Update 2021-04-21: Replaced ctr with crictl for finding the PID.
Update 2021-10-09: Added kubescape section.
Update 2021-12-01: Added wireshark section.
Update 2022-01-24: Added logs with stern section.
Update 2022-02-23: Added contexts and Service FQDN.
» Switching Contexts
Credits to Sarasa Gunawardhana
List all contexts:
Get current context:
Switch context:
» Service FQDN
Inside the cluster it's <SERVICE>.<NAMESPACE>.svc.cluster.local.
» Get logs from all pods of a specific namespace
Using stern:
» Start a fresh container
Handy for some quick testing.
Run a new container and drop into its shell. As soon as you exit the shell, the container is removed from the cluster:
Run a pod without entering its shell. It stays until it crashes or you delete the pod:
Deploy a container that stays until you delete the deployment:
» Run Wireshark on the pods network
This requires tcpdump in the container and wireshark on the host that runs the kubectl command.
For example:
or:
» Enter container namespace from cluster node
You can enter the namespaces of a running container from the cluster node that runs it, so you first have to log in (ssh) to that node.
One use case for doing this is capturing traffic of the given container (e.g. with tcpdump).
Depending on the container runtime of your cluster, you need either the Docker or the containerd approach.
While the runtime-specific sections show an alternative way of listing the container ID, you can also get this value with good old kubectl:
» Using Docker
Get the container ID (alternative):
Get the pid:
Enter the namespace. Adjust the nsenter flags to the namespaces you need; for example, to capture network traffic, use --net:
» Using crictl
Get the container ID (alternative):
Get the pid:
This gives output similar to the one below, where the first entry (4921) is the pid we are looking for.
Enter the namespace (again, adjust the namespaces as required):
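As an added example (not from the original post), a small POSIX shell helper for the two values this section needs: the container ID as printed by kubectl, which carries a runtime prefix such as containerd:// that docker and crictl do not accept, and the pid pulled out of crictl inspect (.info.pid) or docker inspect (.State.Pid) JSON. The sample JSON is constructed, and nsenter_cmd only prints the command line you would then run on the node.

```shell
#!/bin/sh
# Added helper, not from the original post. Normalise a container ID as
# reported by kubectl ("containerd://<id>", "docker://<id>", ...) to the bare
# ID docker/crictl expect, and extract the pid from inspect JSON.

# strip_runtime_prefix "containerd://abc123" -> "abc123"
strip_runtime_prefix() {
    printf '%s\n' "$1" | sed -e 's|^[a-z-]*://||'
}

# pid_from_inspect: read inspect JSON on stdin, print the first "pid"/"Pid"
# value found. crictl inspect has it under .info.pid, docker inspect under
# .State.Pid. Line-based, so it needs no jq on the node.
pid_from_inspect() {
    sed -n -E 's/.*"[Pp]id"[[:space:]]*:[[:space:]]*([0-9]+).*/\1/p' | head -n 1
}

# nsenter_cmd <pid> [nsenter flags...]: print the nsenter command line to run
# on the node. Defaults to --net, which is what a tcpdump capture needs.
nsenter_cmd() {
    pid="$1"; shift
    if [ $# -eq 0 ]; then set -- --net; fi
    printf 'nsenter -t %s %s\n' "$pid" "$*"
}

# Constructed sample, shaped like a trimmed `crictl inspect <id>` output.
SAMPLE_CRICTL_JSON='{
  "status": { "id": "0123abcd", "metadata": { "name": "app" } },
  "info": { "sandboxID": "ffee9988", "pid": 4921, "runtimeType": "io.containerd.runc.v2" }
}'

demo() {
    id=$(strip_runtime_prefix "containerd://0123abcd")
    pid=$(printf '%s' "$SAMPLE_CRICTL_JSON" | pid_from_inspect)
    echo "container id: $id, pid: $pid"
    nsenter_cmd "$pid" --net
}

demo
```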
» Run Security Checks
Test your cluster for security flaws.
» kube-bench
Start the pod which will run the checks:
Wait a moment and then check the logs:
» kube-hunter
» Outside the cluster
This gives you a limited view from outside the cluster.
For a more detailed analysis, run the container inside the cluster.
» Inside the cluster
Run the pod:
Wait a moment and then check the logs:
» kubescape
Kubescape is another tool that scans the cluster for security risks. Its checks are based on the Kubernetes hardening guidance from the NSA and CISA.
First, install the client on your local machine as described here. Then run the scan, for example: