Ephemeral Containers #277

Open
17 of 21 tasks
verb opened this issue Apr 25, 2017 · 158 comments
Labels
kind/api-change kind/feature sig/cli sig/node stage/beta tracked/no

Comments

@verb
Contributor

@verb verb commented Apr 25, 2017

Feature Description

  • One-line feature description (can be used as a release note): Support advanced troubleshooting of running pods by running a new container image in shared pod namespaces.
  • Kubernetes Enhancement Proposal: https://git.k8s.io/enhancements/keps/sig-node/277-ephemeral-containers
  • Primary contact (assignee): @verb
  • Responsible SIGs: sig-node
  • Feature target (which target equals to which milestone):
    • Alpha release target (1.16)
    • Beta release target (1.23)
    • Stable release target (x.y)

Documentation

Milestones

These are the user-visible milestones on the way towards a Kubernetes release that will support kubectl debug functionality. Those interested can follow this issue for updates. I've included estimated release targets, but these are highly dependent on reviewer availability and should not be relied upon.

  • Ephemeral containers added to core API (landed 1.16)
  • kubelet support for creating basic ephemeral containers (landed 1.16)
  • kubectl command to launch ephemeral containers (landed 1.17)
  • kubelet support for namespace targeting (landed 1.18)
  • kubectl support for adding ephemeral containers (landed 1.18)
  • Switch API to use Pod kind (target 1.22)
  • allow setting securityContext (target 1.22)
  • Beta graduation (target 1.23)
  • allow removing ephemeralContainers (no target)

Related Enhancements and Proposals

  • #495: Process Namespace Sharing
  • #1441: kubectl debug command

Issues & Feature Requests

Completed features

Scheduled for work in 1.23

Future work

Contribute to these features or help prioritize by voting for these issues.

@dchen1107 dchen1107 added this to the v1.7 milestone May 1, 2017
@dchen1107 dchen1107 added the sig/node label May 1, 2017
@idvoretskyi idvoretskyi added the stage/alpha label May 3, 2017
@idvoretskyi idvoretskyi added this to In Progress in Kubernetes 1.7 features May 3, 2017
@liggitt liggitt added the sig/cli label May 23, 2017
@liggitt
Member

@liggitt liggitt commented May 23, 2017

cc @kubernetes/sig-cli-feature-requests

@verb
Contributor Author

@verb verb commented Jun 1, 2017

@dchen1107 @idvoretskyi This should move to 1.8 milestone & features.

/sig api-machinery

@k8s-ci-robot k8s-ci-robot added the sig/api-machinery label Jun 1, 2017
@verb verb changed the title Pod Troubleshooting Debug Containers Jun 1, 2017
@idvoretskyi idvoretskyi added this to the next-milestone milestone Jun 1, 2017
@idvoretskyi idvoretskyi removed this from the v1.7 milestone Jun 1, 2017
@idvoretskyi idvoretskyi removed this from In Progress in Kubernetes 1.7 features Jun 1, 2017
@idvoretskyi
Member

@idvoretskyi idvoretskyi commented Jun 1, 2017

@verb thanks, updated.

@calebamiles calebamiles added this to the 1.8 milestone Jul 25, 2017
@calebamiles calebamiles removed this from the next-milestone milestone Jul 25, 2017
@pwittrock
Member

@pwittrock pwittrock commented Aug 17, 2017

@verb Is this still targeted for 1.8?

@verb
Contributor Author

@verb verb commented Aug 18, 2017

@pwittrock No, let's bump to 1.9

@pwittrock pwittrock removed this from the 1.8 milestone Sep 7, 2017
@idvoretskyi
Member

@idvoretskyi idvoretskyi commented Oct 2, 2017

@verb still on track for 1.9?

@idvoretskyi idvoretskyi added this to the next-milestone milestone Oct 2, 2017
@verb
Contributor Author

@verb verb commented Oct 7, 2017

@verb
Contributor Author

@verb verb commented Oct 24, 2017

/remove-sig api-machinery
/sig auth

@k8s-ci-robot k8s-ci-robot added sig/auth and removed sig/api-machinery labels Oct 24, 2017
@radu-matei

@radu-matei radu-matei commented Jan 19, 2018

Hi!
Is there anyone actively working on this?

I would really like to start contributing on it (realistically starting next week or so).

@verb
Contributor Author

@verb verb commented Jan 19, 2018

@radu-matei Yes, I'm actively working on it. I have some PRs lined up but we haven't quite finalized the API yet, see kubernetes/community#1269.

I'd love to have some help here, of course. Was there a particular area to which you'd like to contribute?

@radu-matei

@radu-matei radu-matei commented Jan 20, 2018

@verb I probably can work on kubectl right away, but I would also very much want to understand the API server and kubelet.

@salaxander salaxander added the tracked/yes label Aug 31, 2021
@salaxander

@salaxander salaxander commented Aug 31, 2021

/milestone v1.23

@k8s-ci-robot k8s-ci-robot removed this from the v1.22 milestone Aug 31, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Aug 31, 2021
@salaxander

@salaxander salaxander commented Sep 1, 2021

Hi @verb! 1.23 Enhancements team here. Just checking in as we approach enhancements freeze on Thursday 09/09. Here's where this enhancement currently stands:

  • [X] KEP file using the latest template has been merged into the k/enhancements repo.
  • [X] KEP status is marked as implementable
  • [X] KEP has a test plan section filled out.
  • [X] KEP has up to date graduation criteria.
  • KEP has a production readiness review that has been completed and merged into k/enhancements.

Starting with 1.23, we have implemented a soft freeze on production readiness reviews beginning on Thursday 09/02. If your enhancement needs a PRR, please make sure to try and complete it by that date!

For this enhancement it looks like we would need a PRR for the beta release, as well as updating the key.yaml for the correct latest release and stage.

Thanks!

@verb
Contributor Author

@verb verb commented Sep 1, 2021

Hi @salaxander, just to make sure I understand the PRR process: the KEP should be ready for PRR by tomorrow so that the PRR reviewers have time to review it before enhancement freeze, right? You're not expecting PRR review to be finished by tomorrow? Thanks!

@salaxander

@salaxander salaxander commented Sep 1, 2021

Hi @verb - sorry for the confusion. The soft PRR freeze is something new we're trying, and we'll definitely iterate on it. We are hoping to have PRRs completed and reviewed by midnight PST tomorrow.

That said, this is a soft freeze so as long as things get as far as possible before then, we should be fine. If you need any help moving things along feel free to post in the #release-enhancements slack channel on K8s slack

@verb
Contributor Author

@verb verb commented Sep 1, 2021

@salaxander Whoops, I misunderstood then. I think #2892 is close, and we've been approved for beta once before, so maybe we'll be ok. I'll ping the PRR reviewer.

@jlbutler

@jlbutler jlbutler commented Sep 17, 2021

Hi @verb! 1.23 Docs team here.

This enhancement issue is listed as 'None required' for docs in the tracking sheet. Though docs are complete, I believe we need a small PR to update the feature gate to 'beta'. If I'm mistaken, let me know!

Otherwise, please follow the steps detailed in the documentation to open a PR against the dev-1.23 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thu November 18, 11:59 PM PDT.

Thanks!

@bbkgh

@bbkgh bbkgh commented Sep 22, 2021

Hi. Can we have this feature as Beta in 1.23?

@MadhavJivrajani
Contributor

@MadhavJivrajani MadhavJivrajani commented Sep 22, 2021

Yes, it's targeted for beta in 1.23 :)

@verb
Contributor Author

@verb verb commented Sep 30, 2021

Hi @jlbutler, I agree. I've opened placeholder kubernetes/website#29871 for the website update. Thanks!

@verb
Contributor Author

@verb verb commented Oct 6, 2021

@lizzzcai

@lizzzcai lizzzcai commented Oct 22, 2021

Hi @verb, just want to check if kube debug will support accessing the storage of the container (not root user) after 1.23.

My use case: I have a sidecar container with distroless image running as a user. And I want to debug it without restarting the pod as the issue may not be reproducible.
I tried both kube debug pod and node, both return me Permission denied error when I am trying to access the storage of the process. /proc/$pid/root. The workaround for me is to deploy a privileged pod on that node (similar to kube debug node but with privileged) and I can access everything.

@verb
Contributor Author

@verb verb commented Nov 1, 2021

> Hi @verb, just want to check if kube debug will support accessing the storage of the container (not root user) after 1.23.

Hi @lizzzcai, it's supported but in my testing either shareProcessNamespace or SYS_PTRACE needs to be enabled for the /proc/$pid/root link to work. shareProcessNamespace has always been supported, setting SYS_PTRACE on an ephemeral container has been allowed since 1.22, but kubectl debug doesn't support it yet. Maybe in 1.23. Follow #1441 for that 👍
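
The two cases from the reply above, as an added example that is not part of the original thread or of the Kubernetes code base: it builds the Pod object (the "Pod kind" form from the milestone list) with one extra `ephemeralContainers` entry, and requests `SYS_PTRACE` with namespace targeting only when the pod does not already set `shareProcessNamespace`. The function name, the `debugger` container name, the `busybox` image and the sample pod are assumptions made for illustration.

```python
import copy
import json


def add_debug_container(pod, target, name="debugger", image="busybox"):
    """Return a copy of `pod` with one ephemeral container aimed at `target`."""
    spec = pod["spec"]
    if target not in [c["name"] for c in spec.get("containers", [])]:
        raise ValueError(f"no container named {target!r} in pod")
    # Ephemeral containers cannot be removed yet (see the milestone list),
    # so a name, once used in this pod, is taken for the pod's lifetime.
    used = {c["name"]
            for key in ("containers", "initContainers", "ephemeralContainers")
            for c in spec.get(key, [])}
    if name in used:
        raise ValueError(f"container name {name!r} already used in pod")

    debug = {"name": name, "image": image, "stdin": True, "tty": True}
    if not spec.get("shareProcessNamespace", False):
        # Join the target's process namespace and request only the one
        # capability named in the reply, rather than a privileged container.
        debug["targetContainerName"] = target
        debug["securityContext"] = {"capabilities": {"add": ["SYS_PTRACE"]}}

    out = copy.deepcopy(pod)
    out["spec"].setdefault("ephemeralContainers", []).append(debug)
    return out


# Constructed sample pod: a distroless sidecar, as in the question above.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "app", "namespace": "default"},
    "spec": {"containers": [
        {"name": "main", "image": "example.invalid/app:1"},
        {"name": "sidecar", "image": "example.invalid/distroless-sidecar:1"},
    ]},
}

if __name__ == "__main__":
    print(json.dumps(add_debug_container(SAMPLE_POD, "sidecar"), indent=2))
```
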

@salaxander

@salaxander salaxander commented Nov 4, 2021

Hi @verb. Checking in once more as we approach 1.23 code freeze at 6:00 pm PST on Tuesday, November 16.

Please ensure the following items are completed:

  • All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
  • All PRs are fully merged by the code freeze deadline.
  • Have a documentation placeholder PR open by Thursday, November 18.

As always, we are here to help should questions come up.

Thanks!!

@lizzzcai

@lizzzcai lizzzcai commented Nov 9, 2021

Hi @verb, thanks for your reply. I know there is a debug profile coming in the future and a lot of new features for the ephemeral container, but for the current kubectl debug node, can you consider enabling privileged by default? It should be a privileged container to access the volume when the user is trying to debug the node. Here are some comments: kubernetes/kubernetes#105847 (comment)

@verb
Contributor Author

@verb verb commented Nov 16, 2021

@salaxander All PRs for 1.23 have merged and docs PR is open. I think this should be "Tracked" rather than "At Risk" in the tracking sheet. Thanks!

@salaxander

@salaxander salaxander commented Nov 16, 2021

@verb updating now. Thanks for all the work on this! I'm personally really excited about this feature :)

@gracenng gracenng added tracked/no and removed tracked/yes labels Jan 9, 2022
@gracenng gracenng removed this from the v1.23 milestone Jan 9, 2022
@k8s-triage-robot

@k8s-triage-robot k8s-triage-robot commented Apr 9, 2022

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale label Apr 9, 2022
@verb
Contributor Author

@verb verb commented Apr 29, 2022

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale label Apr 29, 2022