
How to view kubernetes API traffic by grabbing packets

2022-06-24 01:01:00 Robert Lu

When we inspect or modify Kubernetes resources through kubectl, have you ever wondered what the underlying API calls look like, and whether there is a way to observe that traffic?

The interface between the Kubernetes client and server is HTTP-based, so as long as we can capture and decrypt the HTTPS traffic we can see the Kubernetes API calls.

But because Kubernetes authenticates the client with a client certificate and private key (mutual TLS), the capture setup is a little more involved: the intercepting proxy has to terminate the client's TLS connection and then open its own, client-certificate-authenticated connection to the apiserver. The overall structure is as follows:

capture-architecture.png

If you want to know more about Kubernetes certificates, see this article on Kubernetes certificate analysis.

Extracting the client certificate and private key from kubeconfig

The kubeconfig contains the client's certificate and private key, base64-encoded in the client-certificate-data and client-key-data fields, so we first extract them, together with the cluster CA certificate:

#  Extract the client certificate
grep client-certificate-data ~/.kube/config | \
  awk '{ print $2 }' | \
  base64 --decode > client-cert.pem
#  Extract the client private key (and keep it readable only by you)
grep client-key-data ~/.kube/config | \
  awk '{ print $2 }' | \
  base64 --decode > client-key.pem
chmod 600 client-key.pem
#  Extract the cluster CA certificate (used later to verify the apiserver)
grep certificate-authority-data ~/.kube/config | \
  awk '{ print $2 }' | \
  base64 --decode > cluster-ca-cert.pem
#  Sanity check: each file should start with a -----BEGIN ...----- line
head -n 1 client-cert.pem client-key.pem cluster-ca-cert.pem

Adapted from a Reddit post. Note that grep takes the first matching field, so if the kubeconfig holds several users or clusters it may pick the wrong one; in that case run kubectl config view --raw --minify first (it prints only the data used by the current context) and extract from that output instead. On older macOS the decode flag is base64 -D rather than --decode.

Configuring the Charles proxy

As the first figure shows, the proxy has two jobs: it receives the HTTPS traffic from the client and forwards it, and when forwarding to the Kubernetes apiserver it authenticates with the specified client certificate and private key.

First configure Charles to intercept (SSL-proxy) all HTTPS traffic:

ssl-proxy-settings.png

Then configure the client certificate, so that every request sent on to the apiserver is authenticated with the specified client certificate and private key:

client-cert-config.png
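The two proxy jobs just described can also be implemented directly in Go, as an added example that is not part of the original article and has nothing to do with Charles: a reverse proxy that listens on a local HTTPS port, logs the method, path and status of every request, and forwards it to the apiserver with the client certificate and cluster CA extracted above. Unlike Charles it is a reverse proxy, so kubectl is pointed at it with --server rather than through https_proxy. The flag names, the listen port 8443 and the proxy-cert.pem/proxy-key.pem file names are this example's own assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"flag"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
)

// loggingTransport wraps the RoundTripper used for the upstream connection and
// records method, path and status of every request forwarded to the apiserver.
// It runs after TLS termination, so it sees what Charles would show in its UI.
type loggingTransport struct {
	next http.RoundTripper
	logf func(format string, args ...interface{})
}

func (t *loggingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := t.next.RoundTrip(req)
	if err != nil {
		t.logf("%s %s -> error: %v", req.Method, req.URL.RequestURI(), err)
		return nil, err
	}
	t.logf("%s %s -> %d", req.Method, req.URL.RequestURI(), resp.StatusCode)
	return resp, nil
}

// NewAPIProxy builds the reverse proxy: it accepts requests from kubectl and
// forwards them to upstream (the apiserver), presenting clientCert as the client
// identity and verifying the apiserver against caPool. clientCert and caPool may
// be nil when upstream is plain HTTP, which is only useful for local testing.
func NewAPIProxy(upstream *url.URL, clientCert *tls.Certificate, caPool *x509.CertPool,
	logf func(string, ...interface{})) http.Handler {
	tlsCfg := &tls.Config{RootCAs: caPool, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		tlsCfg.Certificates = []tls.Certificate{*clientCert}
	}
	rp := httputil.NewSingleHostReverseProxy(upstream)
	rp.Transport = &loggingTransport{
		next: &http.Transport{TLSClientConfig: tlsCfg},
		logf: logf,
	}
	director := rp.Director
	rp.Director = func(req *http.Request) {
		director(req)
		// Send the apiserver's own host name, not the proxy's listen address.
		req.Host = upstream.Host
	}
	// Flush immediately so watch and log streams are not buffered by the proxy.
	rp.FlushInterval = -1
	return rp
}

func main() {
	listen := flag.String("listen", "127.0.0.1:8443", "address the proxy listens on (assumed)")
	server := flag.String("server", "", "apiserver URL from kubeconfig, e.g. https://10.0.0.1:6443")
	cert := flag.String("cert", "client-cert.pem", "client certificate extracted from kubeconfig")
	key := flag.String("key", "client-key.pem", "client private key extracted from kubeconfig")
	ca := flag.String("ca", "cluster-ca-cert.pem", "cluster CA certificate extracted from kubeconfig")
	proxyCert := flag.String("proxy-cert", "proxy-cert.pem", "certificate the proxy presents to kubectl (assumed name)")
	proxyKey := flag.String("proxy-key", "proxy-key.pem", "private key for -proxy-cert (assumed name)")
	flag.Parse()

	upstream, err := url.Parse(*server)
	if err != nil || upstream.Scheme != "https" {
		log.Fatalf("-server must be an https URL, got %q", *server)
	}
	clientCert, err := tls.LoadX509KeyPair(*cert, *key)
	if err != nil {
		log.Fatalf("loading client certificate: %v", err)
	}
	caPEM, err := os.ReadFile(*ca)
	if err != nil {
		log.Fatalf("reading cluster CA: %v", err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		log.Fatalf("no certificates found in %s", *ca)
	}
	log.Printf("listening on https://%s, forwarding to %s", *listen, upstream)
	log.Fatal(http.ListenAndServeTLS(*listen, *proxyCert, *proxyKey,
		NewAPIProxy(upstream, &clientCert, pool, log.Printf)))
}
```

To run it, create a throwaway certificate for the proxy's own listener, for example with openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=kube-capture-proxy -addext subjectAltName=IP:127.0.0.1 -keyout proxy-key.pem -out proxy-cert.pem, start the proxy with -server set to the cluster URL from the kubeconfig, and then run kubectl --server https://127.0.0.1:8443 --insecure-skip-tls-verify get pod (or --certificate-authority proxy-cert.pem instead of skipping verification, since the certificate carries a SAN for 127.0.0.1). Every request then appears on the proxy's log, and because the proxy itself verifies the apiserver against the cluster CA, the trust bypass is confined to the loopback hop between kubectl and the proxy.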

Configuring kubectl

To capture kubectl's traffic, two conditions must hold: 1. kubectl uses Charles as its proxy, and 2. kubectl trusts the certificate Charles presents. Below, the second is handled by disabling server certificate verification altogether with --insecure-skip-tls-verify; the cleaner alternative is to save Charles's root certificate and pass it to kubectl with --certificate-authority, so that only the proxy's certificate is trusted rather than any certificate at all. Either way, keep in mind that the proxy terminates TLS, so it sees every request and response in plain text (including a bearer token, if the kubeconfig uses token authentication) and holds a copy of the client private key; run it only on a machine you control and delete the extracted key when you are done.

# Charles listens on port 8888; set the https_proxy environment variable so kubectl routes through it
$ export https_proxy=http://127.0.0.1:8888/
# --insecure-skip-tls-verify disables verification of the server certificate, so the certificate Charles presents is accepted
$ kubectl --insecure-skip-tls-verify get pod
NAME                    READY   STATUS    RESTARTS   AGE
sc-b-7f5dfb694b-xtfrz   2/2     Running   0          2d20h

We can now see the network request behind get pod:

kubectl-get-pod.png

As shown, the get pod endpoint is GET /api/v1/namespaces/<namespace>/pods. A quick cross-check that needs no proxy at all: kubectl -v=6 logs the method and URL of every request it makes, and -v=8 also dumps the request and response bodies.

Next let's try a request that creates a pod:

$ cat <<EOF >pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-robberphex
spec:
  containers:
  - name: nginx
    image: nginx:1.14.2
EOF
$ kubectl --insecure-skip-tls-verify apply -f pod.yaml
pod/nginx-robberphex created

This is captured as well:

kubectl-apply-pod.png

Creating a pod goes to the endpoint POST /api/v1/namespaces/<namespace>/pods. (kubectl apply first issues a GET for the object; the POST is only sent when the object does not exist yet, otherwise it sends a PATCH instead.)

Configuring the Kubernetes Go client

Let's start by writing a small example that lists pods with the Kubernetes Go client. Note that the code is told to trust any server certificate so that the traffic can be captured; client-go's default transport honours the https_proxy environment variable through http.ProxyFromEnvironment, so nothing proxy-specific is needed in the code itself:

package main

/*
require (
	k8s.io/api v0.18.19
	k8s.io/apimachinery v0.18.19
	k8s.io/client-go v0.18.19
)
*/
import (
	"context"
	"flag"
	"fmt"
	"path/filepath"

	apiv1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/clientcmd"
	"k8s.io/client-go/util/homedir"
)

func main() {
	ctx := context.Background()
	var kubeconfig *string
	if home := homedir.HomeDir(); home != "" {
		kubeconfig = flag.String("kubeconfig", filepath.Join(home, ".kube", "config"), "(optional) absolute path to the kubeconfig file")
	} else {
		kubeconfig = flag.String("kubeconfig", "", "absolute path to the kubeconfig file")
	}
	flag.Parse()

	config, err := clientcmd.BuildConfigFromFlags("", *kubeconfig)
	if err != nil {
		panic(err)
	}
	// Make the clientset trust any server certificate so the proxy can intercept.
	// client-go rejects Insecure together with a CA, so clear both CAData and CAFile.
	config.TLSClientConfig.CAData = nil
	config.TLSClientConfig.CAFile = ""
	config.TLSClientConfig.Insecure = true
	clientset, err := kubernetes.NewForConfig(config)
	if err != nil {
		panic(err)
	}
	podClient := clientset.CoreV1().Pods(apiv1.NamespaceDefault)
	podList, err := podClient.List(ctx, metav1.ListOptions{})
	if err != nil {
		panic(err)
	}

	for _, pod := range podList.Items {
		fmt.Printf("podName: %s\n", pod.Name)
	}

	fmt.Println("done!")
}

Then compile and run it:

$ go build -o kube-client
$ export https_proxy=http://127.0.0.1:8888/
$ ./kube-client
podName: nginx-robberphex
podName: sc-b-7f5dfb694b-xtfrz
done!

The same request is captured:

go-client-get-pod.png

On this basis we can analyze what a Kubernetes operation actually does on the wire, and use that as an entry point for analyzing the Kubernetes implementation.


This article was first published at https://robberphex.com/lambda-causes-arthas-cant-redefine .

Copyright notice: this article was written by Robert Lu; please include a link to the original when reposting.
https://yzsam.com/2021/11/20211121131530915V.html