Packet Capture using tcpdump on Kubernetes Pods in Azure AKS
source link: https://robrankin.github.io/posts/packet-capture-tcpdump-kubernetes-pods-azure/
Assuming the target containers can actually install new software (apt install is available), what follows is a quick and very dirty method to run tcpdump on k8s/AKS containers in Azure.
If you’re running Kubernetes 1.23 and up, please read this instead:
https://downey.io/blog/kubernetes-ephemeral-debug-container-tcpdump/
Install some needed utilities
Use whatever pod label is required to target the right pods.
kubectl get pods -l <LABEL> -o name | \
xargs -I{} kubectl exec {} -- apt-get -y update
Install tcpdump, screen, psmisc, and rclone
kubectl get pods -l <LABEL> -o name | \
xargs -I{} kubectl exec {} -- \
apt-get -y install tcpdump screen psmisc rclone
Check that tcpdump is now installed
kubectl get pods -l <LABEL> -o name | \
xargs -I{} kubectl exec {} -- tcpdump --version
Start tcpdump in a detached screen session
Use whatever tcpdump <FILTER> here as needed.
kubectl get pods -l <LABEL> -o name | \
xargs -I{} kubectl exec {} -- \
bash -c "screen -d -m tcpdump -nn <FILTER> -w /\$(hostname).out"
Kill tcpdump sessions
kubectl get pods -l <LABEL> -o name | \
xargs -I{} kubectl exec {} -- killall -9 tcpdump
Copy the capture files off with rclone
Replace the storage account name and key as needed.
kubectl get pods -l <LABEL> -o name | \
xargs -I{} kubectl exec {} -- rclone --progress copy \
--azureblob-account <ACCOUNTNAME> \
--azureblob-key "<KEY>" \
--include "/*.out" / :azureblob:/
Cleanup
kubectl get pods -l <LABEL> -o name | \
xargs -I{} kubectl exec {} -- bash -c "rm -f /*.out"
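The steps above collected into one small wrapper script with a dry-run mode, as an added example that is not part of the original post: it assumes kubectl is already pointed at the AKS cluster, and the label and filter values are placeholders you replace.

```shell
#!/bin/sh
# Added helper (not from the original post): wraps the post's
# "same command in every pod matching a label" loop. Assumes kubectl is
# already configured for the AKS cluster; label and filter are placeholders.
set -eu

# Print the names (pod/<name>) of all pods matching a label selector.
pods_for_label() {
  kubectl get pods -l "$1" -o name
}

# Run a command in every matching pod. With DRY_RUN=1 the kubectl
# invocations are printed instead of executed, so they can be reviewed
# before they are run against every pod behind the label.
for_each_pod() {
  label=$1; shift
  pods_for_label "$label" | while IFS= read -r pod; do
    [ -n "$pod" ] || continue
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf 'kubectl exec %s -- %s\n' "$pod" "$*"
    else
      kubectl exec "$pod" -- "$@"
    fi
  done
}

# The post's capture command: tcpdump in a detached screen session, writing
# one file per pod named after the pod's hostname. The "\$" keeps
# $(hostname) unexpanded here so it is evaluated inside the pod.
capture_cmd() {
  printf '%s' "screen -d -m tcpdump -nn $1 -w /\$(hostname).out"
}

install_tools() { for_each_pod "$1" apt-get -y install tcpdump screen psmisc rclone; }
check_tcpdump() { for_each_pod "$1" tcpdump --version; }
start_capture() { for_each_pod "$1" bash -c "$(capture_cmd "$2")"; }
stop_capture()  { for_each_pod "$1" killall -9 tcpdump; }
cleanup()       { for_each_pod "$1" bash -c 'rm -f /*.out'; }

# Example sequence (review first, then run for real):
#   DRY_RUN=1 start_capture 'app=web' 'port 443'
#   start_capture 'app=web' 'port 443'; ...; stop_capture 'app=web'; cleanup 'app=web'
```

Anything passed to kubectl exec, including the rclone account key in the upload step, is visible in the API server audit log and in the container's process list while the command runs, so prefer a short-lived credential for that step and rotate it afterwards.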