If you want to debug an existing Pod, simply attach to it like this:
kubectl debug -it -n <NAMESPACE> <POD> --image=ghcr.io/boomer41/debug-container --image-pull-policy=AlwaysYou are then dropped into a shell - by default zsh.
It is good practice to run Pods as non-root. However, debugging sometimes needs root.
This images comes with a privilege escalation by design, to facilitate easy root access.
If you are not root, simply type get-root, and you'll be dropped into a new root shell.
Sometimes there is just the need to see exactly what is being handled by the Pod. This image contains an easy way to push the traffic to your local computer in order to decode it with Wireshark.
To dump the traffic, follow those steps:
-
Ensure you are root. If not, execute
get-root. -
Execute
tcpdump-port. By default, it listens to port10000/tcp. If that port is already in use, select another port by using--port <PORT>. -
In a second shell: Create a Port-Forward to the Pod:
kubectl port-forward -n <NAMESPACE> pods/<POD> 10001:10000. This opens port10001/tcpon your local machine and forwards it to the pod's port10000/tcp. Remember to adjust this command if you had to use a different port in step 2! -
In a third shell: Launch Wireshark. Remember to adjust the port here if you had to use a different local port in step 3!
For Linux:
nc -v 127.0.0.1 10001 | wireshark -k -i -For macOS:
nc -v 127.0.0.1 10001 | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i -
If you want to see all parameters of the program, execute tcpdump-port --help.