Kubernetes practical tips: using ksniff to capture packets

2022-06-24 15:20:00 imroc

This article is excerpted from the Kubernetes study notes.

Summary

How do you troubleshoot network problems in a Kubernetes environment? The traditional way is to log in to the node where the Pod runs, enter the container's netns, and then capture packets with the node's tcpdump. The whole process is cumbersome. Fortunately, the community has produced ksniff, a kubectl plugin that makes capturing packets in Kubernetes easier and faster.

This article shows how to use ksniff to capture packets from a Pod.

Install

ksniff is generally installed with krew, the kubectl package manager:

kubectl krew install sniff

Real-time analysis with Wireshark

Capture packets on all network interfaces of the specified Pod; the locally installed Wireshark is launched automatically and shows the capture in real time:

kubectl -n test sniff website-7d7d96cdbf-6v4p6

You can then use Wireshark's filters to analyze the traffic in real time.

Save the capture file

Sometimes in a production environment we cannot run kubectl directly from the local machine and have to go through a jump host. In that case we can save the capture to a file and then copy it to the local machine for analysis with Wireshark.

Just add the -o parameter to specify the path of the output file:

kubectl -n test sniff website-7d7d96cdbf-6v4p6 -o test.pcap

Privileged mode

By default, ksniff uploads a tcpdump binary into a container of the target Pod and then executes that binary to capture packets. This depends on the container having been started as the root user; if it was not, the capture fails.

In that case we can add the -p parameter. It creates a new privileged Pod on the node where the target Pod runs. That Pod calls the container runtime (dockerd, containerd, etc.) to start a new container that runs as root and attaches to the target Pod's netns, and then runs the tcpdump binary inside that container to capture packets.

Usage example:

kubectl -n test sniff website-7d7d96cdbf-6v4p6 -p

View plaintext

If much of the packet content is plaintext (such as HTTP) and you only want to look at that plaintext, you can specify -o - to print the content directly to standard output (stdout):

kubectl -n test sniff website-7d7d96cdbf-6v4p6 -o -

Filter while capturing

Sometimes there is a lot of traffic. If you do not filter while capturing, the capture may put heavy load on the apiserver (the captured data is transmitted through the apiserver). In this case it is best to specify a tcpdump filter expression that excludes unwanted data and avoids overloading it.

Add the -f parameter to specify the filter expression, for example:

kubectl -n test sniff website-7d7d96cdbf-6v4p6 -f "port 80"

FAQ

Wireshark reports unknown network type

When opening the capture file, Wireshark reports the error pcap: network type 276 unknown or unsupported.

This is usually caused by an old Wireshark version; upgrading to the latest version fixes it.
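
The "network type 276" in this error is the pcap link-layer type LINKTYPE_LINUX_SLL2 (Linux cooked capture v2). As an added example (not from the original article or the ksniff project), the Python code below reads the 24-byte pcap file header of a saved capture such as test.pcap and reports its link type, so you can tell in advance whether an older Wireshark will reject the file. The function names and the sample header are constructed for illustration.

```python
import struct
import sys

# Link-type numbers from the public pcap/tcpdump link-type registry.
LINKTYPES = {1: "EN10MB (Ethernet)", 113: "LINUX_SLL", 276: "LINUX_SLL2"}
# First four bytes of a classic pcap file -> (struct byte order, timestamp resolution).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microsecond"),
    b"\xa1\xb2\xc3\xd4": (">", "microsecond"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanosecond"),
    b"\xa1\xb2\x3c\x4d": (">", "nanosecond"),
}
# Constructed sample: little-endian pcap 2.4 header, snaplen 262144, link type 276.
SAMPLE_SLL2 = bytes.fromhex("d4c3b2a1" "0200" "0400" "00000000" "00000000" "00000400" "14010000")


def inspect_pcap_header(data: bytes) -> dict:
    """Parse the 24-byte pcap global header (hypothetical helper name)."""
    if len(data) < 24:
        raise ValueError("truncated file: a pcap header is 24 bytes")
    magic = data[:4]
    if magic == b"\x0a\x0d\x0d\x0a":
        raise ValueError("pcapng file: link type is stored per interface, not in a file header")
    if magic not in MAGICS:
        raise ValueError("not a pcap file")
    order, resolution = MAGICS[magic]
    major, minor, _tz, _sigfigs, snaplen, network = struct.unpack(order + "HHiIII", data[4:24])
    linktype = network & 0xFFFF  # upper bits of this field can carry FCS information
    return {
        "version": f"{major}.{minor}",
        "resolution": resolution,
        "snaplen": snaplen,
        "linktype": linktype,
        "name": LINKTYPES.get(linktype, "other"),
        "is_sll2": linktype == 276,  # the type the error message complains about
    }


def inspect_pcap_file(path: str) -> dict:
    """Read only the header of a saved capture file."""
    with open(path, "rb") as fh:
        return inspect_pcap_header(fh.read(24))


if __name__ == "__main__":
    # With no argument, fall back to the constructed sample header.
    info = inspect_pcap_file(sys.argv[1]) if len(sys.argv) > 1 else inspect_pcap_header(SAMPLE_SLL2)
    print(info)
```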

Packet capture reports No such file or directory

When capturing with kubectl sniff, it reports the error ls: cannot access '/tmp/static-tcpdump': No such file or directory and then exits.

This is a problem the author ran into after installing the latest ksniff, v1.6.0, on a Mac. It is clearly a bug: the static-tcpdump binary is executed without having been uploaded successfully. Three solutions to consider:

  1. Manually copy the binary to the target Pod with kubectl cp, then run kubectl sniff again to capture packets.
  2. Run kubectl sniff with the -p parameter to use privileged mode (tested and works).
  3. Compile the latest ksniff and replace the current kubectl-sniff binary, which is the approach I currently use.

Copyright notice
This article was written by [imroc]. Please include the original link when reposting. Thank you.
https://yzsam.com/2021/05/20210515173922930B.html