kubernetes-plugin/skills/kubectl-debugging/SKILL.md
Debug K8s pods/nodes with kubectl debug — ephemeral containers, pod copying, debug profiles, interactive sessions. Use when the user mentions kubectl debug or debugging pods.
Expert knowledge for debugging Kubernetes resources using kubectl debug - ephemeral containers, pod copies, and node access.
| Use this skill when... | Use <sibling> instead when... |
|---|---|
| Attaching an ephemeral debug container to a running pod with kubectl debug | Use kubernetes-operations for general kubectl workflows (apply, get, describe, logs) |
| Creating a pod copy with a different image or command for interactive troubleshooting | Use helm-debugging when the failure is in template rendering or chart configuration, not the running container |
| Opening a node-level debug session to inspect host namespaces or filesystems | Use helm-release-recovery when the recovery action is a Helm rollback rather than per-pod debugging |
kubectl debug automates common debugging tasks:
Always specify `--context` explicitly in every kubectl command:

```bash
# CORRECT: Explicit context
kubectl --context=prod-cluster debug mypod -it --image=busybox

# WRONG: Relying on current context
kubectl debug mypod -it --image=busybox # Which cluster?
```
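
An added example, not part of the original skill: a shell guard that applies the explicit-context rule above before running `kubectl debug`. As an extra assumption it also requires an explicit `--profile`, because the default profile is `legacy`; the names `kdebug_check` and `kdebug` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the skill. kdebug_check and kdebug are hypothetical names.

# Succeeds only if the kubectl debug arguments name a context and a profile.
# Everything after a bare `--` is the container command, so flags there are ignored.
# Returns 2 when --context is missing, 3 when --profile is missing.
kdebug_check() {
  local have_context=0 have_profile=0 prev="" arg
  for arg in "$@"; do
    if [ "$arg" = "--" ]; then break; fi
    case "$arg" in
      --context=?*) have_context=1 ;;
      --profile=?*) have_profile=1 ;;
      -*) ;;  # another flag is never the value of --context/--profile
      *)
        # Space-separated form, e.g. `--context prod-cluster`
        if [ "$prev" = "--context" ]; then have_context=1; fi
        if [ "$prev" = "--profile" ]; then have_profile=1; fi
        ;;
    esac
    prev="$arg"
  done
  if [ "$have_context" -eq 0 ]; then
    echo "kdebug: refusing to run without an explicit --context" >&2
    return 2
  fi
  if [ "$have_profile" -eq 0 ]; then
    echo "kdebug: refusing to run without an explicit --profile (default is legacy)" >&2
    return 3
  fi
  return 0
}

# Drop-in wrapper: validate first, then hand the unchanged arguments to kubectl.
kdebug() {
  kdebug_check "$@" || return
  kubectl debug "$@"
}
```

Called as `kdebug --context=my-context mypod -it --image=busybox --profile=general`, it runs the same command the skill shows; without `--context` it exits before kubectl is invoked.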

```bash
# Interactive debugging with busybox
kubectl --context=my-context debug mypod -it --image=busybox

# Target specific container's process namespace
kubectl --context=my-context debug mypod -it --image=busybox --target=mycontainer

# Use a specific debug profile
kubectl --context=my-context debug mypod -it --image=busybox --profile=netadmin
```

```bash
# Create debug copy
kubectl --context=my-context debug mypod -it --copy-to=mypod-debug --image=busybox

# Copy and change container image
kubectl --context=my-context debug mypod --copy-to=mypod-debug --set-image=app=busybox

# Copy and modify command
kubectl --context=my-context debug mypod -it --copy-to=mypod-debug --container=myapp -- sh

# Copy on same node
kubectl --context=my-context debug mypod -it --copy-to=mypod-debug --same-node --image=busybox
```

```bash
# Interactive node debugging (host namespaces, filesystem at /host)
kubectl --context=my-context debug node/mynode -it --image=busybox

# With sysadmin profile for full capabilities
kubectl --context=my-context debug node/mynode -it --image=ubuntu --profile=sysadmin
```

| Profile | Use Case | Capabilities |
|---------|----------|--------------|
| legacy | Default, unrestricted | Full access (backwards compatible) |
| general | General purpose | Moderate restrictions |
| baseline | Minimal restrictions | Pod security baseline |
| netadmin | Network troubleshooting | NET_ADMIN capability |
| restricted | High security environments | Strictest restrictions |
| sysadmin | System administration | SYS_PTRACE, SYS_ADMIN |

```bash
# Network debugging (tcpdump, netstat, ss)
kubectl --context=my-context debug mypod -it --image=nicolaka/netshoot --profile=netadmin

# System debugging (strace, perf)
kubectl --context=my-context debug mypod -it --image=ubuntu --profile=sysadmin
```

| Image | Size | Use Case |
|-------|------|----------|
| busybox | ~1MB | Basic shell, common utilities |
| alpine | ~5MB | Shell with apk package manager |
| ubuntu | ~77MB | Full Linux with apt |
| nicolaka/netshoot | ~350MB | Network debugging (tcpdump, dig, curl, netstat) |
| gcr.io/k8s-debug/debug | Varies | Official Kubernetes debug image |

```bash
# Add netshoot container for network debugging
kubectl --context=my-context debug mypod -it \
  --image=nicolaka/netshoot \
  --profile=netadmin

# Inside container:
# - tcpdump -i any port 80
# - dig kubernetes.default
# - curl -v http://service:port
# - ss -tlnp
# - netstat -an
```

```bash
# Copy pod with different entrypoint to inspect
kubectl --context=my-context debug mypod -it \
  --copy-to=mypod-debug \
  --container=app \
  -- sh

# Inside: check filesystem, env vars, config files
```

```bash
# Target container's process namespace
kubectl --context=my-context debug mypod -it \
  --image=busybox \
  --target=mycontainer

# Inside: ps aux, /proc inspection
```

```bash
# Debug node with host access
kubectl --context=my-context debug node/worker-1 -it \
  --image=ubuntu \
  --profile=sysadmin

# Inside:
# - Host filesystem at /host
# - chroot /host for full access
# - journalctl, systemctl, dmesg
```

```bash
# Create copy, keeping original running
kubectl --context=my-context debug mypod -it \
  --copy-to=mypod-debug \
  --same-node \
  --share-processes \
  --image=busybox

# Original pod continues serving traffic
# Debug copy shares storage if on same node
```

| Option | Description |
|--------|-------------|
| -it | Interactive TTY (required for shell access) |
| --image | Debug container image |
| --container | Name for the debug container |
| --target | Share process namespace with this container |
| --copy-to | Create a copy instead of ephemeral container |
| --same-node | Schedule copy on same node (with --copy-to) |
| --set-image | Change container images in copy |
| --profile | Security profile (legacy, netadmin, sysadmin, etc.) |
| --share-processes | Enable process namespace sharing (default: true with --copy-to) |
| --replace | Delete original pod when creating copy |

- `--copy-to` for invasive debugging - Preserve original pod
- `--same-node` - For accessing shared storage/network conditions

```bash
# List debug pod copies
kubectl --context=my-context get pods | grep -E "debug|copy"

# Delete debug pods
kubectl --context=my-context delete pod mypod-debug
```

For detailed option reference, examples, and troubleshooting patterns, see REFERENCE.md.