-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create 2023-08-03-kubernetes-ephemeral-container.md
- Loading branch information
Showing
1 changed file
with
39 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| --- | ||
| layout: single | ||
| title: Kubernetes ephemeral containers | ||
| toc: true | ||
| tags: kubernetes | ||
| --- | ||
| Removing building and debugging tools from the images we use to run services on containers is one of the security best practices. However, you can't debug a container if it is not shipped with the debugging tools. Security and easy of debug seems to mutual exclusive but Kubernetes provides a solution: **ephemeralContainers**. As the name suggests, they are ephemeral containers attached to the same pod we want to debug and they share the same linux process namespace. The ephemeral container contains all the tools needed to troubleshoot the main container, but it is stopped as soon as we ended our debugging session. | ||
|
|
||
| At the time of writing this post, the latest version of Kubernetes is 1.27. | ||
|
|
||
| # Demo | ||
|
|
||
| Create a pod with the python image (Alpine flavoured) that runs an http server on the port 8080. This image doesn't provide tools like curl. | ||
|
|
||
| Python allows run a http server on port 8080 in one line: `python3 -m http.server 8080`. | ||
|
|
||
| If you try to test the server with the command `curl`, it is not found: | ||
|
|
||
| ```console | ||
| $ kubectl run server --image=python:3.12.0b4-alpine3.18 -- python3 -m http.server 8080 | ||
| If you don't see a command prompt, try pressing enter. | ||
| / # curl | ||
| /bin/sh: curl: not found | ||
| / # exit | ||
| ``` | ||
|
|
||
| `kubectl debug` command allows to create an ephemeral container in the same pod we want to debug. Using the image `curlimages/curl` and curl the python http server: | ||
|
|
||
| ```console | ||
| $ kubectl debug -it pod/server --image=curlimages/curl -- /bin/sh | ||
| Defaulting debug container name to debugger-t492c. | ||
| If you don't see a command prompt, try pressing enter. | ||
| ~ $ curl localhost:8080 | ||
| <!DOCTYPE HTML> | ||
| ... | ||
| </html> | ||
| ~ $ exit | ||
| Session ended, the ephemeral container will not be restarted but may be reattached using 'kubectl attach server -c debugger-t492c -i -t' if it is still running | ||
| ``` |