]
# Default arguments when the image is run directly: rotate the capture every 1000 MB (-C),
# keep at most 100 files (-W), verbose output (-v), write to /data/dump (-w)
CMD [ "-C", "1000", "-W", "100", "-v", "-w", "/data/dump" ]
This image is only needed when the target container runs without root permissions, i.e. when you use ksniff's privileged mode. Push it to a registry your cluster can pull from.
Now we can sniff traffic from the pod:
$ oc sniff example -c httpd -n default --tcpdump-image docker.io/fmorte/tcpdump -p -o ~/dump
Let's look at the command in detail:
$ oc sniff <pod_name> -c <container_name> -n <namespace> --tcpdump-image <image_with_tcpdump> -p -o <path_to_output_file>
Without -p, ksniff uploads a statically compiled tcpdump binary into the target container and runs it there, which needs root (write access to the filesystem and the capability to open raw sockets) inside that container. If the container runs without root permissions, add the -p option (privileged mode) and provide an image with tcpdump via --tcpdump-image: ksniff then creates a privileged pod on the same node and captures the target container's traffic from there. Two caveats follow from that. Your account needs permission to create privileged pods in the namespace (on OpenShift, a security context constraint that allows it), so check that before you rely on this in a locked-down cluster. And the dump can contain cleartext credentials, tokens and cookies from the application, so store and share it as carefully as you would the secrets themselves.
Now you can open the dump file in Wireshark and analyse the captured traffic. (If you omit -o, ksniff pipes the capture straight into a local Wireshark instead of writing a file.)
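Wireshark is the usual way to look at the dump, but the first question a security engineer asks of a capture taken from an httpd container is whether credentials crossed the wire in cleartext. The script below is an added example and not part of the original post or of ksniff: it parses a classic libpcap file with the Python standard library only (Ethernet plus the Linux cooked SLL/SLL2 link types that tcpdump's -i any produces) and reports every HTTP request carrying an Authorization: Basic header, keeping only the user name. The sample capture, its addresses, ports and the alice:s3cret credential are constructed in the file; pass the path to your real dump (for example ~/dump) as the first argument instead.

```python
"""Check a tcpdump/ksniff capture for HTTP Basic credentials sent in cleartext.

Added example, not code from the original post or from ksniff. Standard library
only, so it runs offline against the pcap written by `oc sniff ... -o ~/dump`.
The sample capture at the bottom is constructed in this file.
"""
import base64
import struct
import sys

# Link-layer headers tcpdump may write: linktype -> (header length, offset of the
# big-endian EtherType). "tcpdump -i any" produces Linux cooked captures (SLL=113
# or SLL2=276) rather than Ethernet (1), so all three are recognised.
LINK_LAYERS = {1: (14, 12), 113: (16, 14), 276: (20, 0)}
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"PATCH ", b"OPTIONS ")


def parse_pcap(data: bytes):
    """Return (linktype, [frame, ...]) from a classic libpcap file (not pcapng)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # microsecond / nanosecond, little-endian
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # the same magics written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    frames, pos = [], 24                         # 24-byte global header
    while pos + 16 <= len(data):                 # 16-byte per-record header
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        pos += 16
        frames.append(data[pos:pos + incl_len])
        pos += incl_len
    return linktype, frames


def tcp_payloads(linktype: int, frames):
    """Yield (src, sport, dst, dport, payload) for every IPv4/TCP segment carrying data."""
    hdr_len, type_off = LINK_LAYERS[linktype]
    for frame in frames:
        if len(frame) < hdr_len + 40:            # minimal IPv4 (20) + TCP (20)
            continue
        if struct.unpack("!H", frame[type_off:type_off + 2])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[hdr_len:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != IPPROTO_TCP or total_len < ihl + 20:
            continue
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]       # skip the TCP header (data offset)
        if payload:
            src = ".".join(str(b) for b in ip[12:16])
            dst = ".".join(str(b) for b in ip[16:20])
            yield src, sport, dst, dport, payload


def find_cleartext_credentials(pcap_bytes: bytes):
    """List HTTP requests that carry 'Authorization: Basic'; only the user name is kept."""
    linktype, frames = parse_pcap(pcap_bytes)
    findings = []
    for src, sport, dst, dport, payload in tcp_payloads(linktype, frames):
        if not payload.startswith(HTTP_METHODS):
            continue
        headers = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]
        for line in headers:
            name, _, value = line.partition(b":")
            value = value.strip()
            if name.strip().lower() == b"authorization" and value[:6].lower() == b"basic ":
                user = base64.b64decode(value[6:]).decode(errors="replace").split(":", 1)[0]
                findings.append({"flow": f"{src}:{sport} -> {dst}:{dport}", "user": user})
    return findings


# --- constructed sample capture: addresses, ports and credentials are made up ---
def build_frame(linktype, src, dst, sport, dport, payload):
    """Link header + minimal IPv4 + TCP around the payload; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split("."))) + tcp
    hdr_len, type_off = LINK_LAYERS[linktype]
    link = bytearray(hdr_len)
    link[type_off:type_off + 2] = struct.pack("!H", ETHERTYPE_IPV4)
    return bytes(link) + ip


def build_pcap(linktype, frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap(113, [
    build_frame(113, "10.128.2.15", "10.128.2.20", 51234, 8080,
                b"GET /admin HTTP/1.1\r\nHost: example\r\nAuthorization: Basic "
                + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
    build_frame(113, "10.128.2.20", "10.128.2.15", 8080, 51234,
                b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    build_frame(113, "10.128.2.15", "10.128.2.20", 51240, 8080,
                b"GET /healthz HTTP/1.1\r\nHost: example\r\n\r\n"),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for f in find_cleartext_credentials(data):
        print(f"cleartext Basic auth  {f['flow']}  user={f['user']}")
```

The parser deliberately keeps the password out of its output: the point is to prove that credentials are exposed on the wire, not to collect them, and the dump itself should be deleted once the finding is recorded. Requests that span several TCP segments are not reassembled, so a header pushed past the first segment would be missed; Wireshark's "Follow TCP Stream" covers that case when you need certainty.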
Conclusion
ksniff is a nice and easy tool which I use in my work quite often. I hope this small article will be helpful for you :) Stay tuned for more posts!