Konubinix' opinionated web of thoughts

Kubernetes: debug Running Pods

Fleeting

kubernetes, Debug Running Pods

to test how a container restarts

to dig into the filesystem of some distroless container (/proc/1/root)

kubectl debug with the --target option [1].

k debug -ti pod/clk-collector-6cd64d897b-dxdk9 --image busybox --target otc-container

get access to the filesystem

in the debug container, /proc/1/root is the filesystem of the main container.

But you may get a permission denied error. In that case, look at its user and group:

ls -n /proc/1/root

lrwxrwxrwx 1 10001 0 0 Nov 3 16:55 /proc/1/root

Then, create a user with those exact user and group id.

adduser -u 10001 -G root test

Then su to that user and you will have access to the container filesystem.
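
The uid/gid matching steps above, as an added example that is not part of the original notes. It goes slightly beyond the case shown: when the gid has no entry in /etc/group, a group is created first, because adduser -G takes a group name. It assumes busybox adduser/addgroup; plan_debug_user, group_name and the default login dbg are hypothetical names.

```sh
#!/bin/sh
# Added example, not from the original notes. Meant for the debug container.
# Assumes busybox adduser/addgroup; "dbg" is a hypothetical default login.

# Name of the group with numeric id $1 in group file $2, empty if none.
group_name() {
    awk -F: -v gid="$1" '$3 == gid { print $1; exit }' "$2"
}

# Print the commands that create and switch to a user whose uid/gid match
# the owner shown in one `ls -n` line ($1).
# $2 = login name (default dbg), $3 = group file (default /etc/group).
plan_debug_user() {
    line=$1
    login=${2:-dbg}
    gfile=${3:-/etc/group}
    # In `ls -n` output, field 3 is the numeric uid and field 4 the gid.
    uid=$(printf '%s\n' "$line" | awk '{ print $3 }')
    gid=$(printf '%s\n' "$line" | awk '{ print $4 }')
    for n in "$uid" "$gid"; do
        case "$n" in
            ''|*[!0-9]*)
                echo "cannot parse uid/gid from: $line" >&2
                return 1 ;;
        esac
    done
    group=$(group_name "$gid" "$gfile")
    if [ -z "$group" ]; then
        # No group has this gid yet, so create one named after the login.
        group=$login
        echo "addgroup -g $gid $group"
    fi
    # -D skips the interactive password prompt of busybox adduser.
    echo "adduser -D -u $uid -G $group $login"
    echo "su $login"
}

# Usage inside the debug container (prints the commands to review and run):
#   plan_debug_user "$(ls -n /proc/1/root)" test
```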

looking at the listening ports

The debug container shares the same network namespace, so simply run netstat -tupln

to start another pod like the one you want to debug with slightly modified settings

changing the image and the command of the container

k debug -ti pod/clk-collector-6cd64d897b-dxdk9 --copy-to test --image busybox --container otc-container -- sh

[2]

creating a copy of the pod with a debug container inside [3]

k debug -ti pod/clk-collector-6cd64d897b-dxdk9 --copy-to test --image busybox --share-processes -- sh

This is slightly less practical than the "to dig into the filesystem of some distroless container" approach above, as /proc/1 is not necessarily the container to debug here.

run the same pod with a different command [4]

k debug -ti pod/clk-collector-6cd64d897b-dxdk9 --copy-to test --container otc-container -- sh

This won’t help for distroless ones.

It may be useful in combination with --set-image to provide a devel version of the image, not distroless [5].

debug the node itself

kubectl debug node/mynode -it --image=ubuntu

https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/

This will mount the node filesystem under /host


  1. kubectl debug -it ephemeral-demo --image=busybox:1.28 --target=ephemeral-demo Defaulting debug

    https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/

     ↩︎
  2. can use kubectl debug to create a copy of this Pod with the command changed to an interactive kubectl debug myapp -it --copy-to=myapp-debug --container=myapp -- sh If you don’t

    https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/

     ↩︎
  3. kubectl debug myapp -it --image=ubuntu --share-processes --copy-to=myapp-debug Defaulting

    https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/

     ↩︎
  4. Now you have an interactive shell that you can use to perform tasks like checking filesystem paths or running the container command manually.

    https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/

     ↩︎
  5. kubectl debug myapp --copy-to=myapp-debug --set-image=*=ubuntu The syntax

    https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/

    may want to change a misbehaving Pod from its normal production container images to an image containing a debugging build or additional utilities.

    https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/

     ↩︎