unknown service runtime.v1alpha2.ImageService on EKS 1.33

[lambchr]

I can't seem to run the ksniff tool on an EKS cluster version 1.33. I have confirmed that the same command works on an EKS cluster version 1.31.

➜ kubectl sniff my-pod \
  --namespace my-namespace \
--container my-container \
  --filter "host my.host.com" \
  --output-file /tmp/my-pod.pcap \
  --privileged
INFO[0000] sniffing method: privileged pod
INFO[0000] sniffing on pod: 'my-pod' [namespace: 'my-namespace', container: 'my-container', filter: 'host my.host.com', interface: 'any']
INFO[0000] creating privileged pod on node: 'ip-10-25-36-65.us-east-2.compute.internal'
INFO[0001] pod: 'ksniff-6thh9' created successfully in namespace: 'my-namespace'
INFO[0001] waiting for pod successful startup
INFO[0002] pod: 'ksniff-6thh9' created successfully on node: 'ip-10-25-36-65.us-east-2.compute.internal'
INFO[0002] output file option specified, storing output in: '/tmp/my-pod.pcap'
INFO[0002] starting remote sniffing using privileged pod
INFO[0002] executing command: '[/bin/sh -c
    set -ex
    export CONTAINERD_SOCKET="/run/containerd/containerd.sock"
    export CONTAINERD_NAMESPACE="k8s.io"
    export CONTAINER_RUNTIME_ENDPOINT="unix:///host${CONTAINERD_SOCKET}"
    export IMAGE_SERVICE_ENDPOINT=${CONTAINER_RUNTIME_ENDPOINT}
    crictl pull docker.io/maintained/tcpdump:latest >/dev/null
    netns=$(crictl inspect 616123853eadba113827acea67d81d55a4f523249f1ed541ef04d1acbef6c2d6 | jq '.info.runtimeSpec.linux.namespaces[] | select(.type == "network") | .path' | tr -d '"')
    exec chroot /host ctr -a ${CONTAINERD_SOCKET} run --rm --with-ns "network:${netns}" docker.io/maintained/tcpdump:latest ksniff-container-vCPFbXvS tcpdump -i any -U -w - host my.host.com
    ]' on container: 'ksniff-privileged', pod: 'ksniff-6thh9', namespace: 'my-namespace'
INFO[0003] command: '[/bin/sh -c
    set -ex
    export CONTAINERD_SOCKET="/run/containerd/containerd.sock"
    export CONTAINERD_NAMESPACE="k8s.io"
    export CONTAINER_RUNTIME_ENDPOINT="unix:///host${CONTAINERD_SOCKET}"
    export IMAGE_SERVICE_ENDPOINT=${CONTAINER_RUNTIME_ENDPOINT}
    crictl pull docker.io/maintained/tcpdump:latest >/dev/null
    netns=$(crictl inspect 616123853eadba113827acea67d81d55a4f523249f1ed541ef04d1acbef6c2d6 | jq '.info.runtimeSpec.linux.namespaces[] | select(.type == "network") | .path' | tr -d '"')
    exec chroot /host ctr -a ${CONTAINERD_SOCKET} run --rm --with-ns "network:${netns}" docker.io/maintained/tcpdump:latest ksniff-container-vCPFbXvS tcpdump -i any -U -w - host my.host.com
    ]' executing successfully exitCode: '1', stdErr :'+ export 'CONTAINERD_SOCKET=/run/containerd/containerd.sock'
+ export 'CONTAINERD_NAMESPACE=k8s.io'
+ export 'CONTAINER_RUNTIME_ENDPOINT=unix:///host/run/containerd/containerd.sock'
+ export 'IMAGE_SERVICE_ENDPOINT=unix:///host/run/containerd/containerd.sock'
+ crictl pull docker.io/maintained/tcpdump:latest
time="2025-06-16T12:50:30Z" level=fatal msg="pulling image: rpc error: code = Unimplemented desc = unknown service runtime.v1alpha2.ImageService"
'
INFO[0003] remote sniffing using privileged pod completed
INFO[0003] starting sniffer cleanup
INFO[0003] removing privileged container: 'ksniff-privileged'
INFO[0003] executing command: '[/bin/sh -c
    set -ex
    export CONTAINERD_SOCKET="/run/containerd/containerd.sock"
    export CONTAINERD_NAMESPACE="k8s.io"
    export CONTAINER_ID="ksniff-container-vCPFbXvS"
    chroot /host ctr -a ${CONTAINERD_SOCKET} task kill -s SIGKILL ${CONTAINER_ID}
    ]' on container: 'ksniff-privileged', pod: 'ksniff-6thh9', namespace: 'my-namespace'
INFO[0004] command: '[/bin/sh -c
    set -ex
    export CONTAINERD_SOCKET="/run/containerd/containerd.sock"
    export CONTAINERD_NAMESPACE="k8s.io"
    export CONTAINER_ID="ksniff-container-vCPFbXvS"
    chroot /host ctr -a ${CONTAINERD_SOCKET} task kill -s SIGKILL ${CONTAINER_ID}
    ]' executing successfully exitCode: '1', stdErr :'+ export 'CONTAINERD_SOCKET=/run/containerd/containerd.sock'
+ export 'CONTAINERD_NAMESPACE=k8s.io'
+ export 'CONTAINER_ID=ksniff-container-vCPFbXvS'
+ chroot /host ctr -a /run/containerd/containerd.sock task kill -s SIGKILL ksniff-container-vCPFbXvS
ctr: container "ksniff-container-vCPFbXvS" in namespace "k8s.io": not found
'
INFO[0004] privileged container: 'ksniff-privileged' removed successfully
INFO[0004] removing pod: 'ksniff-6thh9'
INFO[0004] removing privileged pod: 'ksniff-6thh9'
INFO[0004] privileged pod: 'ksniff-6thh9' removed
INFO[0004] pod: 'ksniff-6thh9' removed successfully
INFO[0004] sniffer cleanup completed successfully

Here is the version:

➜ kubectl version
Client Version: v1.33.0
Kustomize Version: v5.6.0
Server Version: v1.33.1-eks-7308294

I think it may have something to do with the version of containerd used in this tool vs the newer version of EKS k8s. Would you be able to help me figure out how to run ksniff on later EKS versions?

[alkur-gh]

had the same error with k8s v1.32.5

fixed by creating a new image with updated crictl
from https://github.com/hamravesh/ksniff-helper/blob/master/Dockerfile
to

FROM alpine

RUN apk add --no-cache jq

RUN wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.33.0/crictl-v1.33.0-linux-amd64.tar.gz && \
    tar xzf crictl-v1.33.0-linux-amd64.tar.gz && \
    mv crictl /usr/bin && \
    rm crictl-v1.33.0-linux-amd64.tar.gz

kubectl sniff --image .../ksniff-helper:v4

[fergusean]

Thanks for the work on that @alkur-gh.

I've forked the original and applied your changes @ https://github.com/signal24/ksniff-helper w/ a build pipeline. The image is available at: ghcr.io/signal24/ksniff-helper:latest for anyone else who needs it but doesn't want to build your own.