我找不到等效的 k8s cli 命令来执行类似的操作,也找不到任何存储为 k8s 秘密的 ssh 密钥。它似乎也是以一种与云无关的方式做到这一点的。
仅仅是使用具有特殊权限的 k8s pod 还是什么?
编辑:哎呀,它是开源的。我会相应地调查并更新这个问题
Daw*_*ruk 12
发布此社区 wiki 答案,以便更清楚地了解在解决此问题的 github 问题上所做的评论:
Lens将创建
nsenterpod到选定的节点Run Code Online (Sandbox Code Playgroud)protected async createNodeShellPod(podId: string, nodeName: string) { const kc = this.getKubeConfig(); const k8sApi = kc.makeApiClient(k8s.CoreV1Api); const pod = { metadata: { name: podId, namespace: "kube-system" }, spec: { restartPolicy: "Never", terminationGracePeriodSeconds: 0, hostPID: true, hostIPC: true, hostNetwork: true, tolerations: [{ operator: "Exists" }], containers: [{ name: "shell", image: "docker.io/alpine:3.9", securityContext: { privileged: true, }, command: ["nsenter"], args: ["-t", "1", "-m", "-u", "-i", "-n", "sleep", "14000"] }], nodeSelector: { "kubernetes.io/hostname": nodeName } } } as k8s.V1Pod;并执行到镜头终端的容器中。
-- Github.com:Lensapp:问题:Lens 如何在 ROOT 下无需用户和 SSH 密钥的情况下访问 AKS/EKS 中的节点?
我已经检查过这一点,并且可以在下面看到Podwithnsenter是在kube-system(检查GKE)中创建的:
$ kubectl get pods -n kube-system(输出已编辑)protected async createNodeShellPod(podId: string, nodeName: string) {
const kc = this.getKubeConfig();
const k8sApi = kc.makeApiClient(k8s.CoreV1Api);
const pod = {
metadata: {
name: podId,
namespace: "kube-system"
},
spec: {
restartPolicy: "Never",
terminationGracePeriodSeconds: 0,
hostPID: true,
hostIPC: true,
hostNetwork: true,
tolerations: [{
operator: "Exists"
}],
containers: [{
name: "shell",
image: "docker.io/alpine:3.9",
securityContext: {
privileged: true,
},
command: ["nsenter"],
args: ["-t", "1", "-m", "-u", "-i", "-n", "sleep", "14000"]
}],
nodeSelector: {
"kubernetes.io/hostname": nodeName
}
}
} as k8s.V1Pod;
其他资源:
| 归档时间: |
|
| 查看次数: |
8297 次 |
| 最近记录: |