zarf
EphemeralContainers via kubectl debug bypass Zarf webhook
Environment
Device and OS: macOS
App version: 0.31.1
Kubernetes distro being used: k3d
Steps to reproduce
- Zarf init
- Deploy some things with zarf
- kubectl debug -it -n test test-pod --image busybox (with some pod in cluster)
Expected result
Zarf would mutate the image to be one from zarf's registry.
Actual Result
The update to the pod bypasses zarf's webhook.
Severity/Priority
Not critical, user can always specify the zarf image registry directly.
Additional Context
There are two issues at play:
- Zarf's webhook needs pods/ephemeralcontainers added as a resource (see https://www.github.com/kyverno/kyverno/issues/2821 as an example of this)
- Even with ^ added, the kubectl debug call would not get patched because the pod itself already went through the patching lifecycle - https://github.com/defenseunicorns/zarf/blob/06c8e53e6a88ced00f1d8bc769e3d3f8efe7751a/src/internal/agent/hooks/pods.go#L50
This issue came up in discussion recently.
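To show what the second point above implies for the webhook, here is an added sketch (not code from the Zarf repository) of an admission handler for the pods/ephemeralcontainers subresource: it rewrites ephemeral container images into the internal registry without consulting whether the pod was already patched at creation time. The registry host, the prefix-only image rewrite, the minimal pod structs and the sample pod object are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal pod shape with only the fields inspected here (not the k8s.io/api types).
type container struct {
	Image string `json:"image"`
}
type pod struct {
	Spec struct {
		EphemeralContainers []container `json:"ephemeralContainers"`
	} `json:"spec"`
}

// patchOp is one RFC 6902 JSON Patch operation, as returned in a mutating admission response.
type patchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}
// ephemeralContainerPatches handles a request on the pods/ephemeralcontainers subresource. It
// ignores any "already patched" marker on the pod, since that marker describes the original spec,
// not containers attached later by kubectl debug. Rewrite = registry-host prefix (an assumption).
func ephemeralContainerPatches(registry string, rawPod []byte) ([]patchOp, error) {
	var p pod
	if err := json.Unmarshal(rawPod, &p); err != nil {
		return nil, err
	}
	var ops []patchOp
	for i, c := range p.Spec.EphemeralContainers {
		if strings.HasPrefix(c.Image, registry+"/") {
			continue // already points at the internal registry, nothing to rewrite
		}
		path := fmt.Sprintf("/spec/ephemeralContainers/%d/image", i)
		ops = append(ops, patchOp{Op: "replace", Path: path, Value: registry + "/" + c.Image})
	}
	return ops, nil
}
// samplePod is a constructed pod object as the API server would send it after `kubectl debug --image busybox`.
const samplePod = `{"spec":{"ephemeralContainers":[{"name":"debugger","image":"busybox"},{"name":"prev","image":"registry.internal:5000/alpine"}]}}`
func main() {
	ops, _ := ephemeralContainerPatches("registry.internal:5000", []byte(samplePod))
	out, _ := json.Marshal(ops)
	fmt.Println(string(out))
}
```

Only the upstream busybox reference gets a replace patch; the container already pointing at the internal registry is left untouched.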
Another reason this is important is to support kubectl debug in an air gapped environment. If a user has included a debug image in a Zarf package, they can get it loaded into their Zarf registry. This webhook rewrite is needed to actually start the ephemeral debug container using an image from the registry.
@bburky would note it's still possible, albeit not ideal, to use kubectl debug in airgap. The pull secrets will already be on the pod so as long as they debug with the zarf registry image name it would work. Not a great user experience though since they would have to figure out the registry address, name, and tag that is pushed to zarf vs just being able to use the upstream image name/tag.