├── README.md
├── dspcap-start
└── dspcap-stop


/README.md:
--------------------------------------------------------------------------------
 1 | # dspcap
 2 | 
 3 | A humble bash script set that uses daemonset to capture tcpdump from all k8s nodes, then collect the captures.
 4 | 
 5 | ## How to use
 6 | 
 7 | As simple as:
 8 | 
 9 | 1. Call `dspcap-start` script to start capture.
10 | 2. Call `dspcap-stop` script to stop capture and collect result to `dspcap` directory.
11 | 
12 | Installation:
13 | ```
14 | wget https://raw.githubusercontent.com/tdihp/dspcap/master/dspcap-start
15 | wget https://raw.githubusercontent.com/tdihp/dspcap/master/dspcap-stop
16 | chmod +x dspcap-start dspcap-stop
17 | ./dspcap-start
18 | ./dspcap-stop
19 | ```
20 | Then you will find all tcpdump files for your K8s nodes in dspcap directory. 
21 | 
22 | ## Customization
23 | 
24 | ### Finetune tcpdump command
25 | 
26 | Modify `TCPDUMP_ARGS` line at the top of dspcap-start accordingly. Alternatively, locate and modify the `tcpdump` line.
27 | 
28 | ### images
29 | 
30 | To change image used, modify `IMAGE` line at the top of dspcap-start accordingly. Most base images should work as long as nsenter (GNU or busybox version) is provided.
31 | 
32 | Below images are tested:
33 | 
34 | * `alpine:3.15` (default)
35 | * `ubuntu:20.04`
36 | * `mcr.microsoft.com/dotnet/runtime-deps:6.0`
37 | 
38 | ### Capture selected nodes
39 | 
40 | An easy way to achieve this is to add a nodeSelector for the daemonset in dspcap-start, then add the same label for all nodes with `kubectl label node/<name>` 
41 | 
42 | e.g.
43 | 
44 | To add a section in `.spec.template.spec` of the daemonset:
45 | 
46 | ```
47 |       nodeSelector:
48 |         foo: bar
49 | ```
50 | 
51 | Then label the target nodes, if not already applied:
52 | 
53 | ```
54 | kubectl label node/mynode1 foo=bar
55 | kubectl label node/mynode2 foo=bar
56 | ```
57 | 
58 | ## Caveat
59 | 
60 | The current dspcap implementation uses a previleged pod to access root.
61 | `nsenter` is used to get access to root for reaching tcpdump. We do not advise
62 | to use the current setting as-is to take long-term capture for the security
63 | implication involved. Note however that this can be easily averted by using
64 | capabilities instead of privilege to limit the impact, and to download tcpdump
65 | package in the pod instead of using the one on the node via nsenter.
66 | 


--------------------------------------------------------------------------------
/dspcap-start:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -e 
 3 | set -o pipefail
 4 | STARTTIME=$(date -u +%Y-%m-%dT%H:%M)
 5 | PIDFILE=/var/run/dspcap.pid
 6 | NAMESPACE=default
 7 | IMAGE=alpine:3.15
 8 | # IMAGE=mcr.microsoft.com/dotnet/runtime-deps:6.0
 9 | TCPDUMP_ARGS="-i any -s 100 -C 100"
10 | 
11 | cat <<EOF | kubectl apply -f -
12 | apiVersion: apps/v1
13 | kind: DaemonSet
14 | metadata:
15 |   name: dspcap
16 |   namespace: $NAMESPACE
17 | spec:
18 |   selector:
19 |     matchLabels:
20 |       app: dspcap
21 |   template:
22 |     metadata:
23 |       labels:
24 |         app: dspcap
25 |     spec:
26 |       hostPID: true
27 |       hostNetwork: true
28 |       tolerations:
29 |       - effect: NoSchedule
30 |         key: node-role.kubernetes.io/master
31 |       containers:
32 |       - name: tcpdump
33 |         command:
34 |         - nsenter
35 |         - --mount=/proc/1/ns/mnt
36 |         - --
37 |         - bash
38 |         - -xc
39 |         - |
40 |           mkdir -p /tmp/dspcap
41 |           chmod 777 /tmp/dspcap
42 |           echo "starting pcap"
43 |           tcpdump $TCPDUMP_ARGS -w "/tmp/dspcap/$STARTTIME.\$(hostname).pcap" &
44 |           echo \$! >$PIDFILE
45 |           wait
46 |           rm $PIDFILE
47 |           echo "sleeping forever"
48 |           sleep infinity
49 |         image: $IMAGE
50 |         resources:
51 |           requests:
52 |             cpu: 50m
53 |             memory: 50M
54 |         securityContext:
55 |           privileged: true
56 | EOF
57 | 
58 | kubectl rollout status daemonset/dspcap -n $NAMESPACE
59 | echo "Capture started. Use dspcap-stop to stop capture and collect outcome."
60 | 


--------------------------------------------------------------------------------
/dspcap-stop:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -e 
 3 | set -o pipefail
 4 | PIDFILE=/var/run/dspcap.pid
 5 | KILL_COMMAND="$(cat <<EOF
 6 | if [ -f "$PIDFILE" ]; then
 7 |   echo "killing pcap"
 8 |   pkill -SIGINT -F$PIDFILE
 9 | fi
10 | EOF
11 | )"
12 | TAR_COMMAND="cd /tmp && tar zvc dspcap"
13 | DEL_COMMAND="rm -rf /tmp/dspcap"
14 | NAMESPACE=default
15 | 
16 | pods=`kubectl get po -n $NAMESPACE -l app=dspcap -o name`
17 | 
18 | for po in `echo "$pods"`; do
19 |   echo "run killing for $po"
20 |   kubectl exec -n $NAMESPACE "$po" -- bash -c "$KILL_COMMAND"
21 | done
22 | 
23 | for po in `echo "$pods"`; do
24 |   echo "downloading for $po"
25 |   kubectl exec -n $NAMESPACE "$po" -- bash -c "$TAR_COMMAND" | tar zvx
26 | done
27 | 
28 | for po in `echo "$pods"`; do
29 |   echo "cleanup for $po"
30 |   kubectl exec -n $NAMESPACE "$po" -- bash -c "$DEL_COMMAND"
31 | done
32 | 
33 | kubectl delete -n $NAMESPACE ds/dspcap
34 | 
35 | echo "All done, cheers."
36 | 


--------------------------------------------------------------------------------