
Whisperers as ephemeral containers

This is the most advanced and most recent way of spawning Whisperers.
Everything is managed by the UI:

  • Browse your local or remote Kubernetes workloads
  • Choose the workload to attach a Whisperer to
  • Click ATTACH

And that is all!
In a few clicks, the Whisperers are attached to any Pod, Service, Job, StatefulSet or DaemonSet 😮

You are going to love it!

What are ephemeral containers?

An ephemeral container is a debug container that you can spawn INSIDE a running Pod, without restarting it.
It gains access to the Pod's Linux namespaces (process, network, etc.), which makes it even more integrated than two containers running in the same Pod.

A Whisperer can be launched as an ephemeral container inside another Pod and capture its communications.

Setup

To launch Whisperers from the UI, you need to have Spider Controller running in your cluster.

  • It is available by default in the cluster you installed Spider on
  • You may install another one on any cluster: Installing Spider Controller

Asking for an attachment

You can ask for an attachment from various places:

  • From the Floating Action button on the top left

AttachFromFab.png

By clicking on the blue link icon.

  • From the Controller details

AttachFromController.png

  • From the Whisperer details

AttachFromWhisperer.png

Configuring the attachment

Clicking on the Attach buttons above leads to this form:

AttachAWorkload.png

On it, you may select the Workload on which to attach a Whisperer.
Click ATTACH and it is done! 😄

If the Whisperer has a limited timeToLive set in its configuration:

WhispererConfiguration.png

Then the attachment will have a limited lifetime before automatic detachment:

TimeToLive.png

Detachment

The active attachments are displayed in the Attachments tabs.

AttachFromWhisperer.png

From there you see:

  • The Controller
  • The Whisperer
  • The target workload and its attachment status
  • The list of all Pods linked to this workload that have been attached

And you may detach an attachment.

This will ask the Whisperer to stop, independently of the Whisperer capture configuration.
Thus you may spawn a Whisperer for a limited amount of time.

Details

Ephemeral containers

  • They have no resource requests or limits
  • You don't see them in many Kubernetes management UIs
  • They last 24h maximum (but the Controller restarts them)
  • They don't have volumes, configuration or the like. Everything is provided through environment configuration
    • In order not to share the private key of the Whisperer (which Spider does not have), authentication is done with JWT tokens
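
Since ephemeral containers do not show up in many management UIs, one way to inventory them is to read the Pod objects directly. The Python below is an added example, not part of Spider: it parses the output of `kubectl get pods -A -o json` and lists each ephemeral container with its target and state. The sample Pod, its names, images and the `TOKEN` variable are constructed.

```python
import json
import sys

# Constructed sample shaped like `kubectl get pods -A -o json`; not real cluster data.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "cart-7d9f"},
     "spec": {"containers": [{"name": "cart", "image": "example/cart:1.0"}],
              "ephemeralContainers": [{
                  "name": "capture-1", "image": "example/capture:1.0",
                  "targetContainerName": "cart",
                  "env": [{"name": "TOKEN", "value": "placeholder"}]}]},
     "status": {"ephemeralContainerStatuses": [{
         "name": "capture-1",
         "state": {"running": {"startedAt": "2024-01-01T00:00:00Z"}}}]}},
    {"metadata": {"namespace": "shop", "name": "db-0"},
     "spec": {"containers": [{"name": "db", "image": "example/db:1.0"}]},
     "status": {}},
]}


def list_ephemeral_containers(pod_list):
    """Return one record per ephemeral container found in a Pod list."""
    found = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        # Runtime state lives in status, separate from the spec; index it by name.
        statuses = pod.get("status", {}).get("ephemeralContainerStatuses") or []
        states = {s["name"]: next(iter(s.get("state") or {}), "unknown")
                  for s in statuses}
        for ec in spec.get("ephemeralContainers") or []:
            found.append({
                "pod": f"{meta.get('namespace')}/{meta.get('name')}",
                "name": ec["name"],
                "image": ec.get("image"),
                "target": ec.get("targetContainerName"),
                "state": states.get(ec["name"], "unknown"),
                # Names only: values may carry credentials such as tokens.
                "env_names": [e["name"] for e in ec.get("env") or []],
            })
    return found


if __name__ == "__main__":
    # Pipe `kubectl get pods -A -o json` in, or run with no piped input for the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for record in list_ephemeral_containers(data):
        print(json.dumps(record))
```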

Controllers

  • They have READ Kubernetes RBAC permissions to watch Kubernetes workloads
  • They act as a DNS proxy for Whisperers
  • They use little memory (100MB) and are REALLY stable 💪
  • They are installed with a single line shell instruction using Helm 😮

More info

Blog item announcing the feature: Spider Controllers