Feature Request: Extension of talosctl pcap to Include Network Namespaces
Feature Request
Description
At present, the really fantastic talosctl pcap command performs packet captures in the host network namespace. I propose expanding this feature to support packet capture within a network namespace. This enhancement would simplify the 'last mile' debugging, especially in scenarios where TLS termination occurs within the pod, like in a service mesh. Furthermore, it would facilitate debugging of container-to-container traffic via localhost, for instance, in internal container pod traffic scenarios such as nginx -> uwsgi or nginx -> fpm.
In a non-Talos cluster, I can achieve this by SSHing to the host of the active pod whose traffic I want to monitor. I would then identify the container ID using crictl ps, inspect with crictl inspect to find the PID, and finally use nsenter -n -t <pid> tcpdump. However, in a Talos cluster, I would need to create a container with an image with tcpdump + nsenter in privileged mode and schedule it on the right host.
To maintain consistency, I propose that we use the same syntax as with talosctl netstat <namespace>/<pod>. This command initially performs a lookup to find the netns name, and the netns lookup function of netstat could probably be reused for this purpose.
I am eager to begin working on this, but first, I would like to confirm if this proposed enhancement is desirable within Talos.
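The manual non-Talos workflow from the description (crictl ps, crictl inspect for the PID, then nsenter into the network namespace and run tcpdump), scripted as an added example. This is not code from the issue or from the Talos project. It assumes crictl, nsenter and tcpdump are installed on the node, that crictl pods and crictl ps accept --namespace, --name, --pod and -q, and that crictl inspect prints the container's init PID (in the host PID namespace) as "pid" under "info"; the target syntax mirrors the namespace/pod form used by talosctl netstat, with an optional third /container part for multi-container pods.

```shell
#!/bin/sh
# Added example, not code from the issue or from the Talos project.
# Wraps the manual non-Talos workflow described in the issue:
#   crictl ps -> crictl inspect (PID) -> nsenter -n -t <pid> tcpdump
# Assumptions: crictl, nsenter and tcpdump exist on the node; `crictl pods`
# and `crictl ps` accept --namespace/--name/--pod/-q; `crictl inspect`
# prints the container's init PID as "pid" under "info".

# Extract the first "pid": <n> value from crictl inspect JSON read on stdin.
# grep/sed only, so the script does not depend on jq being installed.
pid_from_inspect() {
  grep -o '"pid": *[0-9][0-9]*' | head -n 1 | sed 's/[^0-9]//g'
}

# Split "namespace/pod" (optionally "namespace/pod/container") into its parts,
# printed space-separated; the container part is empty when it was omitted.
split_target() {
  case "$1" in
    */*) ;;
    *) echo "expected namespace/pod[/container], got '$1'" >&2; return 1 ;;
  esac
  ns=${1%%/*}
  rest=${1#*/}
  pod=${rest%%/*}
  ctr=""
  case "$rest" in
    */*) ctr=${rest#*/} ;;
  esac
  printf '%s %s %s\n' "$ns" "$pod" "$ctr"
}

# Resolve namespace/pod[/container] to a container ID on this node.
# Without an explicit container, the first container of the pod is used.
resolve_container() {
  parts=$(split_target "$1") || return 1
  set -- $parts
  ns=$1; pod=$2; ctr=$3
  pod_id=$(crictl pods --namespace "$ns" --name "$pod" -q | head -n 1)
  [ -n "$pod_id" ] || { echo "no pod $ns/$pod on this node" >&2; return 1; }
  if [ -n "$ctr" ]; then
    crictl ps --pod "$pod_id" --name "$ctr" -q | head -n 1
  else
    crictl ps --pod "$pod_id" -q | head -n 1
  fi
}

# Capture inside the container's network namespace; remaining arguments are
# passed straight to tcpdump (interface, filter, -w output file, ...).
pcap_in_pod() {
  target=$1; shift
  cid=$(resolve_container "$target") || return 1
  [ -n "$cid" ] || { echo "no container found for $target" >&2; return 1; }
  pid=$(crictl inspect "$cid" | pid_from_inspect)
  [ -n "$pid" ] || { echo "could not find PID for container $cid" >&2; return 1; }
  echo "capturing in netns of $target (container $cid, pid $pid)" >&2
  nsenter -n -t "$pid" tcpdump "$@"
}

# Runs only when invoked with arguments, e.g. on the node:
#   sh pod-pcap.sh kube-system/coredns-xyz -i any -w /tmp/coredns.pcap
if [ $# -ge 1 ]; then
  pcap_in_pod "$@"
fi
```

Because nsenter only switches the network namespace (-n), tcpdump still writes to the host filesystem, so -w /tmp/... lands on the node rather than inside the container; the PID must be the host-visible one, which is why it is taken from crictl inspect rather than from inside the container.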
This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.
This issue was closed because it has been stalled for 7 days with no activity.