
cilium-dbg exec commands missing -n kube-system namespace flag #54

@Prefix

Bug Description

The runCiliumDbgCommandWithContext function in pkg/cilium/cilium.go finds the cilium pod using -n kube-system but then runs kubectl exec without specifying the namespace. This causes all cilium-dbg based tools to fail when the kagent-tools pod runs in a different namespace.

Root Cause

In pkg/cilium/cilium.go, lines 604-628:

func getCiliumPodNameWithContext(ctx context.Context, nodeName string) (string, error) {
	args := []string{"get", "pods", "-n", "kube-system", "--selector=k8s-app=cilium", ...}
	// ✅ correctly uses -n kube-system to find the pod
	...
}

func runCiliumDbgCommandWithContext(ctx context.Context, command, nodeName string) (string, error) {
	podName, err := getCiliumPodNameWithContext(ctx, nodeName)
	...
	args := []string{"exec", "-it", podName, "--", "cilium-dbg", command}
	// ❌ missing -n kube-system
	// ❌ -it flag causes issues in non-interactive/automated contexts
	...
}

The pod name is resolved correctly from kube-system, but the subsequent kubectl exec defaults to the namespace of the kagent-tools pod (e.g. kagent-tools), so it fails with:

Error from server (NotFound): pods "cilium-rwzxv" not found

Reproduction

  1. Deploy kagent-tools in a namespace other than kube-system (e.g. kagent-tools)
  2. Call any cilium debug tool (e.g. cilium_get_endpoints_list, cilium_get_endpoint_health) with a valid node_name
  3. The tool finds the cilium pod name but kubectl exec fails because it looks in the wrong namespace

Manual verification:

# Fails (no namespace specified, defaults to kagent-tools ns):
kubectl exec cilium-rwzxv -- cilium-dbg endpoint list
# Error from server (NotFound): pods "cilium-rwzxv" not found

# Works (with namespace):
kubectl exec cilium-rwzxv -n kube-system -- cilium-dbg endpoint list
# ENDPOINT   POLICY (ingress)   ...

Affected Tools

All tools that go through runCiliumDbgCommandWithContext:

  • cilium_get_endpoints_list
  • cilium_get_endpoint_health
  • cilium_get_endpoint_details
  • cilium_get_endpoint_logs
  • cilium_list_identities
  • cilium_get_identity_details
  • cilium_request_debugging_information
  • cilium_display_encryption_state
  • cilium_get_daemon_status
  • cilium_show_configuration_options
  • cilium_list_envoy_config
  • cilium_fqdn_cache
  • cilium_show_dns_names
  • cilium_list_ip_addresses
  • cilium_show_ip_cache_information
  • cilium_list_bpf_map_events
  • cilium_list_bpf_maps
  • cilium_get_bpf_map
  • cilium_list_metrics
  • cilium_list_cluster_nodes
  • cilium_list_node_ids
  • cilium_list_services
  • cilium_get_service_information
  • cilium_display_policy_node_information
  • cilium_display_selectors
  • cilium_list_pcap_recorders
  • cilium_get_pcap_recorder
  • And all write variants

Suggested Fix

func runCiliumDbgCommandWithContext(ctx context.Context, command, nodeName string) (string, error) {
	podName, err := getCiliumPodNameWithContext(ctx, nodeName)
	if err != nil {
		return "", err
	}
	args := []string{"exec", "-n", "kube-system", podName, "--", "cilium-dbg", command}
	kubeconfigPath := utils.GetKubeconfig()
	return commands.NewCommandBuilder("kubectl").
		WithArgs(args...).
		WithKubeconfig(kubeconfigPath).
		Execute(ctx)
}

Changes:

  1. Add -n kube-system to the kubectl exec command
  2. Remove -it flag (not needed for non-interactive execution, can cause TTY errors)

Environment

  • kagent-tools chart version: 0.1.2
  • kagent-tools deployed in namespace: kagent-tools
  • Cilium pods running in: kube-system
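
An added example (not code from kagent-tools): a hypothetical helper, buildCiliumDbgExecArgs, that builds the kubectl argv with the namespace passed explicitly and no TTY flags, so a unit test can pin both changes from the suggested fix. Splitting the command into words and rejecting names that begin with "-" are assumptions of this example, not behaviour the issue describes.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ciliumNamespace is where the Cilium pods run in the environment this issue
// describes; it is passed as a parameter below because other installs may differ.
const ciliumNamespace = "kube-system"

// buildCiliumDbgExecArgs (hypothetical helper) returns the kubectl argv for a
// non-interactive cilium-dbg call against a pod in an explicit namespace.
func buildCiliumDbgExecArgs(namespace, podName, command string) ([]string, error) {
	if namespace == "" || podName == "" {
		return nil, errors.New("namespace and pod name are required")
	}
	// A value starting with '-' would be parsed by kubectl as a flag, not a name.
	if strings.HasPrefix(namespace, "-") || strings.HasPrefix(podName, "-") {
		return nil, fmt.Errorf("invalid namespace or pod name: %q / %q", namespace, podName)
	}
	// Assumption: command is a space-separated cilium-dbg subcommand.
	sub := strings.Fields(command)
	if len(sub) == 0 {
		return nil, errors.New("empty cilium-dbg command")
	}
	// No -i/-t: the caller is automated and has no TTY to attach.
	args := []string{"exec", "-n", namespace, podName, "--", "cilium-dbg"}
	return append(args, sub...), nil
}

func main() {
	// Pod name taken from the error message quoted in the issue.
	args, err := buildCiliumDbgExecArgs(ciliumNamespace, "cilium-rwzxv", "endpoint list")
	if err != nil {
		panic(err)
	}
	fmt.Println("kubectl", strings.Join(args, " "))
}
```

Keeping argv construction in a pure function lets the namespace regression be caught without a cluster.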
