A humble bash script set that uses daemonset to capture tcpdump from all k8s nodes, then collect the captures.

As simple as:

1. Call dspcap-start script to start capture.
2. Call dspcap-stop script to stop capture and collect result to dspcap directory.

Installation:

wget https://raw.githubusercontent.com/tdihp/dspcap/master/dspcap-start
wget https://raw.githubusercontent.com/tdihp/dspcap/master/dspcap-stop
chmod +x dspcap-start dspcap-stop
./dspcap-start
./dspcap-stop

Then you will find all tcpdump files for your K8s nodes in dspcap directory.

Modify TCPDUMP_ARGS line at the top of dspcap-start accordingly. Alternatively, locate and modify the tcpdump line.

To change image used, modify IMAGE line at the top of dspcap-start accordingly. Most base images should work as long as nsenter (GNU or busybox version) is provided.

Below images are tested:

• alpine:3.15 (default)
• ubuntu:20.04
• mcr.microsoft.com/dotnet/runtime-deps:6.0

An easy way to achieve this is to add a nodeSelector for the daemonset in dspcap-start, then add the same label for all nodes with kubectl label node/<name>

e.g.

To add a section in .spec.template.spec of the daemonset:

      nodeSelector:
        foo: bar

Then label the target nodes, if not already applied:

kubectl label node/mynode1 foo=bar
kubectl label node/mynode2 foo=bar

The current dspcap implementation uses a previleged pod to access root. nsenter is used to get access to root for reaching tcpdump. We do not advise to use the current setting as-is to take long-term capture for the security implication involved. Note however that this can be easily averted by using capabilities instead of privilege to limit the impact, and to download tcpdump package in the pod instead of using the one on the node via nsenter.