Clarify documented privileges of kubectl debug node #34879
Comments
@kgibm: This issue is currently awaiting triage. SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I think this is a decision that oc is making for you. We currently only mount the host when you debug on a node. There is a plan to add further debug profiles to kubectl debug. Not sure this is something we'd want to change right now by default though.
@eddiezane Thanks, makes sense. I agree the default doesn't need to change, but some flag like
Resurrecting this because I noticed that the documentation writes (emphasis added):
However, whereas
So it seems to me that either the documentation should be updated to remove "privileged" (or some caveats added) or the default should change to create a privileged pod.
Hi @kgibm, we plan on adding a privileged debug profile, follow along in kubernetes/kubectl#1108. We won't change the default, though, so maybe the docs should be updated. I'll send this issue over to the website repo.
/transfer website
The feature request is to document that Kubernetes ephemeral containers are unprivileged by default. Have I got that right?
@sftim Yes, this is a documentation change request, although I'm not sure what the correct term should be instead of privileged. I don't think unprivileged is right either, because the pod does have privileged access to the worker node filesystem but it lacks other privileged permissions that one would normally expect.
No, it's not about ephemeral containers. It's about debug pods that you can try to create with
There aren't any docs for
/retitle “Debug Running Pods” gives poor advice about debugging via node shell |
Correct. Not sure how ephemeral containers came into the picture.
Yes, there are, as quoted earlier: https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#node-shell-session
These are, in a sense, privileged, as the user is
@kgibm would you be willing to revise the issue description to frame this as the improvement you would like to see?
/retitle Clarify documented privileges of kubectl debug node |
@kgibm: Re-titling can only be requested by trusted users, like repository collaborators. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@sftim I've updated the title. If you think it's better to close this issue and open a new issue that's cleaner and reference this as background, I can do that as well. As far as what the actual clarification should be instead of the word "privileged", I'm not sure. I think a subject matter expert should opine on that. My guess is it should be something along the lines of:
I suggest opening a new issue, given that the original issue was a CLI feature request and not a suggestion for docs. BTW, the description is the longer text slightly below the issue title.
Opened #35170. Closing this issue.
What would you like to be added:

`oc` supports `chroot /host` (and even prints a helpful hint of "To use host binaries, run `chroot /host`") whereas `kubectl` causes "Operation not permitted" (even though `/host` is readable):

`oc` results:

`kubectl` results:

Why is this needed:

This is part of a broader lack of permissions in `kubectl debug node` that `oc debug node` does not suffer from, which limits certain diagnostics. For example, I can't even look at all PIDs with `kubectl` even though I'm ostensibly `root`:

Although this works fine with `oc`:

The relevant bits of code appear to be the following and show significant differences in the debug node pod templates:

- `kubectl`'s `generateNodeDebugPod`
- `oc`'s `approximatePodTemplateForObject` in the `corev1.Node` case