tcpdump-webhook

A simple demonstration of Kubernetes Mutating Webhooks. Injects a tcpdump sidecar to your pods with the tcpdump-sidecar label.

Rewrite of https://github.com/bilalunalnet/k8s-tcpdump-webhook in Golang

DISCLAIMER: THIS IS NOT MEANT FOR PRODUCTION

Build and Deploy

In order to get your sidecar containers running you need to build the following image too: https://github.com/dyslexicat/tcpdump-alpine

Build docker image;

docker build -t dyslexicat/tcpdump-webhook .

Generate ca in /tmp
cfssl gencert -initca ./tls/ca-csr.json | cfssljson -bare /tmp/ca

Generate private key and certificate for SSL connection.

cfssl gencert \
  -ca=/tmp/ca.pem \
  -ca-key=/tmp/ca-key.pem \
  -config=./tls/ca-config.json \
  -hostname="tcpdump-webhook,tcpdump-webhook.webhook-demo.svc.cluster.local,tcpdump-webhook.webhook-demo.svc,localhost,127.0.0.1" \
  -profile=default \
  ./tls/ca-csr.json | cfssljson -bare /tmp/tcpdump-webhook

Move your SSL key and certificate to the ssl directory:
mv /tmp/tcpdump-webhook.pem ./ssl/tcpdump.pem
mv /tmp/tcpdump-webhook-key.pem ./ssl/tcpdump.key

Update ConfigMap data in the manifest/webhook-deployment.yaml file with your key and certificate.

Update caBundle value in the manifest/webhook-configuration.yaml file with your base64 encoded CA certificate.

cat ca.pem | base64

kubectl create ns webhook-demo
kubectl apply -f manifest/webhook-deployment.yaml
kubectl apply -f manifest/webhook-configuration.yaml

Test

There is a Pod manifest file in the manifest directory to be used for testing purposes.

GitHub

View Github