Pod debugging made easy
kubectl-debug is an out-of-tree solution for troubleshooting running pods, which allows you to run new containers in running pod for debugging purpose. kubectl-debug is pretty simple and capable for all versions* of k8s.
*: I've tested kubectl-debug with kubectl version v1.13.1 and kubernetes version v1.9.1. I don't have an environment to test more versions but I suppose that kubectl-debug is compatible with all versions of kubernetes and kubectl 1.12.0 or higher. Please [file an issue] if you find kubectl-debug do not work.
WIP
- DaemonSet YAML and helm chart for agent
nice to have:
- bash completion
-
kubectl debug list: list debug containers, we might need this because the debug container is not discovered by kubernetes. - security: security is import, but not a consideration in current stage
kubectl-debug consists of 2 components:
- the kubectl plugin: a cli client of
node agent, serveskubectl debugcommand, - the node agent: responsible for manipulating the "debug container"; node agent will also act as a websockets relay for remote tty
When user run kubectl debug target-pod -c <container-name> /bin/bash:
- The plugin get the pod info from apiserver and extract the
hostIP, if the target container is no existed or not currently running, an error raised. - The plugin send a HTTP request to the specific node agent running on the
hostIP, which includes a protocol upgrade from HTTP to SPDY. - The agent runs a container in the pod's namespaces (ipc, pid, network, etc) with the STDIN stay open (
-iflag). - The agent checks if the target container is actively running, if not, write an error to client.
- The agent runs a
debug containerwithttyandstdinopened, thedebug contaienrwill join thepid,network,ipcandusernamespace of the target container. - The agent pipes the connection io to the
debug contaienrusingattach - Debug in the debug container.
- Jobs done, user close the SPDY connection.
- The node agent close the SPDY connection, then wait the
debug contaienrexit and do the cleanup.