DEV Community

Cover image for k8s debug pod
AWS Community Builders profile image dejanualex
dejanualex for AWS Community Builders

Posted on • Originally published at dejanualex.Medium

k8s debug pod

#kubernetes #eks #devops #containers

At various points in an Amazon EKS cluster’s lifecycle, direct access to a worker node may be required. This can be done using kubectl debug to open an interactive shell on the target node.

# start debug container
kubectl debug nodes/<nodename> --profile=sysadmin -it --image=<image>
Enter fullscreen mode Exit fullscreen mode
  • The root filesystem of the Node will be mounted at /host.
  • The container runs in the host IPC, Network, and PID namespaces, although the pod isn’t privileged, so reading some process information may fail, and chroot /host may fail.
  • If you need a privileged pod, create it manually or use the --profile=sysadmin flag.

The sysadmin profile typically sets up the pod with:

  • privileged: true
  • hostPID: true (for node networking)
  • hostNetwork: true (for process visibility)
  • host filesystem mounted at /host

debug pod

Next to “switch” from the container filesystem you need to chroot /host And from there you are effectively in the node’s userland, and you can use the node’s binaries:

interactive debug pod

kubectl debug creates a debug pod with a name derived from the node name, so remember to delete the pod once you’re done debugging.

debug pods

Top comments (0)