timblaktu

Reputation: 435

Root Access to Fargate Containers deployed on EKS for Troubleshooting

I am troubleshooting application issues on pods/containers deployed using Fargate into an EKS cluster. Using kubectl exec works OK for some things, but it only appears to work as the normal/default user, and I need rooty things like listing users/PIDs throughout the system (collecting lsof, netstat type info).

Does anyone know if AWS's new ECS Exec is supposed to be able to access ANY container running on Fargate, even those deployed to EKS clusters (as opposed to ECS)? The docs for ECS Exec don't mention EKS at all and are quite ambiguous on this question, except for the following excerpt from the aforelinked docs:

Server-side requirements (AWS Fargate)

If the ECS task and its container(s) are running on Fargate, there is nothing you need to do because Fargate already includes all the infrastructure software requirements to enable this ECS capability. Because the Fargate software stack is managed through so-called “Platform Versions” (read this blog if you want to have an AWS Fargate Platform Versions primer), you only need to make sure that you are using PV 1.4 (which is the most recent version and ships with the ECS Exec prerequisites).

I'm guessing that it might work, but don't want to waste time if it's not. Anyone know?

If not, how do you do root-level debugging on Fargate-managed containers deployed to EKS?

Are you required to install ssh server/user/creds in the container to do this? This feels like a worst-practice in terms of security.

Upvotes: 1

Views: 1139

Answers (1)

gohm'c

Reputation: 15490

Pods with securityContext.privileged: true, or even hostPort or hostNetwork, cannot run on Fargate; there is no access to resources outside the container boundary, including PersistentVolumes backed by EBS (this one really tells you how strict it is). As a result, it doesn't matter whether ecs exec as a command works or not; you simply don't have the privilege to do low-level debugging on Fargate infra. Commonly, you run debugging on EC2 and deploy on Fargate when ready.

Upvotes: 1
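As an added example (not code from either poster), here is a small pre-flight check that walks a pod manifest, in the JSON shape `kubectl get pod -o json` returns, and reports each of the settings the answer lists as not runnable on Fargate: privileged containers, hostPort, hostNetwork, and EBS-backed volumes. The debug pod it is run against is constructed for illustration.

```python
"""Pre-flight check for pod settings that Fargate rejects.

Added example; not code from the original post. Inspects a Kubernetes Pod
manifest (dict parsed from `kubectl get pod <name> -o json`) and lists the
settings named in the answer above: privileged containers, hostPort,
hostNetwork, and EBS-backed volumes. PVC volumes are flagged for manual
review because the manifest alone does not show what backs them.
"""
import json


def fargate_blockers(pod: dict) -> list:
    """Return human-readable reasons this pod cannot be scheduled on Fargate."""
    spec = pod.get("spec", {})
    problems = []
    if spec.get("hostNetwork"):
        problems.append("spec.hostNetwork=true")
    # Init containers are subject to the same restrictions as app containers.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            problems.append(f"container {c['name']}: privileged=true")
        for p in c.get("ports", []):
            if p.get("hostPort"):
                problems.append(f"container {c['name']}: hostPort={p['hostPort']}")
    for v in spec.get("volumes", []):
        if "awsElasticBlockStore" in v:
            problems.append(f"volume {v['name']}: EBS-backed (awsElasticBlockStore)")
        if "persistentVolumeClaim" in v:
            problems.append(f"volume {v['name']}: PVC (verify it is not EBS-backed)")
    return problems


# Constructed sample: the kind of "debug" pod one might write to collect
# system-wide PID/socket info. Every one of its tricks is rejected on Fargate.
DEBUG_POD = json.loads("""{
 "apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "debug"},
 "spec": {
  "hostNetwork": true,
  "containers": [{"name": "tools", "image": "busybox",
   "securityContext": {"privileged": true},
   "ports": [{"containerPort": 8080, "hostPort": 8080}]}],
  "volumes": [{"name": "data", "awsElasticBlockStore": {"volumeID": "vol-EXAMPLE"}}]
 }
}""")

if __name__ == "__main__":
    for reason in fargate_blockers(DEBUG_POD):
        print("not allowed on Fargate:", reason)
```

Run it against a real manifest with `kubectl get pod <name> -o json | python3 -c 'import json,sys; ...'` or by loading the file; an empty list means none of the listed settings is present.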
