Background

Yesterday I faced some issues with an application running on my private k8s cluster. I assumed some kind of networking issue. Therefore, I wanted to sniff the network traffic, in order to find out what was going on. However, I had no idea how to do it. Sure, the web helped in this case. The solution was ksniff.

What is ksniff?

Ksniff is a plugin for kubectl that can be installed via krew, a plugin manager for kubectl. The cool thing about ksniff is that you get the full power of Wireshark, because it makes use of it. Ksniff even has a workaround for pods that are not running in privileged mode: it deploys a pod in the same network namespace, which can sniff the network traffic of non-privileged pods.

Krew installation

Kubectl plugins were a new thing to me, so I had to install krew first.

(
  set -x; cd "$(mktemp -d)" &&
  OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
  ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
  KREW="krew-${OS}_${ARCH}" &&
  curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
  tar zxvf "${KREW}.tar.gz" &&
  ./"${KREW}" install krew
)

I also added it to my ~/.zshrc.

export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"

Wireshark

An installation of Wireshark is a prerequisite to run ksniff. On Ubuntu it was rather easy.

sudo apt-get install wireshark

Side note: If Wireshark is installed in such a way that only the root user can run it, you will need to run the kubectl sniff commands as root.

Ksniff installation

Finally, it was time to install Ksniff.

kubectl krew install sniff

It’s time to sniff

The pod I faced issues with was not running in privileged mode, so the workaround was necessary (-p flag).

kubectl sniff plex-5bfc46c5bf-ngkj5 -n plex -o out.pcap -p

The above command captured all of this pod's traffic and saved it to a file called out.pcap, which can be opened in Wireshark.
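A check worth running once a -p capture is finished, as an added example that is not part of the original post or of ksniff: it reads the output of kubectl get pods -o json and lists pods that still hold node-level access. It assumes the helper pod deployed by the -p workaround runs with a privileged security context; the helper pod's name, its spec and the socket path in the sample are constructed.

```python
"""List pods whose spec grants node-level access (privileged, host namespaces, hostPath)."""
import json
import sys

# Constructed sample of `kubectl get pods -n plex -o json`; the helper pod's
# name and spec are hypothetical stand-ins for what a -p capture might leave.
SAMPLE = {
    "items": [
        {
            "metadata": {"namespace": "plex", "name": "plex-5bfc46c5bf-ngkj5"},
            "spec": {"containers": [{"name": "plex", "securityContext": {"privileged": False}}]},
        },
        {
            "metadata": {"namespace": "plex", "name": "sniff-helper-example"},
            "spec": {
                "containers": [{"name": "helper", "securityContext": {"privileged": True}}],
                "volumes": [{"name": "sock", "hostPath": {"path": "/example/runtime.sock"}}],
            },
        },
    ]
}


def risky_pods(pod_list):
    """Return {"namespace/name": [reasons]} for pods with elevated settings."""
    findings = {}
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        reasons = []
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            # securityContext may be absent or null, so fall back to {}.
            if (c.get("securityContext") or {}).get("privileged"):
                reasons.append(f"privileged container {c['name']}")
        for flag in ("hostNetwork", "hostPID"):
            if spec.get(flag):
                reasons.append(flag)
        for vol in spec.get("volumes", []):
            if "hostPath" in vol:
                reasons.append(f"hostPath {vol['hostPath']['path']}")
        if reasons:
            meta = pod["metadata"]
            findings[f"{meta.get('namespace', 'default')}/{meta['name']}"] = reasons
    return findings


if __name__ == "__main__":
    # With piped input, audit real kubectl output; otherwise use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for pod, reasons in risky_pods(data).items():
        print(f"{pod}: {', '.join(reasons)}")
```

Pipe real output into it with kubectl get pods -n plex -o json; an empty result means no pod in that namespace is privileged, shares host namespaces, or mounts a host path.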

Using ksniff is very easy, but this solution is definitely not suitable for large-scale sniffing.
