K
Q

Decrypting kubernetes master api calls

6/6/2018

Team, I am running kubectl from my laptop and captured Wireshark trace of the same. how could I decrypt the traffic hitting the api server?

ex: we decrypt the http calls using private key of the web server. in k8s world, how would I decrypt the calls to cluster? new to this so need to understand.

--
kubernetes
kubernetes-security

Similar Questions

Kubectl: Access kubernetes cluster using route53 private hosted zone
Access to Kubernetes in IBM Cloud
SSL termination Nginx ingress controller
Helm charts nested loops
Argo worflows - fair share resources
How to use claims as Volumes
kubernetes assign configmap as environment variables on deployment
Mistakes in my ingress yaml file or process?
How to update Elasticsearch ECS in Kubernetes?

1 Answer

6/6/2018

The traffic itself and the (api)server keys will not be enough for that. Current TLS implementation is using forward secrecy so you would need the session keys as well. Browsers can be configured to log session keys (which you can feed into wireshark) but I don't know if kubectl can be configured with some debugging options to do that. Probably not.

An alternative is a man in the middle "attack" which will defeat TLS with forward secrecy. I capture kubectl traffic with mitmproxy. You will need to set it up with kubernetes CA, so the generated certificates are valid as far as kubectl is concerned.

Of course, all for educational purposes at trainings ;-)

-- Janos Lenart
Source: StackOverflow