The "execsnoop" gadget
Pods can be selected by Kubernetes labels. Here we deploy a myapp which creates pods with the role=demo
label:
$ kubectl apply -f docs/examples/ds-myapp.yaml
daemonset.apps/myapp1-pod created
daemonset.apps/myapp2-pod created
$ kubectl get pod --show-labels -o wide
NAME READY STATUS RESTARTS AGE IP NODE LABELS
myapp1-pod-4kz56 1/1 Running 0 2m24s 10.2.232.6 ip-10-0-30-247 myapp=app-one,name=myapp1-pod,role=demo
myapp1-pod-qnj4d 1/1 Running 0 2m24s 10.2.249.6 ip-10-0-44-74 myapp=app-one,name=myapp1-pod,role=demo
myapp2-pod-s5kvv 1/1 Running 0 2m24s 10.2.249.7 ip-10-0-44-74 myapp=app-two,name=myapp2-pod,role=demo
myapp2-pod-tnthg 1/1 Running 0 2m24s 10.2.232.5 ip-10-0-30-247 myapp=app-two,name=myapp2-pod,role=demo
Using the execsnoop gadget, we can see which new processes are spawned on node ip-10-0-30-247 where myapp1-pod-4kz56 and myapp2-pod-tnthg are running:
$ kubectl gadget execsnoop --selector role=demo --node ip-10-0-30-247
PCOMM PID PPID RET ARGS
true 16510 11179 0 /bin/true
date 16511 11179 0 /usr/bin/date
cat 16512 11179 0 /usr/bin/cat /proc/version
sleep 16513 11179 0 /usr/bin/sleep 1
true 16514 11179 0 /bin/true
date 16515 11179 0 /usr/bin/date
cat 16516 11179 0 /usr/bin/cat /proc/version
sleep 16517 11179 0 /usr/bin/sleep 1
true 16520 11179 0 /bin/true
date 16521 11179 0 /usr/bin/date
cat 16522 11179 0 /usr/bin/cat /proc/version
sleep 16523 11179 0 /usr/bin/sleep 1
true 16524 10972 0 /bin/true
date 16525 10972 0 /usr/bin/date
echo 16526 10972 0 /bin/echo sleep-10
sleep 16527 10972 0 /bin/sleep 10
true 16528 11179 0 /bin/true
date 16529 11179 0 /usr/bin/date
cat 16530 11179 0 /usr/bin/cat /proc/version
sleep 16531 11179 0 /usr/bin/sleep 1
^CInterrupted!
Processes of both pods are spawned: myapp1 spawns cat /proc/version
and sleep 1
,
myapp2 spawns echo sleep-10
and sleep 10
, both spawn true
and date
.
We can stop to trace again by hitting Ctrl-C.
Finally, we clean up our demo app.
$ kubectl delete -f docs/examples/ds-myapp.yaml