
Ephemeral container debug is not working for 8.3.x #332

Closed
dddpaul opened this issue Nov 26, 2023 · 4 comments
dddpaul commented Nov 26, 2023

Since Zeebe 8.3.x uses a non-privileged user to run the zeebe process inside the container, the ephemeral container method became broken.

Trying with the simplest busybox image:

kubectl debug -it camunda-zeebe-0 --image=busybox:1.28 --target=zeebe
Targeting container "zeebe". If you don't see processes from this container it may be because the container runtime doesn't support this feature.
Defaulting debug container name to debugger-2x7n2.
Warning: container debugger-2x7n2: container has runAsNonRoot and image will run as root (pod: "camunda-zeebe-0_default(70ff89d8-78fa-4b49-98c0-7ef4c2f59f78)", container: debugger-2x7n2)

kubectl describe pod camunda-zeebe-0:

Ephemeral Containers:
 debugger-2x7n2:
    Container ID:    
    Image:           busybox:1.28
    Image ID:        
    Port:            <none>
    Host Port:       <none>
    State:           Waiting
      Reason:        CreateContainerConfigError
    Ready:           False
    Restart Count:   0
    Environment:     <none>
    Mounts:          <none>

Definitely it's not a problem of the zdb tool ) But users should know not to use this method for 8.3 and later versions.

Maybe it will be fixed inside k8s:
kubernetes/kubernetes#110126
kubernetes/kubectl#1108

@Zelldon Zelldon self-assigned this Nov 26, 2023
Zelldon (Owner) commented Jan 11, 2024

PodSecurity is non-mutating. When using ephemeral containers in a namespace that is enforcing the restricted PodSecurity level, the ephemeral container must set securityContext.allowPrivilegeEscalation=false and securityContext.capabilities.drop=["ALL"]
kubernetes/kubernetes#110126 (comment)

Would be interesting whether this works.

Additionally kubernetes/kubernetes#114280
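As an added illustration (not code from this issue or from the zdb project), this builds the ephemeralContainers entry carrying the securityContext fields quoted above and checks a given securityContext against them; the sample pod, the 65534 fallback UID and the note on how the kubelet treats an explicit runAsUser are assumptions.

```python
# Constructed sample pod, shaped like the situation in this issue (an assumption,
# not the actual Camunda chart manifest): runAsNonRoot is enforced at pod level,
# while the numeric UID is only set on the zeebe container itself.
SAMPLE_POD = {
    "metadata": {"name": "camunda-zeebe-0", "namespace": "default"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "zeebe",
            "image": "camunda/zeebe:8.3.0",
            "securityContext": {"runAsUser": 1000},
        }],
    },
}


def restricted_violations(sc: dict) -> list:
    """List what an ephemeral container's own securityContext still lacks for
    the restricted PodSecurity level. PodSecurity is non-mutating, so the
    pod-level defaults are not filled in on the ephemeral container's behalf."""
    problems = []
    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append("allowPrivilegeEscalation must be false")
    if "ALL" not in (sc.get("capabilities", {}).get("drop") or []):
        problems.append('capabilities.drop must contain "ALL"')
    if sc.get("runAsNonRoot") is not True:
        problems.append("runAsNonRoot must be true")
    if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        problems.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


def ephemeral_container(pod: dict, name: str, image: str, target: str) -> dict:
    """Build an entry for the pod's ephemeralcontainers subresource that passes
    restricted_violations() and pins an explicit non-root UID. Assumption: with
    runAsUser set, the kubelet's runAsNonRoot check no longer depends on the
    image's USER, which is what the root busybox image tripped over above."""
    target_sc = next((c.get("securityContext", {}) for c in pod["spec"]["containers"]
                      if c["name"] == target), {})
    uid = target_sc.get("runAsUser") or pod["spec"].get("securityContext", {}).get("runAsUser") or 65534
    sc = {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
        "runAsNonRoot": True,
        "runAsUser": uid,
        "seccompProfile": {"type": "RuntimeDefault"},
    }
    return {"name": name, "image": image, "targetContainerName": target,
            "stdin": True, "tty": True, "securityContext": sc}
```

The returned dict goes into `{"spec": {"ephemeralContainers": [...]}}` for a PATCH of the pod's ephemeralcontainers subresource; whether the cluster then admits it still depends on the namespace's PodSecurity configuration.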

Zelldon (Owner) commented Jan 19, 2024

There is still an open issue to implement more profiles; until then this approach can likely not be used: kubernetes/kubectl#1108

Zelldon (Owner) commented Jan 19, 2024

I will remove the debug container approach from the README or put a note that this might not be possible right now.

Zelldon (Owner) commented Feb 2, 2024

I made a note of it in the readme (401c279). Thanks for reporting, I will close this issue then. I see no way to fix it from here.
