
I am using a multi-node Kubernetes cluster. I am using the following YAML to connect to and manage the host machine.

apiVersion: v1
kind: Pod
metadata:
  name: my-nsenter-test
spec:
  hostPID: true
  hostNetwork: true
  hostIPC: true
  containers:
    - name: my-nsenter-test
      image: ubuntu:18.04
      command: ["tail"]
      args: ["-f", "/dev/null"]
      securityContext:
        privileged: true

But I would like to connect to and manage the multi-node cluster (any other node in the cluster) using a single pod.

Ashok Kumar
  • Please provide more information about your current setup - which Kubernetes version are you using, which solution did you use to set up the cluster (kubeadm or some cloud provider solution etc.). What do you mean by "manage multi node cluster" - do you want to communicate with the Kubernetes API? – Mikolaj S. Nov 17 '21 at 15:44
  • @MikolajS. I am using a 3-node cluster. I am using microk8s for the Kubernetes cluster. "Manage multi-node cluster" means I need to connect to all 3 nodes from the pod and run the commands. – Ashok Kumar Nov 19 '21 at 03:06
  • Thanks for all the information. Please provide information on which version of Kubernetes you are using. What do you mean by "I need to connect all 3 nodes from the POD and run the commands" - could you please clarify? Do you want to connect to the Kubernetes API and run `kubectl` commands from the pod, or just, for example, SSH to all the nodes from the single pod? – Mikolaj S. Nov 22 '21 at 14:52
  • I am using microk8s version v1.19.15-34+c064bb32deff78. "I need to connect all 3 nodes from the POD and run the commands" means I need to connect to any of the nodes and run commands like upgrading security patches, modifying host machine files, installing packages, etc. on the host machine. – Ashok Kumar Nov 23 '21 at 05:19
  • Thanks for the information about the version. It's still not clear what you want to achieve - let me explain how I understand it now - you want to connect to the pod shell using the `kubectl exec` command and connect to the node(s) shell from the pod - for example using the `ssh {user-on-the-node}@{node-ip-address}` command? What is the point of the nsenter utility that you mentioned in the question title? – Mikolaj S. Nov 23 '21 at 12:32
  • I don't want to connect to nodes using SSH. I want to connect to host machines using nsenter. nsenter allows you to join the Linux namespaces of a targeted process id (PID). So using nsenter we can manage the host machines. – Ashok Kumar Nov 24 '21 at 12:17

1 Answer


Short answer: You can connect from the pod using the nsenter utility to only one node - the node that the pod is hosted on - but better not to do that, because deploying pods with wide permissions is against security best practices.

You can't connect to the other nodes, as a pod is hosted on only one node. Setting the host... fields means that the pod is only sharing resources with its host - one host node - and it's simply not possible to achieve this using the nsenter utility.

This diagram is a good representation of the Kubernetes architecture related to pods and nodes:


For connecting to the host node just run the following command:

kubectl exec -it my-nsenter-test -- nsenter --target 1 --mount --uts --ipc --net /bin/bash

Avoid using privileged policies and hosting common resources with the host

Generally this approach to managing hosts is against security best practices.

Giving a pod wide permissions is strongly not recommended; this leads to many security concerns, and usually it grants broader permissions than intended:

The way PSPs are applied to Pods has proven confusing to nearly everyone that has attempted to use them. It is easy to accidentally grant broader permissions than intended, and difficult to inspect which PSP(s) apply in a given situation.

Also check this article - Securing a Cluster.

Mikolaj S.
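As an added example (not part of the question or the answer above), here is a small check a cluster administrator can run over parsed manifests to flag exactly the settings the question's pod uses - the host namespace flags plus a privileged container - which together are what `nsenter --target 1` depends on. It assumes the manifest has already been parsed into a dict (for example from `kubectl get pod -o json`).

```python
# Added example, not from the original post. Assumes the manifest is already
# a parsed dict (e.g. from `kubectl get pod -o json`); no cluster access needed.
from typing import Dict, List

# Constructed sample: the manifest from the question, as a parsed dict.
QUESTION_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "my-nsenter-test"},
    "spec": {
        "hostPID": True,
        "hostNetwork": True,
        "hostIPC": True,
        "containers": [{
            "name": "my-nsenter-test",
            "image": "ubuntu:18.04",
            "command": ["tail"],
            "args": ["-f", "/dev/null"],
            "securityContext": {"privileged": True},
        }],
    },
}

HOST_NAMESPACE_FIELDS = ("hostPID", "hostNetwork", "hostIPC")


def pod_spec(manifest: Dict) -> Dict:
    """Return the pod spec, unwrapping workload templates (Deployment etc.)."""
    spec = manifest.get("spec", {})
    if "template" in spec:  # Deployment, DaemonSet, Job, StatefulSet
        spec = spec["template"].get("spec", {})
    return spec


def host_escape_findings(manifest: Dict) -> List[str]:
    """List settings that let the pod act directly on the node hosting it."""
    spec = pod_spec(manifest)
    findings = [f"spec.{f}=true shares the node's {f[4:]} namespace"
                for f in HOST_NAMESPACE_FIELDS if spec.get(f) is True]
    privileged = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged") is True:
            privileged.append(c.get("name", "<unnamed>"))
    findings += [f"container {n!r} runs privileged" for n in privileged]
    # hostPID plus a privileged container is what `nsenter --target 1` relies on.
    if spec.get("hostPID") is True and privileged:
        findings.append("hostPID + privileged: nsenter into the node's PID 1 is possible")
    return findings
```

Running `host_escape_findings(QUESTION_POD)` reports all three host namespaces, the privileged container, and the combined nsenter finding; a plain pod with no such settings returns an empty list.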