Introduction
In order to use ephemeral containers, the K8S cluster needs to support EphemeralContainers. The feature is enabled by default since version v1.23 (beta) and went GA in v1.25.
In earlier versions, the EphemeralContainers feature gate needs to be enabled on the API server and kubelets.
For how to do this, see an older post at https://xxradar.medium.com/how-to-tcpdump-using-ephemeral-containers-in-kubernetes-d066e6855785.
This technique makes using tcpdump inside a pod quite easy without the need to restart or patch a pod or deployment.
Let's get started
Create a nginx pod for testing purposes
kubectl run nginx-demo --image nginx:latest
Create an ephemeral debug container. The --target flag puts the debug container in the process namespace of the nginx-demo container (the pod's network namespace is shared by every container in the pod anyway, so tcpdump sees the same interfaces). Note that tcpdump needs CAP_NET_RAW; if the namespace enforces a restricted Pod Security Standard the ephemeral container is subject to it as well and tcpdump will not be able to open a raw socket.
kubectl debug -it nginx-demo --image=dockersec/tcpdump \
--target nginx-demo
Generate some traffic via a separate console. Start a shell in a throwaway pod first, then run curl from inside that shell against the pod IP of nginx-demo (kubectl get pod nginx-demo -o wide shows it):
kubectl run -it --rm load --image xxradar/hackon -- bash
curl http://<nginx-demo-ip-address>
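The steps above wrapped into one non-interactive script, as an added example that is not part of the original post. It assumes the pod and container are both named nginx-demo (kubectl run names the container after the pod), that tcpdump is on PATH in the dockersec/tcpdump image, and that the xxradar/hackon image has bash and curl; the cluster part only runs when RUN_CAPTURE=1 is set, the pure helpers run anywhere.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Automates: version check,
# test pod, traffic generator, ephemeral tcpdump container.
set -eu

# 0 if this server version enables EphemeralContainers by default (>= 1.23),
# 1 otherwise. Accepts "v1.23.0", "1.24.3-gke.100", "1.22".
ephemeral_enabled_by_default() {
  local v="${1#v}"                 # strip leading "v"
  local major="${v%%.*}"           # "1"
  local rest="${v#*.}"             # "24.3-gke.100"
  local minor="${rest%%[^0-9]*}"   # "24"
  if [ "$major" -gt 1 ]; then return 0; fi
  if [ "$major" -eq 1 ] && [ "$minor" -ge 23 ]; then return 0; fi
  return 1
}

# Extract the generated name from kubectl debug's
# "Defaulting debug container name to debugger-xxxxx." message on stdin.
debug_container_name() {
  sed -n 's/^Defaulting debug container name to \([^.]*\)\..*/\1/p'
}

# Full procedure against a live cluster (assumed names, see lead-in).
run_capture() {
  local pod="${1:-nginx-demo}" container="${1:-nginx-demo}"
  local server ip err name

  # Server gitVersion is the last "gitVersion" in `kubectl version -o json`.
  server=$(kubectl version -o json | sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p' | tail -n1)
  if ! ephemeral_enabled_by_default "$server"; then
    echo "server $server: enable the EphemeralContainers feature gate first" >&2
    return 1
  fi

  kubectl run "$pod" --image nginx:latest
  kubectl wait --for=condition=Ready "pod/$pod" --timeout=120s
  ip=$(kubectl get pod "$pod" -o jsonpath='{.status.podIP}')

  # Traffic generator in the background: give the capture a moment to start.
  kubectl run load --rm -i --restart=Never --image xxradar/hackon -- \
    bash -c "sleep 5; curl -s -o /dev/null http://$ip/" &

  # Non-interactive capture: attach stdin only, stop after 10 packets on port 80.
  err=$(mktemp)
  kubectl debug -i "$pod" --image=dockersec/tcpdump --target "$container" -- \
    tcpdump -ni any -c 10 port 80 2>"$err" || { cat "$err" >&2; rm -f "$err"; return 1; }
  wait

  # The ephemeral container stays in the pod spec after it exits; it can only
  # go away with the pod itself.
  name=$(debug_container_name <"$err"); rm -f "$err"
  echo "ephemeral container '$name' remains listed in pod/$pod:"
  kubectl get pod "$pod" -o jsonpath='{.status.ephemeralContainerStatuses[*].name}'; echo
}

if [ "${RUN_CAPTURE:-0}" = 1 ]; then run_capture "$@"; fi
```

Run it with RUN_CAPTURE=1 ./tcpdump-pod.sh against a cluster you control; once done, kubectl delete pod nginx-demo is the only way to get rid of the debug container, since ephemeral containers cannot be removed from a running pod.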
See the output in the ephemeral container
kubectl debug -it nginx-demo --image=dockersec/tcpdump \
--target nginx-demo
Defaulting debug container name to debugger-jml67.
If you don't see a command prompt, try pressing enter.
09:41:59.177177 ARP, Request who-has nginx-demo tell 128-199-42-214.kubernetes.default.svc.cluster.local, length 28
09:41:59.177199 ARP, Reply nginx-demo is-at 46:9f:0a:24:f4:81 (oui Unknown), length 28
09:41:59.177203 IP 10.48.38.201.46526 > nginx-demo.80: Flags [S], seq 3083611759, win 64400, options [mss 1400,sackOK,TS val 2789751669 ecr 0,nop,wscale 7], length 0
09:41:59.177225 ARP, Request who-has 169.254.1.1 tell nginx-demo, length 28
09:41:59.177228 ARP, Reply 169.254.1.1 is-at ee:ee:ee:ee:ee:ee (oui Unknown), length 28
09:41:59.177230 IP nginx-demo.80 > 10.48.38.201.46526: Flags [S.], seq 1011782564, ack 3083611760, win 65236, options [mss 1400,sackOK,TS val 3814256463 ecr 2789751669,nop,wscale 7], length 0
09:41:59.177263 IP 10.48.38.201.46526 > nginx-demo.80: Flags [.], ack 1, win 504, options [nop,nop,TS val 2789751669 ecr 3814256463], length 0
09:41:59.183283 IP nginx-demo.40204 > kube-dns.kube-system.svc.cluster.local.53: 33453+ PTR? 201.38.48.10.in-addr.arpa. (43)
Conclusion
This technique makes it quite easy to actually use tcpdump inside a pod without restarting the pod. A potential downside is that you cannot remove the ephemeral container once it has been added to the pod; it stays in the pod spec until the pod itself is deleted. The real advantage lies in the fact that you can easily intervene in a running container that might not have any debugging tools installed.