Refine documents (#37)

* Refine documents

Signed-off-by: Aylei <[email protected]>

* Fix gif link

* Fix ref link

Signed-off-by: Aylei <[email protected]>

Author: aylei

README.md

@@ -5,7 +5,7 @@
 [![Go Report Card](https://goreportcard.com/badge/github.com/aylei/kubectl-debug)](https://goreportcard.com/report/github.com/aylei/kubectl-debug)
 [![docker](https://img.shields.io/docker/pulls/aylei/debug-agent.svg)](https://hub.docker.com/r/aylei/debug-agent)
 
-[中文](./docs/zh-cn.md)
+[简体中文](/docs/zh-cn.md)
 
 # Overview
 
@@ -15,33 +15,18 @@
 - [quick start](#quick-start)
 - [build from source](#build-from-source)
 - [port-forward and agentless](#port-forward-mode-And-agentless-mode)
-- [configuration](#configurations)
-- [future works](#future-works)
-- [implementation details](#details)
+- [configuration](#configuration)
+- [roadmap](#roadmap)
+- [authorization](#authorization)
 - [contribute](#contribute)
 
 # Screenshots
 
-![gif](./docs/kube-debug.gif)
+![gif](/docs/kube-debug.gif)
 
 # Quick Start
 
-`kubectl-debug` is pretty simple, give it a try!
-
-Install the debug agent DaemonSet in your cluster, which is responsible for running the "debug container":
-
-```bash
-kubectl apply -f https://raw.githubusercontent.com/aylei/kubectl-debug/master/scripts/agent_daemonset.yml
-# or using helm
-helm install -n=debug-agent ./contrib/helm/kubectl-debug
-```
-
-Install the kubectl debug plugin:
-
-Using [krew](https://github.com/kubernetes-sigs/krew):
-```shell
-# Waiting the krew index PR to be merged...
-```
+## Install the kubectl debug plugin
 
 Homebrew:
 ```shell
@@ -62,11 +47,28 @@ sudo mv kubectl-debug /usr/local/bin/
 
 For windows users, download the latest archive from the [release page](https://github.com/aylei/kubectl-debug/releases/tag/v0.1.0), decompress the package and add it to your PATH.
 
+## (Optional) Install the debug agent DaemonSet
+
+`kubectl-debug` requires an agent pod to communicate with the container runtime. In the [agentless mode](#port-forward-mode-And-agentless-mode), the agent pod can be created when a debug session starts and to be cleaned up when the session ends.
+
+While convenient, creating pod before debugging can be time consuming. You can install the debug agent DaemonSet in advance to skip this:
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/aylei/kubectl-debug/master/scripts/agent_daemonset.yml
+# or using helm
+helm install -n=debug-agent ./contrib/helm/kubectl-debug
+```
+
+## Debug instructions
+
 Try it out!
+
 ```bash
 # kubectl 1.12.0 or higher
 kubectl debug -h
-kubectl debug POD_NAME
+# you can omit --agentless to reduce start time if you have installed the debug agent daemonset
+# we will omit this flag in the following commands
+kubectl debug POD_NAME --agentless
 
 # in case of your pod stuck in `CrashLoopBackoff` state and cannot be connected to,
 # you can fork a new pod and diagnose the problem in the forked pod
@@ -77,10 +79,10 @@ kubectl debug POD_NAME --port-forward --daemonset-ns=kube-system --daemonset-nam
 
 # old versions of kubectl cannot discover plugins, you may execute the binary directly
 kubect-debug POD_NAME
-
 ```
 
-Any trouble? [file and issue for help](https://github.com/aylei/kubectl-debug/issues/new)
+* You can configure the default arguments to simplify usage, refer to [Configuration](#configuration)
+* Refer to [Examples](/docs/examples.md) for practical debugging examples
 
 # Build from source
 
@@ -101,11 +103,10 @@ make agent-docker
 
 - `port-foward` mode: By default, `kubectl-debug` will directly connect with the target host. When `kubectl-debug` cannot connect to `targetHost:agentPort`, you can enable `port-forward` mode. In `port-forward` mode, the local machine listens on `localhost:agentPort` and forwards data to/from `targetPod:agentPort`.
 
-
 - `agentless` mode: By default, `debug-agent` needs to be pre-deployed on each node of the cluster, which consumes cluster resources all the time. Unfortunately, debugging Pod is a low-frequency operation. To avoid loss of cluster resources, the `agentless` mode has been added in [#31](https://github.com/aylei/kubectl-debug/pull/31). In `agentless` mode, `kubectl-debug` will first start `debug-agent` on the host where the target Pod is located, and then `debug-agent`  starts the debug container. After the user exits, `kubectl-debug` will delete the debug container and `kubectl-debug` will delete the `debug-agent` pod  at last.
 
 
-# Configurations
+# Configuration
 
 `kubectl-debug` uses [nicolaka/netshoot](https://github.com/nicolaka/netshoot) as the default image to run debug container, and use `bash` as default entrypoint.
 
@@ -152,35 +153,25 @@ If the debug-agent is not accessible from host port, it is recommended to set `p
 
 PS: `kubectl-debug` will always override the entrypoint of the container, which is by design to avoid users running an unwanted service by mistake(of course you can always do this explicitly).
 
-# Roadmap
-
-`kubectl-debug` is supposed to be just a troubleshooting helper, and is going be replaced by the native `kubectl debug` command when [this proposal](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/troubleshoot-running-pods.md) is implemented and merged in the future kubernetes release. But for now, there is still some works to do to improve `kubectl-debug`.
-
-If you are interested in any of following features, please file an issue to avoid potential duplication.
-
-- [ ] Security. `kubectl-debug` runs privileged agent on every node, and client talks to the agent directly. A possible solution is introducing a central apiserver to do RBAC, which integrates to the kube apiserver using [aggregation layer](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
-- [ ] Protocol. `kubectl-debug` vendor the SPDY wrapper from `client-go`. SPDY is deprecated now, websockets may be a better choice
-- [ ] e2e tests.
+# Authorization
 
-# Details
+Currently, `kubectl-debug` reuse the privilege of the `pod/exec` sub resource to do authorization, which means that it has the same privilege requirements with the `kubectl exec` command.
 
-`kubectl-debug` consists of 2 components:
+# Roadmap
 
-* the kubectl plugin: a cli client of `node agent`, serves `kubectl debug` command, 
-* the node agent: responsible for manipulating the "debug container"; node agent will also act as a websockets relay for remote tty
+`kubectl-debug` is supposed to be just a troubleshooting helper, and is going be replaced by the native `kubectl debug` command when [this proposal](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/troubleshoot-running-pods.md) is implemented and merged in the future kubernetes release. But for now, there is still some works to do to improve `kubectl-debug`.
 
-When user run `kubectl debug target-pod -c <container-name> /bin/bash`:
+- [ ] Security: Currently, `kubectl-debug` do authorization in the client-side, which should be moved to the server-side (debug-agent)
+- [ ] More unit tests
+- [ ] More real world debugging example
+- [ ] e2e tests
 
-1. The plugin gets the pod info from apiserver and extract the `hostIP`, if the target container does not exist or is not currently running, an error is raised.
-2. The plugin sends an HTTP request to the specific node agent running on the `hostIP`, which includes a protocol upgrade from HTTP to SPDY.
-3. The agent runs a container in the pod's namespaces (ipc, pid, network, etc) with the STDIN stay open (`-i` flag).
-4. The agent checks if the target container is actively running, if not, write an error to client.
-5. The agent runs a `debug container` with `tty` and `stdin` opened, the `debug container` will join the `pid`, `network`, `ipc` and `user` namespace of the target container.
-6. The agent pipes the connection into the `debug container` using `attach`
-7. **Debug in the debug container**.
-8. Job is done, user closes the SPDY connection.
-9. The node agent closes the SPDY connection, then waits for the `debug container` to exit and do the cleanup.
+If you are interested in any of the above features, please file an issue to avoid potential duplication.
 
 # Contribute
 
 Feel free to open issues and pull requests. Any feedback is highly appreciated!
+
+# Acknowledgement
+
+This project would not be here without the effort of [our contributors](https://github.com/aylei/kubectl-debug/graphs/contributors), thanks!

docs/design.md

@@ -0,0 +1,18 @@
+# Under the hood
+
+`kubectl-debug` consists of 2 components:
+
+* the kubectl plugin: a cli client of `node agent`, serves `kubectl debug` command, 
+* the node agent: responsible for manipulating the "debug container"; node agent will also act as a websockets relay for remote tty
+
+When user run `kubectl debug target-pod -c <container-name> /bin/bash`:
+
+1. The plugin gets the pod info from apiserver and extract the `hostIP`, if the target container does not exist or is not currently running, an error is raised.
+2. The plugin sends an HTTP request to the specific node agent running on the `hostIP`, which includes a protocol upgrade from HTTP to SPDY.
+3. The agent runs a container in the pod's namespaces (ipc, pid, network, etc) with the STDIN stay open (`-i` flag).
+4. The agent checks if the target container is actively running, if not, write an error to client.
+5. The agent runs a `debug container` with `tty` and `stdin` opened, the `debug container` will join the `pid`, `network`, `ipc` and `user` namespace of the target container.
+6. The agent pipes the connection into the `debug container` using `attach`
+7. **Debug in the debug container**.
+8. Job is done, user closes the SPDY connection.
+9. The node agent closes the SPDY connection, then waits for the `debug container` to exit and do the cleanup.

docs/zh-cn.md

@@ -1,22 +1,34 @@
 # Kubectl debug
 
+![license](https://img.shields.io/hexpm/l/plug.svg)
+[![travis](https://travis-ci.org/aylei/kubectl-debug.svg?branch=master)](https://travis-ci.org/aylei/kubectl-debug)
+[![Go Report Card](https://goreportcard.com/badge/github.com/aylei/kubectl-debug)](https://goreportcard.com/report/github.com/aylei/kubectl-debug)
+[![docker](https://img.shields.io/docker/pulls/aylei/debug-agent.svg)](https://hub.docker.com/r/aylei/debug-agent)
+
+[English](/README.md)
+
+# Overview
+
 `kubectl-debug` 是一个简单的 kubectl 插件, 能够帮助你便捷地进行 Kubernetes 上的 Pod 排障诊断. 背后做的事情很简单: 在运行中的 Pod 上额外起一个新容器, 并将新容器加入到目标容器的 `pid`, `network`, `user` 以及 `ipc` namespace 中, 这时我们就可以在新容器中直接用 `netstat`, `tcpdump` 这些熟悉的工具来解决问题了, 而旧容器可以保持最小化, 不需要预装任何额外的排障工具.
 
-# Quick Start
+- [截图](#截图)
+- [快速开始](#快速开始)
+- [构建项目](#构建项目)
+- [port-forward 和 agentless 模式](#port-forward-模式和-agentless-模式)
+- [配置](#配置)
+- [权限](#权限)
+- [路线图](#路线图)
+- [贡献代码](#贡献代码)
 
-`kubectl-debug` 包含两部分, 一部分是用户侧的 kubectl 插件, 另一部分是部署在所有 k8s 节点上的 agent(用于启动"新容器", 同时也作为 SPDY 连接的中继). 因此首先要部署 agent.
-```bash
-kubectl apply -f https://raw.githubusercontent.com/aylei/kubectl-debug/master/scripts/agent_daemonset.yml
-# 或者使用 helm 安装
-helm install -n=debug-agent ./contrib/helm/kubectl-debug
-```
+# 截图
 
-安装 kubectl 插件:
+![gif](/docs/kube-debug.gif)
 
-使用 [krew](https://github.com/kubernetes-sigs/krew):
-```shell
-# Waiting the krew index PR to be merged...
-```
+# 快速开始
+
+## 安装 kubectl debug 插件
+
+安装 kubectl 插件:
 
 使用 Homebrew:
 ```shell
@@ -37,26 +49,50 @@ sudo mv kubectl-debug /usr/local/bin/
 
 Windows 用户可以从 [release page](https://github.com/aylei/kubectl-debug/releases/tag/v0.1.0) 进行下载并添加到 PATH 中
 
+## (可选) 安装 debug-agent DaemonSet   
+
+`kubectl-debug` 包含两部分, 一部分是用户侧的 kubectl 插件, 另一部分是部署在所有 k8s 节点上的 agent(用于启动"新容器", 同时也作为 SPDY 连接的中继). 在 `agentless` 中, `kubectl-debug` 会在 debug 开始时创建 debug-agent Pod, 并在结束后自动清理.
+
+`agentless` 虽然方便, 但会让 debug 的启动速度显著下降, 你可以通过预先安装 debug-agent 的 DaemonSet 来使用 agent 模式, 加快启动速度:
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/aylei/kubectl-debug/master/scripts/agent_daemonset.yml
+# 或者使用 helm 安装
+helm install -n=debug-agent ./contrib/helm/kubectl-debug
+```
+
 简单使用:
 ```bash
-# kubectl 1.12.0 or higher
+# kubectl 1.12.0 或更高的版本, 可以直接使用:
 kubectl debug -h
-kubectl debug POD_NAME
+# 假如安装了 debug-agent 的 daemonset, 可以略去 --agentless 来加快启动速度
+# 之后的命令里会略去 --agentless
+kubectl debug POD_NAME --agentless
 
-# in case of your pod stuck in `CrashLoopBackoff` state and cannot be connected to,
-# you can fork a new pod and diagnose the problem in the forked pod
+# 假如 Pod 处于 CrashLookBackoff 状态无法连接, 可以复制一个完全相同的 Pod 来进行诊断
 kubectl debug POD_NAME --fork
 
-# if the node ip is not directly accessible, try port-forward mode
+# 假如 Node 没有公网 IP 或无法直接访问(防火墙等原因), 请使用 port-forward 模式
 kubectl debug POD_NAME --port-forward --daemonset-ns=kube-system --daemonset-name=debug-agent
 
-# old versions of kubectl cannot discover plugins, you may execute the binary directly
+# 老版本的 kubectl 无法自动发现插件, 需要直接调用 binary
 kubect-debug POD_NAME
-
 ```
 
-Any trouble? [file and issue for help](https://github.com/aylei/kubectl-debug/issues/new)
+# 构建项目
 
+克隆仓库, 然后执行:
+```bash
+# make will build plugin binary and debug-agent image
+make
+# install plugin
+mv kubectl-debug /usr/local/bin
+
+# build plugin only
+make plugin
+# build agent only
+make agent-docker
+```
 
 # port-forward 模式和 agentless 模式
 
@@ -65,7 +101,7 @@ Any trouble? [file and issue for help](https://github.com/aylei/kubectl-debug/is
 - `agentless`模式： 默认情况下，`debug-agent`需要预先部署在集群每个节点上，会一直消耗集群资源，然而调试 Pod 是低频操作。为避免集群资源损失，在[#31](https://github.com/aylei/kubectl-debug/pull/31)增加了`agentless`模式。`agentless`模式下，`kubectl-debug`会先在目标Pod所在宿主机上启动`debug-agent`，然后再启动调试容器。用户调试结束后，`kubectl-debug`会依次删除调试容器和在目的主机启动的`degbug-agent`。
 
 
-# 默认镜像和 Entrypoint
+# 配置
 
 `kubectl-debug` 使用 [nicolaka/netshoot](https://github.com/nicolaka/netshoot) 作为默认镜像. 默认镜像和指令都可以通过命令行参数进行覆盖. 考虑到每次都指定有点麻烦, 也可以通过文件配置的形式进行覆盖, 编辑 `~/.kube/debug-config` 文件:
 
@@ -107,3 +143,18 @@ command:
 ```
 
 > `kubectl-debug` 会将容器的 entrypoint 直接覆盖掉, 这是为了避免在 debug 时不小心启动非 shell 进程.
+
+# 权限
+
+目前, `kubectl-debug` 复用了 `pod/exec` 资源的权限来做鉴权. 也就是说, `kubectl-debug` 的权限要求是和 `kubectl exec` 一致的.
+
+# 路线图
+
+- [ ] 安全: 目前, `kubectl-debug` 是在客户端做鉴权的, 这部分应当被移动到服务端(debug-agent) 中
+- [ ] 更多的单元测试
+- [ ] 更多的故障诊断实例
+- [ ] e2e 测试
+
+# 贡献代码
+
+欢迎贡献代码或 issue!