kubectl debug netadmin profile
Sometimes at work I need to troubleshoot iptables rules in a Kubernetes cluster. The intuitive approach is to use kubectl debug to start a container, then run the iptables command.[1] However, this fails with a confusing error:
root@minikube:/# iptables -nvL
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)
Permission denied? As the root user?
It turns out that being root isn’t enough – the container also needs the NET_ADMIN capability. This wasn’t possible with kubectl debug … until now!
With Kubernetes 1.27, kubectl debug now has a --profile=netadmin flag that provides the NET_ADMIN capability to the debug container. I implemented this in PR #115712, building on a lot of work from the community.[2]
With --profile=netadmin in kubectl versions >= 1.27, you can now run a command like:

kubectl debug -it --profile=netadmin --image=<image> <node or pod>

and iptables will work!
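As an added example (not from the original post, and not part of kubectl), here is a small POSIX shell helper for confirming the profile took effect: it decodes the CapEff bitmask from /proc/<pid>/status and reports whether CAP_NET_ADMIN (bit 12 in the kernel's capability numbering) is present, which is exactly what iptables is missing in the "Permission denied (you must be root)" case. The function names and the sample masks are my own; the masks are constructed rather than captured from a cluster.

```shell
#!/bin/sh
# Added helper (not part of the original post or of kubectl): decode a process's
# effective capability mask and check for CAP_NET_ADMIN, which iptables needs
# even when the container runs as root.
CAP_NET_ADMIN=12   # bit index from <linux/capability.h>
CAP_NET_RAW=13

# has_cap HEXMASK BIT: succeed if BIT is set in the hex mask (format of CapEff:).
has_cap() {
    mask="$1"
    bit="$2"
    [ "$(( (0x$mask >> $bit) & 1 ))" -eq 1 ]
}

# cap_eff [PID]: print the CapEff mask of PID (default: this shell) from /proc.
cap_eff() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# report_net_admin [PID]: human-readable verdict, meant to be run inside the
# debug container before reaching for iptables.
report_net_admin() {
    eff="$(cap_eff "$1")"
    if has_cap "$eff" "$CAP_NET_ADMIN"; then
        echo "CapEff=$eff: CAP_NET_ADMIN present; iptables can read the rule set"
    else
        echo "CapEff=$eff: CAP_NET_ADMIN missing; start the container with kubectl debug --profile=netadmin"
    fi
}

# Constructed sample masks (not captured from a cluster):
#   DEFAULT_CAPS is a typical container default set: NET_RAW (bit 13) is set,
#   NET_ADMIN (bit 12) is not, so iptables fails even as root.
#   NETADMIN_CAPS is the same set with bit 12 added.
DEFAULT_CAPS=00000000a80425fb
NETADMIN_CAPS=00000000a80435fb

# When run on Linux, report on the current shell.
[ -r /proc/self/status ] && report_net_admin self || :
```

Inside a debug container started without the profile, report_net_admin prints the "missing" line; with --profile=netadmin it prints the "present" line.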
[1] kubectl debug is nice because you can use an image with the tools you need (like iptables and tcpdump), and you can run the container in either the host or pod network namespace (especially useful when debugging a pod stuck in CrashLoopBackoff).

[2] This was one of several profiles defined in KEP 1441. Shang Jian Ding implemented the general, baseline, and restricted profiles in PR #114280.