Decrypting Kubernetes master API calls

6/6/2018

Team, I am running kubectl from my laptop and captured a Wireshark trace of the same. How could I decrypt the traffic hitting the API server?

Ex: we decrypt the HTTP calls using the private key of the web server. In the k8s world, how would I decrypt the calls to the cluster? New to this, so I need to understand.

--
kubernetes
kubernetes-security

1 Answer

6/6/2018

The traffic itself and the (API) server keys will not be enough for that. The current TLS implementation uses forward secrecy, so you would need the session keys as well. Browsers can be configured to log session keys (which you can feed into Wireshark), but I don't know if kubectl can be configured with some debugging options to do that. Probably not.

An alternative is a man-in-the-middle "attack", which will defeat TLS with forward secrecy. I capture kubectl traffic with mitmproxy. You will need to set it up with the Kubernetes CA, so the generated certificates are valid as far as kubectl is concerned.

Of course, all for educational purposes at trainings ;-)

-- Janos Lenart
Source: StackOverflow
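
The session-key logging mentioned in the answer, as an added example that is not part of the original answer and is not kubectl or client-go code: Go's `crypto/tls`, the TLS stack used by Go programs such as kubectl, writes key log lines in the NSS format Wireshark reads when `tls.Config.KeyLogWriter` is set on the client. The local `httptest` server and its `/api` response are constructed stand-ins for an API server, and `captureKeyLog` is a hypothetical name.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// captureKeyLog makes one HTTPS request to a local test server (a constructed
// stand-in for the API server) and returns the key log lines the client wrote.
func captureKeyLog() ([]string, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"kind":"APIVersions"}`) // constructed response body
	}))
	defer srv.Close()

	var keylog bytes.Buffer // in real use: a file opened with mode 0600
	tr := srv.Client().Transport.(*http.Transport).Clone()
	tr.TLSClientConfig.KeyLogWriter = &keylog // debugging only: these secrets decrypt the session
	defer tr.CloseIdleConnections()

	resp, err := (&http.Client{Transport: tr}).Get(srv.URL + "/api")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if _, err := io.Copy(io.Discard, resp.Body); err != nil {
		return nil, err
	}
	return strings.Split(strings.TrimSpace(keylog.String()), "\n"), nil
}

func main() {
	lines, err := captureKeyLog()
	if err != nil {
		panic(err)
	}
	for _, l := range lines {
		f := strings.Fields(l) // label, client random, secret
		fmt.Printf("%s client_random=%s... secret=<%d hex chars>\n", f[0], f[1][:8], len(f[2]))
	}
}
```

Each line is `<label> <client random> <secret>`; Wireshark matches the client random against the ClientHello in the capture, so the key log and the trace must come from the same connection.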