One day,

some fish say they want to eat,

therefore ......

Li Guobao: First experience with the SuperEdge edge computing k8s cluster


As described in the last article, my edge computing cluster has a bunch of nodes.

Each node sits in a different network environment.

What they have in common is that they can reach the intranet:

some are cloud student hosts,

some are virtual machines running in my home network,

and there are even a few Raspberry Pi machines in the plan.

So the other thing they have in common is that basically none of them has a public IP.

Thus, when I want to log in remotely to a node to do something,

the only way in is intranet penetration.

Using frp for intranet penetration - sspai (少数派)


There's nothing wrong with intranet penetration; I've been using this tool for two years and it's stable.

It's just ...

It's just ...

It's just ...

Each machine has to be configured one at a time, and you have to maintain a stable public server as the bridge.

In other words... a bit of a hassle.

Then I thought about it.

The current SuperEdge edge computing cluster itself already implements layer-4 and layer-7 intranet penetration,

so in theory, using that capability directly should also give me remote login.

So I started to study how to log in directly to a node of the k8s cluster

from a machine that has nothing but a kubectl environment.

After a round of searching, the first thing I found was this project.

A kubectl plugin to SSH into Kubernetes nodes using a SSH jump host Pod

Looking at the description and the requirements, it's exactly what I want.

$ kubectl krew install ssh-jump

I followed the tutorial to configure the plug-in, set up the environment and tried it out.

Everything went well, it just couldn't connect.

Painful ...

Then another round of searching turned up a blog post from a Red Hat guy.

A consistent, provider-agnostic way to SSH into any Kubernetes node

Perfect.

That's what I want.

Let's look at the plug-in code: luksa/kubectl-plugins

#!/usr/bin/env bash
set -e

ssh_node() {
  node=$1
  if [ "$node" = "" ]; then
    # No node given: list the cluster's nodes and use the only one if there is just one
    node=$(kubectl get node -o name | sed 's/node\///' | tr '\n' ' ')
    node=${node::-1}   # strip the trailing space (needs bash >= 4.2)

    if [[ "$node" =~ " " ]]; then
      echo "Node name must be specified. Choose one of: [$node]"
      exit 1
    else
      echo "Single-node cluster detected. Defaulting to node $node"
    fi
  fi

  # Privileged pod pinned to the node, with the node's root filesystem mounted at /host
  # and the host's network, IPC and PID namespaces; "chroot /host" then is a node shell
  pod=$(
    kubectl create -o name -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  generateName: ssh-node-
  labels:
    plugin: ssh-node
spec:
  nodeName: $node
  containers:
  - name: ssh-node
    image: busybox
    imagePullPolicy: IfNotPresent
    command: ["chroot", "/host"]
    tty: true
    stdin: true
    stdinOnce: true
    securityContext:
      privileged: true
    volumeMounts:
    - name: host
      mountPath: /host
  volumes:
  - name: host
    hostPath:
      path: /
  hostNetwork: true
  hostIPC: true
  hostPID: true
  restartPolicy: Never
EOF
  )

  deletePod() {
    kubectl delete $pod --wait=false
  }
  trap deletePod EXIT   # remove the pod again when the shell exits

  echo "Created $pod"
  echo "Waiting for container to start..."
  kubectl wait --for=condition=Ready $pod >/dev/null
  kubectl attach -it $pod -c ssh-node
}

ssh_pod() {
  # TODO: improve this
  if [ "$1" == "" ]; then
    echo "Pod name must be specified."
    exit 1
  fi
  kubectl exec -it "$@" bash || (
    echo "Running bash in pod failed; trying with sh"
    kubectl exec -it "$@" sh
  )
}

print_usage() {
  echo "Provider-agnostic way of opening a remote shell to a Kubernetes node."
  echo "Enables you to access a node even when it doesn't run an SSH server or"
  echo "when you don't have the required credentials. Also, the way you log in"
  echo "is always the same, regardless of what provides the Kubernetes cluster"
  echo "(e.g. Minikube, Kind, Docker Desktop, GKE, AKS, EKS, ...)"
  echo "You must have cluster-admin rights to use this plugin."
  echo "The primary focus of this plugin is to provide access to nodes, but it"
  echo "also provides a quick way of running a shell inside a pod."
  echo "Examples: "
  echo " # Open a shell to node of a single-node cluster (e.g. Docker Desktop)"
  echo " kubectl ssh node"
  echo " # Open a shell to node of a multi-node cluster (e.g. GKE)"
  echo " kubectl ssh node my-worker-node-1"
  echo " # Open a shell to a pod"
  echo " kubectl ssh pod my-pod"
  echo "Usage:"
  echo " kubectl ssh node [nodeName]"
  echo " kubectl ssh pod [podName] [-n namespace] [-c container]"
  exit 0
}

if [ "$1" == "--help" ]; then
  print_usage
fi

if [[ "$1" == node/* ]]; then
  ssh_node ${1:5}
elif [ "$1" == "node" ]; then
  ssh_node $2
elif [[ "$1" == pod/* ]]; then
  ssh_pod "$@"
elif [ "$1" == "pod" ]; then
  ssh_pod "$@"
else
  print_usage
fi

Let's take a serious look at the script.

What a talent.

Truly a fun Linux guy.

It's awesome.

It's awesome.

It's so interesting.

Er.

In plain language:

This script uses the busybox image to start a container instance,

then mounts the whole host filesystem into the container and chroots to /host.

That gives a one-to-one "copy" of the host system inside the container instance (maybe that's not the exact expression),

and so all resources of the host can be operated on directly from inside this container instance.

Yes , All resources .

Yes , All resources .

Yes , All resources .

Here you can directly see the processes of other programs,

and operate on other users' data without any password.

This is

the so-called container escape.

Then ....

Our goal has indeed been achieved.

In this way you can log in directly to any node of the k8s cluster,

no more passwords and authorization.
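A defender's check for the manifest pattern the script relies on, as an added example (not from the post or from luksa/kubectl-plugins): it evaluates a parsed pod object against the Pod Security Standards "baseline" controls, which is what a cluster enforcing the baseline or restricted profile through Pod Security Admission rejects. The two pod dicts are constructed samples; a real run would feed it pod JSON from the API server or the requestObject of an audit log entry.

```python
"""Audit check for pod specs that grant the node access the ssh-node pod relies on.
Added example, not code from the post or the plugin. It applies the Pod Security
Standards 'baseline' controls the plugin's manifest breaks (host namespaces,
hostPath volumes, privileged containers) to a parsed pod object."""
from typing import Dict, List

# Constructed sample mirroring the manifest in the post's script.
SSH_NODE_POD = {
    "kind": "Pod",
    "metadata": {"generateName": "ssh-node-", "labels": {"plugin": "ssh-node"}},
    "spec": {
        "hostNetwork": True, "hostIPC": True, "hostPID": True,
        "containers": [{
            "name": "ssh-node", "image": "busybox",
            "command": ["chroot", "/host"],
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host", "mountPath": "/host"}],
        }],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}
# Constructed sample of an ordinary workload for comparison.
PLAIN_POD = {
    "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx"}]},
}


def baseline_violations(pod: Dict) -> List[str]:
    """Return the 'baseline' controls this pod breaks (empty list = clean)."""
    spec = pod.get("spec", {})
    found = [f"{k}=true" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"hostPath:{vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            found.append(f"privileged:{c['name']}")
    return found


def is_node_takeover(pod: Dict) -> bool:
    """True when a privileged container also gets the node's root filesystem,
    the exact combination that turns 'chroot /host' into a node shell."""
    v = baseline_violations(pod)
    return "hostPath:/" in v and any(f.startswith("privileged:") for f in v)


if __name__ == "__main__":
    for p in (SSH_NODE_POD, PLAIN_POD):
        print(p["metadata"], baseline_violations(p), "takeover:", is_node_takeover(p))
```

Because the plugin needs cluster-admin to create this pod, limiting who may create pods in namespaces without Pod Security Admission labels is the other half of the control.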

Summary.

It's fun.

There is a real risk from unknown images.

The world has never been safe.

Reference material:

Docker container escape vulnerability (CVE-2020-15257) risk announcement

rambo1412: Overview of container escape techniques
