Is there any simple way to inspect unencrypted protobuf traffic between kubelet and api-server?
This is for research purposes. I may ultimately need to implement the kubelet interface for a minor feature subset. I know there are things like virtual-kubelet, and that might later become part of the solution. But for now I am mapping my options to study the protocol in detail.
Kubernetes is a new thing to me and I’m still learning the basics (e.g. kubeadm setup, local VirtualBox instances). I don’t know TLS that well, but if there is no other option, I am prepared to learn it in more detail.
What I have found out or considered so far:
- no obvious way to disable TLS between kubelet and api-server to inspect with Wireshark
- it might be possible to feed TLS certificates / keys to Wireshark, at least for earlier TLS versions
- the eldadru/ksniff tool seemed promising, but I realized it is supposedly only for observing pod traffic
- mitmproxy seems like one option, but I am uncertain of the learning curve
- modifying the code of api-server and kubelet to disable TLS support is one option, but probably quite difficult or not practical
Maybe I am missing something obvious.
Any thoughts?