Redis Enterprise for Kubernetes (REC) deployments occasionally require packet captures to troubleshoot connectivity issues, TLS handshakes, replication traffic, cluster communication, or interactions between Redis Enterprise components and external services. Because REC pods run within Kubernetes security boundaries, you cannot always install or run diagnostic tools directly inside the container.
This article explains two supported approaches for collecting packet captures using Kubernetes debug containers:
Option 1: Attach a debug container to an REC pod for pod-level traffic analysis.
Option 2: Attach a debug container to the worker node when pod security policies prevent direct access.
Use Option 1 whenever your Kubernetes environment allows ephemeral debug containers to share the REC pod's network namespace. Use Option 2 when security policies, admission controllers, or platform restrictions prevent pod-level debugging.
Quick Fix
| Situation | Recommended Approach |
|---|---|
| Need to capture traffic entering or leaving a specific REC pod | Use Option 1: Pod-level debug container |
| kubectl debug against the REC pod fails due to security restrictions | Use Option 2: Node-level capture |
| Need to inspect Redis Enterprise management traffic such as cnm_http | Capture traffic on port 9443 |
| Need to provide packet captures to Redis Support | Copy the .pcap file from the debug container before exiting |
| Running in a security-hardened Kubernetes environment | Use a node-level capture |
Prerequisites
Before collecting a packet capture:
Access to the Kubernetes cluster.
Permission to run kubectl debug.
Permission to create ephemeral containers or node debug containers.
A packet capture tool such as the Netshoot image (nicolaka/netshoot).
Sufficient disk space for packet capture files.
Knowledge of the target REC pod and relevant ports.
Option 1: Capture Traffic from an REC Pod
This method creates a temporary debug container that shares the REC pod's network namespace.
Step 1: Start a Debug Container
Replace the namespace and pod name as appropriate.
kubectl -n redis debug -it pod/rec-0 \
--image=nicolaka/netshoot \
--target=redis-enterprise-node \
--profile=sysadmin
Example output:
Targeting container "redis-enterprise-node".
Defaulting debug container name to debugger-zfhhj.
Important
Record the generated debug container name (for example, debugger-zfhhj). You will need it later when copying the capture file.
Note: This procedure may require elevated Kubernetes RBAC permissions and might need to be performed by a Kubernetes administrator.
Step 2: Start tcpdump
For example, to capture Redis Enterprise management traffic on port 9443:
tcpdump -vvv -i eth0 port 9443 -w /tmp/cnm_http.pcap
Example output:
tcpdump: listening on eth0
Allow the capture to run while reproducing the issue.
When finished, stop the capture with:
Ctrl+C
Step 3: Copy the Packet Capture File
From a separate terminal window, copy the capture file from the debug container.
Replace the container name with the value generated in your environment.
kubectl -n redis cp rec-0:/tmp/cnm_http.pcap ./cnm_http.pcap \
-c debugger-zfhhj \
--retries=3
Step 4: Exit the Debug Container
exit
Example output:
Session ended, the ephemeral container will not be restarted.
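The four steps above, wrapped into a non-interactive script. This is an added example, not part of the Redis article: it assumes kubectl is on PATH and the names the article uses (namespace redis, pod rec-0, container redis-enterprise-node); the port, capture duration and output file name are parameters, and the script relies on the "Defaulting debug container name to ..." message kubectl prints in Step 1 to find the container to copy from.

```bash
#!/usr/bin/env bash
# Added example (not from the Redis article): a non-interactive wrapper around
# Option 1. Assumes kubectl on PATH and the article's namespace/pod/container
# names; port, duration and output file name are hypothetical parameters.

# Recover the ephemeral container name from kubectl debug's own message, e.g.
# "Defaulting debug container name to debugger-zfhhj." (stdin -> stdout).
extract_debugger_name() {
  sed -n 's/^Defaulting debug container name to \([^.]*\)\.$/\1/p' | head -n 1
}

# The command run inside the netshoot container: tcpdump stops itself after
# DURATION seconds, then the container idles so kubectl cp can still exec into it
# (an ephemeral container that has exited can no longer be copied from).
remote_capture_cmd() {
  local port="$1" duration="$2" out="$3"
  printf 'timeout %s tcpdump -i eth0 port %s -w /tmp/%s; sleep 900' "$duration" "$port" "$out"
}

# Steps 1-3 of Option 1 end to end. Returns non-zero if the debug container
# name could not be determined, because the copy step depends on it.
capture_pod() {
  local ns="$1" pod="$2" port="$3" duration="$4" out="$5" name
  name=$(kubectl -n "$ns" debug "pod/$pod" --image=nicolaka/netshoot \
           --target=redis-enterprise-node --profile=sysadmin \
           -- sh -c "$(remote_capture_cmd "$port" "$duration" "$out")" 2>&1 \
         | extract_debugger_name)
  if [ -z "$name" ]; then
    echo "could not determine debug container name" >&2
    return 1
  fi
  echo "debug container $name: capturing port $port for ${duration}s" >&2
  sleep $((duration + 5))          # let tcpdump exit and flush the file
  kubectl -n "$ns" cp "$pod:/tmp/$out" "./$out" -c "$name" --retries=3
}

# Only run when invoked as "script.sh run", so the helpers can be sourced alone.
if [ "${1:-}" = run ]; then
  capture_pod redis rec-0 9443 60 cnm_http.pcap
fi
```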
Option 2: Capture Traffic from the Kubernetes Worker Node
Use this method when pod-level debugging is restricted by security policies.
Step 1: Identify the Node Hosting the REC Pod
List pods and determine the node where the target REC pod is running.
kubectl get pods -o wide
Example:
NAME READY STATUS IP NODE
rec-0 2/2 Running 10.42.8.136 worker-node-1
Record:
The REC pod IP address.
The worker node name.
Step 2: Create a Debug Container on the Worker Node
kubectl debug node/worker-node-1 -it \
--image=nicolaka/netshoot
A debug pod similar to the following is created:
node-debugger-worker-node-1-qpjln
Record the debug pod name for later use.
Step 3: Start tcpdump
Filter traffic by the REC pod IP address and the relevant port.
Example:
tcpdump -vvv -ni any \
host 10.42.8.136 and port 9443 \
-w /tmp/mycap.pcap
Allow the capture to run while reproducing the issue.
Stop the capture with:
Ctrl+C
Step 4: Copy the Capture File
From another terminal window:
kubectl cp \
node-debugger-worker-node-1-qpjln:/tmp/mycap.pcap \
./mycap.pcap
Step 5: Delete the Debug Pod
After the capture is collected:
kubectl delete pod node-debugger-worker-node-1-qpjln
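The same five steps for the node-level capture as a script. This is an added example, not code from the Redis article: it assumes kubectl is on PATH and that the current context's namespace holds the REC pod; it locates the pod IP and node by parsing the output of kubectl get pods -o wide (including the extra columns real output has), builds the Step 3 filter, and relies on the "Creating debugging pod ..." message kubectl prints to learn the debug pod name.

```bash
#!/usr/bin/env bash
# Added example (not from the Redis article): helpers for Option 2. Assumes
# kubectl on PATH and the REC pod in the current namespace; pod name, port,
# duration and output file name are hypothetical parameters.

# Read `kubectl get pods -o wide` output from stdin and print "IP NODE" for one
# pod. Columns are located by header name; the first occurrence wins, because the
# two-word headers NOMINATED NODE / READINESS GATES would otherwise shift NODE.
pod_ip_and_node() {
  awk -v pod="$1" '
    NR == 1 { for (i = 1; i <= NF; i++) if (!($i in col)) col[$i] = i; next }
    $1 == pod { print $col["IP"], $col["NODE"]; found = 1 }
    END { exit found ? 0 : 1 }'
}

# The BPF expression from Step 3: only traffic to/from the pod IP on one port.
node_capture_filter() {
  printf 'host %s and port %s' "$1" "$2"
}

# Steps 1-5 end to end: find the pod, run a bounded tcpdump on its node,
# copy the file out, then delete the debug pod.
capture_on_node() {
  local pod="$1" port="$2" duration="$3" out="$4" ipnode ip node filter dbg
  ipnode=$(kubectl get pods -o wide | pod_ip_and_node "$pod") || return 1
  ip=${ipnode% *}; node=${ipnode#* }
  filter=$(node_capture_filter "$ip" "$port")
  # Without -it, kubectl debug creates the pod and returns at once; its
  # "Creating debugging pod <name> ..." message carries the pod name.
  dbg=$(kubectl debug "node/$node" --image=nicolaka/netshoot \
          -- sh -c "timeout $duration tcpdump -ni any '$filter' -w /tmp/$out; sleep 900" 2>&1 \
        | sed -n 's/^Creating debugging pod \([^ ]*\) .*/\1/p')
  [ -n "$dbg" ] || { echo "could not determine debug pod name" >&2; return 1; }
  sleep $((duration + 5))          # let tcpdump exit and flush the file
  kubectl cp "$dbg:/tmp/$out" "./$out" && kubectl delete pod "$dbg"
}

if [ "${1:-}" = run ]; then
  capture_on_node rec-0 9443 60 mycap.pcap
fi
```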
Troubleshooting
| Issue | Resolution |
|---|---|
| kubectl debug is denied | Verify RBAC permissions and Kubernetes security policies. |
| Debug container starts but cannot capture packets | Confirm the container has sufficient privileges and required Linux capabilities. |
| No packets appear in the capture | Verify the correct interface, port, and pod IP address are being monitored. |
| Unable to copy the .pcap file | Confirm the correct debug container or debug pod name was specified. |
| Pod-level capture fails in a restricted environment | Use the node-level capture method instead. |
| Capture file is empty | Reproduce the issue while the capture is running and verify filters are not too restrictive. |
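A local check that distinguishes the "capture file is empty" case from a file that is not a capture at all, run on the copied .pcap before it goes to a support case. This is an added example, not part of the Redis article; it assumes the file was written by tcpdump -w in classic pcap format (a 24-byte global header followed by 16-byte packet record headers).

```bash
#!/usr/bin/env bash
# Added example (not from the Redis article): sanity-check a copied capture.
# Assumes classic pcap as written by tcpdump -w; no tcpdump needed locally.

# Print the first four bytes of a file as lowercase hex, e.g. "d4c3b2a1".
pcap_magic() {
  od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Classify a capture: prints "ok", "empty", "truncated" or "not-pcap" and
# returns 0 only for "ok". "empty" is the troubleshooting-table case: tcpdump
# ran and wrote its header, but the filter matched no packets.
pcap_check() {
  local f="$1" size magic
  [ -f "$f" ] || { echo "not-pcap"; return 1; }
  size=$(wc -c < "$f" | tr -d ' ')
  magic=$(pcap_magic "$f")
  case "$magic" in
    d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) ;;   # microsecond/nanosecond, either byte order
    *) echo "not-pcap"; return 1 ;;
  esac
  if [ "$size" -eq 24 ]; then
    echo "empty"; return 1        # global header only: zero packets captured
  elif [ "$size" -lt 40 ]; then
    echo "truncated"; return 1    # shorter than header + one record header
  fi
  echo "ok"
}

if [ "${1:-}" ]; then
  pcap_check "$1"
fi
```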
When to Use Each Method
| Method | Best For |
|---|---|
| Pod-level debug container | Capturing traffic associated with a specific REC pod |
| Node-level debug container | Security-restricted environments or situations where pod-level debugging is unavailable |
Next Steps
If you are collecting packet captures for a Redis Support investigation:
Reproduce the issue while the capture is running.
Stop the capture as soon as the issue occurs.
Compress the .pcap file if it is large.
Attach the capture to your Redis Support case along with timestamps and a description of the observed behavior.