Closed nberlee closed 2 months ago
This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.
This issue was closed because it has been stalled for 7 days with no activity.
Feature Request
Description
At present, the really fantastic `talosctl pcap` command performs packet captures in the host network namespace. I propose expanding this feature to packet capture within a network namespace. This enhancement would simplify the 'last mile' debugging, especially in scenarios where TLS termination occurs within the pod, like in a service mesh. Furthermore, it would facilitate debugging of container-to-container traffic via localhost, for instance, in internal container pod traffic scenarios such as nginx -> uwsgi or nginx -> fpm.

In a non-Talos cluster, I can achieve this by sshing to the host of the active pod whose traffic I want to monitor. I would then identify the container ID using `crictl ps`, inspect with `crictl inspect` to find the PID, and finally use `nsenter -n -t <pid> tcpdump`. However, in a Talos cluster, I would need to create a container with an image with tcpdump + nsenter in privileged mode and schedule it on the right host.

To maintain consistency, I propose that we use the same syntax as with `talosctl netstat <namespace>/<pod>`. This command initially performs a lookup to find the netns name, and the netns lookup function of netstat could probably be reused for this purpose.

I am eager to begin working on this, but first, I would like to confirm if this proposed enhancement is desirable within Talos.