From f253ce97ae6c3884c545080d9124aceb2f3b4263 Mon Sep 17 00:00:00 2001
From: ffais <42377700+ffais@users.noreply.github.com>
Date: Sat, 23 Jan 2021 02:35:17 +0100
Subject: [PATCH] Support for AKS and Istio compatibility (#85)

When executing into ksniff container for tcpdump, must explicitly name the container name in the event a sidecar was injected.
---
 kube/kubernetes_api_service.go | 6 +++---
 pkg/service/sniffer/privileged_pod_sniffer_service.go | 9 +++++----
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/kube/kubernetes_api_service.go b/kube/kubernetes_api_service.go
index b17e7c3..e7cfeb5 100644
--- a/kube/kubernetes_api_service.go
+++ b/kube/kubernetes_api_service.go
@@ -22,7 +22,7 @@ type KubernetesApiService interface {
 DeletePod(podName string) error
- CreatePrivilegedPod(nodeName string, image string, socketPath string, timeout time.Duration) (*corev1.Pod, error)
+ CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration) (*corev1.Pod, error)
 UploadFile(localPath string, remotePath string, podName string, containerName string) error
 }
@@ -103,7 +103,7 @@ func (k *KubernetesApiServiceImpl) DeletePod(podName string) error {
 return err
 }
-func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, image string, socketPath string, timeout time.Duration) (*corev1.Pod, error) {
+func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration) (*corev1.Pod, error) {
 log.Debugf("creating privileged pod on remote node")
 isSupported, err := k.IsSupportedContainerRuntime(nodeName)
@@ -143,7 +143,7 @@ func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, image st
 privileged := true
 privilegedContainer := corev1.Container{
- Name: "ksniff-privileged",
+ Name: containerName,
 Image: image,
 SecurityContext: &corev1.SecurityContext{
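Review bot: The new `containerName` parameter in the second hunk is passed straight through to `Name: containerName` in the third hunk with no check that it is non-empty, so a caller that leaves it at the zero value gets a pod spec the API server rejects with an error that does not point at the argument; the body of `CreatePrivilegedPod` starts in the second hunk and continues outside it. A guard before the `IsSupportedContainerRuntime` call, such as `if containerName == "" { return nil, fmt.Errorf("privileged container name must not be empty") }` (using whichever error constructor the file already imports), makes the failure local and explicit. The interface method in the first hunk also gains a parameter without a doc comment; a line such as `// CreatePrivilegedPod creates a privileged pod on nodeName whose privileged container is named containerName, so callers can exec into it by name even when other containers are injected into the pod.` would record why the name is supplied rather than read back from the pod spec.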
diff --git a/pkg/service/sniffer/privileged_pod_sniffer_service.go b/pkg/service/sniffer/privileged_pod_sniffer_service.go
index e3c9fb5..006cf05 100644
--- a/pkg/service/sniffer/privileged_pod_sniffer_service.go
+++ b/pkg/service/sniffer/privileged_pod_sniffer_service.go
@@ -21,7 +21,7 @@ type PrivilegedPodSnifferService struct {
 }
 func NewPrivilegedPodRemoteSniffingService(options *config.KsniffSettings, service kube.KubernetesApiService, bridge runtime.ContainerRuntimeBridge) SnifferService {
- return &PrivilegedPodSnifferService{settings: options, kubernetesApiService: service, runtimeBridge: bridge}
+ return &PrivilegedPodSnifferService{settings: options, privilegedContainerName: "ksniff-privileged", kubernetesApiService: service, runtimeBridge: bridge}
 }
 func (p *PrivilegedPodSnifferService) Setup() error {
@@ -39,6 +39,7 @@ func (p *PrivilegedPodSnifferService) Setup() error {
 p.privilegedPod, err = p.kubernetesApiService.CreatePrivilegedPod(
 p.settings.DetectedPodNodeName,
+ p.privilegedContainerName,
 p.settings.Image,
 p.settings.SocketPath,
 p.settings.UserSpecifiedPodCreateTimeout,
@@ -53,7 +54,7 @@ func (p *PrivilegedPodSnifferService) Setup() error {
 if p.runtimeBridge.NeedsPid() {
 var buff bytes.Buffer
 command := p.runtimeBridge.BuildInspectCommand(p.settings.DetectedContainerId)
- exitCode, err := p.kubernetesApiService.ExecuteCommand(p.privilegedPod.Name, p.privilegedPod.Spec.Containers[0].Name, command, &buff)
+ exitCode, err := p.kubernetesApiService.ExecuteCommand(p.privilegedPod.Name, p.privilegedContainerName, command, &buff)
 if err != nil {
 log.WithError(err).Errorf("failed to start sniffing using privileged pod, exit code: '%d'", exitCode)
 }
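Review bot: The literal `"ksniff-privileged"` in the constructor's one-line struct literal (first hunk) is the only place the name is now defined, and it is buried in the middle of four fields; a package-level `const defaultPrivilegedContainerName = "ksniff-privileged"` with the literal written one field per line would make the value discoverable and keep the constructor readable. The `privilegedContainerName` field was already read by Cleanup's log message before this commit (context line in the fourth hunk), so until now that message printed an empty name; the constructor change fixes that as a side effect and is worth a sentence in the commit description. Nothing else in the file sets the field, so a `PrivilegedPodSnifferService` built outside this constructor would still pass an empty name to `CreatePrivilegedPod` in Setup; if that construction path exists, a guard in Setup would be the place to catch it.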
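Review bot: In the third hunk, the error from the rewritten `ExecuteCommand` call is logged but, as far as the hunk shows, not returned: the `if err != nil` block closes right after the log line, so Setup continues with whatever `buff` holds after a failed inspect (presumably parsed for a PID later in Setup, outside the hunk; if that later code already bails out on an empty buffer this is moot). Adding `return err` inside the block keeps a failed inspect from turning into a confusing failure downstream. The message on that line, `failed to start sniffing using privileged pod`, is also the same text Start uses in the fifth hunk even though this call is the container-inspect step; `"failed to inspect target container from privileged pod, exit code: '%d'"` would let a log reader tell the two failures apart.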
@@ -71,7 +72,7 @@ func (p *PrivilegedPodSnifferService) Cleanup() error {
 command := p.runtimeBridge.BuildCleanupCommand()
- exitCode, err := p.kubernetesApiService.ExecuteCommand(p.privilegedPod.Name, p.privilegedPod.Spec.Containers[0].Name, command, &kube.NopWriter{})
+ exitCode, err := p.kubernetesApiService.ExecuteCommand(p.privilegedPod.Name, p.privilegedContainerName, command, &kube.NopWriter{})
 if err != nil {
 log.WithError(err).Errorf("failed to remove privileged container: '%s', exit code: '%d', "+
 "please manually remove it", p.privilegedContainerName, exitCode)
@@ -103,7 +104,7 @@ func (p *PrivilegedPodSnifferService) Start(stdOut io.Writer) error {
 p.settings.SocketPath,
 )
- exitCode, err := p.kubernetesApiService.ExecuteCommand(p.privilegedPod.Name, p.privilegedPod.Spec.Containers[0].Name, command, stdOut)
+ exitCode, err := p.kubernetesApiService.ExecuteCommand(p.privilegedPod.Name, p.privilegedContainerName, command, stdOut)
 if err != nil {
 log.WithError(err).Errorf("failed to start sniffing using privileged pod, exit code: '%d'", exitCode)
 return err