Specifying capabilities with kubectl debug


ve...@google.com

Jan 14, 2021, 11:02:31 AM1/14/21
to kubernetes-sig-cli
Hi all,

We've had requests to be able to set capabilities in debugging containers added by kubectl debug. As a reminder, kubectl debug creates new containers in these scenarios:

1. Creating a copy of a pod with a new container added.
2. Creating a privileged pod on a particular node
3. Creating an ephemeral container in a running pod (currently capabilities are disallowed here, but #1690 proposes changing this)

#53188 and #97103 track these requests, but so far we've had requests for NET_ADMIN, SYS_PTRACE and SYS_ADMIN.

The simplest way to support arbitrary capabilities would be to allow specifying a list as a flag, something like:

kubectl debug mypod -it --copy-to=my-debugger --capabilities=NET_ADMIN,SYS_PTRACE

I'm not sure this is the best way to proceed, though. I can imagine an ever-growing list of flags as we want to add additional knobs. We could allow specifying via some sort of patch or template syntax, but that doesn't seem very user friendly.

Does anyone have any opinions or suggestions for how we could make this easier? Let's capture the discussion in #97103 if possible.

Thanks,
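As an added illustration of what the proposed `--capabilities=NET_ADMIN,SYS_PTRACE` flag would have to produce (this is example code written for this page, not code from the thread, from kubectl, or from the linked issues): the Pod API already carries capabilities in `spec.containers[].securityContext.capabilities.add`, so a client-side implementation of the pod-copy scenario (scenario 1 above) amounts to parsing the flag, validating the names against the kernel's capability set, and appending a debugger container with that `securityContext` to a copy of the pod. The copy logic below is a simplified assumption about what `--copy-to` does (rename, drop server-assigned metadata and status), and the `root_equivalent` check is an added defensive touch: it surfaces capabilities that are effectively equivalent to root on the node so an operator or admission policy can decide whether a debug copy should be allowed to carry them.

```python
"""Build a debugging copy of a pod with extra Linux capabilities.

Added example modelling the kubectl debug --copy-to scenario; the flag
syntax parsed here (--capabilities=A,B) is the one proposed in the post,
not an existing kubectl flag.
"""
import copy
import json

# Linux capability names as the Kubernetes API expects them (no CAP_ prefix).
KNOWN_CAPABILITIES = frozenset({
    "AUDIT_CONTROL", "AUDIT_READ", "AUDIT_WRITE", "BLOCK_SUSPEND", "BPF",
    "CHECKPOINT_RESTORE", "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER",
    "FSETID", "IPC_LOCK", "IPC_OWNER", "KILL", "LEASE", "LINUX_IMMUTABLE",
    "MAC_ADMIN", "MAC_OVERRIDE", "MKNOD", "NET_ADMIN", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_RAW", "PERFMON", "SETFCAP", "SETGID", "SETPCAP",
    "SETUID", "SYS_ADMIN", "SYS_BOOT", "SYS_CHROOT", "SYS_MODULE", "SYS_NICE",
    "SYS_PACCT", "SYS_PTRACE", "SYS_RAWIO", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "SYSLOG", "WAKE_ALARM",
})

# Capabilities that in practice let a container escalate to node root; a
# debug workflow should surface these rather than add them silently.
ROOT_EQUIVALENT = frozenset({
    "SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE", "DAC_READ_SEARCH", "BPF",
})


def parse_capabilities_flag(value):
    """Parse 'NET_ADMIN,cap_sys_ptrace' into ['NET_ADMIN', 'SYS_PTRACE'].

    Accepts any case and an optional CAP_ prefix, de-duplicates while
    preserving order, and rejects names the kernel does not define.
    """
    caps = []
    for raw in value.split(","):
        name = raw.strip().upper()
        if not name:
            continue
        if name.startswith("CAP_"):
            name = name[4:]
        if name not in KNOWN_CAPABILITIES:
            raise ValueError(f"unknown capability: {raw.strip()!r}")
        if name not in caps:
            caps.append(name)
    return caps


def build_debug_copy(pod, copy_name, debugger_image, capabilities,
                     container_name="debugger"):
    """Return a copy of `pod` with a new interactive debugger container.

    Assumed copy semantics: rename the pod, drop server-owned metadata and
    status, leave the original containers untouched. The original dict is
    not modified.
    """
    new_pod = copy.deepcopy(pod)
    meta = new_pod.setdefault("metadata", {})
    meta["name"] = copy_name
    for field in ("uid", "resourceVersion", "creationTimestamp", "ownerReferences"):
        meta.pop(field, None)
    new_pod.pop("status", None)

    # stdin/tty mirror the -it flags in the post's command line.
    container = {"name": container_name, "image": debugger_image,
                 "stdin": True, "tty": True}
    if capabilities:
        container["securityContext"] = {"capabilities": {"add": list(capabilities)}}
    new_pod.setdefault("spec", {}).setdefault("containers", []).append(container)
    return new_pod


def root_equivalent(capabilities):
    """Return the requested capabilities that are effectively node root."""
    return sorted(set(capabilities) & ROOT_EQUIVALENT)


# Constructed sample pod, standing in for the output of `kubectl get pod mypod -o json`.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "mypod", "namespace": "default",
                 "uid": "00000000-0000-0000-0000-000000000000",
                 "resourceVersion": "12345"},
    "spec": {"containers": [{"name": "app", "image": "example.invalid/app:1.0"}]},
    "status": {"phase": "Running"},
}

if __name__ == "__main__":
    caps = parse_capabilities_flag("NET_ADMIN,SYS_PTRACE")
    debug_pod = build_debug_copy(SAMPLE_POD, "my-debugger", "busybox", caps)
    print(json.dumps(debug_pod, indent=2))
    risky = root_equivalent(caps)
    if risky:
        print(f"note: {', '.join(risky)} grant node-root-equivalent access")
```

Running the module prints the JSON that `kubectl create -f -` would accept for the debug copy; the same `build_debug_copy` output could equally be turned into a JSON patch for an existing pod, which is the less user-friendly alternative the post mentions.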