kubectl debug: Display a warning message that the debug container's capabilities may not work with a non-root user (#127696)

* Add warning message about capabilities of debug container * fix1 * fix2 * fix3 Kubernetes-commit: 07a275437f304456b2a32159ec6550a71d020a64
2025-03-19 16:50:30 +09:00 · 2025-03-19 16:50:30 +09:00 · 5cbdedb625
parent 6203603c4a
commit 5cbdedb625
3 changed files with 44 additions and 3 deletions
--- a/go.mod
+++ b/go.mod
@ -30,7 +30,7 @@ require (
 	golang.org/x/sys v0.30.0
 	gopkg.in/evanphx/json-patch.v4 v4.12.0
 	k8s.io/api v0.0.0-20250319053034-feb95d943ada
-	k8s.io/apimachinery v0.0.0-20250319052758-7e8c77e774c9
+	k8s.io/apimachinery v0.0.0-20250319092800-e8a77bd768fd
 	k8s.io/cli-runtime v0.0.0-20250319060948-178adec27e2b
 	k8s.io/client-go v0.0.0-20250319053412-169f1af1bf07
 	k8s.io/component-base v0.0.0-20250319054524-7c899b094d78
--- a/go.sum
+++ b/go.sum
@ -198,8 +198,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/api v0.0.0-20250319053034-feb95d943ada h1:jkgp/vD+5CoL2n17AMKQ3g3ELsKmn+zBDXqwvpPvmXw=
 k8s.io/api v0.0.0-20250319053034-feb95d943ada/go.mod h1:MsIjX9SIqRiiwfw1r0s0lMHaMw6jhSX8h4VjblK393I=
-k8s.io/apimachinery v0.0.0-20250319052758-7e8c77e774c9 h1:vw/UFDFjwXc5W6nMCOUmIaFX19fkQ720CygFuZOS9jM=
-k8s.io/apimachinery v0.0.0-20250319052758-7e8c77e774c9/go.mod h1:D2UW665TVSpInyOuG6C+PMtC1MZheP0KQz65UPQEiI4=
+k8s.io/apimachinery v0.0.0-20250319092800-e8a77bd768fd h1:KoXgjwEokLM8o95kMxowg5vp5iQ4v46Kk+zobsqeTgU=
+k8s.io/apimachinery v0.0.0-20250319092800-e8a77bd768fd/go.mod h1:D2UW665TVSpInyOuG6C+PMtC1MZheP0KQz65UPQEiI4=
 k8s.io/cli-runtime v0.0.0-20250319060948-178adec27e2b h1:U2IpmC0Xy+HhTucipOTB8bW6K9swj0MxHk0QUa1DsRo=
 k8s.io/cli-runtime v0.0.0-20250319060948-178adec27e2b/go.mod h1:NrI3OaU2ZafaHBAFm1ao0G1jXkMseiOF+zx3O47n/Ig=
 k8s.io/client-go v0.0.0-20250319053412-169f1af1bf07 h1:UmlJkL72Xyrfs30rqXWtVUcjV15AeOggxctLIiKuNsE=
--- a/pkg/cmd/debug/debug.go
+++ b/pkg/cmd/debug/debug.go
@ -75,6 +75,9 @@ var (
 		            debugging utilities without restarting the pod.
 		* Node: Create a new pod that runs in the node's host namespaces and can access
 		        the node's filesystem.
+
+		Note: When a non-root user is configured for the entire target Pod, some capabilities granted 
+		by debug profile may not work.
 `))

 	debugExample = templates.Examples(i18n.T(`
@ -495,6 +498,8 @@ func (o *DebugOptions) debugByEphemeralContainer(ctx context.Context, pod *corev
 	}
 	klog.V(2).Infof("new ephemeral container: %#v", debugContainer)

+	o.displayWarning((*corev1.Container)(&debugContainer.EphemeralContainerCommon), pod)
+
 	debugJS, err := json.Marshal(debugPod)
 	if err != nil {
 		return nil, "", fmt.Errorf("error creating JSON for debug container: %v", err)
@ -611,6 +616,16 @@ func (o *DebugOptions) debugByCopy(ctx context.Context, pod *corev1.Pod) (*corev
 	if err != nil {
 		return nil, "", err
 	}
+
+	var debugContainer *corev1.Container
+	for i := range copied.Spec.Containers {
+		if copied.Spec.Containers[i].Name == dc {
+			debugContainer = &copied.Spec.Containers[i]
+			break
+		}
+	}
+	o.displayWarning(debugContainer, copied)
+
 	created, err := o.podClient.Pods(copied.Namespace).Create(ctx, copied, metav1.CreateOptions{})
 	if err != nil {
 		return nil, "", err
@ -624,6 +639,32 @@ func (o *DebugOptions) debugByCopy(ctx context.Context, pod *corev1.Pod) (*corev
 	return created, dc, nil
 }

+// Display warning message if some capabilities are set by profile and non-root user is specified in .Spec.SecurityContext.RunAsUser.(#1650)
+func (o *DebugOptions) displayWarning(container *corev1.Container, pod *corev1.Pod) {
+	if container == nil {
+		return
+	}
+
+	if pod.Spec.SecurityContext.RunAsUser == nil || *pod.Spec.SecurityContext.RunAsUser == 0 {
+		return
+	}
+
+	if container.SecurityContext == nil {
+		return
+	}
+
+	if container.SecurityContext.RunAsUser != nil && *container.SecurityContext.RunAsUser == 0 {
+		return
+	}
+
+	if (container.SecurityContext.Privileged == nil || !*container.SecurityContext.Privileged) &&
+		(container.SecurityContext.Capabilities == nil || len(container.SecurityContext.Capabilities.Add) == 0) {
+		return
+	}
+
+	_, _ = fmt.Fprintln(o.ErrOut, `Warning: Non-root user is configured for the entire target Pod, and some capabilities granted by debug profile may not work. Please consider using "--custom" with a custom profile that specifies "securityContext.runAsUser: 0".`)
+}
+
 // generateDebugContainer returns a debugging pod and an EphemeralContainer suitable for use as a debug container
 // in the given pod.
 func (o *DebugOptions) generateDebugContainer(pod *corev1.Pod) (*corev1.Pod, *corev1.EphemeralContainer, error) {