Inspect traffic between kubelet and api-server

Is there any simple way to inspect unencrypted protobuf traffic between kubelet and api-server?

This is for research purposes. I may need to ultimately implement kubelet interface for minor feature subset. I know there are things like virtual-kubelet - and that might later become part of the solution. But for now I am mapping my options to study the protocol in detail.

Kubernetes is a new thing to me and I’m still learning the basics (e.g. kubeadm setup, local VirtualBox instances). I don’t know TLS that well, but if no other option, I am prepared to learn it in more detail.

What I have found out or considered so far:

  • no obvious way to disable TLS between kubelet and api-sever to inspect with wireshark
  • it might be possible to feed TLS certificates / keys to wireshark, at least for earlier TLS versions
  • eldadru/ksniff tool seemed promising, but realized it is supposedly only for observing pod traffic
  • mitmproxy seems one option, but uncertain of the learning curve
  • modify the code of api-server and kubelet to disable TLS support is one option, but probably quite difficult or not practical

Maybe I am missing something obvious.

Any thoughts?