kubectl debug netadmin profile
Sometimes at work I need to troubleshoot iptables rules in a Kubernetes cluster. The intuitive approach is to use kubectl debug to start a container, then run the iptables command.[1] However, this fails with a confusing error:
root@minikube:/# iptables -nvL
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)
Permission denied? As the root user?
It turns out that being root isn’t enough – the pod also needs the NET_ADMIN capability. This wasn’t possible with kubectl debug… until now!
With Kubernetes 1.27, kubectl debug now has a --profile=netadmin flag that provides the NET_ADMIN capability to the debug container. I implemented this in PR #115712, building on a lot of work from the community.[2]
With --profile=netadmin in kubectl versions >= 1.27, you can now run a command like:
kubectl debug -it --profile=netadmin --image=<image> <node or pod>
iptables will work!
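A quick way to tell, from inside a debug container, whether a missing capability is the reason iptables fails: the kernel publishes the effective capability set as a hex bitmask on the CapEff line of /proc/self/status, and CAP_NET_ADMIN is bit 12. The script below is an added example, not code from the original post or from kubectl; the two sample CapEff masks (a Docker-style default set, and the same set with NET_ADMIN added) are constructed for illustration.

```shell
#!/bin/sh
# Added example: check for CAP_NET_ADMIN before reaching for iptables.
# CapEff in /proc/<pid>/status is a hex bitmask; CAP_NET_ADMIN is bit 12
# (see linux/capability.h).

CAP_NET_ADMIN_BIT=12

# has_cap_net_admin <CapEff hex mask>
# Exit 0 if bit 12 is set in the mask, 1 otherwise.
has_cap_net_admin() {
    mask="$1"
    [ $(( (0x$mask >> $CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# current_capeff: print the CapEff mask of this shell (Linux only).
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Constructed sample masks (assumed values, for illustration only):
# a container with Docker's default capability set, and the same set plus NET_ADMIN.
DEFAULT_CAPS=00000000a80425fb
NETADMIN_CAPS=00000000a80435fb

main() {
    for m in "$DEFAULT_CAPS" "$NETADMIN_CAPS"; do
        if has_cap_net_admin "$m"; then
            echo "CapEff $m: CAP_NET_ADMIN present, iptables can read the rule set"
        else
            echo "CapEff $m: CAP_NET_ADMIN missing, expect 'Permission denied'"
        fi
    done

    # Then check the shell we are actually running in.
    if [ -r /proc/self/status ]; then
        live=$(current_capeff)
        if has_cap_net_admin "$live"; then
            echo "this shell: CapEff $live has CAP_NET_ADMIN"
        else
            echo "this shell: CapEff $live lacks CAP_NET_ADMIN (rerun with kubectl debug --profile=netadmin)"
        fi
    fi
}

main "$@"
```

Run it inside the debug container: if the live CapEff line lacks bit 12, being root will not help, and the container needs to be started with --profile=netadmin (or an equivalent securityContext that adds NET_ADMIN).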
[1] kubectl debug is nice because you can use an image with the tools you need (like tcpdump), and you can run the container in either the host or pod network namespace (especially useful when debugging a pod stuck in CrashLoopBackOff).