
Add support for setting security context into ephemeral container specs #9

Open
gberche-orange opened this issue May 19, 2023 · 3 comments

Comments

@gberche-orange

As a kubectl-netshoot user,
In order to use strace to debug a program (e.g. inferring data sent over an encrypted connection),
I need a kubectl-netshoot option to craft the ephemeral container with a security context such as "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}}, or

More background into
https://betterprogramming.pub/debugging-kubernetes-pods-deep-dive-d6b2814cd8ce

Unfortunately, I didn’t find a way to pass extra permissions to the ephemeral container from kubectl command. So we will construct and send an HTTP request to kube API server without the use of kubectl command.

# Sent through `kubectl proxy`, which listens on 127.0.0.1:8001 by default.
# The PATCH targets the pod's `ephemeralcontainers` subresource, not the pod itself.
curl -v -XPATCH -H "Content-Type: application/json-patch+json" \
  'http://127.0.0.1:8001/api/v1/namespaces/default/pods/nginx-8f458dc5b-wkvq4/ephemeralcontainers' \
  --data-binary @- << EOF
[{
  "op": "add", "path": "/spec/ephemeralContainers/-",
  "value": {
    "command": [ "/bin/sh" ],
    "stdin": true, "tty": true,
    "image": "nicolaka/netshoot",
    "name": "debug-strace",
    "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}},
    "targetContainerName": "nginx" }}]
EOF

Now you can strace without getting permission denied.
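The curl above hand-writes the JSON Patch body. As an added example (not from kubectl-netshoot, the linked article, or any commenter), the following Python builds the same RFC 6902 patch for an arbitrary capability set, derives the `ephemeralcontainers` subresource path, and flags what the Pod Security Standards "restricted" level would reject (it requires `drop: [ALL]` and allows adding only `NET_BIND_SERVICE`). The `kubectl proxy` address 127.0.0.1:8001 and the function names are assumptions for illustration; `send_patch` only runs when you call it with a proxy up.

```python
"""Build and (optionally) send the JSON Patch that adds a debug ephemeral container.

Added example, not code from kubectl-netshoot or the Kubernetes project.
"""
import json
import http.client

# Assumption: `kubectl proxy` is running locally on its default address.
PROXY_HOST = "127.0.0.1"
PROXY_PORT = 8001

# Pod Security Standards, "restricted" level: containers must drop ALL capabilities
# and may add back only NET_BIND_SERVICE.
RESTRICTED_ALLOWED_ADD = {"NET_BIND_SERVICE"}


def _norm(cap):
    """Normalise 'cap_sys_ptrace' / 'sys_ptrace' to the 'SYS_PTRACE' form Kubernetes expects."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def ephemeral_container_patch(name, image, target, command=("/bin/sh",),
                              add_caps=(), drop_caps=(), run_as_user=None):
    """Return a JSON Patch list that appends one ephemeral container.

    The path '/spec/ephemeralContainers/-' appends to the array; the patch must be
    sent to the pod's `ephemeralcontainers` subresource.
    """
    container = {
        "name": name,
        "image": image,
        "command": list(command),
        "stdin": True,
        "tty": True,
        "targetContainerName": target,  # share the target's PID namespace (needed for ptrace)
    }
    caps = {}
    if add_caps:
        caps["add"] = [_norm(c) for c in add_caps]
    if drop_caps:
        caps["drop"] = [_norm(c) for c in drop_caps]
    sec = {}
    if caps:
        sec["capabilities"] = caps
    if run_as_user is not None:
        sec["runAsUser"] = run_as_user
    if sec:
        container["securityContext"] = sec
    return [{"op": "add", "path": "/spec/ephemeralContainers/-", "value": container}]


def ephemeral_containers_path(namespace, pod):
    """API path of the subresource the patch must be sent to."""
    return f"/api/v1/namespaces/{namespace}/pods/{pod}/ephemeralcontainers"


def restricted_pss_violations(container):
    """List the capability-related reasons the 'restricted' PSS level would reject this spec.

    Only the capabilities rules are checked here; runAsNonRoot, seccomp, etc. are not.
    """
    caps = container.get("securityContext", {}).get("capabilities", {})
    problems = []
    if "ALL" not in {_norm(c) for c in caps.get("drop", [])}:
        problems.append("capabilities.drop must include ALL")
    for c in caps.get("add", []):
        if _norm(c) not in RESTRICTED_ALLOWED_ADD:
            problems.append(f"capabilities.add contains {_norm(c)} (only NET_BIND_SERVICE is allowed)")
    return problems


def send_patch(namespace, pod, patch, host=PROXY_HOST, port=PROXY_PORT):
    """PATCH the ephemeralcontainers subresource via kubectl proxy; returns (status, body).

    The caller's RBAC identity needs the 'patch' verb on pods/ephemeralcontainers.
    """
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("PATCH", ephemeral_containers_path(namespace, pod),
                 body=json.dumps(patch),
                 headers={"Content-Type": "application/json-patch+json"})
    resp = conn.getresponse()
    return resp.status, resp.read().decode()


if __name__ == "__main__":
    patch = ephemeral_container_patch("debug-strace", "nicolaka/netshoot", "nginx",
                                      add_caps=["SYS_PTRACE"])
    print(json.dumps(patch, indent=2))
    print("restricted PSS violations:", restricted_pss_violations(patch[0]["value"]))
    # With `kubectl proxy` running:
    # print(send_patch("default", "nginx-8f458dc5b-wkvq4", patch))
```

Running it prints the same patch body as the curl above and reports that a `SYS_PTRACE` debugger would fail the "restricted" level on two counts (no `drop: ALL`, and a disallowed add), which is why such a container needs a namespace labelled at most `baseline`.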

@gberche-orange
Author

Note that this feature is being worked on in kubectl debug as part of kubernetes/kubectl#1108 through a --profile option: Debugging profile. Options are "legacy", "general", "baseline", or "restricted".

@nilic
Owner

nilic commented May 25, 2023

Since the plugin is basically a thin layer over kubectl, I would wait for the --profile option to be supported in kubectl debug.

@mochizuki875

mochizuki875 commented Jun 14, 2023

Hi, the debugging profile has been released in Kubernetes v1.27.

Added "general", "baseline", and "restricted" debugging profiles for kubectl debug. (kubernetes/kubernetes#114280, @sding3) [SIG CLI]

Added "netadmin" debugging profiles for kubectl debug. (kubernetes/kubernetes#115712, @wedaly) [SIG CLI]

However:

  1. Some securityContext settings were missing from the restricted profile. This has been fixed and will be released in v1.28.

  2. There seems to be a lack of CAP_NET_RAW in the netadmin profile. It's discussed here and I'm trying to fix it.

In addition, custom profiles are also being considered here.

FYI:
I actually made a PoC to be able to apply securityContext custom profiles to an EphemeralContainer like this:

$ kubectl debug -it nginx --image=ubuntu --target=nginx --security-context='{"capabilities":{"add":["NET_BIND_SERVICE"],"drop":["all"]}}' -- /bin/bash
Targeting container "nginx". If you don't see processes from this container it may be because the container runtime doesn't support this feature.
Defaulting debug container name to debugger-5sgx7.
If you don't see a command prompt, try pressing enter.
root@nginx:/# 
root@nginx:/# grep Cap /proc/$$/status
CapInh:	0000000000000000
CapPrm:	0000000000000400
CapEff:	0000000000000400
CapBnd:	0000000000000400
CapAmb:	0000000000000000
$ kubectl get po nginx -oyaml
apiVersion: v1
kind: Pod
...
  ephemeralContainers:
  - command:
    - /bin/bash
    image: ubuntu
    imagePullPolicy: Always
    name: debugger-5sgx7
    resources: {}
    securityContext:
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - all
...

https://github.com/kubernetes/kubernetes/compare/master...mochizuki875:kubernetes:ec-custom-security-context?expand=1#diff-e961c6c329b92e6595113a179583cddc9192bcf00d3ee2ad721b029aff6957bc

However, they seem to be targeting a broader scope than just securityContext.

Thanks.
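The `grep Cap /proc/$$/status` check in the PoC above is the right way to confirm what a debug container actually received, but the masks are hex bitmaps. As an added example (not from the PoC, kubectl, or any commenter), the following Python decodes those lines using the kernel's capability numbering and compares `CapEff` with the `add`/`drop` lists that were requested: with `drop: [ALL]` the effective set must equal the added set exactly, otherwise only the added capabilities are checked for presence because the runtime's default set is not known here. The first sample is the PoC's own output (`0x400`, bit 10, is `NET_BIND_SERVICE`); the second is a constructed status for a container that kept a typical runtime default set and added `SYS_PTRACE`, as the first comment asks for. Function names are assumptions.

```python
"""Decode Cap* lines from /proc/<pid>/status and check them against a securityContext.

Added example; not part of kubectl or the PoC branch referenced above.
"""
import re

# Linux capability numbers (include/uapi/linux/capability.h): bit n of a mask = capability n.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Sample 1: copied from the PoC output in the comment above (drop all, add NET_BIND_SERVICE).
SAMPLE_STATUS_RESTRICTED = """\
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t0000000000000400
CapAmb:\t0000000000000000
"""

# Sample 2: constructed. 0xa80425fb is the usual 14-capability runtime default set;
# setting bit 19 (SYS_PTRACE) gives 0xa80c25fb, i.e. "add: [SYS_PTRACE]" with no drop.
SAMPLE_STATUS_PTRACE = """\
CapInh:\t0000000000000000
CapPrm:\t00000000a80c25fb
CapEff:\t00000000a80c25fb
CapBnd:\t00000000a80c25fb
CapAmb:\t0000000000000000
"""


def _norm(cap):
    """'cap_sys_ptrace' / 'sys_ptrace' -> 'SYS_PTRACE' (Kubernetes form)."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def decode_mask(hexmask):
    """Return the set of capability names whose bit is set in a /proc Cap* hex mask."""
    mask = int(hexmask, 16)
    names = set()
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            # Bits above the table are newer capabilities this table does not know.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def parse_proc_status(text):
    """Map each Cap* field of /proc/<pid>/status text to its decoded capability set."""
    caps = {}
    for m in re.finditer(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)", text, re.M):
        caps[m.group(1)] = decode_mask(m.group(2))
    return caps


def check_effective(status_text, add=(), drop=()):
    """Compare CapEff against the requested securityContext.capabilities.

    Returns (ok, unexpected, missing). With 'ALL' dropped, anything effective that was
    not added is unexpected; without it, the runtime default set is unknown here, so
    only the added capabilities are required to be present.
    """
    eff = parse_proc_status(status_text)["CapEff"]
    wanted = {_norm(c) for c in add}
    dropped_all = "ALL" in {_norm(c) for c in drop}
    unexpected = eff - wanted if dropped_all else set()
    missing = wanted - eff
    return (not unexpected and not missing, sorted(unexpected), sorted(missing))


if __name__ == "__main__":
    for label, text in (("restricted PoC", SAMPLE_STATUS_RESTRICTED), ("ptrace", SAMPLE_STATUS_PTRACE)):
        print(label, {k: sorted(v) for k, v in parse_proc_status(text).items()})
    print(check_effective(SAMPLE_STATUS_RESTRICTED, add=["NET_BIND_SERVICE"], drop=["all"]))
    print(check_effective(SAMPLE_STATUS_PTRACE, add=["SYS_PTRACE"]))
```

In practice, run `cat /proc/$$/status` inside the debug container and feed the text to `check_effective` with the same `add`/`drop` lists you put in the securityContext; a non-empty `missing` list means the capability was silently not granted (for example because the pod's namespace enforces a Pod Security level), and a non-empty `unexpected` list means `drop: ALL` was not honoured.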
