The "opensnoop" gadget

    The opensnoop gadget watches files that programs in pods open. Pods can be selected by Kubernetes labels, pod names, namespaces, and nodes. Here we deploy a small demo pod “mypod”:

    $ kubectl run --restart=Never -ti --image=busybox mypod -- sh -c 'while /bin/true ; do whoami ; sleep 3 ; done'

    Using the opensnoop gadget, we can see which processes open what files. We can simply filter for the pod “mypod” and omit specifying the node, thus snooping on all nodes for pod “mypod”:

    $ kubectl gadget opensnoop --podname mypod
    PID    COMM               FD ERR PATH
    18455  whoami              3   0 /etc/passwd
    18521  whoami              3   0 /etc/passwd
    18525  whoami              3   0 /etc/passwd
    18530  whoami              3   0 /etc/passwd

    Seems the whoami command opens “/etc/passwd” to map the user ID to a user name. We can leave opensnoop by hitting Ctrl-C.

    Finally, we need to clean up our pod:

    $ kubectl delete pod mypod