On cloud-hosted Kubernetes nodes we normally disable SSH login, but sometimes we still have to get onto a node to inspect it and debug. In that case node-shell can give us a root shell on the node.
We install it directly with kubectl krew:
kubectl krew index add kvaps https://github.com/kvaps/krew-index
kubectl krew install kvaps/node-shell
List the cluster's nodes, then pass a node name to node-shell to open a root shell on it:
[root@master ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
master Ready control-plane,master 179d v1.21.2
node1 Ready <none> 179d v1.21.2
node2 Ready <none> 179d v1.21.2
[root@master ~]# kubectl node-shell node1
spawning "nsenter-br9ly1" on "node1"
If you don't see a command prompt, try pressing enter.
[root@node1 /]# whoami
root
[root@node1 /]# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
[root@node1 /]# exit
logout
^Cpod "nsenter-br9ly1" deleted
Reading the node-shell source, https://github.com/kvaps/kubectl-node-shell/blob/master/kubectl-node_shell, shows that it is just a bash script. All it does is start a privileged pod pinned to the target node (hostPID: true, hostNetwork: true, privileged: true) and run nsenter against PID 1, the node's init process, to enter the host's mount, UTS, IPC, network and PID namespaces; the result is a root shell on the node. For the nsenter command itself, see "K8S调试工具之–nsenter" (K8S debugging tools: nsenter). The pod that the script creates looks like this:
kubectl --context=kubernetes-admin@kubernetes --namespace= run --image docker.io/library/alpine --restart=Never '--overrides={
"spec": {
"nodeName": "node1",
"hostPID": true,
"hostNetwork": true,
"containers": [
{
"securityContext": {
"privileged": true
},
"image": "docker.io/library/alpine",
"name": "nsenter",
"stdin": true,
"stdinOnce": true,
"tty": true,
"command": [ "nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--", "bash", "-l" ],
"resources": {
"limits": {
"cpu": "100m",
"memory": "256Mi"
},
"requests": {
"cpu": "100m",
"memory": "256Mi"
}
}
}
],
"tolerations": [
{
"key": "CriticalAddonsOnly",
"operator": "Exists"
},
{
"effect": "NoExecute",
"operator": "Exists"
}
]
}
}' --labels= -t -i nsenter-h3m5fy
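As an added example (not part of the original post or the node-shell project): a small Python check that flags, in a pod spec like the one above, the combination of fields that turns a pod into a root shell on its node. Function names are my own, and both sample specs are constructed for the example (the first is trimmed from the kubectl command shown above).

```python
import json
import os

# Constructed sample: the pod override node-shell generates (trimmed from the page's kubectl output)
NODE_SHELL_POD = json.loads('''{
  "spec": {
    "nodeName": "node1", "hostPID": true, "hostNetwork": true,
    "containers": [{
      "name": "nsenter", "image": "docker.io/library/alpine",
      "securityContext": {"privileged": true},
      "command": ["nsenter", "--target", "1", "--mount", "--uts", "--ipc",
                  "--net", "--pid", "--", "bash", "-l"]
    }]
  }
}''')

# Constructed sample: an ordinary workload that should produce no findings
PLAIN_POD = json.loads('''{
  "spec": {"containers": [{"name": "web", "image": "nginx:1.25",
           "command": ["nginx", "-g", "daemon off;"]}]}
}''')


def enters_host_init(argv):
    """True if argv invokes nsenter against PID 1 (the node's init process).
    Only the container's own argv is inspected; a shell wrapper would hide it."""
    if not argv or os.path.basename(argv[0]) != "nsenter":
        return False
    for i, arg in enumerate(argv):
        if arg in ("--target", "-t") and i + 1 < len(argv) and argv[i + 1] == "1":
            return True
        if arg.startswith("--target=") and arg.split("=", 1)[1] == "1":
            return True
    return False


def host_escape_findings(pod):
    """List the spec fields that together give a pod a root shell on its node."""
    spec = pod.get("spec", {})
    findings = []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"spec.{key}=true")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"container {name} is privileged")
        if enters_host_init(c.get("command", []) + c.get("args", [])):
            findings.append(f"container {name} runs nsenter --target 1")
    return findings
```

The same fields are what the Pod Security "restricted" profile or an admission policy would reject, so a finding here means the pod must be created by someone whose RBAC allows privileged, hostPID pods in that namespace.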
References: