Sysdig is a powerful open source tool for container troubleshooting, performance tuning and security investigation.

This repository implements a kubectl plugin which triggers a capture on the underlying host that is running a pod. A capture file is created for a given duration and is downloaded locally in order to use it with Sysdig Inspect.
In order to use this plugin, just copy kubectl-capture to a directory in your PATH, and ensure it has execution permissions.
You can verify its installation using:

```
$ kubectl plugin list
The following kubectl-compatible plugins are available:

/usr/local/bin/kubectl-capture
```

In this case it is installed in /usr/local/bin, but any other directory listed in PATH will work.
Once you have the kubectl plugin installed, you can start taking captures:

```
$ kubectl capture nginx-78f5d695bd-bcbd8
Sysdig is starting to capture system calls:

Node: gke-sysdig-work-default-pool-e35da3a1-m8vp
Pod: nginx-78f5d695bd-bcbd8
Duration: 30 seconds
Parameters for Sysdig: -S -M 30 -pk -z -w /capture-nginx-78f5d695bd-bcbd8-1550246926.scap.gz

The capture has been downloaded to your hard disk at:

~/captures/capture-nginx-78f5d695bd-bcbd8-1550246926.scap.gz
```
And then, you can start troubleshooting with Sysdig Inspect.
When the capture container is spun up, it takes some time to compile the Sysdig kernel module and start capturing system calls. Check the logs of the Sysdig capture Pod if you need to know exactly when Sysdig starts capturing.
There are a few parameters for this plugin:

| Parameter | Description |
|-----------|-------------|
|           | The namespace scope of the target Pod |
|           | Use eBPF probe instead of kernel module for capturing syscalls |
Additionally, all the flags for the sysdig CLI tool are supported. You can check more of these parameters in its
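The install, verification and capture steps above, wired together as a small helper script. This is an added example and not code from the kubectl-capture repository: the function names, the default install directory and the demo entry point are my own choices; the only project behaviour it relies on is the output format shown in the sample run above (the "downloaded to your hard disk at:" line followed by the path) and the fact that extra arguments are forwarded to sysdig. `run_capture` needs a working kubectl context, so it is only reached through the `demo` branch.

```bash
#!/usr/bin/env bash
# Added example, not code from the kubectl-capture repository. Helper functions
# for the workflow described above: install the plugin onto PATH, check that it
# is discoverable, run a capture and verify the downloaded .scap.gz file.
set -eu

# Copy the kubectl-capture script into a directory on PATH and make it
# executable. kubectl discovers plugins by looking for kubectl-<name> on PATH.
install_capture_plugin() {
  local src="$1" dest_dir="${2:-/usr/local/bin}"
  [ -f "$src" ] || { echo "source $src not found" >&2; return 1; }
  mkdir -p "$dest_dir"
  cp "$src" "$dest_dir/kubectl-capture"
  chmod 0755 "$dest_dir/kubectl-capture"
  printf '%s\n' "$dest_dir/kubectl-capture"
}

# Succeeds when a kubectl-capture executable is resolvable on PATH, which is
# what "kubectl plugin list" reports on.
plugin_on_path() {
  command -v kubectl-capture >/dev/null 2>&1
}

# Read the plugin's stdout (format as in the sample run above) and print the
# local path of the downloaded capture. Handles the path following the colon on
# the same line or on the next non-empty line.
capture_output_path() {
  awk '
    /downloaded to your hard disk at:/ {
      sub(/.*at:[ \t]*/, "")
      if ($0 != "") { print; exit }
      want = 1; next
    }
    want && NF { print $1; exit }
  '
}

# The plugin prints the path with a literal "~" (see the sample run), so expand
# it before checking that the file is non-empty and is a valid gzip stream
# (the -z flag passed to sysdig compresses the capture). Prints the expanded path.
verify_capture() {
  local path="$1"
  case "$path" in "~"/*) path="$HOME${path#"~"}" ;; esac
  [ -s "$path" ] || { echo "missing or empty capture: $path" >&2; return 1; }
  gzip -t "$path" 2>/dev/null || { echo "not a valid gzip file: $path" >&2; return 1; }
  printf '%s\n' "$path"
}

# Run a capture against a pod. Extra arguments go straight to kubectl capture,
# and therefore to sysdig (e.g. -M 60 for a 60 second capture). Needs a working
# kubectl context. The plugin output is echoed to stderr and only the capture
# path goes to stdout. Without pipefail a kubectl failure yields an empty path,
# which verify_capture then rejects.
run_capture() {
  local pod="$1"; shift
  kubectl capture "$pod" "$@" | tee /dev/stderr | capture_output_path
}

# Usage: ./capture.sh demo <pod> [sysdig flags...]
if [ "${1:-}" = "demo" ]; then
  shift
  scap="$(run_capture "$@")"
  verify_capture "$scap"
fi
```

Source the file to reuse the functions from other scripts, or run it with `demo <pod>` to capture and immediately sanity-check the result; a capture that fails `gzip -t` usually means the download was cut short and the file is not worth loading into Sysdig Inspect.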
You can uninstall this plugin from kubectl by simply removing it from your PATH:

```
$ rm /usr/local/bin/kubectl-capture
```