openshift-eng/openshift-node-kernel
plugins/openshift/skills/openshift-node-kernel/SKILL.md
Inspect kernel-level networking configuration on OpenShift/Kubernetes nodes using oc debug
$ install --global
skillsauthnpx skillsauth add openshift-eng/ai-helpers openshift-node-kernelInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 21, 2026, 6:17 AM113.5s6 files scanned
SKILL.md
- name:
- openshift-node-kernel
- description:
- Inspect kernel-level networking configuration on OpenShift/Kubernetes nodes using oc debug
OpenShift Node Kernel Inspection Skill
This skill provides utilities for inspecting kernel-level networking configuration on OpenShift/Kubernetes nodes using oc debug.
Overview
The skill enables interaction with kernel networking tools on Kubernetes nodes without requiring SSH access. It uses oc debug to create ephemeral containers with host network access and executes kernel commands in the host's namespace.
Commands Provided
node-kernel-ip
Executes ip commands to inspect routing tables, network devices, and interfaces.
Script: node-kernel-ip.sh
Usage:
./node-kernel-ip.sh <node> <image> --command <cmd> [--options <opts>] [--filter <params>]
Example:
./node-kernel-ip.sh worker-1 registry.redhat.io/rhel9/support-tools --command "route show"
node-kernel-iptables
Executes iptables or ip6tables commands to inspect packet filter rules.
Script: node-kernel-iptables.sh
Usage:
./node-kernel-iptables.sh <node> <image> --command <cmd> [--table <table>] [--filter <params>]
Example:
./node-kernel-iptables.sh worker-1 registry.redhat.io/rhel9/support-tools --command "-L POSTROUTING" --table nat --filter "-nv4"
node-kernel-nft
Executes nft commands to inspect nftables packet filtering and classification rules.
Script: node-kernel-nft.sh
Usage:
./node-kernel-nft.sh <node> <image> --command <cmd> [--family <family>]
Example:
./node-kernel-nft.sh worker-1 registry.redhat.io/rhel9/support-tools --command "list tables" --family inet
node-kernel-conntrack
Executes conntrack commands or reads /proc/net/nf_conntrack to inspect connection tracking entries.
Script: node-kernel-conntrack.sh
Usage:
./node-kernel-conntrack.sh <node> <image> [--command <cmd>] [--filter <params>]
Example:
./node-kernel-conntrack.sh worker-1 registry.redhat.io/rhel9/support-tools --command "-L" --filter "-s 1.2.3.4"
Helper Functions
The kernel-helper.sh script provides shared functions:
check_utility_exists: Verifies a utility exists in the debug imageexecute_kernel_command: Executes commands on a node viaoc debugfilter_warnings: Removes common oc debug warning messages from outputvalidate_node_exists: Validates node name exists in clusterdetect_and_set_kubeconfig: Auto-detects and configures kubeconfig
Output Handling
All commands ensure:
- stdout contains only the actual command output (routing tables, interface info, etc.)
- stderr contains warnings, debug messages, and errors
- Common
oc debugwarnings are filtered out automatically using improved regex patterns - Output is explicitly captured and returned to ensure proper data flow to calling processes
Improvements
The execute_kernel_command() function explicitly captures all output from oc debug and filters warnings before returning results, ensuring:
- Complete output capture: All stdout/stderr is captured in a variable
- Reliable filtering: Uses single
grep -Ewith multiple patterns for efficiency - Guaranteed output: The
|| catfallback ensures output passes through even if no warnings are found - Explicit return: Output is explicitly sent to stdout using
printffor reliable data flow
Related Skills
openshift-eng/status-analysis
research
VerifiedTrustedCommunity
Shared engine for analyzing Jira issue activity and generating status summaries
98SKILL.mdUpdated Apr 28, 2026
openshift-eng/payload-snapshot
testing
VerifiedTrustedCommunity
Snapshot OpenShift payload data (release controller, PR diffs, comments, CI jobs, JUnit results, regression tracking) to a local directory for offline analysis
96SKILL.mdUpdated Jun 4, 2026
openshift-eng/payload-analysis
development
VerifiedTrustedCommunity
Analyze a payload snapshot to identify root causes of blocking job failures, score candidate PRs, and produce an HTML report with revert recommendations
96SKILL.mdUpdated Jun 4, 2026
openshift-eng/stage-payload-reverts
tools
VerifiedTrustedCommunity
Create TRT JIRA bugs, open revert PRs, and trigger payload jobs for high-confidence revert candidates
96SKILL.mdUpdated Apr 28, 2026