* Remove KUBECTL_DEBUG_CUSTOM_PROFILE env var
* Add e2e test for custom profile in kubectl debug
* Keep feature flag until 1.33
* Update comment
* Simplify tests by relying on test framework functionality
* Rename import alias to better to pass verify-import-alias
Kubernetes-commit: 1caf9a150b794a7c4a17e63a54b902ec0b0be570
This PR adds a `custom` flag to let users customize debug resources.
The `custom` flag accepts a partial container spec in JSON format.
Kubernetes-commit: af2dadcb18a0411a0f9aa286c743801efdb81049
github.com/docker/distribution/reference has a new home github.com/distribution/reference
and a new tag v0.5.0. Let's switch to that.
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: 889c8e919bdc8115ad579bb092a4dafdf695754e
Legacy server support for ephemeral containers was added in kubectl
debug in 1.22. Since now we are in 1.29, we can safely remove ephemeral
container legacy server support because 1.22 is already far away from
the supported version skew boundary.
Kubernetes-commit: fdea6ad17d74c7f39e55d4ae2b57f2430c12eaba
Currently, kubectl debug statically relies on the handleAttachPod function
in order to attach to the pod.
However, external tools would want to set their own customized attach
function and this commit introduces a generic `AttachFunc` function interface
which can also be overridden by external tools.
From the point of kubectl debug, there is no functionality change.
Kubernetes-commit: baed6240468250c855a5ec235e47a64e078bd042
As part of the move towards using the `restClientGetter` interface instead of
the gigantic `cmd.Factory`, this PR makes that change.
Kubernetes-commit: f5b0d728c59fbcca571e4a21ca2f473149e72f03
Currently `kubectl debug` only supports passing names in command line.
However, users might want to pass resources in files by passing `-f` flag like
in all other kubectl commands.
This PR adds this ability.
Kubernetes-commit: e0fedec69d494cf02ac99a83733d7d92f6cc0c51
* feat(debug): add more profiles
Signed-off-by: Jian Zeng <anonymousknight96@gmail.com>
* feat(debug): implement several debugging profiles
Including `general`, `baseline` and `restricted`.
I plan to add more profiles afterwards, but I'd like to get early
reviews.
Signed-off-by: Jian Zeng <anonymousknight96@gmail.com>
* test: add some basic tests
Signed-off-by: Jian Zeng <anonymousknight96@gmail.com>
* chore: add some helper functions
Signed-off-by: Jian Zeng <anonymousknight96@gmail.com>
* ensure pod copies always get their probes cleared
not wanting probes to be present is something we want
for all the debug profiles; so an easy place to implement
this is at the time of pod copy generation.
* ensure debug container in pod copy is added before the profile application
The way that the container list modification was deferred causes the
debug container to be added after the profile applier runs. We now
make sure to have the container list modification happen before
the profile applier runs.
* make switch over pod copy, ephemeral, or node more clear
* use helper functions
added a helper function to modify a container out of a list that
matches the provided container name.
also added a helper function that adds capabilities to container
security.
* add tests for the debug profiles
* document new debugging profiles in command line help text
* add file header to profiles_test.go
* remove URL to KEP from help text
* move probe removal to the profiles
* remove mustNewProfileApplier in tests
* remove extra whiteline from import block
* remove isPodCopy helper func
* switch baselineProfile to using the modifyEphemeralContainer helper
* rename addCap to addCapability, and don't do deep copy
* fix godoc on modifyEphemeralContainer
* export DebugOptions.Applier for extensibility
* fix unit test
* fix spelling on overriden
* remove debugStyle facilities
* inline setHostNamespace helper func
* remove modifyContainer, modifyEphemeralContainer, and remove probes
their logic has been in-lined at call sites
* remove DebugApplierFunc convenience facility
* fix baseline profile implementation
it shouldn't have SYS_PTRACE based on
https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/1441-kubectl-debug#profile-baseline
* remove addCapability helper, in-lining at call sites
* address Arda's code review comments
1 use Bool instead of BoolPtr (now deprecated)
2 tweak for loop to continue when container name is not what we expect
3 use our knowledge on how the debug container is generated to simplify
our modification to the security context
4 use our knowledge on how the pod for node debugging is generated to no
longer explicitly set pod's HostNetwork, HostPID and HostIPC fields to
false
* remove tricky defer in generatePodCopyWithDebugContainer
* provide helper functions to make debug profiles more readable
* add note to remind people about updating --profile's help text when adding new profiles
* Implement helper functions with names that improve readability
* add styleUnsupported to replace debugStyle(-1)
* fix godoc on modifyContainer
* drop style prefix from debugStyle values
* put VisitContainers in podutils & use that from debug
* cite source for ContainerType and VisitContainers
* pull in AllContainers ContainerType value
* have VisitContainer take pod spec rather than pod
* in-line modifyContainer
* unexport helper funcs
* put debugStyle at top of file
* merge profile_applier.go into profile.go
* tweak dropCapabilities
* fix allowProcessTracing & add a test for it
* drop mask param from help funcs, since we can already unambiguously identify the container by name
* fix grammar in code comment
---------
Signed-off-by: Jian Zeng <anonymousknight96@gmail.com>
Co-authored-by: Jian Zeng <anonymousknight96@gmail.com>
Kubernetes-commit: d35da348c60a3c7505419741f2546ff8b0e38454
- Run hack/update-codegen.sh
- Run hack/update-generated-device-plugin.sh
- Run hack/update-generated-protobuf.sh
- Run hack/update-generated-runtime.sh
- Run hack/update-generated-swagger-docs.sh
- Run hack/update-openapi-spec.sh
- Run hack/update-gofmt.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes-commit: a9593d634c6a053848413e600dadbf974627515f
Validate function is used to validate command options and should not get
any additional parameter. To preserve compatibility across all
kubectl commands, this PR removes all parameters in validate functions.
Kubernetes-commit: 8fb423bfabe0d53934cc94c154c7da2dc3ce1332
* kubectl debug: print container messages
This provides feedback to the user, for example that the server is
unable to pull the debug container image.
* Label debug container updates as warnings
Co-authored-by: Eddie Zaneski <eddiezane@gmail.com>
Kubernetes-commit: 90956e6d3e9df02d932f9954911b89a3fd1619fb
The ephemeral containers API changed in 1.22. As a result, kubectl
debug (currently) cannot create ephemeral containers in clusters prior
to 1.22.
This change causes kubectl to retry the request using the old API when
it receives a specific error message from the server.
Kubernetes-commit: 06124c1d1c68ec4a30406bf585df2ec83231cb65
Add a warning message to `kubectl debug` when using the `--target`
option as many runtimes don't support it yet.
Kubernetes-commit: 968185e1f7c4aee739d5abe6133a690c70e87d5e
* Use deep copies in `PrepareForUpdate()`
* Preserve select metadata from new pod
* Use patch to add ephemeral container `kubectl debug`
* Distinguish between pod vs /ephemeralcontainers NotFound
Kubernetes-commit: 97726a50c138557522def7f753ec8581d00f0b02
This changes the `/ephemeralcontainers` subresource of `/pods` to use
the `Pod` kind rather than `EphemeralContainers`.
When designing this API initially it seemed preferable to create a new
kind containing only the pod's ephemeral containers, similar to how
binding and scaling work.
It later became clear that this made admission control more difficult
because the controller wouldn't be presented with the entire Pod, so we
updated this to operate on the entire Pod, similar to how `/status`
works.
Kubernetes-commit: d22dc5cb72a627341f4004b5d58d275f3d8773b3
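
An added example, not part of the commit above or of the Kubernetes code base: a minimal check of the kind an admission controller can run once the `/ephemeralcontainers` subresource carries the whole `Pod`, combining a pod-level field with a debug container's capabilities. The `pod` type, the `reviewEphemeral` function, the policy it applies and the sample JSON are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Pod schema for this check (not the k8s.io/api types).
type pod struct {
	Spec struct {
		HostPID             bool `json:"hostPID"`
		EphemeralContainers []struct {
			Name            string `json:"name"`
			SecurityContext struct {
				Capabilities struct {
					Add []string `json:"add"`
				} `json:"capabilities"`
			} `json:"securityContext"`
		} `json:"ephemeralContainers"`
	} `json:"spec"`
}

// Constructed sample of a Pod as submitted to the /ephemeralcontainers subresource.
const samplePod = `{"spec": {"hostPID": true, "containers": [{"name": "app"}], "ephemeralContainers": [
  {"name": "debugger-1", "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}}},
  {"name": "debugger-2"}]}}`

// reviewEphemeral (hypothetical policy) returns one finding per risky setting.
func reviewEphemeral(raw []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	findings := []string{}
	for _, c := range p.Spec.EphemeralContainers {
		for _, name := range c.SecurityContext.Capabilities.Add {
			findings = append(findings, c.Name+": adds "+name)
			// Pod-level context is available because the whole Pod is submitted.
			if name == "SYS_PTRACE" && p.Spec.HostPID {
				findings = append(findings, c.Name+": SYS_PTRACE in a hostPID pod")
			}
		}
	}
	return findings, nil
}

func main() {
	fmt.Println(reviewEphemeral([]byte(samplePod)))
}
```
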
Fix containerNameToRef func to get init containers and ephemeral containers properly.
Set EphemeralContainers in generatePodCopyWithDebugContainer func to nil which means
dropping ephemeral containers from a copy of pod so that it can be created successfully,
otherwise it is rejected by the API server.
Kubernetes-commit: bf3dfaf99942eab20fac1570ca0146d32cb93b57
When called with a node target, `kubectl debug` will create a run-once
pod in the target node's namespaces.
Kubernetes-commit: 7e63cc8b9d592abbb8a659205555e67b57080837