kubectl debug netadmin profile

Sometimes at work I need to troubleshoot iptables rules in a Kubernetes cluster. The intuitive approach is to use kubectl debug to start a container, then run the iptables command.[1] However, this fails with a confusing error:

root@minikube:/# iptables -nvL
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)

Permission denied? As the root user?

It turns out that being root isn’t enough – the container also needs the NET_ADMIN capability. This wasn’t possible with kubectl debug… until now!

With Kubernetes 1.27, kubectl debug now has a --profile=netadmin flag that provides the NET_ADMIN capability to the debug container. I implemented this in PR #115712, building on a lot of work from the community.[2]

With --profile=netadmin in kubectl versions >= 1.27, you can now run a command like:

kubectl debug -it --profile=netadmin --image=<image> <node or pod>

and iptables will work!
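To see why "root" was not enough, it helps to look at the effective capability bitmask the container process actually holds rather than its uid. The following is an added example, not code from the original post: a small sh helper that reads the CapEff line from /proc/&lt;pid&gt;/status-style text and reports whether CAP_NET_ADMIN (bit 12 in the kernel capability mask) is present. The two status snippets are constructed samples that mimic a default debug container and one started with --profile=netadmin.

```shell
#!/bin/sh
# Added example (not from the original post). Decode the effective capability
# mask of a container process to confirm whether NET_ADMIN is really present.

# CAP_NET_ADMIN is bit 12 of the capability bitmask (linux/capability.h).
CAP_NET_ADMIN=12

# has_cap HEXMASK BIT -> succeeds if bit BIT is set in the hex mask
has_cap() {
    mask=$1
    bit=$2
    [ -n "$mask" ] || return 1
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# cap_eff STATUS_TEXT -> prints the hex value of the CapEff line
cap_eff() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# net_admin_status STATUS_TEXT -> prints "present" or "missing"
net_admin_status() {
    if has_cap "$(cap_eff "$1")" "$CAP_NET_ADMIN"; then
        echo present
    else
        echo missing
    fi
}

# Constructed samples: uid 0 in both, but only the second mask has bit 12 set.
DEFAULT_STATUS='Name: iptables
Uid: 0 0 0 0
CapEff: 00000000a80425fb'
NETADMIN_STATUS='Name: iptables
Uid: 0 0 0 0
CapEff: 00000000a80435fb'

# Inside a real debug container run: net_admin_status "$(cat /proc/self/status)"
echo "default container: NET_ADMIN $(net_admin_status "$DEFAULT_STATUS")"
echo "netadmin profile:  NET_ADMIN $(net_admin_status "$NETADMIN_STATUS")"
```

Running it inside the debug container itself (with /proc/self/status as input) is the quickest way to tell a missing capability apart from a genuine iptables problem.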

  1. kubectl debug is nice because you can use an image with the tools you need (like iptables and tcpdump), and you can run the container in either the host or pod network namespace (especially useful when debugging a pod stuck in CrashLoopBackoff).

  2. This was one of several profiles defined in KEP 1441. Shang Jian Ding implemented the general, baseline, and restricted profiles in PR #114280.