Ephemeral Containers
kubespy
* kubectl plugin
* spy container joins namespaces: pid/net/ipc/mount
+ kubespy works without the Ephemeral Containers feature
- the cluster must use docker as the container runtime
- works with privileged pods
kubectl exec
Logs directly into the container, so all of its namespaces are shared.
===========================================
Ephemeral Containers
- Here the net and ipc namespaces are shared. Optionally the pid namespace can be shared using 'kubectl debug --target' or the shareProcessNamespace flag in the pod spec.
- A list of containers
- It is empty at the beginning.
- It can be updated only once in the lifetime of the pod, using PATCH (not 'kubectl edit'). 'kubectl debug' can be used as well.
- The list is not modified even after the ephemeral container terminates.
- Pod-level cgroups apply.
- The mnt namespace is not shared. Workaround: access the mnt namespace of another container via /proc/<PID>/root if shareProcessNamespace = true.
+ easy to use
+ non-destructive
+ powerful low level tools
Attach ephemeral container
kubectl debug -it --attach=false -c debugger --image=busybox ${POD_NAME}
This modifies the pod spec and pod status. We can attach to the running ephemeral container with
kubectl attach -it -c debugger ${POD_NAME}
The kubectl debug command has another useful option, '--copy-to <new-name>': a new pod is created as a copy of the target. It is not part of the deployment and not part of the k8s service; it is like a canary.
We cannot mount a volume on an ephemeral container using 'kubectl debug'. To mount a volume on an ephemeral container, use the k8s API:
curl localhost:8001/api/v1/namespaces/default/pods/${POD_NAME}/ephemeralcontainers \
  -XPATCH \
  -H 'Content-Type: application/strategic-merge-patch+json' \
  -d '
{
  "spec": {
    "ephemeralContainers": [
      {
        "name": "debugger",
        "command": ["sh"],
        "image": "busybox",
        "targetContainerName": "app",
        "stdin": true,
        "tty": true,
        "volumeMounts": [{
          "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
          "name": "kube-api-access-qnhvv",
          "readOnly": true
        }]
      }
    ]
  }
}'
We can also start an ephemeral container in privileged mode (note the securityContext entry):
curl localhost:8001/api/v1/namespaces/default/pods/${POD_NAME}/ephemeralcontainers \
  -XPATCH \
  -H 'Content-Type: application/strategic-merge-patch+json' \
  -d '
{
  "spec": {
    "ephemeralContainers": [
      {
        "name": "debugger",
        "command": ["sh"],
        "image": "busybox",
        "targetContainerName": "app",
        "securityContext": { "privileged": true },
        "stdin": true,
        "tty": true,
        "volumeMounts": [{
          "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
          "name": "kube-api-access-qnhvv",
          "readOnly": true
        }]
      }
    ]
  }
}'
Sharing the pid namespace with Ephemeral Containers
- The pid namespace is not shared unless shareProcessNamespace = true.
- If we change shareProcessNamespace, the pod gets restarted. Setting shareProcessNamespace = true by default reduces isolation between the containers of the same pod.
- Use the 'kubectl debug' command with '--target=<target container name>'.
With the shareProcessNamespace flag, all containers and the ephemeral container share a common pid namespace. With the --target option, only the ephemeral container and the one target container in the pod share a pid namespace; the other containers in the pod keep their own.
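The following POSIX shell helper is an added example, not from the original post: it generates the strategic-merge-patch body that the curl commands above send to the pods/<name>/ephemeralcontainers subresource, so the plain, --target-scoped, privileged and volume-mount variants come from one function instead of hand-edited JSON. It goes slightly beyond the post by adding a defender-side listing: since the ephemeralContainers list is never pruned, it records every debugger ever attached to a pod, including any that asked for privileged mode. It assumes 'kubectl proxy' is listening on localhost:8001 as in the post; all pod, container and volume names are placeholders.

```shell
#!/bin/sh
# Added helper (not from the original post). Builds and submits the patch body for the
# ephemeralcontainers subresource and lists what has been attached so far.
# Assumption: 'kubectl proxy' is running on localhost:8001; names are placeholders.

# ephemeral_patch_body NAME IMAGE TARGET [MODE] [EXTRA_JSON]
#   MODE       "privileged" adds securityContext.privileged=true; anything else does not
#   EXTRA_JSON optional raw JSON members (e.g. a "volumeMounts" list) spliced into the
#              container object, which 'kubectl debug' cannot express
ephemeral_patch_body() {
  name=$1; image=$2; target=$3; mode=${4:-}; extra=${5:-}
  sec=''
  if [ "$mode" = "privileged" ]; then
    sec='"securityContext":{"privileged":true},'
  fi
  # One-line JSON; $sec and $extra each carry their own trailing comma when present.
  cat <<EOF
{"spec":{"ephemeralContainers":[{"name":"$name","image":"$image","command":["sh"],"targetContainerName":"$target",$sec${extra:+$extra,}"stdin":true,"tty":true}]}}
EOF
}

# add_ephemeral_container NAMESPACE POD NAME IMAGE TARGET [MODE] [EXTRA_JSON]
# Ephemeral containers can be added but never removed, so use a fresh NAME per attach.
add_ephemeral_container() {
  ns=$1; pod=$2; shift 2
  curl -sS -XPATCH \
    -H 'Content-Type: application/strategic-merge-patch+json' \
    -d "$(ephemeral_patch_body "$@")" \
    "localhost:8001/api/v1/namespaces/$ns/pods/$pod/ephemeralcontainers"
}

# list_ephemeral_containers NAMESPACE POD
# Defender-side check: prints name, image and the privileged flag of every ephemeral
# container ever added to the pod (the list survives container termination).
list_ephemeral_containers() {
  kubectl -n "$1" get pod "$2" \
    -o jsonpath='{range .spec.ephemeralContainers[*]}{.name}{"\t"}{.image}{"\t"}{.securityContext.privileged}{"\n"}{end}'
}

# Usage against a live cluster (after 'kubectl proxy &'):
#   add_ephemeral_container default "$POD_NAME" debugger busybox app privileged
#   add_ephemeral_container default "$POD_NAME" debugger2 busybox app "" \
#     '"volumeMounts":[{"mountPath":"/data","name":"data","readOnly":true}]'
#   list_ephemeral_containers default "$POD_NAME"
```

The body builder is kept separate from the curl call so it can be inspected (or fed to a policy check) before anything reaches the API server; the listing function is the cheap way to audit which pods have had privileged debuggers attached.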
Ephemeral Containers Example
- KoolKits
--koolkit-jvm
--koolkit-node
--koolkit-python
Reference: https://hub.docker.com/r/lightruncom/koolkits
- netshoot
It has system-level diagnosis tools like strace, ltrace, tcpdump, etc.
Reference: https://github.com/nicolaka/netshoot
Reference:
https://iximiuz.com/en/posts/kubernetes-ephemeral-containers/
https://www.youtube.com/watch?v=obasTgzhVR0