diff --git a/go.mod b/go.mod
index 72b58172..a24d8b15 100644
--- a/go.mod
+++ b/go.mod
@@ -30,7 +30,7 @@ require (
 	golang.org/x/sys v0.30.0
 	gopkg.in/evanphx/json-patch.v4 v4.12.0
 	k8s.io/api v0.0.0-20250319053034-feb95d943ada
-	k8s.io/apimachinery v0.0.0-20250319052758-7e8c77e774c9
+	k8s.io/apimachinery v0.0.0-20250319092800-e8a77bd768fd
 	k8s.io/cli-runtime v0.0.0-20250319060948-178adec27e2b
 	k8s.io/client-go v0.0.0-20250319053412-169f1af1bf07
 	k8s.io/component-base v0.0.0-20250319054524-7c899b094d78
diff --git a/go.sum b/go.sum
index 929346b6..75f3fc08 100644
--- a/go.sum
+++ b/go.sum
@@ -198,8 +198,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/api v0.0.0-20250319053034-feb95d943ada h1:jkgp/vD+5CoL2n17AMKQ3g3ELsKmn+zBDXqwvpPvmXw=
 k8s.io/api v0.0.0-20250319053034-feb95d943ada/go.mod h1:MsIjX9SIqRiiwfw1r0s0lMHaMw6jhSX8h4VjblK393I=
-k8s.io/apimachinery v0.0.0-20250319052758-7e8c77e774c9 h1:vw/UFDFjwXc5W6nMCOUmIaFX19fkQ720CygFuZOS9jM=
-k8s.io/apimachinery v0.0.0-20250319052758-7e8c77e774c9/go.mod h1:D2UW665TVSpInyOuG6C+PMtC1MZheP0KQz65UPQEiI4=
+k8s.io/apimachinery v0.0.0-20250319092800-e8a77bd768fd h1:KoXgjwEokLM8o95kMxowg5vp5iQ4v46Kk+zobsqeTgU=
+k8s.io/apimachinery v0.0.0-20250319092800-e8a77bd768fd/go.mod h1:D2UW665TVSpInyOuG6C+PMtC1MZheP0KQz65UPQEiI4=
 k8s.io/cli-runtime v0.0.0-20250319060948-178adec27e2b h1:U2IpmC0Xy+HhTucipOTB8bW6K9swj0MxHk0QUa1DsRo=
 k8s.io/cli-runtime v0.0.0-20250319060948-178adec27e2b/go.mod h1:NrI3OaU2ZafaHBAFm1ao0G1jXkMseiOF+zx3O47n/Ig=
 k8s.io/client-go v0.0.0-20250319053412-169f1af1bf07 h1:UmlJkL72Xyrfs30rqXWtVUcjV15AeOggxctLIiKuNsE=
diff --git a/pkg/cmd/debug/debug.go b/pkg/cmd/debug/debug.go
index 1cb325be..8df40aef 100644
--- a/pkg/cmd/debug/debug.go
+++ b/pkg/cmd/debug/debug.go
@@ -75,6 +75,9 @@ var (
 		debugging utilities without restarting the pod.
 		* Node: Create a new pod that runs in the node's host namespaces and can access
 		the node's filesystem.
+
+		Note: When a non-root user is configured for the entire target Pod, some capabilities granted
+		by debug profile may not work.
 `))
 
 	debugExample = templates.Examples(i18n.T(`
@@ -495,6 +498,8 @@ func (o *DebugOptions) debugByEphemeralContainer(ctx context.Context, pod *corev
 	}
 	klog.V(2).Infof("new ephemeral container: %#v", debugContainer)
 
+	o.displayWarning((*corev1.Container)(&debugContainer.EphemeralContainerCommon), pod)
+
 	debugJS, err := json.Marshal(debugPod)
 	if err != nil {
 		return nil, "", fmt.Errorf("error creating JSON for debug container: %v", err)
@@ -611,6 +616,16 @@ func (o *DebugOptions) debugByCopy(ctx context.Context, pod *corev1.Pod) (*corev
 	if err != nil {
 		return nil, "", err
 	}
+
+	var debugContainer *corev1.Container
+	for i := range copied.Spec.Containers {
+		if copied.Spec.Containers[i].Name == dc {
+			debugContainer = &copied.Spec.Containers[i]
+			break
+		}
+	}
+	o.displayWarning(debugContainer, copied)
+
 	created, err := o.podClient.Pods(copied.Namespace).Create(ctx, copied, metav1.CreateOptions{})
 	if err != nil {
 		return nil, "", err
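Review bot: The pointer conversion `(*corev1.Container)(&debugContainer.EphemeralContainerCommon)` on the added line in the `@@ -495` hunk only compiles because the two structs are kept field-for-field identical, and nothing at the call site records that dependency for the next reader; add `// EphemeralContainerCommon is kept field-identical to Container, so this pointer conversion is safe.` above it. The call is also placed before the patch is marshalled and applied, so the warning reaches stderr even when the ephemeral container is never created; the same ordering applies to the call added in the `@@ -611` hunk, which runs before `Create`. If the function's later code returns on error, emitting the warning after the API call succeeds would keep stderr tied to what actually happened. The bodies of debugByEphemeralContainer and debugByCopy both continue outside these hunks.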
@@ -624,6 +639,32 @@ func (o *DebugOptions) debugByCopy(ctx context.Context, pod *corev1.Pod) (*corev
 	return created, dc, nil
 }
 
+// Display warning message if some capabilities are set by profile and non-root user is specified in .Spec.SecurityContext.RunAsUser.(#1650)
+func (o *DebugOptions) displayWarning(container *corev1.Container, pod *corev1.Pod) {
+	if container == nil {
+		return
+	}
+
+	if pod.Spec.SecurityContext.RunAsUser == nil || *pod.Spec.SecurityContext.RunAsUser == 0 {
+		return
+	}
+
+	if container.SecurityContext == nil {
+		return
+	}
+
+	if container.SecurityContext.RunAsUser != nil && *container.SecurityContext.RunAsUser == 0 {
+		return
+	}
+
+	if (container.SecurityContext.Privileged == nil || !*container.SecurityContext.Privileged) &&
+		(container.SecurityContext.Capabilities == nil || len(container.SecurityContext.Capabilities.Add) == 0) {
+		return
+	}
+
+	_, _ = fmt.Fprintln(o.ErrOut, `Warning: Non-root user is configured for the entire target Pod, and some capabilities granted by debug profile may not work. Please consider using "--custom" with a custom profile that specifies "securityContext.runAsUser: 0".`)
+}
+
 // generateDebugContainer returns a debugging pod and an EphemeralContainer suitable for use as a debug container
 // in the given pod.
 func (o *DebugOptions) generateDebugContainer(pod *corev1.Pod) (*corev1.Pod, *corev1.EphemeralContainer, error) {
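Review bot: The second `if` in displayWarning dereferences `pod.Spec.SecurityContext` without a nil check, and that field is a `*PodSecurityContext`; pods served by the API server are normally defaulted to an empty struct, but a pod built locally (a unit test fixture, or any caller that passes an undefaulted object) will panic here, so guard it: `if pod.Spec.SecurityContext == nil || pod.Spec.SecurityContext.RunAsUser == nil || *pod.Spec.SecurityContext.RunAsUser == 0 {`. The check also looks only at `RunAsUser`, so a pod that expresses non-root solely through `runAsNonRoot: true` gets no warning even though the same capability problem presumably applies; worth either covering or noting in the comment. The leading comment does not follow the Go doc convention of starting with the identifier; replace it with `// displayWarning prints a warning to ErrOut when the target pod runs as a non-root user and the debug container's profile requests privilege or added capabilities that may not take effect (#1650).`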