
Some helpful Kubernetes bits

source link: https://sj14.gitlab.io/post/2021/02-15-some-k8s-bits/
2021-02-15

Start a fresh container

Handy for some quick testing.

Run a new container and attach to its shell. As soon as you exit the shell, the pod is removed from the cluster:

kubectl run -it --rm --restart=Never debian --image=debian -- bash

Run a pod without attaching to it. It stays until its process exits (never, with sleep infinity) or until you delete the pod:

kubectl run --restart=Never debian --image=debian -- sleep infinity

Create a deployment instead. The container is restarted if it dies and stays until you delete the deployment:

kubectl create deployment debian --image=debian -- sleep infinity

Run Security Checks

Two tools from Aqua Security for checking your cluster for security flaws: kube-bench runs the CIS Kubernetes Benchmark checks on the node it is scheduled on, while kube-hunter actively probes the cluster the way an attacker would.

kube-bench

Start the pod which will run the checks:

kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml

Wait a moment and then check the logs:

kubectl logs -f pod/kube-bench-<xyz>

kube-hunter

Outside the cluster

This only shows what is reachable from outside the cluster, i.e. the limited view an external attacker has.

docker run --rm aquasec/kube-hunter --remote <IP of the node>

For a more detailed analysis, run the container inside the cluster.

Inside the cluster

Run the pod:

kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-hunter/main/job.yaml

Wait a moment and then check the logs:

kubectl logs -f kube-hunter-<xyz>

Enter container namespace from cluster node

You can enter the namespaces of a running container from the cluster node which is running it. This requires root on that node, so you first have to log in or ssh into the node. One use case is capturing the traffic of a given container (e.g. with tcpdump) without installing anything into the container image. Depending on the container runtime of your cluster, you need either the Docker or the containerd approach. The runtime-specific sections show an alternative way of listing the container ID, but you can also get this value with good old kubectl. The value is prefixed with the runtime (docker:// or containerd://), which also tells you which of the two approaches applies:

kubectl describe pod/<pod name> | grep "Container ID"

Using Docker

Get the container ID (alternative):

docker ps | grep <container name>

Get the pid (use the State.Pid field directly; a plain grep for Pid would also match PidMode and PidsLimit):

docker inspect -f '{{.State.Pid}}' <container id>

Enter the namespace:

Adjust nsenter with the namespaces you need. For example, to capture the network traffic only the network namespace is required (--net): tcpdump then runs with the node's root filesystem and binaries but sees the container's interfaces:

sudo nsenter --net --target <pid>

Using containerd CLI (ctr)

Please be aware that ctr does not guarantee backward compatibility and you might need to adjust the commands listed in this section. Also note that Kubernetes keeps its containers in the containerd namespace k8s.io, so pass -n k8s.io to every ctr command; without it the lists below are empty.

Get the container ID (alternative):

sudo ctr -n k8s.io containers list | grep <image name>

Get the pid (sudo ctr -n k8s.io task list also prints the pid of every running container directly):

sudo ctr -n k8s.io containers info <container id> | grep "path"

This prints entries like the ones below, where 3833 is the pid. Every namespace line shows the same number, the pid of the container's init process on the node:

"path": "rootfs"
"path": "/proc/3833/ns/ipc"
"path": "/proc/3833/ns/uts"
"path": "/proc/3833/ns/net"

Enter the namespace (again, adjust the namespaces as required):

sudo nsenter --net --target <pid>
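The steps above, from pod name to a capture inside the container's network namespace, combined into one script. This is an added example and not part of the original post: it reads the container reference from the pod status with kubectl, picks the Docker or containerd path based on the docker:// or containerd:// prefix, extracts the pid the same way as above, and finally runs nsenter. It assumes kubectl access to the cluster and that it is executed as root on the node hosting the pod; the namespace, pod name and capture path in the usage are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: resolve the first container of a
# pod to a host PID and run a command (default: tcpdump) in its network
# namespace. Run it as root on the node hosting the pod; the pod name,
# namespace and capture path are placeholders.
set -eu

# Split a CRI container reference ("containerd://abc123", "docker://abc123")
# into "<runtime> <id>". Fails on anything without the "<runtime>://<id>" shape.
split_container_ref() {
    case "$1" in
        docker://*)     printf 'docker %s\n' "${1#docker://}" ;;
        containerd://*) printf 'containerd %s\n' "${1#containerd://}" ;;
        *)              return 1 ;;
    esac
}

# Read `ctr containers info` output on stdin and print the PID from the
# "path": "/proc/<pid>/ns/net" entry. Fails if no such entry is present.
pid_from_ctr_info() {
    sed -n 's#.*"path": "/proc/\([0-9][0-9]*\)/ns/net".*#\1#p' | head -n 1 | grep .
}

# Read `docker inspect` output on stdin and print the value of the "Pid"
# field (a plain `grep Pid` would also match PidMode and PidsLimit).
pid_from_docker_inspect() {
    sed -n 's/^[[:space:]]*"Pid": \([0-9][0-9]*\),*$/\1/p' | head -n 1 | grep .
}

# Print the host PID of the first container of pod $2 in namespace $1.
container_pid() {
    ref="$(kubectl -n "$1" get pod "$2" \
        -o jsonpath='{.status.containerStatuses[0].containerID}')"
    set -- $(split_container_ref "$ref")
    [ "$#" -eq 2 ] || { echo "unrecognised container reference: $ref" >&2; return 1; }
    case "$1" in
        docker)     docker inspect "$2" | pid_from_docker_inspect ;;
        # Kubernetes keeps its containers in containerd's "k8s.io" namespace.
        containerd) ctr -n k8s.io containers info "$2" | pid_from_ctr_info ;;
        *)          echo "unsupported runtime: $1" >&2; return 1 ;;
    esac
}

# Usage: enter_pod_netns <namespace> <pod> [command...]
# Only the network namespace is joined, so the command runs with the node's
# root filesystem and tools but sees the container's interfaces.
enter_pod_netns() {
    pid="$(container_pid "$1" "$2")"
    shift 2
    [ "$#" -gt 0 ] || set -- tcpdump -i any -c 100 -w /tmp/capture.pcap
    exec nsenter --net --target "$pid" -- "$@"
}

# Invoked as a script: ./pod-netns.sh <namespace> <pod> [command...]
if [ "$#" -ge 2 ]; then
    enter_pod_netns "$@"
fi
```

Example invocation on the node (placeholder names): sudo ./pod-netns.sh default debian tcpdump -i any -n port 53. Because only --net is joined, the capture file lands on the node's filesystem, which is usually what you want; add --mount or --pid to nsenter if you need to look at the container's files or processes instead.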
