Packet capture inside Pod using community ksniff with OpenShift 4


Intro

ksniff is a popular tool for conveniently running packet captures inside Kubernetes Pods. Version 1.5.0 of ksniff adds support for OpenShift 4 with CRI-O.

Demo


Support and Issues

ksniff is a community project and therefore not directly maintained by Red Hat. This means there is no Red Hat support for ksniff, so if you run into any problems or have questions about usability, please open an issue at the community GitHub. If you find an issue with this guide in particular, please leave a comment.

You can always fall back to this manual method of packet capturing inside of a Pod in OpenShift: How to use tcpdump inside OpenShift v4 Pod.

Installation

Installation of ksniff is documented here. Note that krew can be used with oc just as it can with kubectl. Also, note that the manual installation steps of ksniff are also valid for oc.

Compilation of the static tcpdump binary is NOT necessary to use ksniff with OpenShift 3, 4, and CRI-O if you use the -p privileged flag noted below.

Starting the capture

The best way to use ksniff with OpenShift 4 is privileged mode (-p), as shown below. It launches a new privileged Pod that performs the packet capture; the capture output is saved to your local system.

# oc sniff -p <POD> -n <NAMESPACE> -o output.pcap

NOTE: You must include the -n namespace flag. This is an open issue that is being reviewed in the community GitHub.

Ending the capture

You can use CTRL+C to end the packet capture. The output of the capture should be stored in a local file.

Limited OpenShift 3 Compatibility

ksniff will work in OpenShift 3 but you must call the kubectl-sniff binary directly. The oc client in v3 is too old and incompatible with the latest distribution method for OC/Kubectl plugins.

# wget -q https://github.com/eldadru/ksniff/releases/download/v1.5.0/ksniff.zip
# unzip ksniff.zip
# ./kubectl-sniff -p httpd-1-wczrs -n myproject -o test.pcap

Known Issues

  • If you did not build the static tcpdump binary, you should use the -p privileged flag.
  • The -n namespace flag is required. This is an open issue that is being reviewed in the community GitHub.
  • The ksniff Pod may remain after exiting the oc sniff command. You can safely delete the Pod(s) using: oc delete pods -l app=ksniff
  • ksniff privileged mode requires access to the docker.io/maintained/tcpdump image. If you are in a disconnected or offline environment, you must make sure access to this image is allowed (either through a proxy or by copying it to a mirror registry). This issue is being reviewed in the community GitHub.
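The steps above (privileged capture, mandatory -n flag, cleanup of leftover ksniff Pods) combined into one wrapper script. This is an added example, not code from ksniff or from this guide; the names OC, KSNIFF_LABEL, check_args, cleanup_ksniff_pods and capture are my own, and it assumes ksniff 1.5.0 or later is installed as the oc "sniff" plugin, that oc is already logged in, and that ksniff creates its privileged Pod in the target Pod's namespace.

```shell
#!/bin/sh
# Wrapper for the community ksniff plugin on OpenShift 4 (added example, not
# part of ksniff or this guide). Assumes ksniff >= 1.5.0 is installed as the
# oc "sniff" plugin and oc is already logged in. OC may be pointed at a stub
# binary for a dry run.
OC="${OC:-oc}"
KSNIFF_LABEL="app=ksniff"   # label ksniff puts on its privileged Pods

# Validate POD NAMESPACE OUTPUT before anything touches the cluster. The
# namespace is mandatory because ksniff requires -n (open upstream issue).
check_args() {
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo "usage: capture POD NAMESPACE OUTPUT.pcap" >&2
        return 1
    fi
    # Pod names are DNS subdomains, namespaces are DNS labels: reject anything
    # else so no stray characters reach the oc command line.
    case "$1" in *[!a-z0-9.-]*) echo "invalid pod name: $1" >&2; return 1 ;; esac
    case "$2" in *[!a-z0-9-]*) echo "invalid namespace: $2" >&2; return 1 ;; esac
    case "$3" in *.pcap) ;; *) echo "output file must end in .pcap" >&2; return 1 ;; esac
}

# ksniff may leave its privileged Pod behind after oc sniff exits (known
# issue). Assumption: ksniff creates that Pod in the target Pod's namespace.
cleanup_ksniff_pods() {
    "$OC" delete pods -l "$KSNIFF_LABEL" -n "$1" --ignore-not-found
}

# Run the capture in privileged mode (-p): no static tcpdump build is needed
# and the capture is written to the local OUTPUT file. Ctrl+C ends it.
capture() {
    check_args "$@" || return 1
    pod="$1"; namespace="$2"; outfile="$3"
    # Catch SIGINT in this shell so Ctrl+C stops oc sniff but still lets
    # the cleanup below run.
    trap ':' INT
    "$OC" sniff -p "$pod" -n "$namespace" -o "$outfile"
    rc=$?
    trap - INT
    cleanup_ksniff_pods "$namespace"
    return "$rc"
}

# Usage: ./ksniff-capture.sh POD NAMESPACE OUTPUT.pcap
if [ "$#" -eq 3 ]; then
    capture "$@"
fi
```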
