kubernetes: kubectl debug failed to add ephemeral container with kubernetes 1.25

What happened?

We encountered an issue where creating an ephemeral container with kubectl debug fails under the restricted PSA level; Kubernetes is v1.25.4 and kubectl is v1.24.1.

[root@vz0005-tgh25-master-0 ~]# kubectl debug -n psa testclient-848997fb8-dlcsn -it --image=registry.redhat.io/rhel8/support-tools:latest -- bash
Defaulting debug container name to debugger-wjzcc.
Error from server (Forbidden): pods "testclient-848997fb8-dlcsn" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "debugger-wjzcc" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "debugger-wjzcc" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "debugger-wjzcc" must set securityContext.runAsNonRoot=true)

What did you expect to happen?

kubectl debug should add the ephemeral container successfully under PSA.

How can we reproduce it (as minimally and precisely as possible)?

Add an ephemeral container to an existing running pod under restricted PSA, with a command like the one below:

kubectl debug testclient-848997fb8-dlcsn -it --image=registry.redhat.io/rhel8/support-tools:latest -- bash

Anything else we need to know?

No response

Kubernetes version

# kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.1", GitCommit:"854f807d8a84dde710c062a5281bca5bc07cb562", GitTreeState:"clean", BuildDate:"2023-01-04T23:07:34Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.4+77bec7a", GitCommit:"b6d1f054747e9886f61dd85316deac3415e2726f", GitTreeState:"clean", BuildDate:"2022-12-14T20:18:42Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"linux/amd64"}

Cloud provider

openshift

OS version

# On Linux:
$ cat /etc/os-release
NAME="Red Hat Enterprise Linux CoreOS"
ID="rhcos"
ID_LIKE="rhel fedora"
VERSION="412.86.202301061548-0"
VERSION_ID="4.12"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux CoreOS 412.86.202301061548-0 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::coreos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://docs.openshift.com/container-platform/4.12/"
BUG_REPORT_URL="https://access.redhat.com/labs/rhir/"
REDHAT_BUGZILLA_PRODUCT="OpenShift Container Platform"
REDHAT_BUGZILLA_PRODUCT_VERSION="4.12"
REDHAT_SUPPORT_PRODUCT="OpenShift Container Platform"
REDHAT_SUPPORT_PRODUCT_VERSION="4.12"
OPENSHIFT_VERSION="4.12"
RHEL_VERSION="8.6"
OSTREE_VERSION="412.86.202301061548-0"

$ uname -a
Linux vz0005-tgh25-master-0 4.18.0-372.40.1.el8_6.x86_64 #1 SMP Tue Jan 3 09:45:26 EST 2023 x86_64 x86_64 x86_64 GNU/Linux


Install tools

Container runtime (CRI) and version (if applicable)

Related plugins (CNI, CSI, …) and versions (if applicable)
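The three violations the admission controller reports in the issue above, re-implemented as a small checker. This is an added example, not code from the issue or from Kubernetes: it runs the restricted checks over a constructed pod whose ephemeral container is shaped like the one kubectl debug adds (an image and no securityContext), then over the same pod with that container given the securityContext the error asks for. The app container's image is a placeholder, and the pod-level fallback for runAsNonRoot is this checker's own simplification of the PodSecurity rules.

```python
import copy
# The container-level fields the restricted level requires, as listed in the error message.
RESTRICTED_SC = {"allowPrivilegeEscalation": False, "runAsNonRoot": True,
                 "capabilities": {"drop": ["ALL"]}}

def check_container(pod_sc: dict, c: dict) -> list[str]:
    """Three restricted-profile checks from the admission error, for one container."""
    sc = c.get("securityContext") or {}
    name, found = c["name"], []
    if sc.get("allowPrivilegeEscalation") is not False:
        found.append(f"allowPrivilegeEscalation != false (container {name!r})")
    if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
        found.append(f"unrestricted capabilities (container {name!r})")
    # runAsNonRoot may be satisfied at pod level; a container-level value overrides it.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        found.append(f"runAsNonRoot != true (pod or container {name!r})")
    return found

def restricted_violations(pod: dict) -> list[str]:
    """Run the checks over every container kind PSA evaluates, ephemeralContainers included."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    out: list[str] = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            out.extend(check_container(pod_sc, c))
    return out

def harden(container: dict) -> dict:
    """Copy of the container with the securityContext the restricted level demands."""
    c = copy.deepcopy(container)
    c.setdefault("securityContext", {}).update(copy.deepcopy(RESTRICTED_SC))
    return c

# Constructed sample: a compliant app container plus the ephemeral container that
# kubectl debug appends by default, which carries an image and no securityContext.
DEBUG_POD = {
    "metadata": {"name": "testclient-848997fb8-dlcsn", "namespace": "psa"},
    "spec": {
        "containers": [{"name": "testclient", "image": "example.invalid/testclient:1",  # placeholder
                        "securityContext": copy.deepcopy(RESTRICTED_SC)}],
        "ephemeralContainers": [{"name": "debugger-wjzcc",
                                 "image": "registry.redhat.io/rhel8/support-tools:latest"}],
    },
}

def hardened_debug_pod() -> dict:
    """Same pod after giving the debugger container the restricted securityContext."""
    pod = copy.deepcopy(DEBUG_POD)
    pod["spec"]["ephemeralContainers"] = [harden(c) for c in pod["spec"]["ephemeralContainers"]]
    return pod
```

Only runAsNonRoot can be inherited from spec.securityContext; allowPrivilegeEscalation and capabilities.drop are per-container fields, so a debug container that cannot set its own securityContext will keep failing those two checks however the pod is configured.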

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 2
  • Comments: 20 (12 by maintainers)

Most upvoted comments

thanks @mochizuki875, that’s the right link to the configuration for PodSecurityAdmission

/close

@catherye

Could you share how to add one specific username into exemption?

It is this:)

Configure the Admission Controller
https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller

@mochizuki875 Good idea, but before that option is supported, it seems that for now kubectl debug does not work anymore in restricted mode after v1.25. Is there any workaround so we can run kubectl debug in restricted mode?