List all k8s debuggable containers (#84)

eharris128 · web-flow · commit 47a5711b11ed · 2024-11-16T19:09:17.000-07:00
* Run make fmt

Signed-off-by: Evan Harris &lt;echarris@smcm.edu&gt;

* Support getting debuggable containers across more than one pod

Signed-off-by: Evan Harris &lt;echarris@smcm.edu&gt;

---------

Signed-off-by: Evan Harris &lt;echarris@smcm.edu&gt;
diff --git a/pkg/app/master/command/debug/handle_kubernetes_runtime.go b/pkg/app/master/command/debug/handle_kubernetes_runtime.go
@@ -96,6 +96,23 @@ func HandleKubernetesRuntime(
 		return
 	}
 
+	if commandParams.ActionListDebuggableContainers {
+		xc.Out.State("action.list_debuggable_containers",
+			ovars{"namespace": nsName})
+
+		result, err := listK8sDebuggableContainers(ctx, api, nsName, "")
+		if err != nil {
+			logger.WithError(err).Error("listK8sDebuggableContainers")
+			xc.FailOn(err)
+		}
+
+		for cname, iname := range result {
+			xc.Out.Info("debuggable.container", ovars{"name": cname, "image": iname})
+		}
+
+		return
+	}
+
 	pod, podName, err := ensurePod(ctx, api, nsName, commandParams.TargetPod)
 	if apierrors.IsNotFound(err) {
 		logger.WithError(err).
@@ -136,22 +153,6 @@ func HandleKubernetesRuntime(
 			"ec.count": len(pod.Spec.EphemeralContainers),
 		}).Debug("target pod info")
 
-	if commandParams.ActionListDebuggableContainers {
-		xc.Out.State("action.list_debuggable_containers",
-			ovars{"namespace": nsName, "pod": podName})
-		result, err := listK8sDebuggableContainers(ctx, api, nsName, podName)
-		if err != nil {
-			logger.WithError(err).Error("listK8sDebuggableContainers")
-			xc.FailOn(err)
-		}
-
-		for cname, iname := range result {
-			xc.Out.Info("debuggable.container", ovars{"name": cname, "image": iname})
-		}
-
-		return
-	}
-
 	//todo: need to check that if targetRef is not empty it is valid
 
 	if commandParams.ActionListSessions {
@@ -1033,6 +1034,37 @@ func listK8sDebuggableContainers(
 	api *kubernetes.Clientset,
 	nsName string,
 	podName string) (map[string]string, error) {
+	activeContainers := map[string]string{}
+	debuggableContainers := map[string]string{}
+
+	// List all pods in the namespace
+	if podName == "" {
+		pods, err := api.CoreV1().Pods(nsName).List(ctx, metav1.ListOptions{})
+		if err != nil {
+			return nil, err
+		}
+
+		for _, pod := range pods.Items {
+			if pod.Status.Phase != corev1.PodRunning {
+				continue
+			}
+
+			activeNames := getActiveContainerNames(pod.Status.ContainerStatuses)
+			for _, name := range activeNames {
+				activeContainers[name] = ""
+			}
+
+			for _, c := range pod.Spec.Containers {
+				_, found := activeContainers[c.Name]
+				if found {
+					containerKey := fmt.Sprintf("%s/%s", pod.Name, c.Name)
+					debuggableContainers[containerKey] = c.Image
+				}
+			}
+		}
+
+		return debuggableContainers, nil
+	}
 
 	pod, err := api.CoreV1().Pods(nsName).Get(ctx, podName, metav1.GetOptions{})
 	if err != nil {
@@ -1044,19 +1076,18 @@ func listK8sDebuggableContainers(
 	}
 
 	activeNames := getActiveContainerNames(pod.Status.ContainerStatuses)
-	activeContainers := map[string]string{}
 	for _, name := range activeNames {
-		activeContainers[name] = ""
+		debuggableContainers[name] = ""
 	}
 
 	for _, c := range pod.Spec.Containers {
-		_, found := activeContainers[c.Name]
+		_, found := debuggableContainers[c.Name]
 		if found {
-			activeContainers[c.Name] = c.Image
+			debuggableContainers[c.Name] = c.Image
 		}
 	}
 
-	return activeContainers, nil
+	return debuggableContainers, nil
 }
 
 func listDebuggableK8sContainersWithConfig(
diff --git a/pkg/system/syscalls_armf32.go b/pkg/system/syscalls_armf32.go
@@ -7,6 +7,7 @@ const (
 	SyscallArmMaxNum32    = 462
 	SyscallArmLastName32  = "mseal"
 )
+
 // https://github.com/torvalds/linux/blob/master/arch/arm64/tools/syscall_32.tbl , https://github.com/torvalds/linux/blob/master/arch/arm/tools/syscall.tbl
 var syscallNumTableArmFamily32 = map[uint32]string{
 	0:   "restart_syscall",
diff --git a/pkg/system/syscalls_armf64.go b/pkg/system/syscalls_armf64.go
@@ -7,6 +7,7 @@ const (
 	SyscallArmMaxNum64      = 462
 	SyscallArmLastName64    = "mseal"
 )
+
 // https://github.com/torvalds/linux/blob/master/scripts/syscall.tbl
 var syscallNumTableArmFamily64 = map[uint32]string{
 	0:   "io_setup",
@@ -290,7 +291,6 @@ var syscallNumTableArmFamily64 = map[uint32]string{
 	293: "rseq",
 	294: "kexec_file_load",
 
-
 	424: "pidfd_send_signal",
 	425: "io_uring_setup",
 	426: "io_uring_enter",
diff --git a/pkg/system/syscalls_x86f32.go b/pkg/system/syscalls_x86f32.go
@@ -4,6 +4,7 @@ const (
 	SyscallX86MaxNum32   = 462
 	SyscallX86LastName32 = "mseal"
 )
+
 // https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_32.tbl
 // line numbers are aligned with the syscall number (-10)
 var syscallNumTableX86Family32 = [...]string{
@@ -442,34 +443,34 @@ var syscallNumTableX86Family32 = [...]string{
 	"fsmount",
 	"fspick",
 	"pidfd_open",
-	"clone3", // 435
-	"close_range", // 436
-	"openat2", // 437
-	"pidfd_getfd", // 438
-	"faccessat2", // 439
-	"process_madvise", // 440
-	"epoll_pwait2", // 441
-	"mount_setattr", // 442
-	"quotactl_fd", // 443
+	"clone3",                  // 435
+	"close_range",             // 436
+	"openat2",                 // 437
+	"pidfd_getfd",             // 438
+	"faccessat2",              // 439
+	"process_madvise",         // 440
+	"epoll_pwait2",            // 441
+	"mount_setattr",           // 442
+	"quotactl_fd",             // 443
 	"landlock_create_ruleset", // 444
-	"landlock_add_rule", // 445
-	"landlock_restrict_self", // 446
-	"memfd_secret", // 447
-	"process_mrelease", // 448
-	"futex_waitv", // 449
+	"landlock_add_rule",       // 445
+	"landlock_restrict_self",  // 446
+	"memfd_secret",            // 447
+	"process_mrelease",        // 448
+	"futex_waitv",             // 449
 	"set_mempolicy_home_node", // 450
-	"cachestat", // 451
-	"fchmodat2", // 452
-	"map_shadow_stack", // 453
-	"futex_wake", // 454
-	"futex_wait", // 455
-	"futex_requeue", // 456
-	"statmount", // 457
-	"listmount", // 458
-	"lsm_get_self_attr", // 459
-	"lsm_set_self_attr", // 460
-	"lsm_list_modules", // 461
-	"mseal", // 462
+	"cachestat",               // 451
+	"fchmodat2",               // 452
+	"map_shadow_stack",        // 453
+	"futex_wake",              // 454
+	"futex_wait",              // 455
+	"futex_requeue",           // 456
+	"statmount",               // 457
+	"listmount",               // 458
+	"lsm_get_self_attr",       // 459
+	"lsm_set_self_attr",       // 460
+	"lsm_list_modules",        // 461
+	"mseal",                   // 462
 }
 
 func callNameX86Family32(num uint32) string {
diff --git a/pkg/system/syscalls_x86f64.go b/pkg/system/syscalls_x86f64.go
@@ -4,6 +4,7 @@ const (
 	SyscallX86MaxNum64   = 462
 	SyscallX86LastName64 = "mseal"
 )
+
 // https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl , https://github.com/torvalds/linux/blob/master/scripts/syscall.tbl
 // line numbers are aligned with the syscall number (-10)
 var syscallNumTableX86Family64 = [...]string{
@@ -341,7 +342,7 @@ var syscallNumTableX86Family64 = [...]string{
 	"pkey_free",
 	"statx",
 	"io_pgetevents",
-	"rseq", // 334
+	"rseq",      // 334
 	"uretprobe", // 335
 	"reserved.336",
 	"reserved.337",
@@ -441,35 +442,35 @@ var syscallNumTableX86Family64 = [...]string{
 	"fsconfig",
 	"fsmount",
 	"fspick",
-	"pidfd_open", // 434
-	"clone3", // 435
-	"close_range", // 436
-	"openat2", // 437
-	"pidfd_getfd", // 438
-	"faccessat2", // 439
-	"process_madvise", // 440
-	"epoll_pwait2", // 441
-	"mount_setattr", // 442
-	"quotactl_fd", // 443
+	"pidfd_open",              // 434
+	"clone3",                  // 435
+	"close_range",             // 436
+	"openat2",                 // 437
+	"pidfd_getfd",             // 438
+	"faccessat2",              // 439
+	"process_madvise",         // 440
+	"epoll_pwait2",            // 441
+	"mount_setattr",           // 442
+	"quotactl_fd",             // 443
 	"landlock_create_ruleset", // 444
-	"landlock_add_rule", // 445
-	"landlock_restrict_self", // 446
-	"memfd_secret", // 447
-	"process_mrelease", // 448
-	"futex_waitv", // 449
+	"landlock_add_rule",       // 445
+	"landlock_restrict_self",  // 446
+	"memfd_secret",            // 447
+	"process_mrelease",        // 448
+	"futex_waitv",             // 449
 	"set_mempolicy_home_node", // 450
-	"cachestat", // 451
-	"fchmodat2", // 452
-	"map_shadow_stack", // 453
-	"futex_wake", // 454
-	"futex_wait", // 455
-	"futex_requeue", // 456
-	"statmount", // 457
-	"listmount", // 458
-	"lsm_get_self_attr", // 459
-	"lsm_set_self_attr", // 460
-	"lsm_list_modules", // 461
-	"mseal", // 462
+	"cachestat",               // 451
+	"fchmodat2",               // 452
+	"map_shadow_stack",        // 453
+	"futex_wake",              // 454
+	"futex_wait",              // 455
+	"futex_requeue",           // 456
+	"statmount",               // 457
+	"listmount",               // 458
+	"lsm_get_self_attr",       // 459
+	"lsm_set_self_attr",       // 460
+	"lsm_list_modules",        // 461
+	"mseal",                   // 462
 }
 
 func callNameX86Family64(num uint32) string {

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ const (`
`7`	`7`	`SyscallArmMaxNum32 = 462`
`8`	`8`	`SyscallArmLastName32 = "mseal"`
`9`	`9`	`)`
	`10`	`+`
`10`	`11`	`// https://github.com/torvalds/linux/blob/master/arch/arm64/tools/syscall_32.tbl , https://github.com/torvalds/linux/blob/master/arch/arm/tools/syscall.tbl`
`11`	`12`	`var syscallNumTableArmFamily32 = map[uint32]string{`
`12`	`13`	`0: "restart_syscall",`