kubectl debug: add netadmin profile #115712
Conversation
k8s-ci-robot
added
release-note
|
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Hi @wedaly. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-priority
k8s-ci-robot
added
area/kubectl
sig/cli
|
@wedaly: GitHub didn't allow me to request PR reviews from the following users: sding3. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| return false | ||
| }) | ||
| } | ||
|
|
||
| func addCapability(c *corev1.Container, capability corev1.Capability) { |
There was a problem hiding this comment.
Thank you for factoring this out into its own function. 👍
There was a problem hiding this comment.
+1
I'm wondering if we even need allowNetadminCapability() and allowProcessTracing(), or if we should just be using allowCapability(pod, containerName, capability) for both, but then I decided it's probably easier to make these decisions after all of the profiles have been added.
| switch style { | ||
| case node: | ||
| allowNetadminCapability(pod, containerName) | ||
| useHostNamespaces(pod) | ||
| setPrivileged(pod, containerName) | ||
|
|
||
| case podCopy: | ||
| allowNetadminCapability(pod, containerName) | ||
|
|
||
| case ephemeral: | ||
| allowNetadminCapability(pod, containerName) | ||
| } |
There was a problem hiding this comment.
Looks like allowNetadminCapability is used in all three debugging styles, so we could shift it up to before the switch:
| switch style { | |
| case node: | |
| allowNetadminCapability(pod, containerName) | |
| useHostNamespaces(pod) | |
| setPrivileged(pod, containerName) | |
| case podCopy: | |
| allowNetadminCapability(pod, containerName) | |
| case ephemeral: | |
| allowNetadminCapability(pod, containerName) | |
| } | |
| allowNetadminCapability(pod, containerName) | |
| switch style { | |
| case node: | |
| useHostNamespaces(pod) | |
| setPrivileged(pod, containerName) | |
| case podCopy, ephemeral: | |
| // no additional modifications needed | |
| } |
| return false | ||
| }) | ||
| } | ||
|
|
||
| func addCapability(c *corev1.Container, capability corev1.Capability) { |
There was a problem hiding this comment.
+1
I'm wondering if we even need allowNetadminCapability() and allowProcessTracing(), or if we should just be using allowCapability(pod, containerName, capability) for both, but then I decided it's probably easier to make these decisions after all of the profiles have been added.
k8s-ci-robot
added
ok-to-test
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 937ab9e471f94e9d7a93e463069952069146b6d3
|
|
/assign @soltysh |
k8s-ci-robot
removed
the
lgtm
k8s-ci-robot
added
the
do-not-merge/contains-merge-commits
Add the netadmin profile from KEP 1441 https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/1441-kubectl-debug#debugging-profiles Signed-off-by: Will Daly <widaly@microsoft.com>
wedaly
force-pushed
the
kubectl-netadmin-debug-profile
branch
from
454c846 to
f5095bf
Compare
|
Rebased to address merge conflict. |
k8s-ci-robot
removed
the
do-not-merge/contains-merge-commits
|
@ardaguclu Do you have time to review this for approval? |
| if c.SecurityContext == nil { | ||
| c.SecurityContext = &corev1.SecurityContext{} | ||
| } | ||
| c.SecurityContext.Privileged = pointer.BoolPtr(true) |
There was a problem hiding this comment.
nit: BoolPtr is deprecated, pointer.Bool is recommended.
| SecurityContext: &corev1.SecurityContext{ | ||
| Privileged: pointer.BoolPtr(true), | ||
| Capabilities: &corev1.Capabilities{ | ||
| Add: []corev1.Capability{"NET_ADMIN"}, |
There was a problem hiding this comment.
nit: Could you please add a test case to cover that already existed capability in the container is also shown.
There was a problem hiding this comment.
added in followup PR: #115839
| @@ -294,6 +294,27 @@ func TestGenerateDebugContainer(t *testing.T) { | |||
| }, | |||
| }, | |||
| }, | |||
| { | |||
| name: "netadmin profile", | |||
There was a problem hiding this comment.
nit: I think we need to add unit tests also in TestGenerateNodeDebugPod and TestGeneratePodCopyWithDebugContainer.
There was a problem hiding this comment.
added in followup PR: #115839
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ardaguclu, sding3, verb, wedaly The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 300b30552472fc3748ffd52a2057f853d238a90e
|
What type of PR is this?
/kind feature
What this PR does / why we need it:
Add the netadmin profile from KEP 1441
https://github.com/kubernetes/enhancements/tree/master/keps/sig-cli/1441-kubectl-debug#debugging-profiles
Which issue(s) this PR fixes:
xref kubernetes/kubectl#1108
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
KEP 1441