Kubetap
What is Kubetap?
Kubetap is a kubectl plugin that enables an operator to easily deploy intercepting
proxies for Kubernetes Services.
Here is a video presentation and demo of the project.
Why Kubetap?
Kubetap arose from a need to quickly and efficiently proxy Kubernetes Services
without imposing a CNI mandate.
It has always been possible to manually: add a sidecar to Deployment manifests, patch
Service manifests, add a mitmweb Service, deploy, test, code push the bugfix,
remove the sidecar from the Deployment, un-patch the Service, remove the
mitmweb Service, deploy, and test again....
Or, if you own the app, could build and push some Printf debugging...
then wait for CI... then track down the pod to get logs...
But both of those are long, laborious processes that are ripe for automation.
Thus, Kubetap was born.
Documentation
The documentation website, https://soluble-ai.github.io/kubetap/,
contains formatted documentation. The documentation site source is available in
the docs folder, however an abridged documentation is provided
below.
Installation
From Source
The recommended installation method is to clone the repository and run:
make
Homebrew
Soluble provides a homebrew formula repository.
brew tap soluble-ai/homebrew-kubetap
brew install kubetap
Binary Release
Binary releases for Mac (non-notarized), Windows, and Linux of varying
architectures are available from the Releases page.
With Krew
Kubetap can be installed with krew:
kubectl krew install tap
Usage
Kubetap's binary is kubectl-tap. This makes kubetap a kubectl plugin,
allowing it to be invoked as kubectl tap.
Kubetap inherits many configuration options from kubectl, such as: --context,
--namespace (or -n), --as, etc.
Tap On
Deploy a MITMproxy container to tap the target Service, in the case of this example,
the grafana Service's exposed port 443, which uses HTTPS. This uses the
--browser flag (which implies --port-forward) to automatically open the
proxy and target Service in a browser window.
$ kubectl tap on grafana -p443 --https --browser
Establishing port-forward tunnels to service...
Port-Forwards:
mitmproxy - http://127.0.0.1:2244
grafana - https://127.0.0.1:4000
Tap Off
Remove the tap from the grafana Service.
$ kubectl tap off grafana
Untapped Service "grafana"
List Active Taps
The namespaces can be constrained with -n, but by default it lists taps in
all namespaces:
$ kubectl tap list
Tapped Namespace/Service:
default/grafana
In a container
It is possible to schedule kubetap as a Pod in Kubernetes using the
grc.io/soluble-oss/kubectl-tap:latest container. When run in a cluster,
kubetap will automatically detect and use serviceaccount tokens that are
mounted to the container's filesystem.
Additionally, it is possible to run the containers from a developer laptop as follows:
docker run -v "${HOME}/.kube/:/.kube/:ro" 'gcr.io/soluble-oss/kubectl-tap:latest' on -p80 myservice
docker run -v "${HOME}/.kube/:.kube/:ro" 'gcr.io/soluble-oss/kubectl-tap:latest' off myservice
Made by Soluble.ai
This project was created to compliment the Soluble platform.
Building Kubetap is a blog post detailing the creation and implementation of kubetap.