Score:0

How to exec into a **node** (not container) via kubectl


How to exec into a K8s node?

Up to now I only found ways to exec into containers running on a node.

I would like to avoid ssh.

Score:3

The layer above a pod (and its containers) is the operating system (excluding logical layers of k8s).

There aren't any tools (that I'm aware of) specifically part of Kubernetes management tooling that do this - that's what SSH is for.

Score:3

You can use kubectl-node-shell

kubectl-node-shell: Start a root shell in the node's host OS running.

Usage:

# Get standard bash shell
kubectl node-shell <node>

You need to be able to start privileged containers for that.

Anytoe: perfect, thank you!

Score:2

Depending on what you want to achieve, you can start a pod with more privileges. You could e.g. do a hostPath mount on /. With some Linux knowledge this should be enough.

apiVersion: v1
kind: Pod
metadata:
  name: evil-pod
spec:
  containers:
    - image: busybox
      name: evil
      command: ["/bin/sh"]
      args: ["-c", "sleep infinity"]
      volumeMounts:
        - mountPath: /host
          name: host-root
  volumes:
    - hostPath:
        path: /
        type: ""
      name: host-root

Be aware that this is of course a security issue and in a secure cluster should not be possible. If you have to maintain the node, use ssh as suggested by samson.

Score:0

If you need access to the underlying Nodes for your Kubernetes cluster (and you don't have direct access - usually if you are hosting Kubernetes elsewhere), you can use the following deployment to create Pods where you can log in with kubectl exec, and you have access to the Node's IPC and complete filesystem under /node-fs. To get a node console that is just like you have SSHd in, after logging in, perform chroot /node-fs. It is inadvisable to keep this running, but if you need access to the node, this will help. Because it is a DaemonSet, it starts one of these Pods on each Node.

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: privpod
spec:
  selector:
    matchLabels:
      mydaemon: privpod
  template:
    metadata:
      labels:
        mydaemon: privpod
    spec:
      hostNetwork: true
      hostPID: true
      hostIPC: true
      containers:
        - name: privcontainer
          image: johnnyb61820/network-toolkit
          securityContext:
            privileged: true
          command:
            - tail
            - "-f"
            - /dev/null
          volumeMounts:
            - name: nodefs
              mountPath: /node-fs
            - name: devfs
              mountPath: /dev
      volumes:
        - name: nodefs
          hostPath:
            path: / 
        - name: devfs
          hostPath:
            path: /dev

This is from Appendix C.13 of Cloud Native Applications with Docker and Kubernetes. I've found this useful especially if I need to deal with physical drives or something similar. It's not something you should leave running, but helps when you are in a pinch.
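
Added example, not part of any answer above: a small Python check that lists the settings in a manifest which give its containers access to the node (host namespaces, privileged containers, hostPath volumes), all of which the Kubernetes Pod Security Standards "baseline" profile disallows. The function names and the dict form of the manifests are assumptions made for this example; the first two inputs are the manifests from the answers above, re-typed as Python dicts.

```python
# Added example: names here are illustrative, not from Kubernetes or any tool.
HOST_NAMESPACE_FIELDS = ("hostNetwork", "hostPID", "hostIPC")


def pod_spec_of(manifest):
    """Pod spec of a Pod, or of a workload with spec.template (DaemonSet, Deployment, ...)."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def node_access_findings(manifest):
    """Return the settings in a manifest that give its containers access to the node."""
    spec = pod_spec_of(manifest)
    findings = [f"{f}: true" for f in HOST_NAMESPACE_FIELDS if spec.get(f) is True]
    # Map each hostPath volume name to the node path it exposes.
    host_volumes = {v["name"]: v["hostPath"].get("path")
                    for v in spec.get("volumes", []) if "hostPath" in v}
    for name, path in host_volumes.items():
        findings.append(f"hostPath volume {name!r} -> {path}")
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind, []):
            if (c.get("securityContext") or {}).get("privileged") is True:
                findings.append(f"{c['name']}: privileged container")
            for m in c.get("volumeMounts", []):
                if m["name"] in host_volumes:
                    findings.append(
                        f"{c['name']}: mounts host {host_volumes[m['name']]} at {m['mountPath']}")
    return findings


# Constructed inputs: the page's two manifests as dicts, plus an ordinary pod for contrast.
EVIL_POD = {"kind": "Pod", "metadata": {"name": "evil-pod"}, "spec": {
    "containers": [{"name": "evil", "image": "busybox",
                    "volumeMounts": [{"mountPath": "/host", "name": "host-root"}]}],
    "volumes": [{"name": "host-root", "hostPath": {"path": "/", "type": ""}}]}}
PRIVPOD = {"kind": "DaemonSet", "metadata": {"name": "privpod"}, "spec": {"template": {"spec": {
    "hostNetwork": True, "hostPID": True, "hostIPC": True,
    "containers": [{"name": "privcontainer", "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "nodefs", "mountPath": "/node-fs"},
                                     {"name": "devfs", "mountPath": "/dev"}]}],
    "volumes": [{"name": "nodefs", "hostPath": {"path": "/"}},
                {"name": "devfs", "hostPath": {"path": "/dev"}}]}}}}
PLAIN_POD = {"kind": "Pod", "metadata": {"name": "web"},
             "spec": {"containers": [{"name": "web", "image": "nginx"}]}}

if __name__ == "__main__":
    for m in (EVIL_POD, PRIVPOD, PLAIN_POD):
        print(m["metadata"]["name"], node_access_findings(m) or "no node-access settings")
```

The check does not unwrap a CronJob's nested jobTemplate; it covers Pods and workloads whose pod template sits directly under spec.template.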
