2

Team, I am running kubectl from my laptop and captured Wireshark trace of the same. how could I decrypt the traffic hitting the api server?

ex: we decrypt the http calls using private key of the web server. in k8s world, how would I decrypt the calls to cluster? new to this so need to understand.

  • Did you create the cluster or rather have a hold of the keys to create the cluster? – iomv Jun 06 '18 at 08:48

1 Answers1

2

The traffic itself and the (api)server keys will not be enough for that. Current TLS implementation is using forward secrecy so you would need the session keys as well. Browsers can be configured to log session keys (which you can feed into wireshark) but I don't know if kubectl can be configured with some debugging options to do that. Probably not.

An alternative is a man in the middle "attack" which will defeat TLS with forward secrecy. I capture kubectl traffic with mitmproxy. You will need to set it up with kubernetes CA, so the generated certificates are valid as far as kubectl is concerned.

Of course, all for educational purposes at trainings ;-)

Janos Lenart
  • 25,074
  • 5
  • 73
  • 75
  • so, i can see live traffic on mitmproxy provided i use the k8s CA? but how do i redirect the kubectl calls to mitmproxy so that i can see the trafic? –  Jun 07 '18 at 12:57