Transparently record kubectl exec sessions with a DaemonSet using eBPF. No
client-side configuration or proxying required.
- Linux kernel version 1.15+
- Containerd configured as the CRI
- DaemonSet with a privileged pod that can run a bpf program and connect to the containerd socket
The exec-record daemonset loads a bpf program with a kprobe attached to the
tty_write kernel function. For each tty_write call, we check that the parent
process of the pid namespace matches the containerd-shim command and emit an
event to the process in user space.
In user space we receive the contents of each buffer passed to tty_write and the
pid of the owner of the pid namespace. From there, we can verify that the pid
matches a containerd task with exec_id process info metadata, confirming the
tty_write call belongs to a kubectl exec session.
The contents of the buffer are then appended to a file per session in asciicast format.
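
As an added illustration (not code from the exec-record project), here is one way the user-space side could append tty_write buffers to a per-session file. It assumes asciicast v2, a fixed 80x24 terminal size, and a hypothetical `Recorder` type keyed by a session id such as the containerd exec_id.

```go
package main

import (
	"encoding/json"
	"os"
	"path/filepath"
	"time"
)

// Recorder keeps one asciicast v2 file per exec session under dir.
type Recorder struct {
	dir   string
	files map[string]*os.File // open recordings; close when the exec task exits
	start map[string]time.Time
}

// Append records one tty_write buffer for session id (hypothetical key, e.g. the exec_id).
func (r *Recorder) Append(id string, at time.Time, buf []byte) error {
	f, seen := r.files[id]
	if !seen {
		// Base() keeps the name inside dir; O_EXCL refuses existing files and symlinks.
		name := filepath.Join(r.dir, filepath.Base(id)+".cast")
		var err error
		if f, err = os.OpenFile(name, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0o600); err != nil {
			return err
		}
		r.files[id], r.start[id] = f, at
	}
	enc := json.NewEncoder(f) // Encode writes one JSON value per line
	enc.SetEscapeHTML(false)
	if !seen {
		// Header line; 80x24 is assumed, the page does not say how size is obtained.
		hdr := map[string]any{"version": 2, "width": 80, "height": 24, "timestamp": at.Unix()}
		if err := enc.Encode(hdr); err != nil {
			return err
		}
	}
	// Event line: [seconds since start, "o", data]; JSON escapes control bytes.
	return enc.Encode([]any{at.Sub(r.start[id]).Seconds(), "o", string(buf)})
}

func main() {
	dir, _ := os.MkdirTemp("", "recordings")
	r := &Recorder{dir: dir, files: map[string]*os.File{}, start: map[string]time.Time{}}
	t0 := time.Unix(1700000000, 0) // constructed sample input
	r.Append("demo-exec", t0, []byte("root@nginx:/# "))
	r.Append("demo-exec", t0.Add(1500*time.Millisecond), []byte("hello world\r\n"))
	println("wrote", filepath.Join(dir, "demo-exec.cast"))
}
```

Because the recorded bytes are whatever the session wrote to the terminal, the files can contain secrets typed or printed during the exec, which is why the sketch creates them with mode 0600.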
- Support kernel versions older than 5.15
```sh
vagrant up
vagrant ssh
sudo su -
cd /vagrant
export CONTAINERD_RUNTIME_ENDPOINT="/var/run/k3s/containerd/containerd.sock"
mkdir /tmp/recordings
go generate -v ./...
go run -v .
```

```sh
vagrant ssh
sudo su -
k3s kubectl exec -it deploy/nginx-deployment -- bash
echo "hello world"
exit
ls /tmp/recordings
```