Endoscope: a tool to launch a privileged shell, run ptrace, gdb, or ping from/to a pod

Tired of discovering that that recalcitrant container you need to debug has no root, no tcpdump, no ptrace permission, no gdb, and the wrong shell? Tired of then building a debug version and changing your tooling to deploy a ‘privileged’ version?

Endoscope might be for you. It's a container with a bunch of tools (but you can use any container) and a Python script which launches it side-car style into an existing namespace/pod. It runs privileged, in the pid + network namespace of the debugee, but with its own filesystem (meaning you’d have to chroot/cd into the debugee if you want to get its files directly).

I’ve only tried this on GKE. Code is on GitHub. Pull requests most welcome!

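A check one could run from inside such a sidecar to confirm the layout the post describes (pid and network namespaces shared with the debugee, mount namespace separate). This is an added example, not part of the original post or of Endoscope's code; the function names and the sample inode numbers are constructed for illustration.

```python
import os
import re
import sys

# Links under /proc/<pid>/ns look like "pid:[4026532301]".
NS_LINK = re.compile(r"^\w+:\[(\d+)\]$")

def read_namespaces(pid, proc="/proc"):
    """Return {entry_name: inode} for every readable link in /proc/<pid>/ns."""
    ns_dir = os.path.join(proc, str(pid), "ns")
    found = {}
    for name in os.listdir(ns_dir):
        try:
            target = os.readlink(os.path.join(ns_dir, name))
        except OSError:
            continue  # not readable without sufficient privilege; skip it
        match = NS_LINK.match(target)
        if match:
            found[name] = int(match.group(1))
    return found

def compare_namespaces(mine, theirs):
    """Split the namespace types both processes report into (shared, separate)."""
    common = sorted(set(mine) & set(theirs))
    shared = [n for n in common if mine[n] == theirs[n]]
    separate = [n for n in common if mine[n] != theirs[n]]
    return shared, separate

def matches_sidecar_layout(mine, theirs):
    """True when pid and net are shared but the mount namespace is not."""
    shared, separate = compare_namespaces(mine, theirs)
    return {"pid", "net"} <= set(shared) and "mnt" in separate

# Constructed sample values, standing in for a sidecar and its debugee.
SIDECAR = {"pid": 4026532301, "net": 4026532240, "mnt": 4026532410, "ipc": 4026532411}
DEBUGEE = {"pid": 4026532301, "net": 4026532240, "mnt": 4026532298, "ipc": 4026532299}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live mode: pass the debugee's pid as seen from the sidecar
        mine, theirs = read_namespaces("self"), read_namespaces(sys.argv[1])
    else:
        mine, theirs = SIDECAR, DEBUGEE
    shared, separate = compare_namespaces(mine, theirs)
    print("shared:", shared, "separate:", separate)
    print("sidecar layout:", matches_sidecar_layout(mine, theirs))
```

Because the mount namespaces differ, the debugee's files are not at the sidecar's `/`; with the pid namespace shared they are reachable through `/proc/<pid>/root`, which is where the chroot/cd the post mentions would point.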