When I define multiple containers in a pod/pod template, for example one container running an agent and another running php-fpm, how can they access each other? I need the agent container to connect to php-fpm by shell and execute a few steps interactively through the agent container.

Based on my understanding, we can package kubectl into the agent container and use `kubectl exec -it <container id> sh` to connect to the container. But I don't want the agent container to have more privilege than to connect to the target container, which is php-fpm.

Is there a better way for the agent container to connect to php-fpm by a shell and execute commands interactively?

Also, I wasn't successful in running kubectl from a container when using minikube, due to the following errors:

    docker run -it -v ~/.kube:/root/.kube lachlanevenson/k8s-kubectl get nodes
    Error in configuration:
    * unable to read client-cert /Users/user/.minikube/apiserver.crt for minikube due to open /Users/user/.minikube/apiserver.crt: no such file or directory
    * unable to read client-key /Users/user/.minikube/apiserver.key for minikube due to open /Users/user/.minikube/apiserver.key: no such file or directory
    * unable to read certificate-authority /Users/user/.minikube/ca.crt for minikube due to open /Users/user/.minikube/ca.crt: no such file or directory
jfunez
user1595858
  • _Is there a better way for agent container to connect to php-fpm by a shell and execute commands interactively?_ it is very hard to answer that question without knowing what you are _attempting_ to do; what are you attempting to do with these shell commands? – mdaniel Sep 11 '17 at 06:31
  • _But I don't want Agent container to have more privilege than to connect to the target container with is php-fpm_ then you should give up on your `kubectl exec` approach, because without doing some very, very serious work with RBAC, the Pod will be able to do anything that it wishes from inside the cluster – mdaniel Sep 11 '17 at 06:32

1 Answer

    docker run -it -v ~/.kube:/root/.kube lachlanevenson/k8s-kubectl get nodes

  1. First off, every Pod within a k8s cluster has its own k8s credentials provided by `/var/run/secrets/kubernetes.io/serviceaccount/token`, and thus there is absolutely no need to attempt to volume mount your home directory into a docker container.
  2. The reason you are getting the error about client-cert is because the contents of `~/.kube` are merely strings that point to the externally defined SSL key, SSL certificate, and SSL CA certificate defined inside `~/.kube/config` -- but I won't speak to fixing that problem further since there is no good reason to be using that approach.
mdaniel
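The answer's point about the in-cluster service-account token, together with the comment that `kubectl exec` from a Pod needs "very serious work with RBAC" to be safe, can be put into one manifest. The following is an added example, not code from the question or the answer: a bare Pod `web-0` in a `demo` namespace with a `php-fpm` container and an `agent` container, plus a ServiceAccount, Role and RoleBinding that let the agent do nothing except `get` its own Pod and `create` an exec session in it. The namespace, the names `agent-exec`, `exec-into-web-0` and `web-0`, the `php:7.1-fpm` image and the assumption that the `lachlanevenson/k8s-kubectl` image contains `sh` are all assumptions made for this illustration. Two caveats a practitioner should know: RBAC scopes `pods/exec` to a Pod name, not to one container inside it, so the agent can also exec into itself (harmless here, but it is not "php-fpm only" in the strict sense); and `resourceNames` needs a stable Pod name, which is why this uses a bare Pod rather than a Deployment with generated names (a StatefulSet would also work). The token is deliberately mounted into the `agent` container only, so a compromised php-fpm process does not inherit the exec permission.

```yaml
# Added example (not from the original post). Names, namespace and images
# are assumptions. Least-privilege exec from one container into its own Pod.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: agent-exec
  namespace: demo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: exec-into-web-0
  namespace: demo
rules:
# kubectl exec first GETs the Pod to resolve the target container, then
# POSTs to the exec subresource; both are limited to this one Pod by name.
- apiGroups: [""]
  resources: ["pods"]
  resourceNames: ["web-0"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["pods/exec"]
  resourceNames: ["web-0"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: agent-exec-into-web-0
  namespace: demo
subjects:
- kind: ServiceAccount
  name: agent-exec
  namespace: demo
roleRef:
  kind: Role
  name: exec-into-web-0
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: web-0
  namespace: demo
spec:
  serviceAccountName: agent-exec
  # Do not auto-mount the token into every container; php-fpm must not get it.
  automountServiceAccountToken: false
  volumes:
  - name: agent-token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 3600
      - configMap:                 # kube-root-ca.crt exists in every namespace on 1.20+
          name: kube-root-ca.crt
          items:
          - key: ca.crt
            path: ca.crt
      - downwardAPI:
          items:
          - path: namespace
            fieldRef:
              fieldPath: metadata.namespace
  containers:
  - name: php-fpm
    image: php:7.1-fpm               # assumed image; listens on 9000
    ports:
    - containerPort: 9000
  - name: agent
    image: lachlanevenson/k8s-kubectl   # image from the question; assumed to ship sh
    volumeMounts:
    - name: agent-token              # only this container sees the credentials
      mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      readOnly: true
    env:
    - name: POD_NAME                 # downward API: the agent learns its own Pod name
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    # With no kubeconfig present, kubectl reads token, ca.crt and namespace
    # from the mounted directory, so nothing from ~/.kube is needed. The
    # loop is a stand-in for the agent's real work; an interactive session
    # would be: kubectl exec -it "$POD_NAME" -c php-fpm -- sh
    command: ["sh", "-c"]
    args:
    - |
      while true; do
        kubectl exec "$POD_NAME" -c php-fpm -- sh -c 'php-fpm -v'
        sleep 3600
      done
```

To check that the binding is as narrow as intended before trusting it, impersonate the service account: `kubectl auth can-i create pods/web-0 --subresource=exec -n demo --as=system:serviceaccount:demo:agent-exec` should print `yes`, while the same query against any other Pod name, or `kubectl auth can-i list pods -n demo --as=system:serviceaccount:demo:agent-exec`, should print `no`. Every session the agent opens this way passes through the API server, so it also shows up in the audit log, which a direct shell between containers would not.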