
Ephemeral Containers

In Kubernetes environments, particularly for versions 1.25 and beyond, traditional methods of diagnosing issues within containers are becoming outdated. Ephemeral debug containers offer a modern, preferable alternative for troubleshooting. As a result, directly executing commands inside a container with kubectl exec is strongly discouraged, to the point where it’s suggested that those who use it should face consequences.

Do not do this! ⚠️ 

Enter inside a container

The use of ephemeral containers is a significant shift in how we approach problem-solving within Kubernetes. By executing a command such as:

kubectl -n demo debug $POD --image alpine --stdin --tty --target dynamic-welcome-service

we essentially spawn a new container within the same pod as the problematic application. Because of --target, this new container shares the process namespace of the application container, allowing us to interact with it as if we were inside the original container. This setup facilitates troubleshooting with the added benefits of an alpine image, which comes equipped with a shell and a package manager for installing necessary diagnostic tools.

Use this! 🤘 

Directly interfering with a production application is generally not advisable. In most cases, leveraging observability tools to gather metrics, logs, traces, and events should suffice for diagnosing issues. Direct intervention is typically reserved for critical and urgent problems when other methods have failed. However, it’s important to note that ephemeral containers, once created, remain operational indefinitely.

To mitigate this, an alternative command creates a duplicate of the original pod, embedding the ephemeral container within this clone:

kubectl --namespace demo debug $POD --image alpine --stdin --tty --share-processes --copy-to dynamic-welcome-service-debug

This method isolates the ephemeral container’s impact, as it resides in a separate pod copy. Eliminating this temporary container—and, by extension, any potential interference with the application—is as simple as deleting the entire duplicate pod:

kubectl --namespace demo delete pod dynamic-welcome-service-debug
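
The copy-then-delete procedure above, wrapped so that the cleanup step cannot be forgotten. This is an added example, not code from the original post; the helper name debug_copy and the KUBECTL override variable are assumptions, and the copy is named by appending -debug to the pod name.

```shell
#!/bin/sh
# Added example, not from the original post.
# KUBECTL (assumption of this example) lets a stub replace the real binary.
KUBECTL="${KUBECTL:-kubectl}"

# debug_copy NAMESPACE POD [IMAGE]   (hypothetical helper name)
# Debugs a copy of POD named POD-debug, then deletes that copy.
# The body runs in a subshell "( ... )" so its variables stay local;
# "exit" therefore ends only the function, not the calling shell.
debug_copy() (
  ns="$1"; pod="$2"; image="${3:-alpine}"
  if [ -z "$ns" ] || [ -z "$pod" ]; then
    echo "usage: debug_copy NAMESPACE POD [IMAGE]" >&2
    exit 2
  fi
  copy="${pod}-debug"

  # Refuse to reuse an existing copy: deleting it at the end could
  # destroy a pod that belongs to someone else's session.
  if "$KUBECTL" --namespace "$ns" get pod "$copy" >/dev/null 2>&1; then
    echo "pod $copy already exists in namespace $ns" >&2
    exit 1
  fi

  rc=0
  "$KUBECTL" --namespace "$ns" debug "$pod" --image "$image" \
    --stdin --tty --share-processes --copy-to "$copy" || rc=$?

  # Cleanup runs whether the session ended cleanly or with an error.
  "$KUBECTL" --namespace "$ns" delete pod "$copy" \
    --ignore-not-found --wait=false \
    || echo "warning: could not delete pod $copy in $ns" >&2
  exit "$rc"
)
```

After sourcing the file, `debug_copy demo "$POD"` opens the session and removes the copy when the shell in the debug container exits.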

By adopting ephemeral containers for debugging, Kubernetes users can maintain the integrity and stability of their applications while ensuring that diagnostic processes are both effective and minimally invasive.

This post is licensed under CC BY 4.0 by the author.