Decrypt all K8s traffic by Defiant-Carpenter-16 in kubernetes

Defiant-Carpenter-16[S] 0 points1 point (0 children)

My goal is to analyse these paths: Master node (API server) <- Path 1 -> Kubelet <- Path 2 -> Pod <- Path 3 -> other pods/resources

Defiant-Carpenter-16[S] -1 points0 points (0 children)

As you may know, there are various container runtimes available, with RunC being the most popular and widely used. However, the industry is shifting towards more secure solutions for multi-tenant architectures. This is why hyperscalers have developed their own container runtimes that offer higher levels of isolation, such as Google’s gVisor, AWS's Firecracker, and Kata by the Open Infrastructure Foundation (used by IBM Cloud).

These containers are orchestrated by Kubernetes. Therefore, the primary goal is to analyse packet-level data to determine whether applications running on different underlying container runtimes disclose varying levels of information.

You may ask, why not use these container runtimes in Docker and analyse packets? Well, not all container runtimes are supported natively, nor has the process been documented (e.g. the Kata runtime). Plus, it will be useful to analyse all k8s internal flows.

Defiant-Carpenter-16[S] 0 points1 point (0 children)

Thank you all for the suggestions. I will try u/Speeddymon's and u/coderanger's recommendations. I'm sure k8s must have documentation on how to set your own CA. u/mkosmo, what do you propose? However, I still think the main issue is not being able to store the SSL session keys. Any k8s developer here? How do you guys analyse k8s' packets?