kubernetes - Kubernetes 中的临时容器

Question

我创建了一个标准 nginx pod，并且想运行一个 sidecar 容器，但它在 Kubernetes 1.18 - 1.20 中不适用于我。

# kubectl alpha debug nginx --image=busybox --target=nginx
Defaulting debug container name to debugger-6wlb5.

# kubectl attach nginx -c debugger-6wlb5
If you don't see a command prompt, try pressing enter.
error: unable to upgrade connection: container debugger-6wlb5 not found in pod nginx_default 

我在 apiserver、调度程序和 Controller 管理器中启用了门功能。 pod 上的描述不显示错误或其他内容:

Mounts:
    /var/run/secrets/kubernetes.io/serviceaccount from default-token-4jhz2 (ro)
Ephemeral Containers:
  debugger-6wlb5:
    Image:        busybox
    Port:         <none>
    Host Port:    <none>
    Environment:  <none>
    Mounts:       <none>
Conditions:
  Type              Status

我在这里想念什么？

Answer 1

背景

不幸的是，这仍然是 alfa feature并且不适合生产。如 Ephemeral Containers 中所述文档。

This page provides an overview of ephemeral containers: a special type of container that runs temporarily in an existing Pod to accomplish user-initiated actions such as troubleshooting. You use ephemeral containers to inspect services rather than to build applications.

Warning: Ephemeral containers are in early alpha state and are not suitable for production clusters.

测试

我已经在 Kubeadm 上对此进行了测试使用 Kubernetes 1.19。 Feature Gates标志已在配置文件中设置，如 apiserver , scheduler和controller-manager ---feature-gates=EphemeralContainers=true 。另外kubelet被修改。 因为这是alpha它需要特定的步骤才能使其发挥作用。

选项 1

此方法在Debug Running Pods - Debugging with an ephemeral debug container中有描述。 .

$ kubectl run ephemeral-demo --image=k8s.gcr.io/pause:3.1 --restart=Never
pod/ephemeral-demo created
$ kubectl alpha debug -it ephemeral-demo --image=busybox --target=ephemeral-demo
Defaulting debug container name to debugger-hnr2w.
If you don't see a command prompt, try pressing enter.
/ # ps aux
PID   USER     TIME  COMMAND
    1 root      0:00 /pause
    7 root      0:00 sh
   12 root      0:00 ps aux
/ # Now, you are in the debugger-hnr2w container which is in the same pod as container ephemeral-demo
/ # exit
$ 

描述 Pod

Containers:
  ephemeral-demo:
    Container ID:   docker://e24cf29efdab9fbf8180ec6c8a9539cdfbdfc490b3b4a4d5dd02d419887c8486
    Image:          k8s.gcr.io/pause:3.1
    ...
Ephemeral Containers:
  debugger-hnr2w:
    Container ID:   docker://649d020e92eedbe03d281fb2368f33ceec176eaaa340fb52af5bf59fc269c701
    Image:          busybox
    ...

在上面的示例中，attach是使用 -i 制成的旗帜。 Copying a Pod while adding a new container中有说明.

The -i flag causes kubectl debug to attach to the new container by default. You can prevent this by specifying --attach=false.

旁注

引文的第二部分是If your session becomes disconnected you can reattach using kubectl attach.然而它适用于另一种方法，而不是 Ephemeral Containers .

选项 2

此选项和所有先决条件在 Ephemeral Containers — the future of Kubernetes workload debugging 中进行了描述。文章。而不是Deployment我用过nginx pods 。

$ kubectl run nginx --image=nginx .

接下来您必须创建 .json具有以下配置的文件。请更改metadata.name到你的 Pod 名称。

{
    "apiVersion": "v1",
    "kind": "EphemeralContainers",
    "metadata": {
            "name": "nginx"
    },
    "ephemeralContainers": [{
        "command": [
            "sh"
        ],
        "image": "busybox:latest",
        "imagePullPolicy": "IfNotPresent",
        "name": "debugger",
        "stdin": true,
        "tty": true,
        "terminationMessagePolicy": "File"
    }]
}

重要

您必须使用kubectl replace --raw来应用它

$ kubectl replace --raw /api/v1/namespaces/default/pods/<podName>/ephemeralcontainers -f <jsonFileName>.json

否则，你会得到错误:

kubectl apply -f debug.json 
error: unable to recognize "debug.json": no matches for kind "EphemeralContainers" in version "v1"

应用正确的命令后:

$ kubectl replace --raw /api/v1/namespaces/default/pods/nginx/ephemeralcontainers -f debug.json
{"kind":"EphemeralContainers","apiVersion":"v1","metadata":{"name":"nginx","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx/ephemeralcontainers","uid":"...}

使用kubectl describe <podname>验证是否 EphemeralContainer已创建。

$ kubectl describe po | grep 'Container ID' -B 2
Containers:
  nginx:
    Container ID:   docker://a410b326cdc3b95abb2edff8cdb4d7edca9498ba44b54ca6a448967596391813
--
Ephemeral Containers:
  debugger:
    Container ID:  docker://a1357c0daed0ad5664b8c838183a3eb0716339020e829077c14e7438fa5e1cf5

使用此方法，您将能够使用kubectl attach

$ kubectl attach -it nginx -c debugger
If you don't see a command prompt, try pressing enter.
/ # 

结论

Ephemeral Container是一种特殊类型的容器，临时在现有 Pod 中运行以完成用户发起的操作，例如故障排除。一旦您终止 session ，您将无法再次连接。

你会得到错误:

$ kubectl attach -it nginx -c debugger
If you don't see a command prompt, try pressing enter.
error: unable to upgrade connection: container debugger not found in pod nginx_default

将来可能会更改，但根据我的测试，您只能连接到此容器一次。