Support for a container debug (attaching ephemeral containers) in ArgoCD UI

[danmx]

Summary

I would like to do a kubectl debug a container of a Pod in ArgoCD UI similar to currently available kubectl exec option.

Motivation

As a security engineer I think kubectl debug (attaching ephemeral container) is more secure than kubectl exec when debugging a container. You can:

• use vetted images containing all necessary debug tools,
• have bareminimum application container images (e.g. distroless or scratch),
• specify (in some CNIs) separate k8s Network Policies for ephemeral containers which prevent access remote storage that debugged application has access to.

Proposal

How do you think this should be implemented?

• It should be behind a feature flag similar to current start.exec option.
• It should look similar to current Terminal (exec) tab that is in Web UI.
• Depending on ArgoCD central configuration, Web UI should allow to input an image used by debug or pick one from a list.
• Each debug session should leave an entry in an audit log (preferably start and end).
• (Nice to have) Content of the session should be recorded/logged (configuration for capturing only stdin or stdin and stdout because of a potential data leak - e.g. PII, secrets).

[tooptoop4]

this would be great, as currently can't exec into distroless images

[dhirschfeld]

I came here looking for the same thing. As mentioned this is particularly important for images which don't have a shell to exec into.

[meastp]

When developers only have access to Argo UI, and not kubectl, this feature would be very useful for debugging, profiling etc.!

[blakepettersson]

Feel free to create a proposal + PR for kubectl debug, it would be very welcome.