@jjo
Last active May 11, 2023 15:34
#!/bin/sh
# Launch a Pod that (ab)uses `privileged: true` to land on a Kubernetes cluster node as root:
# the privileged container runs nsenter to enter the mount namespace of the node's
# init process (PID 1), i.e. the node's root filesystem;
# hostPID and hostNetwork are already set for the Pod.
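# Usage: <script> [NODE | --master] [extra kubectl options...]
#   (no argument)  schedule the pod on any node
#   --master       schedule on a node labelled kubernetes.io/role=master
#   NODE           schedule on that node, matched by its kubernetes.io/hostname label
# Remaining arguments are passed through to kubectl (both the node lookup and
# `kubectl run`).
#
# The pod spec below sets privileged, hostPID and hostNetwork, so the caller
# needs permission to create such pods; a namespace that enforces the
# "baseline" or "restricted" Pod Security Standard rejects it.
node=${1-}
case "${node}" in
  "")
    nodeSelector=''
    podName=${USER+${USER}-}sudo-any
    ;;
  --master)
    shift
    nodeSelector='"nodeSelector": { "kubernetes.io/role": "master"},'
    podName=${USER+${USER}-}sudo-master
    ;;
  -*)
    # A node name cannot start with "-"; without this guard a leading kubectl
    # option would be taken as the node name and the lookup would run against
    # every node in the cluster.
    printf '%s: expected a node name or --master before kubectl options, got: %s\n' \
      "${0##*/}" "${node}" >&2
    exit 2
    ;;
  *)
    shift
    # Quote the node and the pass-through arguments so values containing
    # spaces or glob characters reach kubectl as single words.
    nodeName=$(kubectl get node "${node}" "$@" -o template --template='{{index .metadata.labels "kubernetes.io/hostname"}}') || exit 1
    # The label value is spliced into the JSON overrides below. Accept only the
    # characters a Kubernetes label value may contain; this also rejects an
    # empty result and the template's placeholder output for a missing label.
    case "${nodeName}" in
      '' | *[!A-Za-z0-9._-]*)
        printf '%s: unusable kubernetes.io/hostname label for node %s: %s\n' \
          "${0##*/}" "${node}" "${nodeName}" >&2
        exit 1
        ;;
    esac
    nodeSelector='"nodeSelector": { "kubernetes.io/hostname": "'"${nodeName}"'" },'
    podName=${USER+${USER}-}sudo-${node}
    ;;
esac
# Trace the final kubectl invocation so the exact pod spec is visible.
set -x
# Notes on the spec (JSON cannot carry comments):
# - The tolerations let the pod schedule onto tainted nodes (NoSchedule/NoExecute).
# - "alpine:3.7" is a mutable tag of a long-unsupported Alpine release. Because
#   this container runs privileged in the host PID namespace, prefer a
#   digest-pinned image from a registry you control.
# - --rm removes the pod when the session ends; presumably an interrupted attach
#   can leave it behind, so confirm with `kubectl get pod` afterwards.
kubectl run "${podName:?}" --restart=Never -it \
  --image overriden --overrides '
{
"spec": {
"hostPID": true,
"hostNetwork": true,
'"${nodeSelector?}"'
"tolerations": [
{ "effect": "NoSchedule", "operator": "Exists" },
{ "effect": "NoExecute", "operator": "Exists" }
],
"containers": [
{
"name": "alpine",
"image": "alpine:3.7",
"command": [
"nsenter", "--mount=/proc/1/ns/mnt", "--", "su", "-"
],
"stdin": true,
"tty": true,
"resources": {"requests": {"cpu": "10m"}},
"securityContext": {
"privileged": true
}
}
]
}
}' --rm --attach "$@"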