Finding Neighbours

备注

Hello?

Sometimes, it seems we are the only ones around, but we should always be on guard against invisible sidecars reporting sensitive secrets.

有时，看起来我们似乎是周围唯一的存在，但我们应该始终警惕那些隐形的 sidecar，它们可能会泄露敏感的秘密。

查看当前的网络连接

player@wiz-k8s-lan-party:~$ netstat -anopt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     Timer
tcp        0      0 192.168.1.39:42882      10.100.171.123:80       TIME_WAIT   -                    timewait (58.43/0/0)
tcp        0      0 192.168.1.39:42870      10.100.171.123:80       TIME_WAIT   -                    timewait (53.42/0/0)

可以看到，有向 10.100.171.123:80 发起的连接，但是在本容器内无法得知运行的进程信息

那么结合题目描述，可以猜测是 sidecar 容器发起的网络连接，尝试使用 tcpdump 捕获连接中的数据

player@wiz-k8s-lan-party:~$ tcpdump dst host 10.100.171.123 and dst port 80 -A
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ns-eafe9b, link-type EN10MB (Ethernet), snapshot length 262144 bytes
07:29:35.482799 IP 192.168.1.39.44170 > reporting-service.k8s-lan-party.svc.cluster.local.http: Flags [S], seq 513025098, win 64240, options [mss 1460,sackOK,TS val 2483130223 ecr 0,nop,wscale 7], length 0
E..<.n@........'
d.{...P..$J........w..........
...o........
07:29:35.482839 IP 192.168.1.39.44170 > reporting-service.k8s-lan-party.svc.cluster.local.http: Flags [.], ack 1811249520, win 502, options [nop,nop,TS val 2483130223 ecr 2391605501], length 0
E..4.o@........'
d.{...P..$Kk.yp....w......
...o....
07:29:35.482878 IP 192.168.1.39.44170 > reporting-service.k8s-lan-party.svc.cluster.local.http: Flags [P.], seq 0:214, ack 1, win 502, options [nop,nop,TS val 2483130223 ecr 2391605501], length 214: HTTP: POST / HTTP/1.1
E..
.p@........'
d.{...P..$Kk.yp....x......
...o....POST / HTTP/1.1
Host: reporting-service
User-Agent: curl/7.64.0
Accept: */*
Content-Length: 63
Content-Type: application/x-www-form-urlencoded

wiz_k8s_lan_party{good-crime-comes-with-a-partner-in-a-sidecar}
07:29:35.484560 IP 192.168.1.39.44170 > reporting-service.k8s-lan-party.svc.cluster.local.http: Flags [.], ack 206, win 501, options [nop,nop,TS val 2483130224 ecr 2391605502], length 0
E..4.q@........'
d.{...P..%!k.z=....w......
...p....
07:29:35.484662 IP 192.168.1.39.44170 > reporting-service.k8s-lan-party.svc.cluster.local.http: Flags [F.], seq 214, ack 206, win 501, options [nop,nop,TS val 2483130225 ecr 2391605502], length 0
E..4.r@........'
d.{...P..%!k.z=....w......
...q....
07:29:35.484701 IP 192.168.1.39.44170 > reporting-service.k8s-lan-party.svc.cluster.local.http: Flags [.], ack 207, win 501, options [nop,nop,TS val 2483130225 ecr 2391605503], length 0
E..4.s@........'
d.{...P..%"k.z>....w......
...q....
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

即可得到答案

wiz_k8s_lan_party{good-crime-comes-with-a-partner-in-a-sidecar}