Ephemeral Containers: Debugging Kubernetes Pods
Ephemeral containers, now GA in Kubernetes 1.24, allow you to add debugging containers to running pods without restarting them. This feature revolutionizes troubleshooting in production.
Basic Usage
# Add debug container to running pod
kubectl debug -it myapp-pod --image=busybox --target=myapp
# Use a more capable debug image
kubectl debug -it myapp-pod --image=nicolaka/netshoot --target=myapp
# Debug with Ubuntu for package installation
kubectl debug -it myapp-pod --image=ubuntu --target=myapp
Sharing Process Namespace
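# Share process namespace with target container
# (--target already places the ephemeral container in the target's process
# namespace; --share-processes only applies together with --copy-to)
kubectl debug -it myapp-pod \
  --image=busybox \
  --target=myapp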
Inside the debug container:
# View processes from target container
ps aux
# Trace system calls (needs a debug image that ships strace, and ptrace permission on the target process)
strace -p <pid>
# Network debugging
netstat -tulpn
ss -tulpn
Creating Debug Copies
# Create a copy of the pod for debugging
kubectl debug myapp-pod -it --copy-to=myapp-debug --container=debug --image=ubuntu
# Copy with modified command
kubectl debug myapp-pod -it \
--copy-to=myapp-debug \
--container=myapp \
--image=myapp:debug \
-- /bin/sh
Debug Profiles
# Use predefined profiles
kubectl debug -it myapp-pod --image=busybox --profile=general
kubectl debug -it myapp-pod --image=busybox --profile=baseline
kubectl debug -it myapp-pod --image=busybox --profile=restricted
Common Debugging Scenarios
Network Troubleshooting
kubectl debug -it myapp-pod --image=nicolaka/netshoot --target=myapp
# Inside debug container
curl -v http://service-name.namespace.svc.cluster.local
nslookup service-name
tcpdump -i any port 80
File System Inspection
kubectl debug -it myapp-pod --image=busybox --target=myapp
# Access target container filesystem
ls /proc/1/root/app/
cat /proc/1/root/app/config.yaml
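Auditing Ephemeral Containers
An ephemeral container cannot be removed from a pod once it has been added, so every debug session above leaves a record in the pod spec. The following is an added example, not part of the original post: it inventories those records from `kubectl get pods -o json` output and flags the securityContext each debug container was given. The flag names, the capability list and the sample pods are assumptions constructed for illustration.

```python
import json
import sys

# Capabilities that widen what a debug container can do to its target (list is an assumption).
RISKY_CAPS = {"ALL", "NET_ADMIN", "NET_RAW", "SYS_ADMIN", "SYS_PTRACE"}

def audit_ephemeral_containers(doc):
    """Return one finding per ephemeral container in `kubectl get pods -o json` output."""
    findings = []
    for pod in doc.get("items", [doc]):  # a PodList, or a single Pod object
        meta = pod.get("metadata", {})
        for ec in pod.get("spec", {}).get("ephemeralContainers") or []:
            sc = ec.get("securityContext") or {}
            added = set((sc.get("capabilities") or {}).get("add") or [])
            flags = []
            if sc.get("privileged"):
                flags.append("privileged")
            if added & RISKY_CAPS:
                flags.append("caps:" + ",".join(sorted(added & RISKY_CAPS)))
            if sc.get("allowPrivilegeEscalation") is not False:
                flags.append("privilege-escalation-not-disabled")
            if sc.get("runAsNonRoot") is not True:  # container-level setting only
                flags.append("no-runAsNonRoot")
            findings.append({"pod": f'{meta.get("namespace", "default")}/{meta.get("name")}',
                             "container": ec.get("name"), "image": ec.get("image"),
                             "target": ec.get("targetContainerName"), "flags": flags})
    return findings

# Constructed sample input, trimmed to the fields the audit reads.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "prod", "name": "myapp-pod"},
   "spec": {"containers": [{"name": "myapp"}],
            "ephemeralContainers": [
              {"name": "debugger-a", "image": "nicolaka/netshoot", "targetContainerName": "myapp",
               "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}}},
              {"name": "debugger-b", "image": "busybox", "targetContainerName": "myapp",
               "securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": false,
                                   "capabilities": {"drop": ["ALL"]}}}]}},
  {"metadata": {"namespace": "prod", "name": "other-pod"},
   "spec": {"containers": [{"name": "web"}]}}
]}
""")

if __name__ == "__main__":
    # Real data: kubectl get pods -A -o json | python3 audit.py -
    doc = json.load(sys.stdin) if "-" in sys.argv[1:] else SAMPLE
    for f in audit_ephemeral_containers(doc):
        print(f'{f["pod"]} {f["container"]} image={f["image"]} target={f["target"]} {f["flags"]}')
```

Run without arguments it reports on the embedded sample; pass `-` to read live cluster output from standard input.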
Summary
Ephemeral containers enable live debugging of production pods without disruption, making troubleshooting faster and safer.