Running kubectl-trace in openshift

a_README.md

kubectl trace in openshift

trace runs as a Job, if there are problems look there: oc get jobs.

oc trace run  --serviceaccount=kubectltrace pod/machine-api-controllers-56db5fcc9c-n9f4d -c machine-controller -f vsphere-session.bt 

serviceaccount.yaml

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubectltrace
  namespace: openshift-machine-api 
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: kubectltrace
spec:
  fsGroup:
    rule: RunAsAny
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'
  allowedCapabilities:
  - '*'
  hostPID: true
  hostIPC: true
  hostNetwork: true
  hostPorts:
  - min: 1
    max: 65536
---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubectltrace-psp
rules:
- apiGroups:
  - policy
  - security.openshift.io
  resources:
  - podsecuritypolicies
  - securitycontextconstraints
  resourceNames:
  - kubectltrace
  - privileged
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
    name: kubectltrace-psp
subjects:
- kind: ServiceAccount
  name: kubectltrace
  namespace: openshift-machine-api 
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: kubectltrace-psp

vsphere-session.bt

#!/usr/bin/env bpftrace

uprobe:/proc/$container_pid/exe:"github.com/vmware/govmomi/session.(*Manager).SessionIsActive",
uprobe:/proc/$container_pid/exe:"github.com/openshift/machine-api-operator/pkg/controller/vsphere/session.GetOrCreate",
uprobe:/proc/$container_pid/exe:"github.com/vmware/govmomi.NewClient"
{
	@[probe] = count();
}

interval:s:600
{
	exit(); 
}