Capturing container traffic on Kubernetes
It is easy to capture network traffic with a capture tool (for example tcpdump) if we have access to the network interface, but it is tricky in Kubernetes. There are several options, for example: a sidecar container, a capture plugin, a docker container, or direct access in the same network namespace.
Free link to this article: https://faun.pub/capturing-container-traffic-on-kubernetes-ee4a49b833b7?source=friends_link&sk=756b6f75f86ccaaf6eb8e5eca0ff9066
[Update 2024] This 3.5-year-old article is outdated; updates have been added.

Managed Kubernetes providers have hardened their security configurations, so depending on our access possibilities and rights to the cluster, the examples below may or may not work (whether the node OS is accessible, whether the container is allowed to run as root, etc.). The examples below were tested on a VM-based K8s cluster created for my earlier article Setup On-premise Kubernetes with Kubeadm, MetalLB, Traefik, and Vagrant.
Tools
In most cases the container whose network traffic we want to capture does not, of course, contain any capture tool. Some of the alternatives use an additional container that contains network capture tools. My favorite Docker image is https://github.com/nicolaka/netshoot, which contains several networking tools, for example tcpdump, tshark, termshark and iptraf-ng. The parameters after the image name are executed as the container's command, for example:
sudo docker run -it --rm --net container:k8s_nginx_my-nginx-b7d7bc74d-zxx28_default_ae4ee834-fb5d-4ec4-86b1-7834e538c666_0 nicolaka/netshoot tcpdump -i eth0 -s 0 -Xvv tcp port 80
Tcpdump can redirect the captured packets to stdout, which can be saved or used on the host, for example:
tcpdump -i eth0 -s 0 -w - >/tmp/container.cap
tcpdump -i eth0 -s 0 -w - | wireshark -k -i -
The -v /tmp:/tmp/tmp volume mount can be useful if the captured packets are written into a file inside the container.
A few capture tools need more rights (tshark, termshark), for example in the docker run CLI: --cap-add=NET_ADMIN --cap-add=CAP_NET_RAW. Finally, a complete example that gives us a shell to run these kinds of tools:
sudo docker run -it --rm -v…
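As an added example (not code from the article), here is a small POSIX shell script that wraps the docker-runtime approach shown above: it resolves the pod's container name from docker ps output using the k8s_<container>_<pod>_<namespace>_<uid>_<attempt> naming scheme visible in the nginx example, prefers the pod's pause container, and streams the tcpdump pcap to the host. The function names, the output path and the availability of docker and the netshoot image on the node are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article: attach nicolaka/netshoot to a pod's
# network namespace via the docker runtime and stream the capture to the host.
# Assumes the docker-runtime naming scheme k8s_<container>_<pod>_<namespace>_<uid>_<attempt>
# and that docker and the netshoot image are available on the node (function names are ours).

# Select the container name for a pod from `docker ps --format '{{.Names}}'` output
# ($3, newline separated). The pause container "k8s_POD_<pod>_<ns>_..." owns the pod's
# network namespace and survives app-container restarts, so it is preferred; otherwise
# the first app container of the pod is used (all containers of a pod share the namespace).
pick_pod_container() {
    pod="$1"; ns="$2"; fallback=""
    for name in $3; do
        case "$name" in
            "k8s_POD_${pod}_${ns}_"*) printf '%s' "$name"; return 0 ;;
            "k8s_"*"_${pod}_${ns}_"*) [ -n "$fallback" ] || fallback="$name" ;;
        esac
    done
    printf '%s' "$fallback"
}

# capture_pod <pod> [namespace] [bpf filter] [output file]
# tcpdump writes the pcap to stdout (-w -) so the file lands on the host, not inside the
# throwaway container; -U flushes per packet so the file can be opened while capturing.
capture_pod() {
    pod="$1"; ns="${2:-default}"; filter="${3:-}"; out="${4:-/tmp/${ns}_${pod}.pcap}"
    target=$(pick_pod_container "$pod" "$ns" "$(sudo docker ps --format '{{.Names}}')")
    if [ -z "$target" ]; then
        echo "no running container found for pod ${ns}/${pod}" >&2
        return 1
    fi
    echo "capturing ${ns}/${pod} via ${target} -> ${out}" >&2
    # -i keeps stdin open for Ctrl-C; deliberately no -t, a TTY would mangle the binary stream.
    # $filter is unquoted on purpose so a BPF expression like "tcp port 80" is split into words.
    sudo docker run -i --rm --net "container:${target}" nicolaka/netshoot \
        tcpdump -i eth0 -s 0 -U -w - $filter > "$out"
}

# Usage: ./capture_pod.sh my-nginx-b7d7bc74d-zxx28 default "tcp port 80" /tmp/nginx.pcap
if [ $# -ge 1 ]; then
    capture_pod "$@"
fi
```

The resulting file can be opened with wireshark (or piped into it live, as in the tcpdump example above) without copying anything out of the container.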