How to run kube-bench in my cluster?

First, you have to exec in Deckhouse Pod:

kubectl -n d8-system exec -ti svc/deckhouse-leader -- bash

Then you have to select which node you want to run kube-bench.

  • Run on random node:

    curl -s https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml | kubectl create -f -
    
  • Run on specific node, e.g. control-plane node:

    curl -s https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml | kubectl apply -f - --dry-run=client -o json | jq '.spec.template.spec.tolerations=[{"operator": "Exists"}] | .spec.template.spec.nodeSelector={"node-role.kubernetes.io/control-plane": ""}' | kubectl create -f -
    

Then you can check report:

kubectl logs job.batch/kube-bench

How to collect debug info?

We always appreciate helping users with debugging complex issues. Please follow these steps so that we can help you:

  1. Collect all the necessary information by running the following command:

    kubectl -n d8-system exec deploy/deckhouse -c deckhouse \
      -- deckhouse-controller collect-debug-info \
      > deckhouse-debug-$(date +"%Y_%m_%d").tar.gz
    
  2. Send the archive to the Deckhouse team for further debugging.

Data that will be collected:

  • Deckhouse queue state
  • global Deckhouse values
  • enabled modules list
  • events from all namespaces
  • controllers and pods manifests from namespaces owned by Deckhouse
  • nodegroups state
  • nodes state
  • machines state
  • deckhouse pods version
  • all deckhousereleases objects
  • Deckhouse logs
  • machine controller manager logs
  • cloud controller manager logs
  • cluster autoscaler logs
  • Vertical Pod Autoscaler admission controller logs
  • Vertical Pod Autoscaler recommender logs
  • Vertical Pod Autoscaler updater logs
  • Prometheus logs
  • terraform-state-exporter metrics
  • all firing alerts from Prometheus

How to debug pod problems with ephemeral containers?

Run the following command:

kubectl -n <namespace_name> debug -it <pod_name> --image=ubuntu <container_name>

More info in official documentation.

How to debug node problems with ephemeral containers?

Run the following command:

kubectl debug node/mynode -it --image=ubuntu

More info in official documentation.