Cloud Native 5 min read

How to Debug Kubernetes Container Networks with nsenter and DaemonSet

This guide shows how to use nsenter to enter a container's network namespace for debugging, log into Kubernetes nodes via privileged pods, deploy a DaemonSet for persistent access, and compare nsenter with the newer kubectl debug temporary container approach.

Linux Cloud Computing Practice

Debugging Container Network

Use nsenter to enter a container's network namespace from the host. The following commands set the container ID, retrieve its PID, and enter the network namespace:

# set containerid
containerid=xxx
# get container PID
pid=$(docker inspect -f '{{.State.Pid}}' "$containerid")
# enter network namespace
nsenter -n --target $pid

After entering, you can run host tools such as tcpdump, netstat, and other network commands.

Logging into a Kubernetes Node

If you only have API server access and no SSH to the node, you can still use nsenter: run a privileged pod pinned to that node and enter the namespaces of PID 1. A temporary script that logs into a node this way:

node=xxx
cmd='[ "nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--"]'
overrides="$(cat <<EOT
{
  "spec": {
    "nodeName": "$node",
    "hostPID": true,
    "hostNetwork": true,
    "containers": [
      {
        "securityContext": {"privileged": true},
        "image": "alpine",
        "name": "nsenter",
        "stdin": true,
        "stdinOnce": true,
        "tty": true,
        "command": $cmd
      }
    ],
    "tolerations": [{"operator": "Exists"}]
  }
}
EOT
)"
pod="kube-nodeshell-$(env LC_ALL=C tr -dc a-z0-9 </dev/urandom | head -c 6)"
kubectl run --image=alpine --restart=Never --rm --overrides="$overrides" -it $pod

The principle is sharing the host PID namespace (hostPID: true) so the container sees all host processes, including PID 1; nsenter then enters PID 1's mount, uts, ipc, net, and pid namespaces, which yields a shell that behaves like a root shell on the host. The privileged securityContext is what allows the nsenter call to succeed.

If frequent access is needed, you can deploy a DaemonSet that runs nsenter on each node. This is recommended only in test environments: a privileged hostPID pod on every node is equivalent to root on every node, so anyone who can exec into these pods owns the cluster's nodes.

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-nodeshell
  labels:
    app: kube-nodeshell
spec:
  selector:
    matchLabels:
      app: kube-nodeshell
  template:
    metadata:
      labels:
        app: kube-nodeshell
    spec:
      tolerations:
        - operator: "Exists"
      containers:
        - name: kube-nodeshell
          image: alpine
          command:
            - nsenter
            - --target
            - "1"
            - --mount
            - --uts
            - --ipc
            - --net
            - --pid
            - --
            - sleep
            - infinity
          securityContext:
            privileged: true
      hostIPC: true
      hostPID: true
      hostNetwork: true
      priorityClassName: system-node-critical
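
Because the node-shell pattern above (hostPID plus a privileged container running nsenter against PID 1) is as powerful as node root, a cluster operator will want to find any such pods that are still running. The following audit script is an added example, not part of the original article or the kube-nodeshell repository: it walks a pod list in the shape produced by `kubectl get pods -A -o json` (the sample below is constructed inline, not real cluster output) and reports pods that combine hostPID with a privileged container, noting when the command is an nsenter into PID 1.

```python
import json

# Constructed sample shaped like `kubectl get pods -A -o json`; not real cluster output.
SAMPLE_POD_LIST = json.loads("""
{ "items": [
  { "metadata": {"namespace": "default", "name": "kube-nodeshell-ab12cd"},
    "spec": {"hostPID": true, "hostNetwork": true,
      "containers": [{"name": "nsenter", "image": "alpine",
        "securityContext": {"privileged": true},
        "command": ["nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--"]}]}},
  { "metadata": {"namespace": "monitoring", "name": "node-exporter-x1"},
    "spec": {"hostPID": true, "hostNetwork": true,
      "containers": [{"name": "exporter", "image": "prom/node-exporter",
        "securityContext": {"privileged": false}}]}},
  { "metadata": {"namespace": "web", "name": "frontend-7d9"},
    "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}
]}
""")

def pod_findings(pod):
    """Return the node-shell indicators present on one pod object, in a fixed order."""
    spec = pod.get("spec", {})
    findings = [k for k in ("hostPID", "hostNetwork", "hostIPC") if spec.get(k)]
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"privileged:{c['name']}")
        cmd = list(c.get("command") or []) + list(c.get("args") or [])
        # nsenter --target 1 (or -t 1) joins the namespaces of PID 1, i.e. the host's.
        if cmd and cmd[0].endswith("nsenter") and any(
                cmd[i] in ("--target", "-t") and cmd[i + 1] == "1"
                for i in range(len(cmd) - 1)):
            findings.append(f"nsenter-pid1:{c['name']}")
    return findings

def node_shell_pods(pod_list):
    """Map 'namespace/name' -> findings for pods that can reach the host like a node shell."""
    out = {}
    for pod in pod_list["items"]:
        f = pod_findings(pod)
        # hostPID alone (e.g. a monitoring exporter) is not enough; privileged + hostPID is.
        if "hostPID" in f and any(x.startswith("privileged:") for x in f):
            out[f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"] = f
    return out

if __name__ == "__main__":
    for name, f in node_shell_pods(SAMPLE_POD_LIST).items():
        print(name, ", ".join(f))
```

Pipe real output in with `kubectl get pods -A -o json | python3 audit.py` after replacing the constructed sample with `json.load(sys.stdin)`.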

Temporary Containers (kubectl debug)

Since Kubernetes 1.18, you can add a temporary container to a pod using kubectl debug, which also allows node-shell access. Compared with the nsenter method, kubectl debug shares only the host PID and network namespaces, while the nsenter method enters the host's mount namespace as well, so it provides the full set of host tools and privileged operations.

All related files are available in the kube-nodeshell repository.

Source: https://qingwave.github.io/k8s-debug-nsenter/
