run debug pod

Here are a few solid ways to spin up a debug pod in EKS (pick the one that matches what you’re troubleshooting).

1) Quick interactive “Swiss-army” debug pod (recommended)

This gives you an ephemeral pod you can exec into and run tools like curl, dig, nslookup, etc.

# Most clusters:

kubectl run -it --rm debug \
--image=nicolaka/netshoot \
--restart=Never \
--command -- bash

Inside the pod you can run commands such as:
ip a
curl -v https://kubernetes.default.svc
dig myservice.myns.svc.cluster.local

If your cluster blocks internet pulls, use an image from your own ECR.

2) Debug pod in a specific namespace + service account

Useful when you need the same IAM/RBAC/namespace behavior as an app.

NAMESPACE=weed
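SA=smoker-sa
# Newer kubectl releases no longer accept --serviceaccount on "kubectl run",
# so the service account is set through --overrides instead.
kubectl -n "$NAMESPACE" run -it --rm debug \
--image=nicolaka/netshoot \
--restart=Never \
--overrides="{\"spec\": {\"serviceAccountName\": \"$SA\"}}" \
--command -- bash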

3) Debug from the same node (hostNetwork) to check node/DNS/routing

This makes the pod share the node network namespace (handy for “is the node routing/DNS broken?”).

kubectl run -it --rm debug-hostnet \
--image=nicolaka/netshoot \
--restart=Never \
--overrides='{
"spec": { "hostNetwork": true, "dnsPolicy": "ClusterFirstWithHostNet" }
}' \
--command -- bash
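
An added example (not part of the original note) that builds the --overrides JSON for sections 2 and 3 in one place and rejects names that could break out of the JSON string. It goes one step further than the commands above by pinning the pod to a named node with nodeName, so the hostNetwork check runs on the node you are investigating. The function names and the sample node name are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: assemble the --overrides JSON for a debug pod.

# Accept only DNS-1123 subdomain names (lowercase alphanumerics, '-' and '.').
# This also keeps quotes and braces out of the JSON assembled below.
valid_name() {
  case "$1" in
    ''|*[!a-z0-9.-]*|[-.]*|*[-.]) return 1 ;;
  esac
  [ "${#1}" -le 253 ]
}

# debug_overrides SERVICE_ACCOUNT NODE HOSTNET
# Pass "" to skip SERVICE_ACCOUNT or NODE; HOSTNET is "true" or "false".
debug_overrides() {
  spec=""
  if [ -n "$1" ]; then
    valid_name "$1" || { echo "invalid service account: $1" >&2; return 1; }
    spec="\"serviceAccountName\": \"$1\""
  fi
  if [ -n "$2" ]; then
    valid_name "$2" || { echo "invalid node name: $2" >&2; return 1; }
    # nodeName pins the pod to the node under investigation.
    spec="${spec:+$spec, }\"nodeName\": \"$2\""
  fi
  if [ "$3" = "true" ]; then
    spec="${spec:+$spec, }\"hostNetwork\": true, \"dnsPolicy\": \"ClusterFirstWithHostNet\""
  fi
  printf '{"spec": {%s}}\n' "$spec"
}

# run_debug_pod NAMESPACE SERVICE_ACCOUNT NODE HOSTNET
# Needs kubectl and cluster access, so it is defined here but not called.
run_debug_pod() {
  overrides=$(debug_overrides "$2" "$3" "$4") || return 1
  kubectl -n "$1" run -it --rm debug \
    --image=nicolaka/netshoot \
    --restart=Never \
    --overrides="$overrides" \
    --command -- bash
}

# Constructed sample values:
# run_debug_pod weed smoker-sa ip-10-0-1-23.ec2.internal true
```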

4) Debug an existing pod with kubectl debug (ephemeral container)

Best when you want to debug without restarting the target pod.

kubectl debug -it pod/<pod-name> -n <ns> \
--image=nicolaka/netshoot \
--target=<container-name> \
-- bash

Notes:

  • Requires ephemeral containers enabled on the cluster (most modern EKS versions support it).

  • --target is the container whose namespaces you want to join.

5) Minimal YAML you can apply (if you prefer manifests)

apiVersion: v1
kind: Pod
metadata:
  name: debug
  namespace: default
spec:
  restartPolicy: Never
  containers:
  - name: netshoot
    image: nicolaka/netshoot
    command: ["bash","-lc","sleep infinity"]

Apply + exec:

kubectl apply -f debug.yaml
kubectl exec -it debug -- bash

Common EKS debug checks (copy/paste)

# DNS
cat /etc/resolv.conf
nslookup kubernetes.default.svc.cluster.local
dig +short myservice.myns.svc.cluster.local
# Service connectivity
curl -vk https://<service-name>.<ns>.svc.cluster.local:<port>
# Network routes
ip route