Merge pull request #116366 from ardaguclu/fix-shareprocess-explicit

kubectl debug: Not share process namespace if user explicitly disables it

Kubernetes-commit: 3ed9c61864864eb70de4126790ba90a5c05e9fd5

go.mod

@@ -30,10 +30,10 @@ require (
 	github.com/stretchr/testify v1.8.1
 	golang.org/x/sys v0.5.0
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.0.0-20230310084041-7785f7653f92
-	k8s.io/apimachinery v0.0.0-20230310083533-ca95f42b2383
+	k8s.io/api v0.0.0-20230310084044-182afbd21219
+	k8s.io/apimachinery v0.0.0-20230310083535-8fccf3d61224
 	k8s.io/cli-runtime v0.0.0-20230310093857-5c6f9c63192f
-	k8s.io/client-go v0.0.0-20230310084519-d2ebc4d27c5a
+	k8s.io/client-go v0.0.0-20230310170151-6df09021f998
 	k8s.io/component-base v0.0.0-20230310085212-d69652187fff
 	k8s.io/component-helpers v0.0.0-20230310085329-cb3213391b8c
 	k8s.io/klog/v2 v2.90.1
@@ -91,10 +91,10 @@ require (
 )
 
 replace (
-	k8s.io/api => k8s.io/api v0.0.0-20230310084041-7785f7653f92
-	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20230310083533-ca95f42b2383
+	k8s.io/api => k8s.io/api v0.0.0-20230310084044-182afbd21219
+	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20230310083535-8fccf3d61224
 	k8s.io/cli-runtime => k8s.io/cli-runtime v0.0.0-20230310093857-5c6f9c63192f
-	k8s.io/client-go => k8s.io/client-go v0.0.0-20230310084519-d2ebc4d27c5a
+	k8s.io/client-go => k8s.io/client-go v0.0.0-20230310170151-6df09021f998
 	k8s.io/code-generator => k8s.io/code-generator v0.0.0-20230310082919-4a4a238d07ff
 	k8s.io/component-base => k8s.io/component-base v0.0.0-20230310085212-d69652187fff
 	k8s.io/component-helpers => k8s.io/component-helpers v0.0.0-20230310085329-cb3213391b8c

go.sum

@@ -531,14 +531,14 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.0.0-20230310084041-7785f7653f92 h1:Bcf6XSNDjTLbkKqalEH4WESD5jGuuMg56WfZBxye6Oc=
-k8s.io/api v0.0.0-20230310084041-7785f7653f92/go.mod h1:54YtNzxdtIDMfqQTVaBmptCRgtrUw9mSUMvt9sCX3fI=
-k8s.io/apimachinery v0.0.0-20230310083533-ca95f42b2383 h1:hc7CTuFg8uUBL3NHB1LPOj6xlSyy52zvy4rwyPtrils=
-k8s.io/apimachinery v0.0.0-20230310083533-ca95f42b2383/go.mod h1:RWA+8iKvi6iwtPZ0MMwtZSlZRiH+SnmQH2SbXJrVDPQ=
+k8s.io/api v0.0.0-20230310084044-182afbd21219 h1:Zi16ywjzp2CqeHJZoz3N0RlFu20NqeuIzqY1RkRg4FU=
+k8s.io/api v0.0.0-20230310084044-182afbd21219/go.mod h1:BufeAXF75avqFSWCYqXkvwYrwI4ZAem3uLWUZFS14hw=
+k8s.io/apimachinery v0.0.0-20230310083535-8fccf3d61224 h1:LhE0BNPRZYIEMmTBywXwvw3P3YtfPIo3xRefHYrbR0s=
+k8s.io/apimachinery v0.0.0-20230310083535-8fccf3d61224/go.mod h1:RWA+8iKvi6iwtPZ0MMwtZSlZRiH+SnmQH2SbXJrVDPQ=
 k8s.io/cli-runtime v0.0.0-20230310093857-5c6f9c63192f h1:u47kCmJLLP6yqafHhGlUS0xEnD+nrcSr6ZvXKnMD/9M=
 k8s.io/cli-runtime v0.0.0-20230310093857-5c6f9c63192f/go.mod h1:5DoshHAhpomXS+3lFu3kcyXmaEbK7Rs6UVmdz+bDafo=
-k8s.io/client-go v0.0.0-20230310084519-d2ebc4d27c5a h1:YPm/O39dwIK1TccLAPI4kqp5cgyR5069FnrUeTDfcEM=
-k8s.io/client-go v0.0.0-20230310084519-d2ebc4d27c5a/go.mod h1:RYmoEfRTbcCyQuxzOrnKnLil0oReXeKAYKHP6h5V6oM=
+k8s.io/client-go v0.0.0-20230310170151-6df09021f998 h1:gxGnQVRtt2NmwPYoPu+6xp+Y1lB3srWAA/kkXTQmQUQ=
+k8s.io/client-go v0.0.0-20230310170151-6df09021f998/go.mod h1:seT1S8LUx48CIppmquME8d52oZQTiI2CX577lxB8cXA=
 k8s.io/component-base v0.0.0-20230310085212-d69652187fff h1:xIjiK+aBPzY5Mqh/lFvmlfgvS1O35/hyhPw/LTmYyNA=
 k8s.io/component-base v0.0.0-20230310085212-d69652187fff/go.mod h1:Z2LoX89dLUu0xNvMSY057kEMNJjD/XD53nEyD0Lji2s=
 k8s.io/component-helpers v0.0.0-20230310085329-cb3213391b8c h1:qnXD7igEVg82/LZYld7bs2tJvYa4ODJkaGohe9Hy4yA=

pkg/cmd/debug/debug_test.go

@@ -1201,6 +1201,46 @@ func TestGeneratePodCopyWithDebugContainer(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "baseline profile not share process when user explicitly disables it",
+			opts: &DebugOptions{
+				CopyTo:                "debugger",
+				Container:             "debugger",
+				Image:                 "busybox",
+				PullPolicy:            corev1.PullIfNotPresent,
+				Profile:               ProfileBaseline,
+				ShareProcesses:        false,
+				shareProcessedChanged: true,
+			},
+			havePod: &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "target",
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name: "debugger",
+						},
+					},
+					NodeName: "node-1",
+				},
+			},
+			wantPod: &corev1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "debugger",
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:            "debugger",
+							Image:           "busybox",
+							ImagePullPolicy: corev1.PullIfNotPresent,
+						},
+					},
+					ShareProcessNamespace: pointer.Bool(false),
+				},
+			},
+		},
 		{
 			name: "restricted profile",
 			opts: &DebugOptions{

pkg/cmd/debug/profiles.go

@@ -250,7 +250,9 @@ func useHostNamespaces(p *corev1.Pod) {
 // shareProcessNamespace configures all containers in the pod to share the
 // process namespace.
 func shareProcessNamespace(p *corev1.Pod) {
-	p.Spec.ShareProcessNamespace = pointer.Bool(true)
+	if p.Spec.ShareProcessNamespace == nil {
+		p.Spec.ShareProcessNamespace = pointer.Bool(true)
+	}
 }
 
 // clearSecurityContext clears the security context for the container.