Minimum required RBAC for user to successfully sniff

[RevREB]

I am wondering if you've done any tuning on figuring out what the minimum required RBAC permissions for a user would been to be to get a successful sniff.

[RevREB]

Side note this tool is awesome.

[eldadru]

Hi @RevREB thanks for using ksniff, glad you liked it!

I didn't check the minimum required permissions, I guess that the privileged mode requires higher permissions as it's creating new pod with access to the hosting node.

The upload mode will probably require less permissions because it's only execute tcpdump on existing pod.

In case you will have more detailed answer, it will be super helpful if you will update the project README with this information.

Eldad.

[RevREB]

I'm still gonna dig into it later... but does this basically just exec into the pod and and run tcpdump and pipe the stdout back across the wire?

[eldadru]

Yeah, what you described is the "exec mode"
Privileged mode is different:

• Deploy new pod with access to docker daemon unix socket file

• From the new privileged pod, create new docker container on the same node which attaches to the target pod network namespace.

• exec tcpdump on our new container, pipe stdout over the wire

[RevREB]

ok, ill play with RBAC this weekend and find the Lowest required perms.

[eldadru]

Closing for now, @RevREB if you did found the minimum required permissions, please open a pull request with your findings - thanks!