[BUG] ptrace not available in 1.23.8, available in 1.24. change in default policy or a bug.

AdamGlass commented 2 years ago

Describe the bug Same container that invokes gdb around an executable i'm trying to debug. Fails on 1.23.8,, works on 1.24.0. This may be an bug or not. There are some security issues associated with using ptrace in kubernetes -- eg. it should fail. There is a way i think through securityCapabilities to enable its use but there is nothing in the release notes suggesting a change in default.

Have specifically reproed with two distinct clusters and by upgrading a 1.23.8 cluster to 1.24.

On 1.23.8,

[2022-07-16T16:21:25Z INFO osmingester] OSM2PGSQL: warning: Could not trace the inferior process. [2022-07-16T16:21:25Z INFO osmingester] OSM2PGSQL: warning: ptrace: Permission denied

on 1.24.0 (preview)

i get a bunch of debugging printfs indicating gdb is working eg. [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/libthread_db.so.1". [New Thread 0x7ffff5b73640 (LWP 29)]....

To Reproduce run gdb against a executable within a container on aks 1.23.8 vs. aks 1.24.0 previw

Expected behavior Behavior should be the same between 1.23.8 and 1.24.0

Screenshots If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

Kubernetes version [e.g. 1.24.3] (1.23.8, 1.24)

Additional context adamg@microsoft.com