eldadru / ksniff

Kubectl plugin to ease sniffing on kubernetes pods using tcpdump and wireshark
Apache License 2.0

Support custom labels + resources in ksniff pods #149

Closed ruben-rodriguez closed 1 year ago

ruben-rodriguez commented 2 years ago

Some environments have admission webhook policies so that labels and resources must be provided to run workloads:

INFO[0000] no container specified, taking first container we found in pod.
INFO[0000] selected container: 'test-container'
INFO[0000] sniffing method: privileged pod
INFO[0000] sniffing on pod: 'test-pod' [namespace: 'default', container: 'test-container', filter: '', interface: 'any']
INFO[0000] creating privileged pod on node: 'main1'
ERRO[0000] failed to create privileged pod on node: 'main1'  error="admission webhook \"validation.gatekeeper.sh\" denied the request: [policy-k8spodenforcelabels] you must provide labels: {\"app.kubernetes.io/instance\", \"app.kubernetes.io/managed-by\", \"app.kubernetes.io/name\"}"
Error: admission webhook "validation.gatekeeper.sh" denied the request: [policy-k8spodenforcelabels] you must provide labels: {"app.kubernetes.io/instance", "app.kubernetes.io/managed-by", "app.kubernetes.io/name"}

I'm currently following this approach in a personal fork (modifying kubernetes_api_service.go), though not sure if this is a feature that should be implemented for the general use of the tool.

// v1 is k8s.io/apimachinery/pkg/apis/meta/v1; the extra labels satisfy the gatekeeper policy
objectMetadata := v1.ObjectMeta{
    GenerateName: "ksniff-",
    Namespace:    k.targetNamespace,
    Labels: map[string]string{
        "app":                        "ksniff",
        "custom-label":               "test",
        "app.kubernetes.io/instance": "ksniff",
        "app.kubernetes.io/name":     "ksniff",
    },
}

And also resources requests and limits like:

// corev1 is k8s.io/api/core/v1; resource is k8s.io/apimachinery/pkg/api/resource
resources := corev1.ResourceRequirements{
    Limits: corev1.ResourceList{
        corev1.ResourceMemory: resource.MustParse("150M"),
        corev1.ResourceCPU:    resource.MustParse("25m"),
    },
    Requests: corev1.ResourceList{
        corev1.ResourceCPU:    resource.MustParse("15m"),
        corev1.ResourceMemory: resource.MustParse("75M"),
    },
}

// the resources block above is attached to the privileged sniffing container
privilegedContainer := corev1.Container{
    Name:            containerName,
    Image:           image,
    ImagePullPolicy: "IfNotPresent",

    SecurityContext: &corev1.SecurityContext{
        Privileged: &privileged,
    },

    Command:      []string{"sh", "-c", "sleep 10000000"},
    VolumeMounts: volumeMounts,
    Resources:    resources,
}
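As an added illustration, not code from the ksniff project or from the author of this issue, the stand-alone Go program below shows the client-side checks a label and resource option would want before ksniff creates its privileged pod, covering both snippets above: it parses a hypothetical `--pod-labels k1=v1,k2=v2` flag value, merges it with the existing `app: ksniff` label, reports which of the keys the gatekeeper policy in the log still demands are missing, and confirms requests do not exceed limits using a small parser for the quantity suffixes used above. The flag name, `RequiredByPolicy`, and the parsers are assumptions; it uses only the standard library instead of `k8s.io/apimachinery`'s `resource` package.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// RequiredByPolicy mirrors the three keys the gatekeeper policy in the issue's log demands.
var RequiredByPolicy = []string{
	"app.kubernetes.io/instance",
	"app.kubernetes.io/managed-by",
	"app.kubernetes.io/name",
}

// defaultLabels is the label ksniff already sets; user-supplied labels are merged on top.
var defaultLabels = map[string]string{"app": "ksniff"}

// ParseLabels turns a hypothetical "--pod-labels k1=v1,k2=v2" flag value into a map.
func ParseLabels(spec string) (map[string]string, error) {
	out := map[string]string{}
	if strings.TrimSpace(spec) == "" {
		return out, nil
	}
	for _, kv := range strings.Split(spec, ",") {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 || strings.TrimSpace(parts[0]) == "" {
			return nil, fmt.Errorf("bad label %q: want key=value", kv)
		}
		out[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
	}
	return out, nil
}

// MergeLabels overlays user labels on ksniff's default; a user value wins on collision.
func MergeLabels(user map[string]string) map[string]string {
	out := map[string]string{}
	for k, v := range defaultLabels {
		out[k] = v
	}
	for k, v := range user {
		out[k] = v
	}
	return out
}

// MissingLabels reports, sorted, the required keys absent from labels, so the caller gets
// the webhook's verdict locally instead of an admission error after the API call.
func MissingLabels(labels map[string]string, required []string) []string {
	var missing []string
	for _, k := range required {
		if _, ok := labels[k]; !ok {
			missing = append(missing, k)
		}
	}
	sort.Strings(missing)
	return missing
}

// scale parses a non-negative decimal number and multiplies it by mult.
func scale(num string, mult int64) (int64, error) {
	f, err := strconv.ParseFloat(num, 64)
	if err != nil || f < 0 {
		return 0, fmt.Errorf("bad quantity %q", num)
	}
	return int64(f * float64(mult)), nil
}

// ParseCPU returns millicores: "25m" -> 25, "2" -> 2000.
func ParseCPU(q string) (int64, error) {
	if strings.HasSuffix(q, "m") {
		return scale(strings.TrimSuffix(q, "m"), 1)
	}
	return scale(q, 1000)
}

// ParseMemory returns bytes for the decimal (k, M, G) and binary (Ki, Mi, Gi) suffixes;
// binary suffixes are checked first so "Mi" is never mistaken for "M".
func ParseMemory(q string) (int64, error) {
	suffixes := []struct {
		s string
		m int64
	}{{"Ki", 1 << 10}, {"Mi", 1 << 20}, {"Gi", 1 << 30}, {"k", 1e3}, {"M", 1e6}, {"G", 1e9}}
	for _, sf := range suffixes {
		if strings.HasSuffix(q, sf.s) {
			return scale(strings.TrimSuffix(q, sf.s), sf.m)
		}
	}
	return scale(q, 1)
}

// CheckResources rejects a request that exceeds its limit, which the API server would
// refuse as an invalid pod spec anyway; catching it locally gives a clearer error.
func CheckResources(requests, limits map[string]string) error {
	parsers := map[string]func(string) (int64, error){"cpu": ParseCPU, "memory": ParseMemory}
	for name, parse := range parsers {
		req, hasReq := requests[name]
		lim, hasLim := limits[name]
		if !hasReq || !hasLim {
			continue
		}
		r, errR := parse(req)
		l, errL := parse(lim)
		if errR != nil || errL != nil {
			return fmt.Errorf("bad %s quantity (request %q, limit %q)", name, req, lim)
		}
		if r > l {
			return fmt.Errorf("%s request %s exceeds limit %s", name, req, lim)
		}
	}
	return nil
}
```

Running `MissingLabels` over the merged labels before the pod is created turns the opaque webhook denial in the log above into a message naming exactly which keys the user must still pass; the request/limit check covers the other way such a pod gets rejected.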