@PhilipSchmid
Created February 13, 2024 19:40
Spin up a privileged K8s node debugging Pod with access to the node's filesystem

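Optional: set Pod Security Admission (PSA) for the default namespace to privileged so that the Pod below is admitted (k is an alias for kubectl):

# --overwrite is needed when the namespace already carries a PSA label
k label --overwrite ns default pod-security.kubernetes.io/enforce=privileged
k label --overwrite ns default pod-security.kubernetes.io/audit=privileged # optional
k label --overwrite ns default pod-security.kubernetes.io/warn=privileged # optional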

Start the troubleshooting (netshoot) Pod:

echo '
---
apiVersion: v1
kind: Pod
metadata:
  name: netshoot
  namespace: default
spec:
  containers:
  - name: netshoot
    image: nicolaka/netshoot
    command: ["/bin/sh","-ec","sleep 9999999999d"]
    volumeMounts:
    - mountPath: /host
      name: host-root
    securityContext:
      privileged: true
  dnsPolicy: ClusterFirst
  hostIPC: true
  hostNetwork: true
  hostPID: true
  tolerations:
  - operator: Exists
  volumes:
  - hostPath:
      path: /
    name: host-root
    ' | k apply -f-

Access the troubleshooting Pod:

# The Pod is named netshoot in the manifest above
k exec -it -n default netshoot -- /bin/bash
# "Access" host filesystem in a "native" way:
chroot /host
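
An added example, not part of the original gist: a small audit script that lists Pods using the host-level settings of the manifest above (privileged container, host PID/IPC/network namespaces, hostPath volume), each of which the baseline Pod Security Standard rejects. This is useful for finding debug Pods that were left running. The sample data is constructed, and the file name audit_host_pods.py and the second Pod named web are assumptions.

```python
import json
import sys

# Constructed sample: the gist's Pod as `kubectl get pods -A -o json` would list it,
# next to an ordinary Pod (the name "web" is made up for contrast).
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "netshoot"},
     "spec": {"hostIPC": True, "hostNetwork": True, "hostPID": True,
              "containers": [{"name": "netshoot",
                              "securityContext": {"privileged": True}}],
              "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}]}},
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"containers": [{"name": "web"}]}},
]}

def host_access_findings(pod):
    """Return the host-level settings used by one Pod object (parsed JSON)."""
    spec = pod.get("spec", {})
    findings = [f for f in ("hostPID", "hostIPC", "hostNetwork") if spec.get(f)]
    containers = []
    for key in ("containers", "initContainers", "ephemeralContainers"):
        containers += spec.get(key) or []
    for c in containers:
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"privileged:{c['name']}")
    for v in spec.get("volumes") or []:
        if "hostPath" in v:
            findings.append(f"hostPath:{v['hostPath'].get('path')}")
    return findings

def audit(pod_list):
    """Map 'namespace/name' to its findings for every Pod that has any."""
    report = {}
    for pod in pod_list.get("items", []):
        found = host_access_findings(pod)
        if found:
            meta = pod["metadata"]
            report[f"{meta['namespace']}/{meta['name']}"] = found
    return report

if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 audit_host_pods.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for pod, found in audit(data).items():
        print(pod, ", ".join(found))
```

Run without piped input, it reports on the embedded sample; piped the output of kubectl get pods -A -o json, it reports on the live cluster.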