
How to TCPdump using ephemeral containers in Kubernetes (part 3)

Philippe Bogaerts

Updated: Feb 11, 2023

Introduction

In order to use ephemeral containers, the K8S cluster needs to support EphemeralContainers. The functionality is available since version v1.23.


In earlier versions, the EphemeralContainers feature gate needs to be enabled.


This technique makes using tcpdump inside a pod quite easy without the need to restart or patch a pod or deployment.


Let's get started

Create a nginx pod for testing purposes

kubectl run nginx-demo --image nginx:latest

Create an ephemeral debug container

kubectl debug -it nginx-demo  --image=dockersec/tcpdump \
    --target nginx-demo

Generate some traffic via a separate console (the pod IP is shown by kubectl get pod nginx-demo -o wide)

kubectl run -it --rm load --image xxradar/hackon -- \
    bash -c 'curl http://<nginx-demo-ip-address>'

See the output in the ephemeral container

kubectl debug -it nginx-demo --image=dockersec/tcpdump \
    --target nginx-demo

Defaulting debug container name to debugger-jml67.
If you don't see a command prompt, try pressing enter.
09:41:59.177177 ARP, Request who-has nginx-demo tell 128-199-42-214.kubernetes.default.svc.cluster.local, length 28
09:41:59.177199 ARP, Reply nginx-demo is-at 46:9f:0a:24:f4:81 (oui Unknown), length 28
09:41:59.177203 IP 10.48.38.201.46526 > nginx-demo.80: Flags [S], seq 3083611759, win 64400, options [mss 1400,sackOK,TS val 2789751669 ecr 0,nop,wscale 7], length 0
09:41:59.177225 ARP, Request who-has 169.254.1.1 tell nginx-demo, length 28
09:41:59.177228 ARP, Reply 169.254.1.1 is-at ee:ee:ee:ee:ee:ee (oui Unknown), length 28
09:41:59.177230 IP nginx-demo.80 > 10.48.38.201.46526: Flags [S.], seq 1011782564, ack 3083611760, win 65236, options [mss 1400,sackOK,TS val 3814256463 ecr 2789751669,nop,wscale 7], length 0
09:41:59.177263 IP 10.48.38.201.46526 > nginx-demo.80: Flags [.], ack 1, win 504, options [nop,nop,TS val 2789751669 ecr 3814256463], length 0
09:41:59.183283 IP nginx-demo.40204 > kube-dns.kube-system.svc.cluster.local.53: 33453+ PTR? 201.38.48.10.in-addr.arpa. (43)
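The session above is interactive, and since an ephemeral container cannot be removed afterwards it pays to make each capture count. The script below is an added example, not part of the original post: it runs the same kubectl debug step non-interactively with a BPF filter and a packet count so the session ends on its own, and it summarizes the capture by listing every new TCP connection attempt (pure SYN) to the application. It assumes the dockersec/tcpdump image has tcpdump on PATH; the sample lines used for the offline summary are copied from the session shown above.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive tcpdump in an
# ephemeral container, plus an offline summary of the captured lines.
# Assumptions: the dockersec/tcpdump image has tcpdump on PATH and the
# cluster supports ephemeral containers (v1.23+ as stated in the post).
set -e

POD="${POD:-nginx-demo}"           # pod from the post
TARGET="${TARGET:-nginx-demo}"     # container whose network namespace we join
IMAGE="${IMAGE:-dockersec/tcpdump}"
FILTER="${FILTER:-tcp port 80}"    # BPF filter: only the app's HTTP traffic
COUNT="${COUNT:-20}"               # stop after N packets so the session terminates
OUT="${OUT:-capture.txt}"

# Start tcpdump in an ephemeral container and stream its text output to a
# local file. -i keeps kubectl attached; no -t, so output is plain lines.
capture_http() {
  kubectl debug -i "$POD" --image="$IMAGE" --target="$TARGET" \
    -- tcpdump -i any -n -l -c "$COUNT" "$FILTER" | tee "$OUT"
}

# Constructed sample: the lines the post shows from its own session, so the
# summary can be exercised without a cluster.
sample_capture() {
  cat <<'EOF'
09:41:59.177177 ARP, Request who-has nginx-demo tell 128-199-42-214.kubernetes.default.svc.cluster.local, length 28
09:41:59.177199 ARP, Reply nginx-demo is-at 46:9f:0a:24:f4:81 (oui Unknown), length 28
09:41:59.177203 IP 10.48.38.201.46526 > nginx-demo.80: Flags [S], seq 3083611759, win 64400, options [mss 1400,sackOK,TS val 2789751669 ecr 0,nop,wscale 7], length 0
09:41:59.177230 IP nginx-demo.80 > 10.48.38.201.46526: Flags [S.], seq 1011782564, ack 3083611760, win 65236, options [mss 1400,sackOK,TS val 3814256463 ecr 2789751669,nop,wscale 7], length 0
09:41:59.177263 IP 10.48.38.201.46526 > nginx-demo.80: Flags [.], ack 1, win 504, options [nop,nop,TS val 2789751669 ecr 3814256463], length 0
09:41:59.183283 IP nginx-demo.40204 > kube-dns.kube-system.svc.cluster.local.53: 33453+ PTR? 201.38.48.10.in-addr.arpa. (43)
EOF
}

# Summarize connection attempts: a pure SYN (Flags [S], no ACK) marks a new
# TCP connection to the app. Field layout of a tcpdump IP line:
#   $1 time  $2 "IP"  $3 src.port  $4 ">"  $5 dst.port:  $6 "Flags"  $7 "[S],"
# Reads the given files, or stdin when none are given.
summarize_syn() {
  awk '$2 == "IP" && $7 == "[S]," { sub(/:$/, "", $5); print $3 " -> " $5 }' "$@" | sort -u
}

if [ "${RUN_CAPTURE:-0}" = "1" ]; then
  capture_http
  summarize_syn "$OUT"
else
  sample_capture | summarize_syn
fi
```

Run with RUN_CAPTURE=1 against a cluster to capture and summarize live traffic; without it the script only runs the summary over the embedded sample, which for the lines above yields the single client 10.48.38.201.46526 connecting to nginx-demo.80 (the SYN-ACK from the pod and the DNS lookup are ignored).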

Conclusion


This technique makes it quite easy to actually use tcpdump inside a pod without restarting the pod. A potential downside is that you cannot remove the ephemeral container once it has been added to the pod. The real advantage lies in the fact that you can easily intervene in a running container that might not have any debugging tools installed.
