Manomugdha

Reputation: 11

k8s: Unable to run commands (e.g. ip route add ...) from an ephemeral container in a pod in Kubernetes

I have a pod named test-pod in k8s on GCP. This pod has a container named test-pod (same name as the pod). I want to attach an ephemeral container to this container and run a few commands, e.g. the ip route add command, to add some routes on the "test-pod" container from the ephemeral container. I have created the pod/container test-pod with the following securityContext:

Spec section of the pod of the yaml file:

spec:
  shareProcessNamespace: true
  containers:
  - name: test-pod
    image: xxx:1.0
    securityContext:
      privileged: true
      capabilities:
        add: ["SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE"]

This pod is up and running. Now I am trying to attach a debug container as follows:

kubectl debug -it test-pod --image=yyy:1.0 -n test

In the debugger container I am running the following command:

ip route add 10.10.10.0/24 dev eth2

It gives me the following error:

RTNETLINK answers: Operation not permitted  

whereas this route add command works fine in the test-pod container.

The "ip route show" command works fine from the debugger container.

Is it possible to run this command from the debugger container? If yes, then what am I missing? Please let me know.

Upvotes: 0

Views: 1026
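One way to see what the debugger is actually missing, as an added example that is not part of the original question: the netlink request behind "ip route add" (RTM_NEWROUTE) is refused with EPERM unless the calling process holds CAP_NET_ADMIN in the pod's network namespace, while "ip route show" (RTM_GETROUTE) needs no capability, which matches the symptom in the question. All containers in a pod share one network namespace, but each container only has the capabilities its own securityContext grants, so the capability set of the neighbouring test-pod container does not help the debugger. The POSIX shell snippet below reads the CapEff mask from /proc/<pid>/status text and checks capability number 12 (CAP_NET_ADMIN). The two /proc excerpts are constructed samples; the capability number comes from linux/capability.h, and the mask value 0xa80425fb is assumed to be the usual default container capability set rather than anything taken from the post.

```shell
#!/bin/sh
# Added example, not from the original question: decode a process's effective
# capability set (CapEff) and report whether CAP_NET_ADMIN is present.
# "ip route add" sends RTM_NEWROUTE over netlink, which the kernel refuses with
# EPERM ("RTNETLINK answers: Operation not permitted") without CAP_NET_ADMIN;
# "ip route show" (RTM_GETROUTE) needs no capability, so only the add fails.
NET_ADMIN_BIT=12   # capability number of CAP_NET_ADMIN (linux/capability.h)

# cap_eff_of STATUS_TEXT: print the hex CapEff mask found in /proc/<pid>/status text
cap_eff_of() {
    printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p'
}

# has_cap HEXMASK BIT: succeed (exit 0) when bit BIT is set in HEXMASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# net_admin_verdict STATUS_TEXT: print "yes" or "no" for CAP_NET_ADMIN
net_admin_verdict() {
    mask=$(cap_eff_of "$1")
    if has_cap "$mask" "$NET_ADMIN_BIT"; then echo yes; else echo no; fi
}

# Constructed samples (assumed values, not taken from the post):
# the usual default container capability set, which lacks CAP_NET_ADMIN ...
SAMPLE_DEFAULT='Name:   sh
CapEff: 00000000a80425fb'
# ... and the same set after adding NET_ADMIN through securityContext.capabilities
SAMPLE_NETADMIN='Name:   sh
CapEff: 00000000a80435fb'

echo "default debugger: CAP_NET_ADMIN=$(net_admin_verdict "$SAMPLE_DEFAULT")"   # no
echo "with NET_ADMIN:   CAP_NET_ADMIN=$(net_admin_verdict "$SAMPLE_NETADMIN")"  # yes
# Inside a real container, check the live shell instead of a sample:
if [ -r /proc/self/status ]; then
    echo "this shell:       CAP_NET_ADMIN=$(net_admin_verdict "$(cat /proc/self/status)")"
fi
```

Run it inside the debugger (kubectl debug drops you into a shell there) and compare with the same check inside the test-pod container; the verdict flips exactly when NET_ADMIN appears in the container's own capability set.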

Answers (2)

Manomugdha

Reputation: 11

I have found a way to do it. Kubectl does not support it, but it can be done using the kube API. Please check the following link: https://betterprogramming.pub/debugging-kubernetes-pods-deep-dive-d6b2814cd8ce

Upvotes: 0
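The API-level route this answer points at, shown as an added example rather than code from the answer or the linked article: the ephemeralcontainers subresource of a pod accepts a full securityContext for the ephemeral container, so the debugger can be granted exactly the capability the netlink call needs instead of running fully privileged. The names test-pod, test and yyy:1.0 are taken from the question; everything else is an assumption of this example, in particular that kubectl is 1.24 or newer (where "kubectl patch --subresource" is available) and that the cluster is reachable from the shell. Only the patch-building function runs offline; apply_debugger performs the real API call.

```shell
#!/bin/sh
# Added example (not the original poster's or the linked article's code):
# build an ephemeralContainers patch that gives the debug container
# CAP_NET_ADMIN, then apply it through the pod's ephemeralcontainers
# subresource. Assumes kubectl >= 1.24 for "kubectl patch --subresource".

# ephemeral_patch TARGET_CONTAINER IMAGE [NAME]: print the strategic-merge
# patch body for one ephemeral container named NAME (default "debugger").
ephemeral_patch() {
    target="$1"; image="$2"; name="${3:-debugger}"
    cat <<EOF
{
  "spec": {
    "ephemeralContainers": [
      {
        "name": "$name",
        "image": "$image",
        "command": ["sleep", "infinity"],
        "targetContainerName": "$target",
        "stdin": true,
        "tty": true,
        "securityContext": {
          "capabilities": { "add": ["NET_ADMIN"] }
        }
      }
    ]
  }
}
EOF
}

# apply_debugger NAMESPACE POD IMAGE: add the debugger to a running pod.
# The ephemeral container shares the pod's network namespace, so NET_ADMIN
# in its own capability set is what lets "ip route add" succeed there.
apply_debugger() {
    ns="$1"; pod="$2"; image="$3"
    kubectl -n "$ns" patch pod "$pod" \
        --subresource=ephemeralcontainers --type=strategic \
        -p "$(ephemeral_patch "$pod" "$image")"
    # Then get a shell in it:  kubectl -n "$ns" attach -it "$pod" -c debugger
}

# Usage: ./debug-netadmin.sh apply   (anything else just prints the patch)
if [ "${1:-}" = "apply" ]; then
    apply_debugger test test-pod yyy:1.0
else
    ephemeral_patch test-pod yyy:1.0
fi
```

Adding only NET_ADMIN, rather than privileged: true, keeps the debugger to the one capability the task requires; the main container in the question is already privileged, which this does not change. Newer kubectl (1.27 and later, as far as the debug profiles feature has shipped in your version) also offers kubectl debug --profile=netadmin, which grants the same capability without a hand-written patch; whether that flag is present depends on the kubectl release, so treat it as something to check rather than a given.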

Srividya

Reputation: 2323

The error RTNETLINK answers: Operation not permitted is raised when executing some tasks in ephemeral containers. Ephemeral containers share the same container spec as regular containers. However, some fields are disabled, and some behaviors are changed in ephemeral containers. These are special types of containers that run temporarily in an existing pod to accomplish user-initiated actions such as troubleshooting.

You use ephemeral containers to inspect services rather than to build applications.

  • Ephemeral containers may not have ports, so fields such as ports, livenessProbe, and readinessProbe are disallowed.

  • Pod resource allocations are immutable, so setting resources is disallowed.

This is why you cannot add routes to the regular container through ephemeral containers.

Refer to the ephemeral container spec for a complete list of fields.

Upvotes: 0
