Mirrord 3.0 – Mirror a pod's network traffic and file system accesses locally (metalbear.co)
39 points by Gadiguibou on Oct 20, 2022 | 3 comments


Thanks for posting mirrord! One of the creators here, feel free to ask anything.


First time I see this piece of software and I'm both intrigued and scared of what it's capable of. My fear (as a k8s administrator) comes from not yet understanding the details of how it works. Yes, I've read the linked article and the project's readme on GitHub, and they didn't contain the important details.

Does this tool work with any k8s cluster? Or does one at first need to install an operator into their cluster?

Does this tool talk to kubernetes API? If yes - then does it rely on kubectl's config or what?

https://mirrord.dev/docs/overview/faq/ - Here I've found an answer to "how exactly does it do its magic?":

> Does mirrord install anything on the cluster?

> No, mirrord doesn’t install anything on the cluster, nor does it have any persistent state. It does spawn a short-living pod/container to run the proxy, which is automatically removed when mirrord exits.

> If you have any restrictions for pulling external images inside your cluster, you have to allow pulling of ghcr.io/metalbear-co/mirrord image.

and also another important detail:

> Since mirrord uses the dynamic linker to load into the application’s process, it cannot load if the binary is statically linked.


It does work with any k8s cluster, no operator needed. It indeed relies on kubectl's config to talk to the k8s API. All that's needed is permissions to run privileged pods (or if you've configured mirrord to use ephemeral containers, not even that).

We're currently working on a more enterprise-oriented version where you would have a persistent operator in the cluster, and it would let you properly manage RBAC, rather than relying on each user's kubectl.

Thanks for pointing all of this out! We'll try to make this info more easily accessible.
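
For the cluster-administrator concern raised in the thread, an added example (not from the thread or the mirrord project): a Python audit over saved `kubectl get pods -A -o json` output that flags containers running the `ghcr.io/metalbear-co/mirrord` image named in the FAQ, ephemeral containers included, and reports whether each is privileged. The pod names, namespaces, image tag and digest in the sample are constructed.

```python
import json
import sys

# Image name taken from the mirrord FAQ quoted in the thread.
MIRRORD_IMAGE = "ghcr.io/metalbear-co/mirrord"

def image_repo(image):
    """Strip digest and tag, keeping a registry port such as host:5000 intact."""
    name = image.split("@", 1)[0]
    head, sep, tail = name.rpartition("/")
    return head + sep + tail.split(":", 1)[0]

def find_mirrord_agents(pod_list):
    """Return one finding per container that runs the mirrord image."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for field in ("containers", "initContainers", "ephemeralContainers"):
            for c in spec.get(field) or []:
                if image_repo(c.get("image", "")) != MIRRORD_IMAGE:
                    continue
                sc = c.get("securityContext") or {}
                findings.append({
                    "namespace": meta.get("namespace"),
                    "pod": meta.get("name"),
                    "container": c.get("name"),
                    "kind": field,
                    "privileged": bool(sc.get("privileged", False)),
                })
    return findings

# Constructed sample input: names, namespaces, tag and digest are made up.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web-1"},
     "spec": {"containers": [{"name": "web", "image": "nginx:1.23"}]}},
    {"metadata": {"namespace": "shop", "name": "agent-pod-example"},
     "spec": {"containers": [{"name": "agent", "image": MIRRORD_IMAGE + ":3.0.0",
                              "securityContext": {"privileged": True}}]}},
    {"metadata": {"namespace": "pay", "name": "api-1"},
     "spec": {"containers": [{"name": "api", "image": "localhost:5000/api:2"}],
              "ephemeralContainers": [{"name": "debug-example",
                                       "image": MIRRORD_IMAGE + "@sha256:0000"}]}},
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in find_mirrord_agents(data):
        print(finding)
```

Because the FAQ says the agent is removed when mirrord exits, a point-in-time listing only catches sessions that are in progress when the pod list is taken.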



