K8s: kubectl debug with custom profile - Wed, Sep 4, 2024
kubectl debug can be used to troubleshoot misbehaving pods. You can use specific profiles to create Pods with certain properties. This can matter for the security context, since some clusters might not allow certain settings (e.g. privilege escalation). The available profiles and their security policies are listed in the kubectl documentation.
Situations where these profiles might not work
There might be situations where none of the profiles work. For example, while trying to debug a keda operator Pod, I got the following error:
$ kubectl debug --profile=sysadmin -n keda keda-operator-668cf66486-4vpfc -ti --image=nicolaka/netshoot --share-processes=true -- bash
Defaulting debug container name to debugger-c2lkv.
Warning: container debugger-c2lkv: container has runAsNonRoot and image has non-numeric user (root), cannot verify user is non-root (pod: "keda-operator-668cf66486-4vpfc_keda(44c4114a-cee7-40fa-8b18-c7feaf22bb49)", container: debugger-c2lkv)
The image used, nicolaka/netshoot, has USER root in its Dockerfile, and since the sysadmin profile has runAsNonRoot set to true, the debug container cannot be started.
Use custom profiles for explicit settings
Since kubernetes v1.31.0 you can supply partial container specs to the kubectl debug command.
The following snippet solves the situation above:
$ cat partial_container.yaml
securityContext:
  runAsNonRoot: false
$ kubectl debug --profile=sysadmin --custom=partial_container.yaml -n keda keda-operator-668cf66486-4vpfc -ti --image=nicolaka/netshoot -- bash
Defaulting debug container name to debugger-888vh.
If you don't see a command prompt, try pressing enter.
keda-operator-668cf66486-4vpfc:~# whoami
root
Now the image runs as root, bypassing the verification function. Setting an explicit numeric user such as runAsUser: 1000 would also pass the check, although the container would then run as a non-root user.
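To make the verification above reproducible without a cluster, here is an added example (my own code, not from the original post and not kubectl's or the kubelet's source) that models the kubelet's runAsNonRoot check: it merges the pod-level and container-level securityContext the way the kubelet does (the container's own settings win), overlays the --custom partial spec on the profile's securityContext as a key-level merge (a simplification of kubectl's strategic merge), and then decides whether the container may start. The dicts, the TARGET_POD_SC / SYSADMIN_SC / NETSHOOT_USER values and the function names are constructed for this illustration; the outcomes match the three situations in the post (no custom spec, runAsNonRoot: false, runAsUser: 1000) and additionally cover runAsUser: 0, a numeric-USER image and an image with no USER at all.

```python
# Added example (not code from the original post or from kubectl/kubelet):
# a Python model of the kubelet's runAsNonRoot verification that produced the
# warning above, used to check a --custom partial spec before it is applied.
# Assumptions: dicts stand in for securityContext objects; the profile, pod and
# image values below are constructed for illustration; the kubectl --custom
# merge is modelled as a key-level merge of securityContext.
from typing import Optional, Tuple


def image_user(user_field: str) -> Tuple[Optional[int], str]:
    """Split an image's USER into (uid, username) the way the runtime reports it.
    A numeric USER becomes a uid; a name stays a username; an unset USER is
    treated as root (uid 0), which is what the kubelet does as well."""
    name = user_field.split(":")[0].strip()   # drop an optional ':group' part
    if name == "":
        return (0, "")
    if name.isdigit():
        return (int(name), "")
    return (None, name)


def effective_security_context(pod_sc: dict, container_sc: dict) -> dict:
    """Merge pod-level and container-level settings; the container wins."""
    effective = {}
    for key in ("runAsNonRoot", "runAsUser"):
        if key in container_sc:
            effective[key] = container_sc[key]
        elif key in pod_sc:
            effective[key] = pod_sc[key]
    return effective


def apply_custom(profile_sc: dict, custom_sc: dict) -> dict:
    """Overlay the --custom partial securityContext on the profile's (constructed model)."""
    return {**profile_sc, **custom_sc}


def verify_run_as_non_root(sc: dict, image_user_field: str) -> Optional[str]:
    """Return None when the container may start, else the kubelet-style refusal."""
    if not sc.get("runAsNonRoot"):
        return None                         # policy not requested: nothing to verify
    if "runAsUser" in sc:
        if sc["runAsUser"] == 0:
            return "container's runAsUser breaks non-root policy"
        return None                         # explicit numeric non-root uid: verifiable
    uid, username = image_user(image_user_field)
    if uid == 0:
        return "container has runAsNonRoot and image will run as root"
    if uid is None and username:
        return (f"container has runAsNonRoot and image has non-numeric user "
                f"({username}), cannot verify user is non-root")
    return None                             # image declares a numeric non-root uid


def debug_container_outcome(pod_sc: dict, profile_sc: dict, custom_sc: dict,
                            image_user_field: str) -> Optional[str]:
    """What the kubelet would decide for a debug container built from these inputs."""
    container_sc = apply_custom(profile_sc, custom_sc)
    effective = effective_security_context(pod_sc, container_sc)
    return verify_run_as_non_root(effective, image_user_field)


# Constructed inputs mirroring the post: runAsNonRoot is true for the target,
# the sysadmin profile asks for privileged, and nicolaka/netshoot has USER root.
TARGET_POD_SC = {"runAsNonRoot": True}
SYSADMIN_SC = {"privileged": True}
NETSHOOT_USER = "root"

if __name__ == "__main__":
    cases = {
        "no custom spec": {},
        "runAsNonRoot: false": {"runAsNonRoot": False},
        "runAsUser: 1000": {"runAsUser": 1000},
        "runAsUser: 0": {"runAsUser": 0},
    }
    for label, custom in cases.items():
        result = debug_container_outcome(TARGET_POD_SC, SYSADMIN_SC, custom, NETSHOOT_USER)
        print(f"{label:20} -> {'starts' if result is None else result}")
```

Running the script prints one line per case; the first case reproduces the "non-numeric user (root)" refusal from the warning above, the second and third start, and runAsUser: 0 is refused even though it is numeric, which is why an explicit uid only helps when it is non-zero.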