breakglass, and ssh into the container, and do a post mortem for the breakglass

Thanks a ton!

Not really... Kubectl debug command is just a shortcut that contacts kube api to edit the pod definition. You could modify your manifest by adding ephemeral container spec, push it to git, and get the same result. From there on it all depends on whether you have permissions to sh into that container.

@@DevOpsToolkit that's what I thought too, but as you said that would require kubectl exec in the end. I agree with you when you say that even in GitOps world you still need someone authorized to interact directly with the cluster, so I think that Joe would save my day in these corner cases!

To me, ephemeral containers are the last resort when all observability tools )that do not need kubectl) fail to reveal the issue. That's the "break glass" situation which always requires elevated permissions. It's "we do not know what to do so let's dig in" type of situation.

@@DevOpsToolkit I totally agree 👍 now I'm waiting for a video on kubearmor 👍

Most of the time i don't have anything but the app itself in original containers so the only way to debug issues that cannot be observed from outside pods is to add a debug pod.

​@@DevOpsToolkit thanks for the quick reply. Could it be possible that the problem is only in the container?

@toddfinoch i don't have any info so anything could be a problem.

I used them only briefly so I'm not th Best judge of them. What i saw makes me think they're ok.

The `kubectl debug` command does not allow you to specify resource limits and requests. As a matter of fact, `kubectl create` does not have that option either. The logic behind `kubectl` is that it provides only some of the flags when creating resources. The assumption is that anything more needs to be specified as a YAML file. That is equally valid for `kubectl run` as for `kubectl debug`. What that means is that you'd need to define emphemeral containers as part of your manifest if you need resource limits and/or requests. The spec is in: kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#ephemeralcontainer-v1-core So, when you want to debug, add ephemeral container to manifest with the Pod (or Deployment or StatefulSet) and execute `kubectl apply --filename ...` or whatever you're using normally.

The alternative solution is to use Mutating Admission Controllers with, let's say, Kyverno. You can configure it to add resource requests and limit every time an ephemeral container is created. That is probably a more elegant and user-friendly solution.

@@DevOpsToolkit Wow wonderful! thanks a lot!

@@DevOpsToolkit You are really genious!

KubeArmor is on my to-do list. That's why I mentioned it.

@@DevOpsToolkit is it an alternative to Falco Sysdig ?

It is :)

Debugging by entering containers is (should be) the last resort used only when observability fails to show what we're looking for. On top of that, we rarely debug third-party apps like that. That's typically reserved for our own apps. Now, if you do need to debug (like that) third-party apps, and they are stateful, and their containers do not have the tools we need (which they often do), I tend to NOT create a copy but attach ephemeral container directly to one of the STS pods.

@@DevOpsToolkit thanks!

You can create a new pod and then attach a debug container but i think it's easier to simply use the --copy arhument.

@@DevOpsToolkit I am using eks 1.23

la commabd should work

Yeah. That's why creating a copy of a pod is very useful.

For those, i would pick ChainGuard images. They are small, (mostly) without vulnerabilities, abd built daily. You'll find a variation for almost every language.

@@DevOpsToolkit yeah... and they using alpine... Its causes a lot of issues with ffi for example, where we need to use glibc instead. For now we using a mulsistage minideb images with removing of dev packages and other not needed things on latest stage.

I thought that ChainGuard fixed that by using glibc instead of musl.

​@@oleksandrsimonov9200they use Wolfi, not alpine. You can use glibc or musl

this is why Dockerfiles should be multi-stage. build with all necessary bits and then copy to as slimmed down an image as possible for the runtime.