Run kubectl-debug from private docker registry (not just https://hub.docker.com/)

Open lukjaw opened this issue 5 years ago • 6 comments

Hi, I really like the tool guys, but is there a way to run this from a private docker registry (like Nexus) that is inside a corporate network?

The reason for this question is that I have some k8s clusters that don't have access to hub.docker.com (every image is being downloaded from a private registry) and I want to use this awesome tool.

So basically I pulled both debug-agent:latest and netshoot:latest, pushed them to my private docker registry (Sonatype Nexus) and prepared the cfg file ~/.kube/debug-config:

  agentImage: myregistry:myport/debug-agent:latest
  (...)
  image: myregistry:myport/netshoot:latest

I've also modified the yaml manifest for the debug-agent daemonset and changed Image: to point to the image in my private registry.

But when starting kubectl-debug i get:

  pulling image myregistry:myport/netshoot:latest...
  Pulling repository myregistry:myport/netshoot
  starting debug container...
  error execute remote, Internal error occurred: error attaching to container: Error: No such image: myregistry:myport/netshoot:latest
  error: Internal error occurred: error attaching to container: Error: No such myregistry:myport/netshoot:latest

I saw that there is a possibility to configure the kubectl-debug-registry-secret, but it seems it's also only for private repositories in the official DockerHub registry.

Is it possible to run it this way? Are you planning to support this? I know the easiest solution would be to open traffic to hub.docker.com, but I cannot do that on some of our k8s clusters for security reasons.

I was looking for a long time for such an image to debug inside a running container, and had never before found one that contains all the needed troubleshooting tools and is also so lightweight. I have already been able to debug a bunch of containers (on other k8s clusters that have wide access to the official DockerHub registry).

Any feedback would be much appreciated! Cheers

lukjaw avatar Dec 18 '19 12:12 lukjaw

Pulling from private repository with credential is expected to have been supported, what is the output of the log of debug-agent?

aylei avatar Dec 19 '19 14:12 aylei

I have the same problem. We use a private repository (like Harbor). I configured this in ~/.kube/debug-config but it doesn't work:

RegistrySecretName: myregistrysecret
RegistrySecretNamespace: myregistrysecret_namespace

and I checked the debug-agent pod yaml; it doesn't mount imagePullSecrets in the pod, like this:

  imagePullSecrets:
  - name: myregistrysecret

junjieyjj avatar Mar 11 '20 09:03 junjieyjj

> and I checked the debug-agent pod yaml; it doesn't mount imagePullSecrets in the pod, like this:

@junjieyjj The secret is consumed by the plugin and the plugin will send an authstr to agent.

aylei avatar Apr 28 '20 12:04 aylei

@junjieyjj @lukjaw Could you please try out v0.2.0-rc, which has the auth issue fixed?

aylei avatar Apr 28 '20 12:04 aylei

The content key in your imagePullSecrets must be "authStr", can you check it? Like this:

# kubectl get secret kubectl-debug-registry-secret -o yaml
apiVersion: v1
data:
  authStr: xxxxxxxxxxxxxxxxxxxxxxxx
kind: Secret

kchenzhi avatar Jun 30 '20 08:06 kchenzhi
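
A way to run the check asked for in the comment above, as an added example that is not part of the thread or of the kubectl-debug project: it takes the JSON printed by `kubectl get secret <name> -o json` and reports why the `authStr` key would not be found. The function name `check_registry_secret` and the sample manifests are constructed for illustration, and the internal format of the `authStr` value is not checked because the thread does not describe it.

```python
import base64
import binascii
import json
import sys

# Constructed sample manifests; the values are placeholders, not credentials.
GOOD = json.dumps({
    "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "kubectl-debug-registry-secret"},
    "data": {"authStr": base64.b64encode(b"placeholder-credentials").decode()},
})
DOCKERCFG = json.dumps({
    "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
    "metadata": {"name": "myregistrysecret"},
    "data": {".dockerconfigjson": base64.b64encode(b'{"auths":{}}').decode()},
})

def check_registry_secret(manifest_json, key="authStr"):
    """Return a list of problems; an empty list means the key is usable."""
    obj = json.loads(manifest_json)
    if obj.get("kind") != "Secret":
        return ["not a Secret manifest"]
    data = obj.get("data") or {}
    problems = []
    if key not in data:
        problems.append(f"missing data key {key!r}; found {sorted(data)}")
        if ".dockerconfigjson" in data:
            # A regular image pull secret stores its payload under another key.
            problems.append("standard image pull secret: its key is "
                            "'.dockerconfigjson', not " + repr(key))
        # Secret keys are case-sensitive: catch authstr, AuthStr and similar.
        near = [k for k in data if k.lower() == key.lower()]
        if near:
            problems.append(f"key {near[0]!r} differs from {key!r} only by case")
        return problems
    try:
        decoded = base64.b64decode(data[key], validate=True)
    except (binascii.Error, ValueError):
        return [f"value of {key!r} is not valid base64"]
    if not decoded.strip():
        problems.append(f"value of {key!r} decodes to an empty string")
    return problems  # the decoded credential is never printed or returned

if __name__ == "__main__":
    # Usage: kubectl get secret <name> -n <namespace> -o json | python check.py
    for line in check_registry_secret(sys.stdin.read()) or ["ok"]:
        print(line)
```
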

@aylei Hi, the newest version works like a charm, thanks :)

lukjaw avatar Jan 24 '22 10:01 lukjaw