I'm trying to debug a distroless POD by trying kubectl debug which uses ephemeral containers that are disabled by default in aws eks. I'm using aws eks 1.21
✗ kubectl debug -it opentelemetry-collector-agent-6hqvf --image=busybox --target=some-app
error: ephemeral containers are disabled for this cluster (error from server: "the server could not find the requested resource")
So how to enable them for EKS?
The Kubernetes v1.23 release (not yet available on EKS) moved the ephemeral containers feature from alpha to beta.
When EKS adds support for Kubernetes v1.23, it's possible that this will include the ephemeral container API. It's not possible to say with confidence which way AWS will go here.
If EKS does add support for this API, make sure that you're applying appropriate restrictions. The ability to run an ephemeral container changes the attack surface for your workload and for the cluster it runs on.
AWS EKS 1.23 now includes the feature
✗ k exec -ti ebs-csi-node-gn5g6 -- bash
Defaulted container "ebs-plugin" out of: ebs-plugin, node-driver-registrar, liveness-probe, debugger-sbn42 (ephem)
OCI runtime exec failed: exec failed: unable to start container process: exec: "bash": executable file not found in $PATH: unknown
command terminated with exit code 126
and via ephemeral containers:
✗ k debug -ti ebs-csi-node-gn5g6 --image=busybox --target=ebs-plugin
Targeting container "ebs-plugin". If you don't see processes from this container it may be because the container runtime doesn't support this feature.
Defaulting debug container name to debugger-fzpnj.
If you don't see a command prompt, try pressing enter.
/ # ls
bin dev etc home proc root sys tmp usr var
/ #