Legacy server support for ephemeral containers was added in kubectl
debug in 1.22. Since now we are in 1.29, we can safely remove ephemeral
container legacy server support because 1.22 is already far away from
the supported version skew boundary.
Kubernetes-commit: fdea6ad17d74c7f39e55d4ae2b57f2430c12eaba
Currently, kubectl debug statically relies on handleAttachPod function
in order to attach to the pod.
However, external tools would want to set their own customized attach
function and this commit introduces a generic `AttachFunc` function interface
which can also be overridden by external tools.
From the point of kubectl debug, there is no functionality change.
Kubernetes-commit: baed6240468250c855a5ec235e47a64e078bd042
* redo commit
* apply suggestions from liggitt
* update Parse function based on suggestions
Kubernetes-commit: a5b3a4b738e9576b68c3083de8b72002e0b45551
Make it possible to parse jsonpath filter expressions: Split
jsonpath expressions on single '=' only and leave '==' as part of the
string.
Reported-at: https://github.com/kubernetes/kubernetes/issues/119206
Signed-off-by: Andreas Karis <ak.karis@gmail.com>
Kubernetes-commit: 41889984304c44b879d8bcae92c9ed7aa3fd8c67
Since explain openapiv3 has been moved to beta already, there is no
point in having this environment variable.
This PR removes it.
Kubernetes-commit: 4d8f569b037d2979c1d9c5825e5227aadfc8077f
add integration test to wait for json without value
refactor JSON condition value parsing and validating
adjusting test to reflect the error message refactoring
Kubernetes-commit: dbdd861ea366af50fb74983426587dad7222cb89
Extend current JSONPath condition logic to return from wait on "any" value.
Change parsing JSONPath input to support the syntax without value.
Match any simple or complex (object or array) values.
Kubernetes-commit: 9d3e55ec431f3f595a7739fcc592602f7cc1d69b
This PR decouples the command options from the input flags.
The input flags from the command are then translated to
options which are further used while running the command.
Signed-off-by: Varsha Prasad Narsing <varshaprasad96@gmail.com>
Kubernetes-commit: 8f229057484453bd1b820d00c940efbbc56addc5
This touches cases where FromInt() is used on numeric constants, or
values which are already int32s, or int variables which are defined
close by and can be changed to int32s with little impact.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Kubernetes-commit: 45836971f27ca70cd7742e8ee66e99e3c648cf9f
- test.args should be passed instead of the os.Args of the test framework
to prevent simple invocation of kubectl without args that could
manifest in false positive test runs
- plugin execution should have a different test path
- tests should invoke functioning kubectl commands instead of the mock
ones to ensure the correct subcommand is executed without a failure
Kubernetes-commit: 8b9cbe62025da49a31518870f2aea0ce9797d3ce
Plugin subcommand resolution is relatively less used than the
builtin subcommands. That's why, instead of always initializing a
hash map in memory, it would be better to use a getter function that only
serves as needed.
In addition to that, this function will be exported so that external
libraries can use it.
Kubernetes-commit: 4634073d0b979d2827106a0a1010456ac420baa8
* add no resources found message to rollout-status command
* return err if not nil before no resource message
Kubernetes-commit: a5575425b039bf7c15dfaa9a7acf257fdc4fde3f
T.Setenv ensures that the environment is returned to its prior state
when the test ends. It also panics when called from a parallel test to
prevent racy test interdependencies.
Kubernetes-commit: 2181eea48435310d1b6e366ea8db2968c4941b93
kubectl defaults to /bin/bash if the SHELL environment variable isn't
set. Updating the docs to mention that you can override the shell
location by setting the SHELL environment variable.
Kubernetes-commit: 0a508ad8067dcc8d48420daca536fca09df5846b
Users can pass resources into the `kubectl events` command via the `--for` flag,
if they have a desire to only get events for the resource they specify.
However, the current `kubectl events` does not support passing fully qualified
names (e.g. `replicasets.apps`, `cronjobs.v1.batch`, etc.). This PR adds support
for this.
Kubernetes-commit: 457bb58ebbf5a863ce30f51c53a84bc41c2380dc
To improve wall-clock speed, we run list operations in parallel. This
particularly helps when the round-trip time is high.
We issue requests as quickly as possible, kube-apiservers should all
have priority and fairness at this point and we don't want to
duplicate/fight that system.
Kubernetes-commit: 82eee59d0feb4b303e6ef78ebb7ec646a059f266
* Test for ApplySet with --dry-run=client|server
* Use the real format for ApplySet ID
* Incorporate feedback
* Adjustments from rebase
Kubernetes-commit: 6a31757f45693fec5ea4723bcb405ce4437e31ca
This PR sets higher priority to the `share-processes` flag than
provided profile.
For example, if user tries to use copy-to debugging with restricted
profiling, share process namespace should be false if user explicitly
disables it via `--share-processes=false`.
Kubernetes-commit: 0e98533d1b7a4d2ebf414575ff81905933c31c63
Removes the need to pass cmd as an argument to Run(). This change required reading the --sort-by flag in Complete() in a way similar to other flags.
This change allows the cobra.Command not to need to be passed throughout the completion code, which I updated as part of this commit.
It also is a step in the direction of the TODO comment requesting the removal of arguments passed to Run() and watch().
Kubernetes-commit: aa7a828f20b479a8a943d897224e8e76c3bb6cff
* Enable plugin resolution as subcommand for selected builtin commands
This PR adds external plugin resolution as subcommand for selected builtin
commands if subcommand does not exist as builtin.
In its alpha stage, this will only be enabled for create command and
this feature is hidden behind `KUBECTL_ENABLE_CMD_SHADOW` environment variable.
* Rename parameter to exactMatch to better reflect
Kubernetes-commit: a901bb630b5a353898c1b35df582a7faeef160a0
Ensure that the restricted debug profile with the node debugging
styles doesn't clear security context after we have already set
runAsNonRoot and drop-all capabilities.
Kubernetes-commit: f0b7063481828ec632e22cff29c179745bbe23e3
As we apply objects when using apply/prune v2, we want to be sure they
include the label that ties them back to the applyset they are part
of.
Co-Authored-By: Katrina Verey <katrina.verey@shopify.com>
Kubernetes-commit: ab058308401b35b4865424cfa43ed75a554af2a3
Unit test netadmin profile preserves existing capabilities.
Unit test debug profiles in TestGenerateNodeDebugPod
Unit test debug profiles in TestGeneratePodCopyWithDebugContainer
Organize Go imports in unit tests
Signed-off-by: Will Daly <widaly@microsoft.com>
Kubernetes-commit: 21e8d2958190e9813fe1122d1e7a91e8143a5193
As part of the move towards using the `restClientGetter` interface instead of
the gigantic `cmd.Factory`, this PR does that change.
Kubernetes-commit: f5b0d728c59fbcca571e4a21ca2f473149e72f03
Since `explicitNamespace` is set by kubeconfig automatically, we can
safely add this field into ignore list.
Kubernetes-commit: c40f9f8bbb34d9bc58dbf8e6c7f664aacb0c5b91
Currently `kubectl debug` only supports passing names in command line.
However, users might want to pass resources in files by passing `-f` flag like
in all other kubectl commands.
This PR adds this ability.
Kubernetes-commit: e0fedec69d494cf02ac99a83733d7d92f6cc0c51
* feat(debug): add more profiles
Signed-off-by: Jian Zeng <anonymousknight96@gmail.com>
* feat(debug): implement several debugging profiles
Including `general`, `baseline` and `restricted`.
I plan to add more profiles afterwards, but I'd like to get early
reviews.
Signed-off-by: Jian Zeng <anonymousknight96@gmail.com>
* test: add some basic tests
Signed-off-by: Jian Zeng <anonymousknight96@gmail.com>
* chore: add some helper functions
Signed-off-by: Jian Zeng <anonymousknight96@gmail.com>
* ensure pod copies always get their probes cleared
not wanting probes to be present is something we want
for all the debug profiles; so an easy place to implement
this is at the time of pod copy generation.
* ensure debug container in pod copy is added before the profile application
The way that the container list modification was deferred causes the
debug container to be added after the profile applier runs. We now
make sure to have the container list modification happen before
the profile applier runs.
* make switch over pod copy, ephemeral, or node more clear
* use helper functions
added a helper function to modify a container out of a list that
matches the provided container name.
also added a helper function that adds capabilities to container
security.
* add tests for the debug profiles
* document new debugging profiles in command line help text
* add file header to profiles_test.go
* remove URL to KEP from help text
* move probe removal to the profiles
* remove mustNewProfileApplier in tests
* remove extra whiteline from import block
* remove isPodCopy helper func
* switch baselineProfile to using the modifyEphemeralContainer helper
* rename addCap to addCapability, and don't do deep copy
* fix godoc on modifyEphemeralContainer
* export DebugOptions.Applier for extensibility
* fix unit test
* fix spelling on overriden
* remove debugStyle facilities
* inline setHostNamespace helper func
* remove modifyContainer, modifyEphemeralContainer, and remove probes
their logic has been in-lined at call sites
* remove DebugApplierFunc convenience facility
* fix baseline profile implementation
it shouldn't have SYS_PTRACE based on
https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/1441-kubectl-debug#profile-baseline
* remove addCapability helper, in-lining at call sites
* address Arda's code review comments
1 use Bool instead of BoolPtr (now deprecated)
2 tweak for loop to continue when container name is not what we expect
3 use our knowledge on how the debug container is generated to simplify
our modification to the security context
4 use our knowledge on how the pod for node debugging is generated to no
longer explicitly set pod's HostNetwork, HostPID and HostIPC fields to
false
* remove tricky defer in generatePodCopyWithDebugContainer
* provide helper functions to make debug profiles more readable
* add note to remind people about updating --profile's help text when adding new profiles
* Implement helper functions with names that improve readability
* add styleUnsupported to replace debugStyle(-1)
* fix godoc on modifyContainer
* drop style prefix from debugStyle values
* put VisitContainers in podutils & use that from debug
* cite source for ContainerType and VisitContainers
* pull in AllContainers ContainerType value
* have VisitContainer take pod spec rather than pod
* in-line modifyContainer
* unexport helper funcs
* put debugStyle at top of file
* merge profile_applier.go into profile.go
* tweak dropCapabilities
* fix allowProcessTracing & add a test for it
* drop mask param from help funcs, since we can already unambiguously identify the container by name
* fix grammar in code comment
---------
Signed-off-by: Jian Zeng <anonymousknight96@gmail.com>
Co-authored-by: Jian Zeng <anonymousknight96@gmail.com>
Kubernetes-commit: d35da348c60a3c7505419741f2546ff8b0e38454
Matches same behavior as for kubectl apply
Signed-off-by: Daniel Lenar <dlenar@vailsys.com>
Kubernetes-commit: d53af227870a8e4434a0bf2f58770ec4dbec241f
* Wire generic context to better handle timeout
* Add integration test for wait timeout
* kubectl wait: Fix integration test always passing issue
Currently, `kubectl wait` integration test always passes even if
it gets an error. Problem is object check is done after errexit is
turned off.
This PR redirects error to output and correctly assures that
object is expected status and if it is not, test should fail.
Kubernetes-commit: 369534c6ec625ed9b251b453215c9578cdeb59bc