Is there any way to run super-privileged containers using Kubernetes?

3/21/2018

I want all processes within the pod to see the same network and process table, as well as share any IPCs with the host processes. I know it is possible when we use docker by leveraging the following command.

docker run -it --privileged --ipc=host --net=host --pid=host   \
           -v /:/host -v /run:/run -v /etc/localtime:/etc/localtime   \
           --name privcontainer centos7 /bin/bash

On the other hand, is there any way to run super-privileged containers using Kubernetes? If possible, I would like to know how to write the pod YAML file.

-- Kohhei
kubernetes

2 Answers

10/24/2019

To disable the namespacing of a container's PIDs, and thus allow this container to view all processes on a host, you need to specify hostPID: true in the pod spec.

You might find this manifest useful if you want to inspect a Kubernetes host from within a pod:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: debug
spec:
  selector:
    matchLabels:
      app: debug
  template:
    metadata:
      labels:
        app: debug
      name: debug
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      hostNetwork: true
      hostPID: true
      containers:
      - name: linux
        image: alpine
        args:
        - sleep
        - "3600"
        securityContext:
          privileged: true
          runAsGroup: 0
          runAsUser: 0
        volumeMounts:
        - mountPath: /mnt/host
          name: host
      volumes:
      - hostPath:
          path: /
          type: ""
        name: host

This will instantiate a "debug" pod on each node of your cluster (including control-plane nodes if they are visible to you). This pod will have access to all PIDs from the host, will see all its networks, and the node filesystem will be browsable at /mnt/host.

-- Mickaël Le Baillif
Source: StackOverflow

3/21/2018

There is a privileged flag on the SecurityContext of the container spec.

Check out the documentation for more details.

I could only find an example from the v1.4 docs:

apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
    - name: hello-world-container
      # The container definition
      # ...
      securityContext:
        privileged: true   ###Here is what you are looking for
        seLinuxOptions:
          level: "s0:c123,c456"

Even more info here.

I'm sure you're aware, but as a general word of caution, privileged will remove all container security settings and open up the cluster to potential security vulnerabilities.

-- Ben Hall
Source: StackOverflow
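Both answers rely on the same handful of pod-spec fields (hostPID, hostNetwork, privileged, root uid, a hostPath mount of /) and the second answer warns about their effect. As an added example that is not from either answer, here is a small audit function that reports exactly those settings on an object in the shape `kubectl get ... -o json` returns, handling both a bare Pod and a workload that carries a pod template (DaemonSet, Deployment). The sample objects are constructed from the manifests above; hostIPC is checked as well, since the question asks about sharing IPC with the host.

```python
"""Flag host-namespace and privilege settings on a Kubernetes object (dict form)."""
from typing import Dict, List

HOST_NAMESPACE_FLAGS = ("hostPID", "hostNetwork", "hostIPC")


def _pod_spec(obj: Dict) -> Dict:
    """Return the pod spec of a Pod, or of the pod template inside a workload."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def audit_pod(obj: Dict) -> List[str]:
    """Return one finding per setting that grants host-level access."""
    spec = _pod_spec(obj)
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for flag in HOST_NAMESPACE_FLAGS:
        if spec.get(flag) is True:
            findings.append(f"{name}: {flag} shares the host namespace")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged") is True:
            findings.append(f"{name}/{c['name']}: privileged container (all capabilities, host devices)")
        if sc.get("runAsUser") == 0:
            findings.append(f"{name}/{c['name']}: runs as uid 0")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None:
            findings.append(f"{name}: hostPath mount of {path}")
    return findings


# Constructed sample: the "debug" DaemonSet from the first answer, reduced to a dict.
DEBUG_DAEMONSET = {
    "apiVersion": "apps/v1", "kind": "DaemonSet", "metadata": {"name": "debug"},
    "spec": {"template": {"spec": {
        "hostNetwork": True, "hostPID": True,
        "containers": [{"name": "linux", "image": "alpine",
                        "securityContext": {"privileged": True, "runAsUser": 0, "runAsGroup": 0}}],
        "volumes": [{"name": "host", "hostPath": {"path": "/", "type": ""}}],
    }}},
}

# Constructed sample: an ordinary pod that should yield no findings.
PLAIN_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
             "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}

if __name__ == "__main__":
    for obj in (DEBUG_DAEMONSET, PLAIN_POD):
        for line in audit_pod(obj) or [f"{obj['metadata']['name']}: no host-level access"]:
            print(line)
```

Running it against the DaemonSet prints five findings (hostPID, hostNetwork, privileged, uid 0, hostPath /); the plain pod prints none.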