Using trace sni
The trace sni gadget is used to trace the Server Name Indication (SNI) requests sent as part of TLS handshakes.
On Kubernetes
The SNI tracer will show which pods are making which SNI requests. To start it, we can run:
$ kubectl gadget trace sni
K8S.NODE K8S.NAMESPACE K8S.PODNAME PID TID COMM NAME
To generate some output for this example, let's create a demo pod in another terminal:
$ kubectl run -it ubuntu --image ubuntu:latest -- /bin/bash
root@ubuntu:/# apt update && apt install -y wget && wget wikimedia.org
(...)
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.wikimedia.org/ [following]
(...)
root@ubuntu:/# wget www.github.com
(...)
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/ [following]
(...)
Go back to the first terminal and see:
K8S.NODE   K8S.NAMESPACE   K8S.PODNAME   PID       TID       COMM   NAME
minikube   default         ubuntu        3917791   3917791   wget   www.github.com
minikube   default         ubuntu        3917791   3917791   wget   github.com
minikube   default         ubuntu        3917812   3917812   wget   wikimedia.org
minikube   default         ubuntu        3917812   3917812   wget   www.wikimedia.org
We can see that each time our wget client connected to a different server, our tracer caught the Server Name Indication requested.
Clean everything
Congratulations! You reached the end of this guide! You can now delete the pod you created:
$ kubectl delete pod ubuntu
pod "ubuntu" deleted
With ig
Run the gadget in a terminal:
$ sudo ig trace sni -r docker -c test-trace-sni
RUNTIME.CONTAINERNAME PID TID COMM NAME
Run a container that establishes a TLS connection with a remote endpoint:
$ docker run -it --rm --name test-trace-sni busybox /bin/sh -c "wget https://example.com"
Connecting to example.com (93.184.216.34:443)
wget: note: TLS certificate validation not implemented
saving to 'index.html'
index.html 100% |*******************************************************************************************************************************************************************| 1256 0:00:00 ETA
'index.html' saved
The gadget will show the Server Name Indication used by the request:
$ sudo ig trace sni -r docker -c test-trace-sni
RUNTIME.CONTAINERNAME   PID       TID       COMM   NAME
test-trace-sni          3944366   3944366   wget   example.com