Support for AKS and Istio compatibility (#85)
When exec'ing into the ksniff container to run tcpdump, the container name must be given explicitly in case a sidecar has been injected.
ffais authored Jan 23, 2021
1 parent 66ed0ca commit f253ce9
Showing 2 changed files with 8 additions and 7 deletions.
6 changes: 3 additions & 3 deletions kube/kubernetes_api_service.go
@@ -22,7 +22,7 @@ type KubernetesApiService interface {

DeletePod(podName string) error

CreatePrivilegedPod(nodeName string, image string, socketPath string, timeout time.Duration) (*corev1.Pod, error)
CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration) (*corev1.Pod, error)

UploadFile(localPath string, remotePath string, podName string, containerName string) error
}
@@ -103,7 +103,7 @@ func (k *KubernetesApiServiceImpl) DeletePod(podName string) error {
return err
}

func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, image string, socketPath string, timeout time.Duration) (*corev1.Pod, error) {
func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration) (*corev1.Pod, error) {
log.Debugf("creating privileged pod on remote node")

isSupported, err := k.IsSupportedContainerRuntime(nodeName)
@@ -143,7 +143,7 @@ func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, image st

privileged := true
privilegedContainer := corev1.Container{
Name: "ksniff-privileged",
Name: containerName,
Image: image,

SecurityContext: &corev1.SecurityContext{
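Review bot: CreatePrivilegedPod now takes four adjacent string parameters (nodeName, containerName, image, socketPath), so a call with two of them swapped still compiles, and this is the function that sets `privileged := true` on the container it builds. Neither the interface method nor the implementation documents the new parameter; a doc comment on the interface line such as `// CreatePrivilegedPod starts a privileged pod on nodeName; containerName names the ksniff container so callers can exec into it by name even when a sidecar is injected.` would record the contract. containerName is also assigned to `Name:` with no check in the visible lines, so an empty value would presumably only be rejected by the API server at create time; an early `if containerName == ""` guard returning an error would fail sooner and closer to the caller. The body of CreatePrivilegedPod continues outside the hunks shown.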
9 changes: 5 additions & 4 deletions pkg/service/sniffer/privileged_pod_sniffer_service.go
@@ -21,7 +21,7 @@ type PrivilegedPodSnifferService struct {
}

func NewPrivilegedPodRemoteSniffingService(options *config.KsniffSettings, service kube.KubernetesApiService, bridge runtime.ContainerRuntimeBridge) SnifferService {
return &PrivilegedPodSnifferService{settings: options, kubernetesApiService: service, runtimeBridge: bridge}
return &PrivilegedPodSnifferService{settings: options, privilegedContainerName: "ksniff-privileged", kubernetesApiService: service, runtimeBridge: bridge}
}

func (p *PrivilegedPodSnifferService) Setup() error {
@@ -39,6 +39,7 @@ func (p *PrivilegedPodSnifferService) Setup() error {

p.privilegedPod, err = p.kubernetesApiService.CreatePrivilegedPod(
p.settings.DetectedPodNodeName,
p.privilegedContainerName,
p.settings.Image,
p.settings.SocketPath,
p.settings.UserSpecifiedPodCreateTimeout,
@@ -53,7 +54,7 @@ func (p *PrivilegedPodSnifferService) Setup() error {
if p.runtimeBridge.NeedsPid() {
var buff bytes.Buffer
command := p.runtimeBridge.BuildInspectCommand(p.settings.DetectedContainerId)
exitCode, err := p.kubernetesApiService.ExecuteCommand(p.privilegedPod.Name, p.privilegedPod.Spec.Containers[0].Name, command, &buff)
exitCode, err := p.kubernetesApiService.ExecuteCommand(p.privilegedPod.Name, p.privilegedContainerName, command, &buff)
if err != nil {
log.WithError(err).Errorf("failed to start sniffing using privileged pod, exit code: '%d'", exitCode)
}
@@ -71,7 +72,7 @@ func (p *PrivilegedPodSnifferService) Cleanup() error {

command := p.runtimeBridge.BuildCleanupCommand()

exitCode, err := p.kubernetesApiService.ExecuteCommand(p.privilegedPod.Name, p.privilegedPod.Spec.Containers[0].Name, command, &kube.NopWriter{})
exitCode, err := p.kubernetesApiService.ExecuteCommand(p.privilegedPod.Name, p.privilegedContainerName, command, &kube.NopWriter{})
if err != nil {
log.WithError(err).Errorf("failed to remove privileged container: '%s', exit code: '%d', "+
"please manually remove it", p.privilegedContainerName, exitCode)
@@ -103,7 +104,7 @@ func (p *PrivilegedPodSnifferService) Start(stdOut io.Writer) error {
p.settings.SocketPath,
)

exitCode, err := p.kubernetesApiService.ExecuteCommand(p.privilegedPod.Name, p.privilegedPod.Spec.Containers[0].Name, command, stdOut)
exitCode, err := p.kubernetesApiService.ExecuteCommand(p.privilegedPod.Name, p.privilegedContainerName, command, stdOut)
if err != nil {
log.WithError(err).Errorf("failed to start sniffing using privileged pod, exit code: '%d'", exitCode)
return err
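Review bot: The container name enters as a bare string literal in NewPrivilegedPodRemoteSniffingService (`privilegedContainerName: "ksniff-privileged"`), and nothing in the code records why the three ExecuteCommand calls in Setup, Cleanup and Start stopped using `Spec.Containers[0].Name`. A package-level constant with a comment would keep that reasoning next to the value, for example `const defaultPrivilegedContainerName = "ksniff-privileged" // exec by name: an injected sidecar means Containers[0] may not be the ksniff container`. Because these calls run commands inside a privileged pod, it may also be worth confirming, once CreatePrivilegedPod returns, that the pod spec actually contains a container with that name before the first exec; no such check is visible in these hunks. Setup, Cleanup and Start all continue outside the hunks shown.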

1 comment on commit f253ce9

@suryakandulapati

Hi Eldadru,

I'm interested in testing this in my dev environment. Could you please send me the steps to install and use it in AKS? I'm new to cloud platforms and am trying to understand them bit by bit. If you could help me test it in my environment, it would be a great opportunity to learn. If you have any hesitation, I'm fine with that too. Thanks, Ram
