I want to delete a specific file in the following container from a CronJob. The problem is that when I run exec I get an error. How can I exec into a distroless container (k8s v1.22.5) and delete the file from a CronJob? Which options do we have?

This is the deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: distro
  labels:
    app: distro
spec:
  replicas: 1
  selector:
    matchLabels:
      app: distro
  template:
    metadata:
      labels:
        app: distro
    spec:
      containers:
        - name: edistro
          image: timberio/vector:0.21.X-distroless-libc
          ports:
            - containerPort: 80

What I tried is:

kubectl exec -i -t -n apits aor-agent-zz -c tor "--" sh -c "clear; (bash || ash || sh)"

The error is:

error: Internal error occurred: error executing command in container: failed to exec in container: failed to start exec

I also tried it out like the following:

kubectl debug -it distro-d49b456cf-t85cm --image=ubuntu --target=edistro  --share-processes -n default

And got error:

Targeting container "edistro". If you don't see processes from this container it may be because the container runtime doesn't support this feature. Defaulting debug container name to debugger-fvfxs. error: ephemeral containers are disabled for this cluster (error from server: "the server could not find the requested resource").

I guess (not sure) that our container runtime doesn't support it. Which options do we have?

The answer below doesn’t solve the issue, I need a way to access from outside the distroless pod and delete specific file there, how can I do this?

2 Answers

  1. The point of using distro-less is to have a minimal amount of tools/software packaged in the image. This means the removal of unnecessary tools like shell from the image.

    You may work around this using the following; however, it may depend on your objective:

    kubectl debug -it <POD_TO_DEBUG> --image=<helper-image> --target=<CONTAINER_TO_DEBUG> --share-processes
    

    Eg:

    kubectl debug -it distro-less-pod   --image=ubuntu --target=edistro  --share-processes
    
  2. Not a great option but it is the only option I can think of.

    If you are able to enter the nodes where the pods are running and you have permissions to execute commands (most likely as root) in there, you can try nsenter or any other way to enter the container mount namespace directly.

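The node-side approach from the second answer, as an added example that is not part of the original answers: entering the mount namespace with nsenter and then running `rm` fails for the same reason exec does (the image ships no `rm`), so this sketch removes the file through `/proc/<PID>/root` with the node's own tools. It assumes root on the node and a PID belonging to the target container; the function names and the `PROC_DIR` override are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): delete a file that lives in a
# distroless container, working from the node that runs the pod.
# Assumptions: root on the node; PID is a process of the target container,
# looked up with the container runtime's own tooling.
# PROC_DIR is a hypothetical override so the logic can be tried on a fake tree.
PROC_DIR="${PROC_DIR:-/proc}"

# Print the node-side path of FILE inside the container that owns PID.
# Returns 1 for a relative path or a ".." component, 2 if any component is a
# symlink: seen from the node, a symlink with an absolute target would be
# resolved against the node's root filesystem, not the container's.
container_path() {
  local pid="$1" rest part cur
  case "$2" in /*) ;; *) return 1 ;; esac
  cur="$PROC_DIR/$pid/root"
  rest="${2#/}"
  while [ -n "$rest" ]; do
    part="${rest%%/*}"
    case "$rest" in */*) rest="${rest#*/}" ;; *) rest="" ;; esac
    if [ -z "$part" ] || [ "$part" = "." ]; then continue; fi
    if [ "$part" = ".." ]; then return 1; fi
    cur="$cur/$part"
    if [ -L "$cur" ]; then return 2; fi
  done
  printf '%s\n' "$cur"
}

# Delete FILE in the container of PID. Only regular files are removed;
# returns 3 if the target is missing or is not a regular file.
delete_in_container() {
  local target
  target="$(container_path "$1" "$2")" || return $?
  [ -f "$target" ] || return 3
  rm -f -- "$target"
}

# Usage on the node (both values are placeholders):
#   delete_in_container <PID> /path/in/container/file
```

Running this from a CronJob would require a pod with host PID access and root on the node, which is a far broader grant than deleting one file; a volume shared between the workload and the CronJob pod avoids that.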