
Feat: ephemeralContainer support (kubectl debug)

Open iamasmith opened this issue 8 months ago • 4 comments

I just wanted to check if you guys were amenable to a PR to cover adding support for kubectl debug on pods?

I have something pretty much ready but my registry at home is using my own CA cert so I need to do a little patching to allow the crane libraries to be able to trust it for final testing.

We just find it a bit annoying having to go and check a sha for a tagged version when we debug, and digester otherwise does a great job in other cases to obviate the need to do this with our binary auth setup on GKE.

Also, this is a silent feature at present, do you prefer a flag to turn on the setting or should it just be enabled by default and work? This also brings up any documentation requirements you might think appropriate, obviously with a flag to enable there will need to be document updates.

The user of course will have the option to disable it should they wish by removing a line in the mutatingwebhookconfiguration so that's maybe worth documenting.

iamasmith avatar Aug 12 '25 19:08 iamasmith

I spotted a doc reference that does need updating anyway: recommendations.md needs to reflect the addition of spec.ephemeralContainers

iamasmith avatar Aug 12 '25 20:08 iamasmith

PR raised, as mentioned please suggest any changes required and I'm happy to accommodate. I know these things aren't on the mustfix list etc. and really appreciate any time you spent on this project as it's so valuable to many :)

https://github.com/google/k8s-digester/pull/43

For my own testing (with my registry using a self-signed cert at home) I added a crane.Insecure flag to another test branch (I haven't really done much with skaffold to add my CA cert to my test build so this was quicker for a smoke test) but was able to successfully attach a patched container using this, as you can see from the spec.ephemeralContainers.image vs the original in the request shown in spec.ephemeralContainerStatuses.image.

  ephemeralContainers:
  - command:
    - /bin/sh
    image: alpine:latest@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1
    imagePullPolicy: Always
...
  ephemeralContainerStatuses:
  - containerID: containerd://60c733927fa441fb08aff466a287ef9338e8093d4850ae0cbcaca2538aa977f7
    image: docker.io/library/alpine:latest
    imageID: docker.io/library/alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1
    lastState: {}

This did make me also wonder though if the webhook should also mutate imagePullPolicy to IfNotPresent, as the result is an absolute image reference, and improve efficiency once the mutation has been done. It's a separate concern and so a separate issue though.

iamasmith avatar Aug 12 '25 21:08 iamasmith

I spotted a doc reference that does need updating anyway: recommendations.md needs to reflect the addition of spec.ephemeralContainers

btw, I realise that this is actually only pertinent to a kpt based apply and the changes are really only relevant to use in webhook mode (you can't apply ephemeralContainers on create anyway). I have removed the doc change.

iamasmith avatar Aug 12 '25 21:08 iamasmith

wrt: clusters prior to 1.25 (stable ephemeralContainer) that do not enable the feature gate or do not have it at all, the code itself as you know patches what is there and if a spec.ephemeralContainer section is not there then it will not add one.

Similarly, using pods/ephemeralcontainers in the webhook config API path appears to have no discernible effect; indeed adding additional random subpaths that aren't supported by the API appears to have no impact on the admission controller in tests that I have performed.

iamasmith avatar Aug 13 '25 15:08 iamasmith
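Added example, not code from k8s-digester or from the PR linked above: a minimal version of the mutation the thread describes, resolving a tagged image reference in spec.ephemeralContainers (and the existing containers/initContainers lists) to tag@digest and emitting JSON Patch operations of the kind a mutating webhook returns. It also shows the point made above about pre-1.25 clusters: if the pod has no ephemeralContainers section, no patch touches that path and nothing is added. The resolver is a constructed lookup table standing in for the registry call (k8s-digester uses crane for that); the digest for alpine:latest is the one shown in the pod status above, the busybox digest is a constructed zero placeholder, and the pod JSON is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Resolver returns the manifest digest ("sha256:...") for an image reference.
// Assumption for this example: a table lookup replaces the live registry query
// (crane.Digest in the real tool) so the code runs offline.
type Resolver func(ref string) (string, error)

// PatchOp is one RFC 6902 JSON Patch operation, the form a mutating admission
// webhook returns in its AdmissionResponse.
type PatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}

// container and pod cover only the fields this example needs.
type container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}

type pod struct {
	Spec struct {
		Containers          []container `json:"containers"`
		InitContainers      []container `json:"initContainers"`
		EphemeralContainers []container `json:"ephemeralContainers"`
	} `json:"spec"`
}

// pinned reports whether the reference already carries a digest.
func pinned(ref string) bool { return strings.Contains(ref, "@sha256:") }

// DigestPatches walks the three container lists of the pod and, for every
// image that is not yet pinned, emits a replace op that appends @digest to the
// existing reference (alpine:latest -> alpine:latest@sha256:...). Lists that
// are absent from the pod produce no ops, so a cluster without ephemeral
// container support never receives a patch for /spec/ephemeralContainers.
func DigestPatches(podJSON []byte, resolve Resolver) ([]PatchOp, error) {
	var p pod
	if err := json.Unmarshal(podJSON, &p); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err)
	}
	lists := []struct {
		path string
		cs   []container
	}{
		{"/spec/containers", p.Spec.Containers},
		{"/spec/initContainers", p.Spec.InitContainers},
		{"/spec/ephemeralContainers", p.Spec.EphemeralContainers},
	}
	var ops []PatchOp
	for _, l := range lists {
		for i, c := range l.cs {
			if pinned(c.Image) {
				continue // already an immutable reference; leave it alone
			}
			d, err := resolve(c.Image)
			if err != nil {
				return nil, fmt.Errorf("resolve %q: %w", c.Image, err)
			}
			ops = append(ops, PatchOp{
				Op:    "replace",
				Path:  fmt.Sprintf("%s/%d/image", l.path, i),
				Value: c.Image + "@" + d,
			})
		}
	}
	return ops, nil
}

// Constructed sample data for the example.
var sampleDigests = map[string]string{
	// digest as shown in the ephemeralContainerStatuses output in the thread
	"alpine:latest": "sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1",
}

// SampleResolver looks the reference up in the constructed table.
func SampleResolver(ref string) (string, error) {
	d, ok := sampleDigests[ref]
	if !ok {
		return "", fmt.Errorf("no manifest found for %s", ref)
	}
	return d, nil
}

// SamplePodJSON: the app container is already pinned (placeholder digest of
// zeros, constructed), the ephemeral container added by kubectl debug is not.
const SamplePodJSON = `{"spec":{
  "containers":[{"name":"app","image":"busybox@sha256:0000000000000000000000000000000000000000000000000000000000000000"}],
  "ephemeralContainers":[{"name":"debugger","image":"alpine:latest"}]}}`

func main() {
	ops, err := DigestPatches([]byte(SamplePodJSON), SampleResolver)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(ops, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints a single replace op for /spec/ephemeralContainers/0/image; the pinned app container is skipped, and a pod with no ephemeralContainers key yields no ops at all.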