Ephemeral Containers

FEATURE STATE: Kubernetes v1.16 [alpha]

This page provides an overview of ephemeral containers: a special type of container that runs temporarily in an existing Pod to accomplish user-initiated actions such as troubleshooting. You use ephemeral containers to inspect services rather than to build applications.

Warning: Ephemeral containers are in early alpha state and are not suitable for production clusters. In accordance with the Kubernetes Deprecation Policy, this alpha feature could change significantly in the future or be removed entirely.

Understanding ephemeral containers

Pods are the fundamental building block of Kubernetes applications. Since Pods are intended to be disposable and replaceable, you cannot add a container to a Pod once it has been created. Instead, you usually delete and replace Pods in a controlled fashion using deployments.

Sometimes it’s necessary to inspect the state of an existing Pod, however, for example to troubleshoot a hard-to-reproduce bug. In these cases you can run an ephemeral container in an existing Pod to inspect its state and run arbitrary commands.

What is an ephemeral container?

Ephemeral containers differ from other containers in that they lack guarantees for resources or execution, and they will never be automatically restarted, so they are not appropriate for building applications. Ephemeral containers are described using the same ContainerSpec as regular containers, but many fields are incompatible and disallowed for ephemeral containers.

  • Ephemeral containers may not have ports, so fields such as ports, livenessProbe, readinessProbe are disallowed.
  • Pod resource allocations are immutable, so setting resources is disallowed.
  • For a complete list of allowed fields, see the EphemeralContainer reference documentation.

Ephemeral containers are created using a special ephemeralcontainers handler in the API rather than by adding them directly to pod.spec, so it’s not possible to add an ephemeral container using kubectl edit.

Like regular containers, you may not change or remove an ephemeral container after you have added it to a Pod.

Uses for ephemeral containers

Ephemeral containers are useful for interactive troubleshooting when kubectl exec is insufficient because a container has crashed or a container image doesn’t include debugging utilities.

In particular, distroless images enable you to deploy minimal container images that reduce attack surface and exposure to bugs and vulnerabilities. Since distroless images do not include a shell or any debugging utilities, it’s difficult to troubleshoot distroless images using kubectl exec alone.

When using ephemeral containers, it’s helpful to enable process namespace sharing so you can view processes in other containers.

See Debugging with Ephemeral Debug Container for examples of troubleshooting using ephemeral containers.

Ephemeral containers API

Note: The examples in this section require the EphemeralContainers feature gate to be enabled, and Kubernetes client and server version v1.16 or later.

The examples in this section demonstrate how ephemeral containers appear in the API. You would normally use kubectl debug or another kubectl plugin to automate these steps rather than invoking the API directly.

Ephemeral containers are created using the ephemeralcontainers subresource of Pod, which can be demonstrated using kubectl --raw. First describe the ephemeral container to add as an EphemeralContainers list:

  1. {
  2.     "apiVersion": "v1",
  3.     "kind": "EphemeralContainers",
  4.     "metadata": {
  5.             "name": "example-pod"
  6.     },
  7.     "ephemeralContainers": [{
  8.         "command": [
  9.             "sh"
  10.         ],
  11.         "image": "busybox",
  12.         "imagePullPolicy": "IfNotPresent",
  13.         "name": "debugger",
  14.         "stdin": true,
  15.         "tty": true,
  16.         "terminationMessagePolicy": "File"
  17.     }]
  18. }

To update the ephemeral containers of the already running example-pod:

  1. kubectl replace --raw /api/v1/namespaces/default/pods/example-pod/ephemeralcontainers  -f ec.json

This will return the new list of ephemeral containers:

  1. {
  2.    "kind":"EphemeralContainers",
  3.    "apiVersion":"v1",
  4.    "metadata":{
  5.       "name":"example-pod",
  6.       "namespace":"default",
  7.       "selfLink":"/api/v1/namespaces/default/pods/example-pod/ephemeralcontainers",
  8.       "uid":"a14a6d9b-62f2-4119-9d8e-e2ed6bc3a47c",
  9.       "resourceVersion":"15886",
  10.       "creationTimestamp":"2019-08-29T06:41:42Z"
  11.    },
  12.    "ephemeralContainers":[
  13.       {
  14.          "name":"debugger",
  15.          "image":"busybox",
  16.          "command":[
  17.             "sh"
  18.          ],
  19.          "resources":{
  21.          },
  22.          "terminationMessagePolicy":"File",
  23.          "imagePullPolicy":"IfNotPresent",
  24.          "stdin":true,
  25.          "tty":true
  26.       }
  27.    ]
  28. }

You can view the state of the newly created ephemeral container using kubectl describe:

  1. kubectl describe pod example-pod
  1. ...
  2. Ephemeral Containers:
  3.   debugger:
  4.     Container ID:  docker://cf81908f149e7e9213d3c3644eda55c72efaff67652a2685c1146f0ce151e80f
  5.     Image:         busybox
  6.     Image ID:      docker-pullable://busybox@sha256:9f1003c480699be56815db0f8146ad2e22efea85129b5b5983d0e0fb52d9ab70
  7.     Port:          <none>
  8.     Host Port:     <none>
  9.     Command:
  10.       sh
  11.     State:          Running
  12.       Started:      Thu, 29 Aug 2019 06:42:21 +0000
  13.     Ready:          False
  14.     Restart Count:  0
  15.     Environment:    <none>
  16.     Mounts:         <none>
  17. ...

You can interact with the new ephemeral container in the same way as other containers using kubectl attach, kubectl exec, and kubectl logs, for example:

  1. kubectl attach -it example-pod -c debugger