At various points in an Amazon EKS cluster’s lifecycle, direct access to a worker node may be required. This can be done using kubectl debug to open an interactive shell on the target node.
# start debug container
kubectl debug nodes/ --profile=sysadmin -it --image=
- The root filesystem of the Node will be mounted at
/host. - The container runs in the host IPC, Network, and PID namespaces, although the pod isn’t privileged, so reading some process information may fail, and
chroot /hostmay fail. - If you need a privileged pod, create it manually or use the
--profile=sysadminflag.
The sysadmin profile typically sets up the pod with:
- privileged: true
- hostPID: true (for node networking)
- hostNetwork: true (for process visibility)
- host filesystem mounted at
/host
Next to “switch” from the container filesystem you need to chroot /host And from there you are effectively in the node’s userland, and you can use the node’s binaries:
kubectl debug creates a debug pod with a name derived from the node name, so remember to delete the pod once you’re done debugging.
![[boost]](https://prodsens.live/wp-content/uploads/2025/06/35711-boost-380x250.png)
