playbooks

home / skills / laurigates / claude-plugins / kubectl-debugging

kubectl-debugging skill

/kubernetes-plugin/skills/kubectl-debugging

This skill helps you debug Kubernetes resources with kubectl debug, adding ephemeral containers, copying pods, and enabling interactive troubleshooting

npx playbooks add skill laurigates/claude-plugins --skill kubectl-debugging

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
6.3 KB
---
model: haiku
created: 2025-12-16
modified: 2025-12-16
reviewed: 2025-12-16
name: kubectl-debugging
description: |
  Debug Kubernetes pods, nodes, and workloads using kubectl debug. Covers ephemeral containers,
  pod copying, node debugging, debug profiles, and interactive troubleshooting sessions.
  Use when user mentions kubectl debug, debugging pods, ephemeral containers, node debugging,
  or interactive troubleshooting in Kubernetes clusters.
allowed-tools: Glob, Grep, Read, Bash(kubectl *), Bash(stern *), Edit, Write, TodoWrite, WebFetch
---

# kubectl debug - Interactive Kubernetes Debugging

Expert knowledge for debugging Kubernetes resources using `kubectl debug` - ephemeral containers, pod copies, and node access.

## Core Capabilities

**kubectl debug** automates common debugging tasks:

- **Ephemeral Containers**: Add debug containers to running pods without restart
- **Pod Copying**: Create modified copies for debugging (different images, commands)
- **Node Debugging**: Access node host namespaces and filesystem

## Context Safety (CRITICAL)

**Always specify `--context`** explicitly in every kubectl command:

```bash
# CORRECT: Explicit context
kubectl --context=prod-cluster debug mypod -it --image=busybox

# WRONG: Relying on current context
kubectl debug mypod -it --image=busybox  # Which cluster?
```

## Quick Reference

### Add Ephemeral Debug Container

```bash
# Interactive debugging with busybox
kubectl --context=my-context debug mypod -it --image=busybox

# Target specific container's process namespace
kubectl --context=my-context debug mypod -it --image=busybox --target=mycontainer

# Use a specific debug profile
kubectl --context=my-context debug mypod -it --image=busybox --profile=netadmin
```

### Copy Pod for Debugging

```bash
# Create debug copy
kubectl --context=my-context debug mypod -it --copy-to=mypod-debug --image=busybox

# Copy and change container image
kubectl --context=my-context debug mypod --copy-to=mypod-debug --set-image=app=busybox

# Copy and modify command
kubectl --context=my-context debug mypod -it --copy-to=mypod-debug --container=myapp -- sh

# Copy on same node
kubectl --context=my-context debug mypod -it --copy-to=mypod-debug --same-node --image=busybox
```

### Debug Node

```bash
# Interactive node debugging (host namespaces, filesystem at /host)
kubectl --context=my-context debug node/mynode -it --image=busybox

# With sysadmin profile for full capabilities
kubectl --context=my-context debug node/mynode -it --image=ubuntu --profile=sysadmin
```

## Debug Profiles

| Profile | Use Case | Capabilities |
|---------|----------|--------------|
| `legacy` | Default, unrestricted | Full access (backwards compatible) |
| `general` | General purpose | Moderate restrictions |
| `baseline` | Minimal restrictions | Pod security baseline |
| `netadmin` | Network troubleshooting | NET_ADMIN capability |
| `restricted` | High security environments | Strictest restrictions |
| `sysadmin` | System administration | SYS_PTRACE, SYS_ADMIN |

```bash
# Network debugging (tcpdump, netstat, ss)
kubectl --context=my-context debug mypod -it --image=nicolaka/netshoot --profile=netadmin

# System debugging (strace, perf)
kubectl --context=my-context debug mypod -it --image=ubuntu --profile=sysadmin
```

## Common Debug Images

| Image | Size | Use Case |
|-------|------|----------|
| `busybox` | ~1MB | Basic shell, common utilities |
| `alpine` | ~5MB | Shell with apk package manager |
| `ubuntu` | ~77MB | Full Linux with apt |
| `nicolaka/netshoot` | ~350MB | Network debugging (tcpdump, dig, curl, netstat) |
| `gcr.io/k8s-debug/debug` | Varies | Official Kubernetes debug image |

## Debugging Patterns

### Network Connectivity Issues

```bash
# Add netshoot container for network debugging
kubectl --context=my-context debug mypod -it \
  --image=nicolaka/netshoot \
  --profile=netadmin

# Inside container:
# - tcpdump -i any port 80
# - dig kubernetes.default
# - curl -v http://service:port
# - ss -tlnp
# - netstat -an
```

### Application Crashes

```bash
# Copy pod with different entrypoint to inspect
kubectl --context=my-context debug mypod -it \
  --copy-to=mypod-debug \
  --container=app \
  -- sh

# Inside: check filesystem, env vars, config files
```

### Process Inspection

```bash
# Target container's process namespace
kubectl --context=my-context debug mypod -it \
  --image=busybox \
  --target=mycontainer

# Inside: ps aux, /proc inspection
```

### Node-Level Issues

```bash
# Debug node with host access
kubectl --context=my-context debug node/worker-1 -it \
  --image=ubuntu \
  --profile=sysadmin

# Inside:
# - Host filesystem at /host
# - chroot /host for full access
# - journalctl, systemctl, dmesg
```

### Non-Destructive Debugging

```bash
# Create copy, keeping original running
kubectl --context=my-context debug mypod -it \
  --copy-to=mypod-debug \
  --same-node \
  --share-processes \
  --image=busybox

# Original pod continues serving traffic
# Debug copy shares storage if on same node
```

## Key Options

| Option | Description |
|--------|-------------|
| `-it` | Interactive TTY (required for shell access) |
| `--image` | Debug container image |
| `--container` | Name for the debug container |
| `--target` | Share process namespace with this container |
| `--copy-to` | Create a copy instead of ephemeral container |
| `--same-node` | Schedule copy on same node (with `--copy-to`) |
| `--set-image` | Change container images in copy |
| `--profile` | Security profile (legacy, netadmin, sysadmin, etc.) |
| `--share-processes` | Enable process namespace sharing (default: true with --copy-to) |
| `--replace` | Delete original pod when creating copy |

## Best Practices

1. **Use appropriate profiles** - Match capabilities to debugging needs
2. **Prefer ephemeral containers** - Less disruptive than pod copies
3. **Use `--copy-to` for invasive debugging** - Preserve original pod
4. **Clean up debug pods** - Delete copies after debugging
5. **Use `--same-node`** - For accessing shared storage/network conditions

## Cleanup

```bash
# List debug pod copies
kubectl --context=my-context get pods | grep -E "debug|copy"

# Delete debug pods
kubectl --context=my-context delete pod mypod-debug
```

## Requirements

- Kubernetes 1.23+ for ephemeral containers (stable)
- Kubernetes 1.25+ for debug profiles
- RBAC permissions for pods/ephemeralcontainers

For detailed option reference, examples, and troubleshooting patterns, see REFERENCE.md.

Overview

This skill helps you debug Kubernetes pods, nodes, and workloads using kubectl debug. It covers ephemeral containers, pod copying, node access, debug profiles, and interactive troubleshooting patterns for networking and process inspection. Use it to run non-destructive investigations or create isolated debug copies when deeper inspection is required.

How this skill works

The skill maps common troubleshooting tasks to kubectl debug commands: it creates ephemeral containers inside running pods, makes modified pod copies, or launches debug containers against nodes to access host namespaces and filesystem. It emphasizes explicit --context usage, appropriate debug profiles, and options like --target, --copy-to, --same-node, and --profile to control capabilities and scope. Typical sessions are interactive (-it) shells running diagnostic tools inside a chosen debug image.

When to use it

  • You need to attach a temporary shell to a running pod without restarting it (ephemeral container).
  • You want a safe copy of a pod with a different image or entrypoint to reproduce crashes.
  • You must inspect node-level problems with host filesystem or namespaces.
  • Troubleshooting network issues with tcpdump, dig, curl inside a container.
  • When process inspection requires sharing the target container’s PID namespace.

Best practices

  • Always pass --context explicitly to avoid acting on the wrong cluster.
  • Pick the least-privileged debug profile that meets your needs (netadmin, sysadmin, baseline).
  • Prefer ephemeral containers for quick, non-destructive checks; use --copy-to for invasive or persistent debugging.
  • Clean up debug pods after finishing to avoid resource leaks and security exposure.
  • Use small debug images (busybox, alpine) for quick checks; use netshoot or ubuntu when you need richer tooling.

Example use cases

  • Add an ephemeral busybox container to a web pod to inspect /proc and env vars without restarting the service.
  • Create a debug copy of a crashing pod with --copy-to and a different entrypoint to explore filesystem and logs.
  • Run a netshoot container with --profile=netadmin to capture tcpdump and verify service connectivity.
  • Debug a node by launching a debug container that mounts the host at /host and chroot for system-level investigation.
  • Reproduce a process-level issue by targeting a container’s namespace with --target and running strace or ps within the debug container.

FAQ

Do I need special RBAC to use kubectl debug?

Yes. You need permissions to create ephemeralcontainers, pods, and, for node debugging, appropriate node-level privileges. Check your cluster RBAC and PodSecurity policies.

When should I use --copy-to instead of ephemeral containers?

Use --copy-to when you need an isolated pod to change images, commands, or to run invasive debugging without affecting the original workload. Ephemeral containers are better for quick, non-destructive checks.