2

How to exec into a K8s node?

Up to now I only found ways to exec into containers running on a node.

I would like to avoid ssh.

guettli

4 Answers

4

The layer above a pod (and its containers) is the operating system (excluding logical layers of k8s).

There aren't any tools (that I'm aware of) specifically part of Kubernetes management tooling that do this - that's what SSH is for.

samson4649
3

You can use kubectl-node-shell

kubectl-node-shell: Start a root shell in the node's host OS running.

Usage:

# Get standard bash shell
kubectl node-shell <node>

You need to be able to start privileged containers for that.

guettli
2

Depending on what you want to achieve, you can start a pod with more privileges. You could e.g. do a hostPath mount on /. With some Linux knowledge this should be enough.

apiVersion: v1
kind: Pod
metadata:
  name: evil-pod
spec:
  containers:
  - image: busybox
    name: evil
    command: ["/bin/sh"]
    args: ["-c", "sleep infinity"]
    volumeMounts:
    - mountPath: /host
      name: host-root
  volumes:
  - hostPath:
      path: /
      type: ""
    name: host-root

Be aware that this is of course a security issue and in a secure cluster should not be possible. If you have to maintain the node, use SSH as suggested by samson.

Stefan Lasiewski
Johnson
0

If you need access to the underlying Nodes for your Kubernetes cluster (and you don't have direct access - usually if you are hosting Kubernetes elsewhere), you can use the following deployment to create Pods where you can log in with kubectl exec, and you have access to the Node's IPC and complete filesystem under /node-fs. To get a node console that is just as if you had SSHed in, after logging in, perform chroot /node-fs. It is inadvisable to keep this running, but if you need access to the node, this will help. Because it is a DaemonSet, it starts one of these Pods on each Node.

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: privpod
spec:
  selector:
    matchLabels:
      mydaemon: privpod
  template:
    metadata:
      labels:
        mydaemon: privpod
    spec:
      hostNetwork: true
      hostPID: true
      hostIPC: true
      containers:
        - name: privcontainer
          image: johnnyb61820/network-toolkit
          securityContext:
            privileged: true
          command:
            - tail
            - "-f"
            - /dev/null
          volumeMounts:
            - name: nodefs
              mountPath: /node-fs
            - name: devfs
              mountPath: /dev
      volumes:
        - name: nodefs
          hostPath:
            path: /
        - name: devfs
          hostPath:
            path: /dev

This is from Appendix C.13 of Cloud Native Applications with Docker and Kubernetes. I've found this useful especially if I need to deal with physical drives or something similar. It's not something you should leave running, but helps when you are in a pinch.

johnnyb
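Both the evil-pod manifest and the privpod DaemonSet above work only because the pod is granted node-level settings: host namespaces (hostPID/hostIPC/hostNetwork), a privileged container, and a hostPath mount of / or /dev. The following Python script is an added example, not code from this thread or from the kubectl-node-shell project; it walks a PodList in the JSON shape kubectl prints and reports exactly those settings, using a constructed sample that contains the two manifests from this thread (the pod names and namespaces in the sample are made up).

```python
# hostPath targets that expose the node's whole filesystem or its devices,
# the two mounts used by the manifests in this thread.
SENSITIVE_HOST_PATHS = {"/", "/dev"}

def node_escape_findings(pod):
    """Settings in one Pod object (kubectl JSON form) that reach the node itself."""
    spec = pod.get("spec", {})
    findings = [f"{k}=true" for k in ("hostPID", "hostIPC", "hostNetwork") if spec.get(k)]
    host_paths = {v["name"]: v["hostPath"].get("path", "")
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"container {c['name']}: privileged=true")
        for vm in c.get("volumeMounts", []):
            if vm["name"] in host_paths:
                path = host_paths[vm["name"]].rstrip("/") or "/"  # normalise "/var/log/"
                sev = "HIGH" if path in SENSITIVE_HOST_PATHS else "MEDIUM"
                findings.append(f"container {c['name']}: hostPath {path} at {vm['mountPath']} [{sev}]")
    return findings

def audit(pod_list):
    """Map namespace/name -> findings for every pod in a PodList that has any."""
    report = {}
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        found = node_escape_findings(pod)
        if found:
            report[f"{meta.get('namespace', 'default')}/{meta['name']}"] = found
    return report

# Constructed sample in the shape of `kubectl get pods -A -o json`: the two
# manifests from this thread plus a harmless pod, so the script runs offline.
SAMPLE_PODLIST = {"items": [
    {"metadata": {"name": "evil-pod", "namespace": "default"},
     "spec": {"containers": [{"name": "evil", "image": "busybox",
                              "volumeMounts": [{"name": "host-root", "mountPath": "/host"}]}],
              "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}]}},
    {"metadata": {"name": "privpod-x7k2q", "namespace": "kube-system"},
     "spec": {"hostNetwork": True, "hostPID": True, "hostIPC": True,
              "containers": [{"name": "privcontainer", "securityContext": {"privileged": True},
                              "volumeMounts": [{"name": "nodefs", "mountPath": "/node-fs"},
                                               {"name": "devfs", "mountPath": "/dev"}]}],
              "volumes": [{"name": "nodefs", "hostPath": {"path": "/"}},
                          {"name": "devfs", "hostPath": {"path": "/dev"}}]}},
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}},
]}
```

Feed audit() the parsed output of kubectl get pods -A -o json to find such pods in a live cluster. The same settings are what the Pod Security Admission baseline and restricted profiles refuse at admission time, so enforcing one of those on every namespace is the preventive control that makes both manifests above fail to schedule.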