Filippo Gorlero
Tapping encrypted traffic in a Kubernetes cluster using sidecar-based service mesh.
Advisors: Fulvio Giovanni Ottavio Risso, Federico Parola. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2024
Abstract: | Modern 5G networks are increasingly deployed in cloud-native environments, where Network Functions (NFs) are containerized and orchestrated as Kubernetes Pods through Deployments or StatefulSets. In these architectures, service meshes such as Istio are commonly used to manage the complex interactions between microservices. This thesis addresses the challenge of capturing plain-text messages in cloud-native 5G environments, focusing on the HTTP/2-based control-plane traffic exchanged between Network Functions. The primary objective is to develop and evaluate methods for tapping plain traffic in a Kubernetes-orchestrated 5G environment that uses a sidecar-based service mesh, in which messages between Pods are encrypted. We investigate the use of eBPF to intercept TCP traffic at different points in the Linux kernel, with the specific goal of extracting useful data from the plain-text payloads exchanged between NF Pods. Our methodology implements and tests two eBPF approaches: attaching programs to the XDP hook point for early packet capture, and attaching a kprobe to tcp_sendmsg to intercept traffic at socket level. To understand how and where eBPF can be used, a key component of this research is an in-depth study of the Istio service mesh architecture and its traffic management mechanisms. This analysis is essential to understand how network communications are handled within the mesh: how the containers and sidecars in a Pod interact with each other, which addresses and ports are involved at every step of the communication path, and where the traffic is encrypted and where it is not. The two eBPF approaches are evaluated across three use cases, each exploring a different deployment scenario within the cloud-native architecture. We analyze the effectiveness, performance impact, and practical implementation requirements of each approach against our goals. The results come from several tests and evaluate the efficiency and accuracy of each capture method, the impact of the different applications on the cluster nodes and on the NF Pods, the permissions required to deploy each solution, and the additional Istio tools or containers that could be used to implement it. Our findings show the trade-offs between capture accuracy, system performance, implementation complexity, and operational overhead across the different eBPF deployment scenarios in our test environment, considering both technical performance and practical deployment considerations in cloud infrastructure. The final goals are to identify the best solution for a real production environment, according to the company's requirements, and to provide a comparison with the parallel project based on the Cilium service mesh. This research contributes to the understanding of advanced traffic interception techniques in cloud-native 5G environments based on the Istio service mesh, with a specific focus on reading unencrypted data between Network Functions, and offers practical guidance for implementing different traffic capture solutions in similar cloud-native 5G deployments. |
---|---|
Advisors: | Fulvio Giovanni Ottavio Risso, Federico Parola |
Academic year: | 2024/25 |
Publication type: | Electronic |
Number of pages: | 72 |
Additional information: | Embargoed thesis. Full text not available |
Subjects: | |
Degree programme: | Master's degree programme in Ingegneria Informatica (Computer Engineering) |
Degree class: | New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA |
Partner companies: | Infovista Italy S.r.l. |
URI: | http://webthesis.biblio.polito.it/id/eprint/33338 |
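As an added example that is not part of the thesis or of Istio's own tooling, the following Python script shows the user-space side of the tapping pipeline the abstract describes. Given the payload bytes an eBPF program (XDP on the Pod's interface, or a kprobe on tcp_sendmsg) copies up to user space, it tells a cleartext HTTP/2 stream apart from TLS records, which is the difference between tapping the app-to-sidecar hop on loopback and the sidecar-to-peer hop that Istio mTLS encrypts; it then walks the HTTP/2 frames and decodes the HPACK header block of the first request. The two sample captures, the hostname nrf.example and the request path are constructed for the example; the decoder handles the HPACK static table and literal non-Huffman fields only, and reports when a field would need the dynamic table or Huffman decoding.

```python
"""Triage of TCP payload bytes copied up from an eBPF tap (XDP or tcp_sendmsg kprobe).
Added example, not the thesis' code. The sample captures below are constructed."""

HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM", 4: "SETTINGS",
               5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY", 8: "WINDOW_UPDATE", 9: "CONTINUATION"}
# Part of the HPACK static table (RFC 7541, Appendix A): index -> (name, value).
HPACK_STATIC = {1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
                4: (":path", "/"), 5: (":path", "/index.html"), 6: (":scheme", "http"),
                7: (":scheme", "https"), 8: (":status", "200"), 9: (":status", "204"),
                10: (":status", "206"), 11: (":status", "304"), 12: (":status", "400"),
                13: (":status", "404"), 14: (":status", "500"), 19: ("accept", ""),
                28: ("content-length", ""), 31: ("content-type", "")}


def classify(payload: bytes) -> str:
    """Tell which side of the sidecar's TLS termination a capture comes from."""
    if payload.startswith(HTTP2_PREFACE):
        return "http2-cleartext"
    # TLS record header: content type 0x14..0x17, legacy version 0x03 0x01..0x04.
    if len(payload) >= 5 and 0x14 <= payload[0] <= 0x17 and payload[1] == 3 and 1 <= payload[2] <= 4:
        return "tls-record"
    return "unknown"


def parse_frames(data: bytes):
    """Split an HTTP/2 stream (preface already removed) into frames; returns (frames, truncated)."""
    frames, pos = [], 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        body = data[pos + 9:pos + 9 + length]
        if len(body) < length:  # capture ended in the middle of a frame
            return frames, True
        frames.append({"type": FRAME_TYPES.get(ftype, f"UNKNOWN({ftype})"),
                       "flags": flags, "stream": stream_id, "payload": body})
        pos += 9 + length
    return frames, pos != len(data)


def header_block(frame: dict) -> bytes:
    """Drop HEADERS padding (flag 0x8) and priority fields (flag 0x20) to get the HPACK block."""
    body = frame["payload"]
    if frame["flags"] & 0x08:
        body = body[1:len(body) - body[0]]
    if frame["flags"] & 0x20:
        body = body[5:]
    return body


def _read_int(block, pos, prefix_bits):
    """HPACK integer (RFC 7541, 5.1): N-bit prefix, then 7-bit continuation bytes."""
    mask = (1 << prefix_bits) - 1
    value, pos = block[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        byte, pos = block[pos], pos + 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos


def _read_string(block, pos):
    """HPACK string; returns None for Huffman-coded strings, which are not decoded here."""
    huffman = bool(block[pos] & 0x80)
    length, pos = _read_int(block, pos, 7)
    text = None if huffman else block[pos:pos + length].decode("ascii", "replace")
    return text, pos + length


def decode_header_block(block: bytes):
    """Decode static-table and literal (non-Huffman) fields; returns (headers, complete).
    complete is False at the first field that needs the dynamic table or Huffman decoding."""
    headers, pos = [], 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:  # indexed field
            idx, pos = _read_int(block, pos, 7)
            if idx not in HPACK_STATIC:
                return headers, False
            headers.append(HPACK_STATIC[idx])
            continue
        if first & 0x40:  # literal with incremental indexing (no dynamic table is kept)
            idx, pos = _read_int(block, pos, 6)
        elif first & 0x20:  # dynamic table size update
            _, pos = _read_int(block, pos, 5)
            continue
        else:  # literal without indexing / never indexed
            idx, pos = _read_int(block, pos, 4)
        if idx and idx not in HPACK_STATIC:
            return headers, False
        name, pos = (HPACK_STATIC[idx][0], pos) if idx else _read_string(block, pos)
        value, pos = _read_string(block, pos)
        if name is None or value is None:
            return headers, False
        headers.append((name, value))
    return headers, True


def analyze(payload: bytes) -> dict:
    """Full triage of one captured payload."""
    report = {"kind": classify(payload), "frames": [], "headers": [], "complete": False}
    if report["kind"] != "http2-cleartext":
        return report
    frames, truncated = parse_frames(payload[len(HTTP2_PREFACE):])
    report["frames"] = [f["type"] for f in frames]
    complete = not truncated
    for frame in frames:
        if frame["type"] == "HEADERS":
            hdrs, done = decode_header_block(header_block(frame))
            report["headers"].extend(hdrs)
            complete = complete and done
    report["complete"] = complete
    return report


def _frame(ftype, flags, stream_id, payload):
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


# Constructed samples for two tap points on the same NF request (not real captures).
# App container -> Envoy sidecar: loopback, redirected by iptables to Istio's outbound port 15001; cleartext.
APP_TO_SIDECAR = (HTTP2_PREFACE + _frame(4, 0, 0, b"") + _frame(1, 0x05, 1,
    b"\x82\x86"                              # :method GET, :scheme http (indexed)
    + b"\x04\x19/nnrf-nfm/v1/nf-instances"   # :path (name index 4), literal value
    + b"\x01\x0bnrf.example"                 # :authority (name index 1), literal value
    + b"\x0f\x04\x10application/json"))      # accept: index 19 = 15 + 4 (two-byte integer)
# Envoy sidecar -> peer Pod: leaves on the veth under Istio mTLS, so only TLS records are visible.
SIDECAR_TO_PEER = b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x03"

if __name__ == "__main__":
    for hop, capture in (("app->sidecar", APP_TO_SIDECAR), ("sidecar->peer", SIDECAR_TO_PEER)):
        print(hop, analyze(capture))
```

Run it directly to print both reports. On a real capture, feed analyze() the bytes read per connection from the eBPF program's ring buffer; a capture that starts mid-connection has no preface and must first be re-synchronised on a frame boundary, which this example does not attempt.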