

GitHub - aylei/kubectl-debug: Debug your pod by a new container with every troub...
source link: https://github.com/aylei/kubectl-debug

Kubectl-debug
Overview
kubectl-debug is an out-of-tree solution for troubleshooting running pods, which allows you to run a new container in running pods for debugging purposes. The new container will join the pid, network, user and ipc namespaces of the target container, so you can use arbitrary troubleshooting tools without pre-installing them in your production container image.
- demo
- quick start
- build from source
- default image and entrypoints
- future works
- implementation details
- contribute
Demo
Quick Start
kubectl-debug is pretty simple, give it a try!
Install the debug agent DaemonSet in your cluster, which is responsible for running the "new container":
kubectl apply -f https://raw.githubusercontent.com/aylei/kubectl-debug/master/scripts/agent_daemonset.yml
Install the kubectl debug plugin:
# Linux
curl -Lo kubectl-debug https://github.com/aylei/kubectl-debug/releases/download/0.0.1/kubectl-debug_0.0.1_linux-amd64
# MacOS
curl -Lo kubectl-debug https://github.com/aylei/kubectl-debug/releases/download/0.0.1/kubectl-debug_0.0.1_macos-amd64

# make the plugin executable and move it onto your PATH
chmod +x ./kubectl-debug
mv kubectl-debug /usr/local/bin/
For Windows users, download the latest binary from the release page and add it to your PATH.
Try it out!
kubectl debug POD_NAME
# learn more with
kubectl debug -h
Compatibility: I've tested kubectl-debug with kubectl v1.13.1 and kubernetes v1.9.1. I don't have an environment to test more versions but I suppose that kubectl-debug is compatible with all versions of kubernetes and kubectl 1.12.0+. Please file an issue if you find kubectl-debug does not work.
Build from source
Clone this repo and:
# build plugin
go build -o kubectl-debug ./cmd/plugin
# install plugin
mv kubectl-debug /usr/local/bin
# build agent
go build -o debug-agent ./cmd/agent
# build agent image
docker build . -t debug-agent
Default image and entrypoint
kubectl-debug uses nicolaka/netshoot as the default image to run the debug container, and uses bash as the default entrypoint.
You can override the default image and entrypoint with CLI flags, or even better, with the config file ~/.kube/debug-config:
agent_port: 10027
image: nicolaka/netshoot:latest
command:
- '/bin/bash'
- '-l'
PS: kubectl-debug will always override the entrypoint of the container, which is by design to avoid users running an unwanted service by mistake (of course you can always do this explicitly).
Future works
kubectl-debug is supposed to be just a troubleshooting helper, and is going to be replaced by the native kubectl debug command when this proposal is implemented and merged in a future kubernetes release. But for now, there is still some work to do to improve kubectl-debug.
- Security. kubectl-debug runs a privileged agent on every node, and the client talks to the agent directly. A possible solution is introducing a central apiserver to do RBAC, which integrates with the kube apiserver using the aggregation layer.
- Protocol. kubectl-debug vendors the SPDY wrapper from client-go. SPDY is deprecated now, websockets may be a better choice.
Details
kubectl-debug consists of 2 components:
- the kubectl plugin: a cli client of the node agent, serves the kubectl debug command,
- the node agent: responsible for manipulating the "debug container"; the node agent will also act as a websockets relay for remote tty
When a user runs kubectl debug target-pod -c <container-name> /bin/bash:
- The plugin gets the pod info from the apiserver and extracts the hostIP; if the target container does not exist or is not currently running, an error is raised.
- The plugin sends an HTTP request to the specific node agent running on the hostIP, which includes a protocol upgrade from HTTP to SPDY.
- The agent runs a container in the pod's namespaces (ipc, pid, network, etc) with STDIN kept open (-i flag).
- The agent checks if the target container is actively running; if not, it writes an error to the client.
- The agent runs a debug container with tty and stdin opened; the debug container will join the pid, network, ipc and user namespaces of the target container.
- The agent pipes the connection io to the debug container using attach.
- Debug in the debug container.
- Job's done, the user closes the SPDY connection.
- The node agent closes the SPDY connection, then waits for the debug container to exit and does the cleanup.
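The first step of the flow above, written out as an added example (not kubectl-debug's own code): given the Pod JSON from the apiserver, extract the hostIP, reject a missing or non-running target container, and return the address of the node agent. The helper name resolveAgent and the sample pod are constructed for illustration; port 10027 is the agent_port from the config shown earlier.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strconv"
)

// Constructed sample: the status part of a Pod as returned by the apiserver.
const samplePod = `{"status":{"hostIP":"10.0.0.12","containerStatuses":[
 {"name":"app","state":{"running":{"startedAt":"2019-01-01T00:00:00Z"}}},
 {"name":"sidecar","state":{"waiting":{"reason":"CrashLoopBackOff"}}}]}}`

// pod maps only the Pod fields this check needs.
type pod struct {
	Status struct {
		HostIP            string `json:"hostIP"`
		ContainerStatuses []struct {
			Name  string `json:"name"`
			State struct {
				Running *struct{} `json:"running"` // non-nil only while running
			} `json:"state"`
		} `json:"containerStatuses"`
	} `json:"status"`
}

// resolveAgent (hypothetical helper) returns host:port of the node agent for a running target container.
func resolveAgent(podJSON []byte, container string, agentPort int) (string, error) {
	var p pod
	if err := json.Unmarshal(podJSON, &p); err != nil {
		return "", fmt.Errorf("decode pod: %w", err)
	}
	if p.Status.HostIP == "" {
		return "", fmt.Errorf("pod has no hostIP yet")
	}
	for _, cs := range p.Status.ContainerStatuses {
		if cs.Name != container {
			continue
		}
		if cs.State.Running == nil {
			return "", fmt.Errorf("container %q is not running", container)
		}
		return net.JoinHostPort(p.Status.HostIP, strconv.Itoa(agentPort)), nil
	}
	return "", fmt.Errorf("container %q does not exist in pod", container)
}

func main() {
	fmt.Println(resolveAgent([]byte(samplePod), "app", 10027))
}
```

The address it returns is the privileged agent's listening endpoint on the node, which is the endpoint the Security item under future works is concerned with.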
Contribute
Feel free to open issues and pull requests. Any feedback is highly appreciated!