adventures into the land of the command line

how to get onto a k8s node from a pod

just say you forgot your ssh key and you're at home, and you need to do something, but you have a kubeconfig which has rbac permissions to create pods and deployments.

run a busybox deployment:

★ kubectl run busybox --image busybox -- sleep 99999

edit it and add the below things related to:
• securityContext (run as root user with privilege escalation)
• volumeMounts & volumes (mount the root file system into the pod)
• hostNetwork (use the network the k8s node is on)

★ kubectl edit deploy busybox


apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    run: busybox
  name: busybox
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      run: busybox
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        run: busybox
    spec:
      containers:
      - args:
        - sleep
        - "99999"
        image: busybox
        imagePullPolicy: Always
        name: busybox
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        # ...
        securityContext:
          allowPrivilegeEscalation: true
          runAsUser: 0
        volumeMounts:
        - mountPath: /rootfs
          name: rootfs
      volumes:
      - hostPath:
          path: /
          type: ""
        name: rootfs
      hostNetwork: true
      # ...
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30

exec into your pod and you’ll see this directory called rootfs in the root of the pod:

★ kubectl get pods
NAME                       READY     STATUS    RESTARTS   AGE
busybox-5c7f574bd4-96h84   1/1       Running   0          12m

★ kubectl exec -it busybox-5c7f574bd4-96h84 -- /bin/sh
/ # ls -l
total 40
drwxr-xr-x    2 root     root         12288 Jul 31 20:20 bin
drwxr-xr-x    5 root     root           360 Sep 26 15:14 dev
drwxr-xr-x    1 root     root          4096 Sep 26 15:14 etc
drwxr-xr-x    2 nobody   nogroup       4096 Jul 31 20:20 home
dr-xr-xr-x  395 root     root             0 Sep 26 15:14 proc
drwx------    1 root     root          4096 Sep 26 15:14 root
drwxr-xr-x   23 root     root          4096 Sep 12 06:04 rootfs  <-------- THIS GUY
dr-xr-xr-x   12 root     root             0 Aug 27 11:16 sys
drwxrwxrwt    2 root     root          4096 Jul 31 20:20 tmp
drwxr-xr-x    3 root     root          4096 Jul 31 20:20 usr
drwxr-xr-x    1 root     root          4096 Sep 26 15:14 var

hmmm, what’s this?

/ # chroot rootfs
[email protected]:/#

:O

[email protected]:/# ls -l
total 88
drwxr-xr-x   2 root root  4096 May 25 06:16 bin
drwxr-xr-x   3 root root  4096 Sep 12 06:04 boot
drwxr-xr-x  15 root root  3780 Sep 24 09:05 dev
drwxr-xr-x  99 root root  4096 Sep 21 06:56 etc
drwxr-xr-x  12 root root  4096 Mar 12  2018 home
lrwxrwxrwx   1 root root    33 Sep 12 06:04 initrd.img -> boot/initrd.img-4.15.0-1023-azure
lrwxrwxrwx   1 root root    33 Sep 12 06:04 initrd.img.old -> boot/initrd.img-4.15.0-1022-azure
drwxr-xr-x  22 root root  4096 Mar  9  2018 lib
drwxr-xr-x   2 root root  4096 Jan 26  2018 lib64
drwx------   2 root root 16384 Jan 26  2018 lost+found
drwxr-xr-x   2 root root  4096 Jan 26  2018 media
drwxr-xr-x   3 root root  4096 Mar  9  2018 mnt
drwxr-xr-x   3 root root  4096 Mar  9  2018 opt
dr-xr-xr-x 402 root root     0 Aug 27 11:16 proc
drwx------   4 root root  4096 Aug 28 13:38 root
drwxr-xr-x  31 root root  1300 Sep 11 08:26 run
drwxr-xr-x   2 root root 12288 May 25 06:16 sbin
drwxr-xr-x   2 root root  4096 Nov 30  2017 snap
drwxr-xr-x   3 root root  4096 Mar  9  2018 srv
dr-xr-xr-x  12 root root     0 Aug 27 11:16 sys
drwxrwxrwt   8 root root  4096 Sep 26 15:17 tmp
drwxr-xr-x  10 root root  4096 Jan 26  2018 usr
drwxr-xr-x  13 root root  4096 Jan 26  2018 var
lrwxrwxrwx   1 root root    30 Sep 12 06:04 vmlinuz -> boot/vmlinuz-4.15.0-1023-azure
lrwxrwxrwx   1 root root    30 Sep 12 06:04 vmlinuz.old -> boot/vmlinuz-4.15.0-1022-azure

:O :O :O

[email protected]:/# docker ps -a
CONTAINER ID        IMAGE                                                                                                                          COMMAND                  CREATED             STATUS                         PORTS               NAMES
90172dd0edd8        [email protected]:cb63aa0641a885f54de20f61d152187419e8f6b159ed11a251a09d115fdff9bd                                                "sleep 99999"            20 minutes ago      Up 20 minutes                                      k8s_busybox_busybox-5c7f574bd4-96h84_default_cf6dae51-c19e-11e8-87c4-000d3a389f22_0

so remember that anyone with k8s api perms to create pods can dew it.

★ kubectl delete deploy busybox
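
a defender-side audit for the settings this post relies on, added here as an example and not part of the original post: it reads pod JSON in the shape of `kubectl get pods -A -o json` and flags hostNetwork, runAsUser 0, allowPrivilegeEscalation and hostPath mounts. the function names and the sample pods are constructed for illustration.

```python
import json
import posixpath

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster output).
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "default", "name": "busybox-demo"},
  "spec": {"hostNetwork": true,
   "volumes": [{"name": "rootfs", "hostPath": {"path": "/", "type": ""}}],
   "containers": [{"name": "busybox", "image": "busybox",
     "securityContext": {"allowPrivilegeEscalation": true, "runAsUser": 0},
     "volumeMounts": [{"name": "rootfs", "mountPath": "/rootfs"}]}]}},
 {"metadata": {"namespace": "web", "name": "frontend"},
  "spec": {"securityContext": {"runAsUser": 1000},
   "containers": [{"name": "app", "image": "example/app",
     "securityContext": {"allowPrivilegeEscalation": false}}]}}
]}
""")

def audit_pod(pod):
    """Return sorted findings for the host-access settings used in the post."""
    spec = pod.get("spec") or {}
    findings = set()
    if spec.get("hostNetwork"):
        findings.add("pod: hostNetwork")
    # Map volume name -> normalised host path, so "/./" or "/etc/.." still reads as "/".
    host_vols = {v["name"]: posixpath.normpath(v["hostPath"].get("path") or "/")
                 for v in spec.get("volumes") or [] if v.get("hostPath")}
    pod_sc = spec.get("securityContext") or {}
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        name, sc = c["name"], c.get("securityContext") or {}
        # A container-level runAsUser overrides the pod-level value.
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            findings.add(f"{name}: runAsUser 0")
        if sc.get("allowPrivilegeEscalation") is True:
            findings.add(f"{name}: allowPrivilegeEscalation")
        for m in c.get("volumeMounts") or []:
            if m["name"] in host_vols:
                mode = "ro" if m.get("readOnly") else "rw"
                findings.add(f"{name}: hostPath {host_vols[m['name']]} -> {m['mountPath']} ({mode})")
    return sorted(findings)

def audit(pod_list):
    """Map 'namespace/name' -> findings, listing only pods that have any."""
    report = {}
    for pod in pod_list.get("items") or []:
        found, meta = audit_pod(pod), pod["metadata"]
        if found:
            report[f"{meta.get('namespace', 'default')}/{meta['name']}"] = found
    return report
```

to run it against a cluster, pass `audit()` the parsed output of `kubectl get pods -A -o json` instead of `SAMPLE`.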