-
Notifications
You must be signed in to change notification settings - Fork 173
Expand file tree
/
Copy pathsuperPod.yaml
More file actions
60 lines (60 loc) · 1.87 KB
/
superPod.yaml
File metadata and controls
60 lines (60 loc) · 1.87 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
###########################################################
## This file has the configuration for
## - A pod with elevated privileges that has access to the host filesystem and processes (using "spec.hostPID=true").
##
## Deploy: kubectl apply -f superPod.yaml
## Terminal access: kubectl exec -it super-pod -- bash
## Remove: kubectl delete -f superPod.yaml
##
## WARNING: This pod has elevated privileges and can access the host filesystem and processes!
## This pod is not secure and should not be used in production environments.
##
## You can restart the kubelet and access the host /var/lib/kubelet and /var/log filesystems.
## Restarting kubelet: nsenter -t 1 -m -p -- systemctl restart kubelet
###########################################################
apiVersion: v1
kind: Pod
metadata:
name: super-pod
spec:
automountServiceAccountToken: true
containers:
- command:
- /bin/bash
- -c
- sleep 30d
image: eldada.jfrog.io/docker/alpine-with-tools:3.21.0
imagePullPolicy: IfNotPresent
name: super-container
resources:
limits:
cpu: 50m
memory: 100Mi
requests:
cpu: 5m
memory: 10Mi
securityContext:
allowPrivilegeEscalation: true
privileged: true
readOnlyRootFilesystem: false
runAsNonRoot: false
volumeMounts:
- mountPath: /var/lib/kubelet
mountPropagation: None
name: kubelet
- mountPath: /var/log
mountPropagation: None
name: varlog
hostPID: true
volumes:
- name: kubelet
hostPath:
path: /var/lib/kubelet
type: Directory
- name: varlog
hostPath:
path: /var/log
type: Directory
## Optional nodeSelector to run the pod on a specific node
# nodeSelector:
# kubernetes.io/hostname: ip-10-100-100-10.us-east-1.compute.internal