kubespy is a kubectl plugin to debug a running pod. It creates a short-lived spy container, using specified image containing all the required debugging tools, to "spy" the target container by joining its OS namespaces. So the original target container image can keep clean without sacrificing the convenience for debugging on demand.
kubespy is similar to kubectl-debug. In contrast to the latter, kubespy works without the EphemeralContainers feature which is an experimental alpha feature and needs to be activated per pod.
Meanwhile kubespy has its own prerequisites - the cluster must use docker as container runtime and you need to be able to run privileged pods.
You can install either from source or with krew
$ curl -so kubectl-spy https://raw.githubusercontent.com/huazhihao/kubespy/master/kubespy
$ sudo install kubectl-spy /usr/local/bin/$ kubectl krew install spy$ kubectl spy [-c CONTAINER] [-n NAMESPACE] [--spy-image IMAGE] POD
# debug the primary (first) container in pod mypod
$ kubectl spy mypod
# specify pod namespace
$ kubectl spy mypod -n default
# specify debugee container
$ kubectl spy mypod -c mycontainer
# specify spy-image
$ kubectl spy mypod --spy-image busybox
# specify entrypoint for interaction
$ kubectl spy mypod --entrypoint /bin/shlocal machine: kubectl spy
|
v
master node: kube-apiserver
|
v
worker node: kubelet
| create
v
spy container
| join namespace: pid/net/ipc/mount
v
target container
By using kubespy and kubeproxy together, will be able to expose port for remote debugging on a running pod.
Below is an example illustrating how to remote debug a Go http server.
$ kubectl run --image kubespy-port-demo --port=8000 --restart=Never mypod --dry-run=client -o yaml > kubespy-port-demo.yamlAdd imagePullPolicy: Never if you want kubelet to use local image.
Create pod and service.
$ kubectl apply -f kubespy-port-demo.yaml
$ kubectl expose pod mypod --port=8000 --name=mypod
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
mypod ClusterIP 10.111.9.130 <none> 8000/TCP 9s
$ curl http://10.111.9.130:8000
{"message":"hello"}Run kubespy and install dlv. dlv's remote debugging protocol is json/rpc via tcp/streaming.
$ ./kubespy --spy-image golang mypod
loading spy pod spy-7bdaf6b74933 ...
If you don't see a command prompt, try pressing enter.
# go install github.com/go-delve/delve/cmd/dlv@latestIn this case, ptrace is required on node.
echo 0 > /proc/sys/kernel/yama/ptrace_scopeRun dlv to attach Go process.
Note: dlv will ignore most OS signals except SIGKILL. In order to close dlv and spy container after, it is better run dlv at background.
# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 708144 7012 ? Ssl 03:29 0:00 /go/bin/kubespy-port-demo
root 11 0.4 0.0 2416 576 pts/0 Ss 03:34 0:00 /bin/sh
root 18 0.0 0.1 6696 2892 pts/0 R+ 03:34 0:00 ps aux
# dlv --listen=:2345 --headless=true --log=true --log-output=debugger,debuglineerr,gdbwire,lldbout,rpc --api-version=2 --accept-multiclient attach 1 &>> dlv.log &
Run kubeproxy to forward debug port
$ kubectl port-forward --address 0.0.0.0 mypod 2345
Forwarding from 0.0.0.0:2345 -> 2345
Suppose you are using vscode. Create .vscode/launch.json with below content.
{
"version": "0.2.0",
"configurations": [
{
"name": "go",
"type": "go",
"request": "attach",
"mode": "remote",
"port": 2345,
"host": "your_kubeproxy_IP",
"trace": "verbose"
}
]
}Start debugging in vscode
