26-pod-Ephemeral Containers


Ephemeral Containers

FEATURE STATE: Kubernetes v1.16 alpha

This page provides an overview of ephemeral containers: a special type of container that runs temporarily in an existing Pod to accomplish user-initiated actions such as troubleshooting. You use ephemeral containers to inspect services rather than to build applications.

Warning: Ephemeral containers are in early alpha state and are not suitable for production clusters. You should expect the feature not to work in some situations, such as when targeting the namespaces of a container. In accordance with the Kubernetes Deprecation Policy, this alpha feature could change significantly in the future or be removed entirely.

Understanding ephemeral containers

Pods are the fundamental building block of Kubernetes applications. Since Pods are intended to be disposable and replaceable, you cannot add a container to a Pod once it has been created. Instead, you usually delete and replace Pods in a controlled fashion using deployments.

Sometimes, however, it is necessary to inspect the state of an existing Pod, for example to troubleshoot a hard-to-reproduce bug. In these cases you can run an ephemeral container in an existing Pod to inspect its state and run arbitrary commands.

What is an ephemeral container?

Ephemeral containers differ from other containers in that they lack guarantees for resources or execution, and they will never be automatically restarted, so they are not appropriate for building applications. Ephemeral containers are described using the same ContainerSpec as regular containers, but many fields are incompatible and disallowed for ephemeral containers.

  • Ephemeral containers may not have ports, so fields such as ports, livenessProbe, and readinessProbe are disallowed.
  • Pod resource allocations are immutable, so setting resources is disallowed.
  • For a complete list of allowed fields, see the EphemeralContainer reference documentation.

Ephemeral containers are created using a special ephemeralcontainers handler in the API rather than by adding them directly to pod.spec, so it is not possible to add an ephemeral container using kubectl edit.

Like regular containers, you may not change or remove an ephemeral container after you have added it to a Pod.

Uses for ephemeral containers

Ephemeral containers are useful for interactive troubleshooting when kubectl exec is insufficient because a container has crashed or a container image doesn't include debugging utilities.

In particular, distroless images enable you to deploy minimal container images that reduce attack surface and exposure to bugs and vulnerabilities. Since distroless images do not include a shell or any debugging utilities, it is difficult to troubleshoot distroless images using kubectl exec alone.

When using ephemeral containers, it is helpful to enable process namespace sharing so you can view processes in other containers.

Examples

Note: The examples in this section require the EphemeralContainers feature gate to be enabled and Kubernetes client and server version v1.16 or later.

The examples in this section demonstrate how ephemeral containers appear in the API. Users would normally use a kubectl plugin for troubleshooting that would automate these steps.

Ephemeral containers are created using the ephemeralcontainers subresource of Pod, which can be demonstrated using kubectl --raw. First describe the ephemeral container to add as an EphemeralContainers list (saved here as ec.json):

{
    "apiVersion": "v1",
    "kind": "EphemeralContainers",
    "metadata": {
            "name": "example-pod"
    },
    "ephemeralContainers": [{
        "command": [
            "sh"
        ],
        "image": "busybox",
        "imagePullPolicy": "IfNotPresent",
        "name": "debugger",
        "stdin": true,
        "tty": true,
        "terminationMessagePolicy": "File"
    }]
}

To update the ephemeral containers of the already running example-pod:

kubectl replace --raw /api/v1/namespaces/default/pods/example-pod/ephemeralcontainers -f ec.json

This will return the new list of ephemeral containers:

{
   "kind":"EphemeralContainers",
   "apiVersion":"v1",
   "metadata":{
      "name":"example-pod",
      "namespace":"default",
      "selfLink":"/api/v1/namespaces/default/pods/example-pod/ephemeralcontainers",
      "uid":"a14a6d9b-62f2-4119-9d8e-e2ed6bc3a47c",
      "resourceVersion":"15886",
      "creationTimestamp":"2019-08-29T06:41:42Z"
   },
   "ephemeralContainers":[
      {
         "name":"debugger",
         "image":"busybox",
         "command":[
            "sh"
         ],
         "resources":{

         },
         "terminationMessagePolicy":"File",
         "imagePullPolicy":"IfNotPresent",
         "stdin":true,
         "tty":true
      }
   ]
}

You can view the state of the newly created ephemeral container using kubectl describe:

kubectl describe pod example-pod
...
Ephemeral Containers:
  debugger:
    Container ID:  docker://cf81908f149e7e9213d3c3644eda55c72efaff67652a2685c1146f0ce151e80f
    Image:         busybox
    Image ID:      docker-pullable://busybox@sha256:9f1003c480699be56815db0f8146ad2e22efea85129b5b5983d0e0fb52d9ab70
    Port:          <none>
    Host Port:     <none>
    Command:
      sh
    State:          Running
      Started:      Thu, 29 Aug 2019 06:42:21 +0000
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:         <none>
...

You can attach to the new ephemeral container using kubectl attach:

kubectl attach -it example-pod -c debugger

If process namespace sharing is enabled, you can see processes from all the containers in that Pod. For example, after attaching, run ps in the debugger container:

ps auxww

The output is similar to:

PID   USER     TIME  COMMAND
    1 root      0:00 /pause
    6 root      0:00 nginx: master process nginx -g daemon off;
   11 101       0:00 nginx: worker process
   12 101       0:00 nginx: worker process
   13 101       0:00 nginx: worker process
   14 101       0:00 nginx: worker process
   15 101       0:00 nginx: worker process
   16 101       0:00 nginx: worker process
   17 101       0:00 nginx: worker process
   18 101       0:00 nginx: worker process
   19 root      0:00 /pause
   24 root      0:00 sh
   29 root      0:00 ps auxww
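The steps above, from describing the debugger container to submitting it through the ephemeralcontainers subresource, can be wrapped in a small pre-flight script that rejects a request before it reaches the API server. The following is an added example written for this page, not code from the Kubernetes project or its documentation: it builds the same EphemeralContainers body as the ec.json above, checks it against the field restrictions described earlier (no ports, livenessProbe, readinessProbe or resources; container names unique within the Pod), computes the subresource path, and warns when the target Pod does not set spec.shareProcessNamespace, since without it ps in the debugger would only show the debugger's own processes. The function names, the `submit` helper and the use of a temporary file for `kubectl replace --raw -f` are the example's own assumptions.

```python
"""Pre-flight builder for an EphemeralContainers request body.

Added example for this page; it is not Kubernetes project code. It encodes
the constraints described on the page: ephemeral containers use the
Container spec but may not set ports, livenessProbe, readinessProbe or
resources, and they are submitted through the Pod's ephemeralcontainers
subresource rather than by editing pod.spec.
"""
import json
import os
import subprocess
import tempfile

# Fields the page lists as disallowed for ephemeral containers.
DISALLOWED_FIELDS = ("ports", "livenessProbe", "readinessProbe", "resources")

# Every container needs at least a name and an image.
REQUIRED_FIELDS = ("name", "image")


class EphemeralContainerError(ValueError):
    """Raised when a proposed ephemeral container would be rejected."""


def validate_ephemeral_container(container, existing_names=()):
    """Return a list of problems; an empty list means the spec is acceptable.

    existing_names holds the names already used by containers in the Pod
    (regular, init or ephemeral), which must stay unique.
    """
    problems = []
    for field in REQUIRED_FIELDS:
        if not container.get(field):
            problems.append(f"missing required field {field!r}")
    for field in DISALLOWED_FIELDS:
        if field in container:
            problems.append(f"field {field!r} is not allowed in an ephemeral container")
    if container.get("name") in existing_names:
        problems.append(f"container name {container['name']!r} already exists in the pod")
    return problems


def build_ephemeral_containers_body(pod_name, containers, existing_names=()):
    """Build the EphemeralContainers list object sent to the subresource."""
    names = set(existing_names)
    for c in containers:
        problems = validate_ephemeral_container(c, names)
        if problems:
            raise EphemeralContainerError("; ".join(problems))
        names.add(c["name"])
    return {
        "apiVersion": "v1",
        "kind": "EphemeralContainers",
        "metadata": {"name": pod_name},
        "ephemeralContainers": list(containers),
    }


def subresource_path(namespace, pod_name):
    """Path used with kubectl replace --raw, as in the page's example."""
    return f"/api/v1/namespaces/{namespace}/pods/{pod_name}/ephemeralcontainers"


def debug_container(name="debugger", image="busybox", command=("sh",)):
    """The busybox shell container from the page's ec.json, as a dict."""
    return {
        "name": name,
        "image": image,
        "imagePullPolicy": "IfNotPresent",
        "command": list(command),
        "stdin": True,
        "tty": True,
        "terminationMessagePolicy": "File",
    }


def process_sharing_warning(pod):
    """Return a warning string if the Pod does not share its process namespace, else None."""
    if pod.get("spec", {}).get("shareProcessNamespace") is True:
        return None
    return ("pod does not set spec.shareProcessNamespace: true; "
            "ps in the debugger will only show the debugger's own processes")


def submit(namespace, pod_name, body):
    """Send the body with kubectl replace --raw. Needs a cluster; not run offline.

    The body is written to a temporary file because kubectl reads the raw
    request body from the path given to -f (assumed helper, see lead-in).
    """
    path = subresource_path(namespace, pod_name)
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(body, fh)
        tmp = fh.name
    try:
        result = subprocess.run(
            ["kubectl", "replace", "--raw", path, "-f", tmp],
            text=True, capture_output=True, check=True,
        )
    finally:
        os.unlink(tmp)
    return json.loads(result.stdout)


if __name__ == "__main__":
    # Constructed sample: the page's example-pod, assumed to have one regular container "nginx".
    body = build_ephemeral_containers_body("example-pod", [debug_container()], existing_names={"nginx"})
    print(json.dumps(body, indent=2))
    print(subresource_path("default", "example-pod"))
```

Running the script prints the same EphemeralContainers document as ec.json and the subresource path; calling `submit("default", "example-pod", body)` then performs the `kubectl replace --raw` step against a real cluster. Keeping the validation client-side means a typo such as an accidental `resources` block fails fast and locally instead of as an API server rejection after the request has already been logged in the audit trail.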
