Merged
As a drive-by, enforce the linux/amd64 to be safe.
Workloads in the kube-system namespace would block cluster-autoscaler from evicting workloads unless a PDB was defined (see also [1]). Set an annotation to disregard the constraint for doks-debug which should never block evictions and node draining. [1]: https://github.com/kubernetes/autoscaler/blob/7c86e2813d20db8a943e69e447413ca859b92f97/cluster-autoscaler/FAQ.md#how-to-set-pdbs-to-enable-ca-to-move-kube-system-pods
doks-debug should always terminate immediately.
…n-base-image Upgrade Debian base image to bookworm
Never block cluster-autoscaler
…race-period Eliminate termination grace period
These are important for node debugging.
re-add iptables binaries
Simplifies testing in-cluster DNS as the policy enables to query CoreDNS for such requests.
…WithHostNet-dnspolicy Use ClusterFirstWithHostNet DNS policy
doks switched to containerd container runtime a while ago (https://docs.digitalocean.com/products/kubernetes/details/changelog/#1.20.2-do.0), so while docker is still installed on the nodes it's not useful for debugging k8s containers anymore
…cker remove docker socket mounts and cli
addn: fix the > as for some reason it was incorrect
Add support for crictl into the base images
moving to PAT auth
Buster is the current release, so we need the backports of the next one. Please check https://backports.debian.org/ for more details.
Signed-off-by: João Trigo Soares <joao.soares@parceiros.nos.pt>
* Added wget to the Docker image.
* Installed Azure CLI using the installation script.
- Upgrade base image from Debian 12 to Debian 13.
- Update curl version to 8.18.0 with HTTP/3 support.
- Improve installation of dependencies for building curl.
- Replace deprecated tools and update package installations.
- Enhance README with updated tooling information and descriptions.
* Change image in DaemonSet and Deployment to ghcr.io/nosportugal/debug-pod
* Update Docker repository in env script
* Remove disabled checks annotation
Signed-off-by: João Trigo Soares <joao.soares@parceiros.nos.pt>
* Updated DaemonSet and Deployment names and labels to debug-pod.
* Ensured consistency across test workflow and container names.
Pull request overview
This pull request modernizes the Kubernetes debug pod project by upgrading the base OS to Debian 13 (Trixie), replacing Docker with containerd/crictl, rebuilding curl from source with HTTP/3 support, and significantly expanding the debugging toolkit. The project is rebranded from DigitalOcean's doks-debug to NOS Portugal's debug-pod with migration to GitHub Container Registry.
Changes:
- Upgraded base image from Debian 12 to Debian 13 (testing), rebuilt curl 8.18 with HTTP/3 (QUIC) using ngtcp2/nghttp3 and OpenSSL 3.5
- Replaced Docker runtime with containerd and crictl for container inspection
- Expanded tooling with httpie, hey, speedtest, kcat, redis-tools, sysstat, and Azure CLI
- Updated Kubernetes manifests to use containerd socket, added ClusterFirstWithHostNet DNS policy, and changed safe-to-evict annotations
- Completely rewrote README with comprehensive documentation, usage examples, and tool descriptions
- Updated CI/CD workflows for GitHub Container Registry with multi-arch builds and image signing
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| Dockerfile | Upgraded to Debian 13, custom curl build with HTTP/3, replaced Docker with crictl, added numerous debugging tools |
| k8s/daemonset.yaml | Updated image reference (inconsistent tag), switched to containerd socket, improved DNS policy |
| k8s/deployment.yaml | Updated image reference to :master tag, switched to containerd socket, improved DNS policy |
| README.md | Complete rewrite with detailed documentation, quick start guide, tool inventory, and usage examples |
| LICENSE | Added NOS Portugal copyright 2025-2026 |
| script/env | Updated Docker repository name |
| .github/workflows/test.yaml | Added platform specification for consistent builds |
* Upgrade actions/checkout to v6
* Upgrade sigstore/cosign-installer to v4
* Upgrade docker/setup-buildx-action to v3
* Upgrade docker/login-action to v3
* Upgrade docker/metadata-action to v5
* Upgrade docker/build-push-action to v6
* Remove release_slim.yaml workflow
* Update test workflow to use buildx for image building
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: João Trigo Soares <joao@jtsoar.es>
* Use `make --jobs=$(nproc)` for faster builds of nghttp3, ngtcp2, and curl.
* Improves build efficiency by utilizing available CPU cores.
This pull request modernizes and significantly expands the Kubernetes debug pod image and its supporting infrastructure. The changes migrate the project from DigitalOcean's doks-debug to NOS Portugal's debug-pod, update the base OS to Debian 13, introduce a custom-built curl with HTTP/3 support, and add numerous new debugging tools. The CI/CD workflows are updated for GitHub Container Registry and image signing, and documentation is rewritten for clarity and completeness.
Major enhancements to the Docker image:
- `debian:13`, rebuilt `curl` from source with HTTP/3 (QUIC) support using ngtcp2/nghttp3 and OpenSSL 3.5, and added many new debugging tools including `httpie`, `hey`, `speedtest`, `kcat`, `redis-tools`, `nghttp2`, and `crictl` (preconfigured for containerd).
- `ghcr.io/nosportugal/debug-pod:latest`), improved node scheduling safety, and set `dnsPolicy` for better DNS resolution.

CI/CD and registry improvements:
- `ghcr.io`), replacing Docker Hub; added multi-architecture support and image signing with cosign and Rekor transparency log.

Documentation and licensing updates:
- `README.md` for clarity, with detailed quick start, tool descriptions, usage tips, and advanced debugging scenarios; credits NOS Portugal as maintainer and acknowledges DigitalOcean's original project.
- `LICENSE` to include NOS Portugal copyright.

Summary:
These changes make the debug pod image more powerful, portable, and easier to use for Kubernetes troubleshooting, with extensive new tooling and improved build/release processes.
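
The manifest settings named in the commit messages and summaries above (safe-to-evict annotation, zero termination grace period, `ClusterFirstWithHostNet` with host networking, no Docker socket mount) can be checked mechanically. The following is an added example, not code from this pull request or the debug-pod project; the annotation key, the Docker socket path, the finding codes and the sample manifest are assumptions that do not appear on the page.

```python
import copy
import json

SAFE_TO_EVICT = "cluster-autoscaler.kubernetes.io/safe-to-evict"
DOCKER_SOCK = "/var/run/docker.sock"
# Constructed sample, not from the PR: a Deployment with the pre-change settings.
SAMPLE = json.loads("""
{"kind": "Deployment", "metadata": {"name": "debug-pod", "namespace": "kube-system"},
 "spec": {"template": {"metadata": {"annotations": {}}, "spec": {
   "hostNetwork": true, "dnsPolicy": "ClusterFirst",
   "containers": [{"name": "debug", "volumeMounts": [{"name": "docker"}]}],
   "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}]}}}}
""")

def docker_volumes(pod):
    """Names of hostPath volumes that expose the Docker socket."""
    return {v["name"] for v in pod.get("volumes", [])
            if v.get("hostPath", {}).get("path") == DOCKER_SOCK}

def audit(manifest):
    """Return finding codes for a workload manifest given as a dict."""
    pod = manifest["spec"]["template"]["spec"]
    meta = manifest["spec"]["template"].get("metadata", {})
    ns = manifest["metadata"].get("namespace")
    findings = []  # a PodDisruptionBudget is the alternative; not checked here
    if ns == "kube-system" and (meta.get("annotations") or {}).get(SAFE_TO_EVICT) != "true":
        findings.append("blocks-autoscaler")
    if pod.get("terminationGracePeriodSeconds", 30) != 0:  # 30 s is the default
        findings.append("slow-termination")
    # With hostNetwork, plain ClusterFirst falls back to the node's resolver.
    if pod.get("hostNetwork") and pod.get("dnsPolicy") != "ClusterFirstWithHostNet":
        findings.append("no-cluster-dns")
    findings += ["docker-socket:" + n for n in sorted(docker_volumes(pod))]
    return findings

def fixed(manifest):
    """Return a copy with the settings described in the commits applied."""
    m = copy.deepcopy(manifest)
    tmpl = m["spec"]["template"]
    tmpl.setdefault("metadata", {}).setdefault("annotations", {})[SAFE_TO_EVICT] = "true"
    pod = tmpl["spec"]
    pod["terminationGracePeriodSeconds"] = 0
    if pod.get("hostNetwork"):
        pod["dnsPolicy"] = "ClusterFirstWithHostNet"
    dead = docker_volumes(pod)
    pod["volumes"] = [v for v in pod.get("volumes", []) if v["name"] not in dead]
    for c in pod.get("containers", []):
        c["volumeMounts"] = [x for x in c.get("volumeMounts", []) if x["name"] not in dead]
    return m

if __name__ == "__main__":
    print(audit(SAMPLE), audit(fixed(SAMPLE)))
```

Feed it the output of `kubectl get deployment <name> -o json` parsed with `json.load` to check a live workload.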