Some helpful Kubernetes bits
source link: https://sj14.gitlab.io/post/2021/02-15-some-k8s-bits/
Start a fresh container
Handy for some quick testing.
Run a new container and get to the shell. As soon as you exit the container it will be removed from the cluster:
kubectl run -it --rm --restart=Never debian --image=debian bash
Runs a pod without dropping you into a shell. It will stay until it crashes or you delete the pod:
kubectl run --restart=Never debian --image=debian -- sleep infinity
Deploys a container which will stay until you delete the deployment:
kubectl create deployment debian --image=debian -- sleep infinity
Run Security Checks
Check whether your cluster has any known security weaknesses.
kube-bench
Start the pod which will run the checks:
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
Wait a moment and then check the logs:
kubectl logs -f pod/kube-bench-<xyz>
kube-hunter
Outside the cluster
This will give you a limited view from the outside of the cluster.
docker run --rm aquasec/kube-hunter --remote <IP of the node>
For a more detailed analysis, run the container inside the cluster.
Inside the cluster
Run the pod:
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-hunter/main/job.yaml
Wait a moment and then check the logs:
kubectl logs -f kube-hunter-<xyz>
Enter container namespace from cluster node
You can enter the namespaces of a running container from the cluster node that is running it, so you first have to log in or ssh into that node.
One use case for doing this is capturing the traffic of a given container (e.g. with tcpdump).
Depending on the container runtime of your cluster, you need either the Docker or the containerd approach.
While the runtime-specific sections show an alternative approach to listing the container ID, you can also get this value with good old kubectl:
kubectl describe pod/<pod name> | grep "Container ID"
Using Docker
Get the container ID (alternative):
docker ps | grep <container name>
Get the pid:
docker inspect <container id> | grep Pid
Enter the namespace:
Adjust nsenter with the namespaces you need. For example, when you want to capture the network traffic, use --net:
sudo nsenter --net --target <pid>
Using containerd CLI (ctr)
Please be aware that ctr does not guarantee backward compatibility, so you might need to adjust the commands listed in this section.
Get the container ID (alternative):
sudo ctr containers list | grep <image name>
Get the pid:
sudo ctr containers info <container id> | grep "path"
This will give you a list similar to the one below, where 3833 is the pid of the container's init process:
"path": "rootfs"
"path": "/proc/3833/ns/ipc"
"path": "/proc/3833/ns/uts"
"path": "/proc/3833/ns/net"
Enter the namespace (again, adjust the namespaces as required):
sudo nsenter --net --target <pid>
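The ID-to-pid lookup above, as an added shell example that is not from the original post: it parses the kubectl describe and ctr containers info output shown in this section (sample text constructed inline, using the page's pid 3833) and only prints the nsenter command instead of running it.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Pure text parsing: nothing
# here contacts a cluster or enters a namespace.
set -eu

# Constructed sample of what `kubectl describe pod` and `ctr containers info`
# print for the lines this section greps for.
SAMPLE_DESCRIBE='    Container ID:  containerd://0123abcd4567'
SAMPLE_CTR_INFO='"path": "rootfs"
"path": "/proc/3833/ns/ipc"
"path": "/proc/3833/ns/uts"
"path": "/proc/3833/ns/net"'

# kubectl reports the ID with a runtime scheme ("containerd://", "docker://").
# docker and ctr expect the bare ID, so drop the scheme. Takes the last
# whitespace-separated token of $1, then everything before "://".
strip_runtime_prefix() {
  id=${1##* }
  printf '%s\n' "${id##*://}"
}

# Reads `ctr containers info` output on stdin and prints the pid from the
# first "/proc/<pid>/ns/..." path. The "rootfs" path is skipped because it
# carries no pid; an input without any namespace path is an error.
pid_from_ctr_info() {
  pid=$(sed -n 's#.*"/proc/\([0-9][0-9]*\)/ns/.*#\1#p' | head -n 1)
  [ -n "$pid" ] || { echo "no /proc/<pid>/ns path found" >&2; return 1; }
  printf '%s\n' "$pid"
}

# Builds the nsenter invocation for a pid and the namespace flags you want
# (e.g. --net, --pid). Printed, not executed, so it can be reviewed first.
nsenter_cmd() {
  pid=$1; shift
  printf 'sudo nsenter %s --target %s\n' "$*" "$pid"
}

cid=$(strip_runtime_prefix "$SAMPLE_DESCRIBE")
pid=$(printf '%s\n' "$SAMPLE_CTR_INFO" | pid_from_ctr_info)
echo "container $cid -> pid $pid"
nsenter_cmd "$pid" --net
```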