Add support for setting security context into ephemeral container specs
gberche-orange opened this issue · comments
As a kubectl-netshoot user,
in order to use strace to debug a program (e.g. inferring data sent over an encrypted connection),
I need a kubectl-netshoot option to craft the ephemeral container with a security context such as `"securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}}`,
or
More background in
https://betterprogramming.pub/debugging-kubernetes-pods-deep-dive-d6b2814cd8ce
Unfortunately, I didn’t find a way to pass extra permissions to the ephemeral container from kubectl command. So we will construct and send an HTTP request to kube API server without the use of kubectl command.
```shell
curl -v -XPATCH -H "Content-Type: application/json-patch+json" \
  'http://127.0.0.1:8001/api/v1/namespaces/default/pods/nginx-8f458dc5b-wkvq4/ephemeralcontainers' \
  --data-binary @- << EOF
[{
  "op": "add",
  "path": "/spec/ephemeralContainers/-",
  "value": {
    "command": [ "/bin/sh" ],
    "stdin": true,
    "tty": true,
    "image": "nicolaka/netshoot",
    "name": "debug-strace",
    "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}},
    "targetContainerName": "nginx"
  }
}]
EOF
```
Now you can strace without getting permission denied.
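The JSON patch sent by the curl command above can be built and screened locally before it reaches the API server. The following Python is an added example, not code from kubectl-netshoot or from the quoted article: it assembles the same `/spec/ephemeralContainers/-` add operation for an arbitrary securityContext and then lists what the Pod Security Standards "restricted" policy would object to (drop ALL, at most NET_BIND_SERVICE added, no privilege escalation, non-root, seccomp set). Pod, image and container names are constructed samples.

```python
"""Build the JSON-patch body for the ephemeralcontainers subresource and screen
the requested securityContext against the PSS 'restricted' rules.
Added example; not part of kubectl-netshoot. Names below are constructed."""
import json

# Capabilities the Pod Security Standards "restricted" policy lets a container
# add back after dropping ALL.
RESTRICTED_ALLOWED_ADDS = {"NET_BIND_SERVICE"}


def build_ephemeral_container_patch(name, image, target, command, security_context=None):
    """Return the JSON-patch document (a list with one 'add' op) that appends an
    ephemeral container targeting `target`, mirroring the curl payload above."""
    container = {
        "name": name,
        "image": image,
        "command": list(command),
        "stdin": True,
        "tty": True,
        "targetContainerName": target,
    }
    if security_context:
        container["securityContext"] = security_context
    return [{"op": "add", "path": "/spec/ephemeralContainers/-", "value": container}]


def restricted_profile_violations(security_context):
    """List the reasons a container securityContext would fail the PSS
    'restricted' policy. Capability names are compared case-insensitively here
    so that "all" and "ALL" are treated alike; the admission controller itself
    may be stricter."""
    sc = security_context or {}
    problems = []
    caps = sc.get("capabilities", {})
    drops = {c.upper() for c in caps.get("drop", [])}
    adds = {c.upper() for c in caps.get("add", [])}
    if "ALL" not in drops:
        problems.append("capabilities.drop must contain ALL")
    for cap in sorted(adds - RESTRICTED_ALLOWED_ADDS):
        problems.append(f"capabilities.add: {cap} is not permitted")
    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append("allowPrivilegeEscalation must be false")
    if sc.get("runAsNonRoot") is not True:
        problems.append("runAsNonRoot must be true")
    if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        problems.append("seccompProfile.type must be RuntimeDefault or Localhost")
    if sc.get("privileged"):
        problems.append("privileged must not be set")
    return problems


if __name__ == "__main__":
    # The SYS_PTRACE context from the curl example: useful for strace, but far
    # outside what a restricted namespace will admit.
    ptrace_ctx = {"capabilities": {"add": ["SYS_PTRACE"]}}
    patch = build_ephemeral_container_patch(
        "debug-strace", "nicolaka/netshoot", "nginx", ["/bin/sh"], ptrace_ctx)
    print(json.dumps(patch, indent=2))
    print("restricted-policy findings:", restricted_profile_violations(ptrace_ctx))
```

Running the script prints the patch body and then the findings for the SYS_PTRACE context (no `drop: ALL`, and SYS_PTRACE is not an allowed add), which is the same answer a `restricted`-labelled namespace would give at admission time.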
Note that this feature is being worked on in kubectl debug as part of kubernetes/kubectl#1108 through a --profile option: `Debugging profile. Options are "legacy", "general", "baseline", or "restricted".`
Since the plugin is basically a thin layer over kubectl, I would wait for the --profile option to be supported in kubectl debug.
Hi, debugging profile has been released at Kubernetes v1.27.
Added "general", "baseline", and "restricted" debugging profiles for kubectl debug. (kubernetes/kubernetes#114280, @sding3) [SIG CLI]
Added "netadmin" debugging profiles for kubectl debug. (kubernetes/kubernetes#115712, @wedaly) [SIG CLI]
However:
- Some lack of securityContext settings were in the restricted profile. It has been fixed and will be released at v1.28.
- There seems to be lack of CAP_NET_RAW in the netadmin profile. It's discussed here and I try to fix it.
In addition, custom profiles are also being considered here.
FYI:
I actually made a PoC to be able to apply securityContext custom profiles to EphemeralContainer like this:
```shell
$ kubectl debug -it nginx --image=ubuntu --target=nginx --security-context='{"capabilities":{"add":["NET_BIND_SERVICE"],"drop":["all"]}}' -- /bin/bash
Targeting container "nginx". If you don't see processes from this container it may be because the container runtime doesn't support this feature.
Defaulting debug container name to debugger-5sgx7.
If you don't see a command prompt, try pressing enter.
root@nginx:/#
root@nginx:/# grep Cap /proc/$$/status
CapInh: 0000000000000000
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 0000000000000400
CapAmb: 0000000000000000
```
```shell
$ kubectl get po nginx -oyaml
```
```yaml
apiVersion: v1
kind: Pod
...
  ephemeralContainers:
  - command:
    - /bin/bash
    image: ubuntu
    imagePullPolicy: Always
    name: debugger-5sgx7
    resources: {}
    securityContext:
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - all
...
```
However, they seem to be targeting a broader scope than just securityContext.
Thanks.
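The `grep Cap /proc/$$/status` check in the PoC above is the right way to confirm what a debug container actually got, but the hex masks are not readable at a glance. The following Python is an added example (not part of kubectl or of the PoC) that decodes those masks into capability names using the bit numbers from the Linux capability ABI and compares the effective set with what was requested. The first sample status text is a copy of the output above; the second is a constructed sample of the usual container-runtime default set, to show what the check reports when nothing was dropped.

```python
"""Decode Cap* lines from /proc/<pid>/status into capability names and compare
the effective set with the capabilities that were requested for the debug
container. Added example; not part of kubectl. Sample inputs are constructed."""

# Bit positions from linux/capability.h (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]


def decode_capmask(hexmask):
    """Turn a hex capability mask (as printed in /proc/<pid>/status) into a set
    of capability names; bits beyond the known table are reported as UNKNOWN_n."""
    names = set()
    mask = int(hexmask, 16)
    bit = 0
    while mask:
        if mask & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"UNKNOWN_{bit}")
        mask >>= 1
        bit += 1
    return names


def parse_cap_status(status_text):
    """Map each Cap* line (CapInh, CapPrm, CapEff, CapBnd, CapAmb) to its decoded set."""
    sets = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, val = line.split(":", 1)
            sets[key.strip()] = decode_capmask(val.strip())
    return sets


def check_effective_caps(status_text, requested_add):
    """Return (unexpected, missing): capabilities present in CapEff that were
    not requested, and requested ones that did not make it into CapEff."""
    effective = parse_cap_status(status_text)["CapEff"]
    wanted = {c.upper() for c in requested_add}
    return sorted(effective - wanted), sorted(wanted - effective)


# Copy of the status lines shown in the PoC session above (drop all + NET_BIND_SERVICE).
SAMPLE_STATUS = """\
CapInh: 0000000000000000
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 0000000000000400
CapAmb: 0000000000000000
"""

# Constructed sample: the usual container-runtime default bounding set, i.e. what a
# debug container ends up with when no capabilities are dropped.
DEFAULT_STATUS = """\
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
"""

if __name__ == "__main__":
    for key, caps in parse_cap_status(SAMPLE_STATUS).items():
        print(key, sorted(caps))
    print("PoC container:", check_effective_caps(SAMPLE_STATUS, ["NET_BIND_SERVICE"]))
    print("default container:", check_effective_caps(DEFAULT_STATUS, ["NET_BIND_SERVICE"]))
```

For the PoC output the check returns `([], [])`: the effective set is exactly NET_BIND_SERVICE, so `drop: all` plus the single add took effect. For the default-set sample it lists CHOWN, NET_RAW, SYS_CHROOT and the rest as unexpected, which is the quick way to spot that a profile or flag did not drop what it was supposed to.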