Header Banner Image
Your
Trusted
Get Fully AWS Funded
Cloud Migration

How to: Ephemeral Debug Container

Ephemeral debug containers are one of the most practical additions to the Kubernetes toolbox. They give engineers a safe, controlled way to troubleshoot production-like environments without rebuilding images, deploying temporary manifests, or modifying a running workload. This guide explains why they are useful, what exactly you can do with them, and how to use them effectively in day‑to‑day operations.

1. Overview

Modern containers are intentionally minimal. Many run on alpine, busybox, or distroless images that intentionally exclude tools like curl, ps, or dig. This is good for security and footprint, but painful when debugging.

Ephemeral debug containers solve this gap. You can temporarily attach a fully equipped container into an existing pod, sharing namespaces with your target container. This gives you the tools you need without touching the production image or triggering a redeploy.

They are ideal when you want deeper insight into what your application is actually doing right now, not what it should be doing.

2. Primary Use Cases

These are the scenarios where ephemeral debug containers shine:

• Inspecting the runtime environment

You can directly inspect the live filesystem, configuration files, mounted volumes, permissions, and environment variables of the target container.

• Debugging networking problems

This includes DNS failures, network policy issues, certificate validation problems, or unexpected routing.

• Investigating performance or process issues

With access to tools like top, ps, lsof, or ss, you can inspect running processes and open connections.

• Debugging sidecars

Often you want to isolate if an issue is caused by the main container or a sidecar. You can attach to one without altering the other.

• When the base image is too minimal

If your image intentionally comes with no debugging tools, an ephemeral container gives you what you need without violating image policies.

3. What You Can Do

Once attached, you share the process, network, and IPC namespaces of the target container. This allows you to:

  • Explore the live filesystem and config

  • Examine running processes and memory usage

  • Inspect network routes, DNS, and connectivity

  • Look at open sockets, ports, and active connections

  • Run utilities such as curl, dig, nc, tcpdump, or any custom diagnostic tool

You can treat the debug container as a full-fledged toolbox injected directly into a running pod.

4. How to Use It

This is a typical working command:

kubectl debug \
  <pod-name> \
  --image=alpine:latest \
  --target=<container-name> \
  --stdin --tty --profile=general
Key points

  • --target tells Kubernetes which container's namespaces to join.

  • --profile=general uses a namespace‑sharing setup suitable for most cases.

  • --image defines the toolbox image. Alpine is fine for many situations; you can also use a richer image.

Common tasks once inside

  • Inspect file system: ls, cat, find

  • Check processes: ps aux, top

  • Network debugging: curl, wget, dig, netstat -tulpn, ip route

  • Socket inspection: lsof -i

This gives you immediate visibility into what is happening without stopping or modifying the workload.

5. Recommended Tooling in Your Debug Image

A good debug image should include:

  • curl / wget

  • nc or socat

  • iproute2 (ip, ss)

  • dnsutils (dig, nslookup)

  • jq for JSON output

  • CA certificates

Common choices:

  • alpine

  • ubuntu

  • busybox

  • A custom, standardized internal debug image

Using a consistent image ensures predictable debugging experience across environments.

6. Limitations

Ephemeral debug containers are powerful but not magic. Some limitations:

  • They require Kubernetes 1.23+ and enabled feature gates.

  • You cannot modify the target container’s filesystem.

  • If the pod crashes before fully starting, namespace attach may not work.

  • RBAC must explicitly allow ephemeralcontainers.

  • Network policies still apply, so debugging is limited to allowed traffic.

  • Distroless containers expose fewer mount points and paths.

7. Security Considerations

Debugging tools give deep visibility, so use them responsibly:

  • Debug sessions expose environment variables and secrets.

  • Access should be tightly controlled via RBAC.

  • Kubernetes audit logs record ephemeral container usage.

  • Avoid running debug sessions directly in production unless approved.

Debug containers do not persist after the pod restarts, reducing long-term risk.

8. Best Practices

  • Maintain a standardized debug image for all clusters.

  • Keep sessions short; disconnect when finished.

  • Document each debugging session and its findings.

  • Prefer read‑only inspection—avoid making changes inside the container.

  • Use meaningful image versions, not latest.

9. Troubleshooting
Debug container fails to attach

  • Ensure the Kubernetes version supports ephemeral containers.

  • Check RBAC permissions for pods/ephemeralcontainers.

Image won't pull

  • Confirm the image is public or accessible via imagePullSecrets.

Wrong container name

  • Inspect containers with:

Namespace issues

  • If the pod crashes immediately, use a full debug pod instead of attaching.

Ephemeral debug containers give teams a safe, reversible, and powerful way to troubleshoot complex Kubernetes workloads. When used correctly, they eliminate the need for one‑off images, temp deployments, and risky production changes, making them one of the most useful operational tools available today.