Kubernetes MITM using LoadBalancer or ExternalIPs

K8S_MITM_LoadBalancer_ExternalIPs/2-prechecks.cast

@@ -0,0 +1,83 @@
+{"version": 2, "width": 118, "height": 55, "timestamp": 1578172396, "env": {"SHELL": "/bin/bash", "TERM": "xterm-256color"}}
+[0.560469, "o", "$ "]
+[4.343757, "o", "kubectl get nodes"]
+[4.735118, "o", "\r\n"]
+[5.081462, "o", "NAME                                             STATUS   ROLES    AGE   VERSION"]
+[5.081824, "o", "\r\ngke-kubeproxy-tests-default-pool-05cd0c3c-7thw   Ready    <none>   16m   v1.15.4-gke.22\r\ngke-kubeproxy-tests-default-pool-05cd0c3c-css4   Ready    <none>   16m   v1.15.4-gke.22\r\ngke-kubeproxy-tests-default-pool-05cd0c3c-gs6l   Ready    <none>   16m   v1.15.4-gke.22\r\n"]
+[5.102637, "o", "$ "]
+[9.400383, "o", "gcloud compute ssh gke-kubeproxy-tests-default-pool-05cd0c3c-7thw -- cat /etc/resolv.conf 2>/dev/null | grep nameserver"]
+[10.509477, "o", "\r\n"]
+[20.654543, "o", "\u001b[01;31m\u001b[Knameserver\u001b[m\u001b[K 169.254.169.254\r\n"]
+[20.758007, "o", "$ "]
+[24.583298, "o", "# We see that the GKE nodes use 169.254.169.254 as DNS server, this is what we will intercept later"]
+[25.782003, "o", "\r\n"]
+[25.799445, "o", "$ "]
+[31.581664, "o", "# Deploy our 2 tests pods"]
+[32.696417, "o", "\r\n"]
+[32.718093, "o", "$ "]
+[41.318524, "o", "kubectl apply -f - <<'EOF'\r\n"]
+[41.319114, "o", "> apiVersion: v1\r\n> "]
+[41.319478, "o", "kind: Pod\r\n> metadata:\r\n"]
+[41.320184, "o", ">   name: dig-pod\r\n"]
+[41.320455, "o", "> spec:\r\n> "]
+[41.320541, "o", "  containers:\r\n"]
+[41.320742, "o", "> "]
+[41.321023, "o", "    - name: dig\r\n> "]
+[41.321553, "o", "      image: sequenceiq/alpine-dig:latest\r\n"]
+[41.321793, "o", "> "]
+[41.322399, "o", "      command: [ \"/bin/sleep\", \"3600\" ]\r\n"]
+[41.322763, "o", "> ---\r\n"]
+[41.322871, "o", "> "]
+[41.323237, "o", "apiVersion: v1\r\n"]
+[41.323331, "o", "> "]
+[41.323624, "o", "kind: Pod\r\n"]
+[41.323714, "o", "> "]
+[41.324027, "o", "metadata:\r\n"]
+[41.324124, "o", "> "]
+[41.324401, "o", "  name: dig-node\r\n"]
+[41.324655, "o", "> spec:\r\n"]
+[41.324928, "o", "> "]
+[41.32519, "o", "  hostNetwork: true\r\n"]
+[41.325694, "o", "> "]
+[41.326075, "o", "  containers:\r\n> "]
+[41.326326, "o", "    - name: dig\r\n"]
+[41.32672, "o", "> "]
+[41.327069, "o", "      image: sequenceiq/alpine-dig:latest\r\n"]
+[41.327442, "o", "> "]
+[41.327826, "o", "      command: [ \"/bin/sleep\", \"3600\" ]\r\n"]
+[41.328157, "o", "> "]
+[41.328412, "o", "EOF"]
+[41.328676, "o", "\r\n"]
+[42.191858, "o", "pod/dig-pod created\r\n"]
+[42.369446, "o", "pod/dig-node created\r\n"]
+[42.394425, "o", "$ "]
+[44.933541, "o", "\r\n"]
+[44.950158, "o", "$ "]
+[48.513473, "o", "# Check the normal results for \"dig kubernetes.io\""]
+[49.299613, "o", "\r\n"]
+[49.315544, "o", "$ "]
+[49.885713, "o", "\r\n"]
+[49.901122, "o", "$ "]
+[54.167493, "o", "kubectl exec dig-pod -- dig kubernetes.io"]
+[55.264824, "o", "\r\n"]
+[56.144141, "o", "\r\n; <<>> DiG 9.10.2 <<>> kubernetes.io\r\n;; global options: +cmd\r\n;; Got answer:\r\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20095\r\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\r\n\r\n;; OPT PSEUDOSECTION:\r\n; EDNS: version: 0, flags:; udp: 512\r\n;; QUESTION SECTION:\r\n;kubernetes.io.\t\t\tIN\tA\r\n\r\n;; ANSWER SECTION:\r\nkubernetes.io.\t\t299\tIN\tA\t45.54.44.102\r\n\r\n;; Query time: 4 msec\r\n;; SERVER: 10.23.240.10#53(10.23.240.10)\r\n;; WHEN: Sat Jan 04 21:14:13 UTC 2020\r\n;; MSG SIZE  rcvd: 58\r\n\r\n"]
+[56.200438, "o", "$ "]
+[58.531128, "o", "\r\n"]
+[58.546352, "o", "$ "]
+[61.603045, "o", "kubectl exec dig-node -- dig kubernetes.io"]
+[62.268094, "o", "\r\n"]
+[63.216817, "o", "\r\n; <<>> DiG 9.10.2 <<>> kubernetes.io\r\n;; global options: +cmd\r\n;; Got answer:\r\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42573\r\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\r\n\r\n;; OPT PSEUDOSECTION:\r\n; EDNS: version: 0, flags:; udp: 512\r\n;; QUESTION SECTION:\r\n;kubernetes.io.\t\t\tIN\tA\r\n\r\n;; ANSWER SECTION:\r\nkubernetes.io.\t\t299\tIN\tA\t45.54.44.102\r\n\r\n;; Query time: 3 msec\r\n;; SERVER: 169.254.169.254#53(169.254.169.254)\r\n;; WHEN: Sat Jan 04 21:14:20 UTC 2020\r\n;; MSG SIZE  rcvd: 58\r\n\r\n"]
+[63.254811, "o", "$ "]
+[63.889576, "o", "\r\n"]
+[63.905228, "o", "$ "]
+[64.050977, "o", "\r\n"]
+[64.066374, "o", "$ "]
+[103.196876, "o", "kubectl exec dig-pod -- dig kubernetes.io @169.254.169.254"]
+[103.839082, "o", "\r\n"]
+[104.851211, "o", "\r\n; <<>> DiG 9.10.2 <<>> kubernetes.io @169.254.169.254\r\n;; global options: +cmd\r\n;; Got answer:\r\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33409\r\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\r\n\r\n;; OPT PSEUDOSECTION:\r\n; EDNS: version: 0, flags:; udp: 512\r\n;; QUESTION SECTION:\r\n;kubernetes.io.\t\t\tIN\tA\r\n\r\n;; ANSWER SECTION:\r\nkubernetes.io.\t\t258\tIN\tA\t45.54.44.102\r\n\r\n;; Query time: 1 msec\r\n;; SERVER: 169.254.169.254#53(169.254.169.254)\r\n;; WHEN: Sat Jan 04 21:15:01 UTC 2020\r\n;; MSG SIZE  rcvd: 58\r\n\r\n"]
+[104.873841, "o", "$ "]
+[109.124757, "o", "kubectl exec dig-node -- dig kubernetes.io @169.254.169.254"]
+[110.264736, "o", "\r\n"]
+[111.133953, "o", "\r\n; <<>> DiG 9.10.2 <<>> kubernetes.io @169.254.169.254\r\n;; global options: +cmd\r\n;; Got answer:\r\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32082\r\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\r\n\r\n;; OPT PSEUDOSECTION:\r\n; EDNS: version: 0, flags:; udp: 512\r\n;; QUESTION SECTION:\r\n;kubernetes.io.\t\t\tIN\tA\r\n\r\n;; ANSWER SECTION:\r\nkubernetes.io.\t\t251\tIN\tA\t45.54.44.102\r\n\r\n;; Query time: 1 msec\r\n;; SERVER: 169.254.169.254#53(169.254.169.254)\r\n;; WHEN: Sat Jan 04 21:15:08 UTC 2020\r\n;; MSG SIZE  rcvd: 58\r\n\r\n"]
+[111.16403, "o", "$ "]
+[117.200456, "o", "exit\r\n"]