--- tags: Kubernetes,HostPath description: Kubernetes HostPath Issue robots: index, follow --- # 1. misconfig - hostPath **docker可以掛載該節點的指定路徑，表示可以針對檔案進行操作** **all in one與master node當worker用會遇到上述的狀況** ## 1.1. 節點資訊 * 主機資訊 * proxy server(HAProxy + kubectl): 192.168.122.60 * master1: 192.168.122.61 * master2: 192.168.122.62 * master3: 192.168.122.63 * worker1: 192.168.122.64 * worker2: 192.168.122.65 * 環境資訊 * Kubernetes 1.20.4 * storage: NFS、iSCSI * ingress controller: traefik ## 1.2. 結果確認 ### 1.2.1. 先來個yaml ```yaml= apiVersion: v1 kind: Pod metadata: name: test-pd spec: containers: - image: nginx name: test-container volumeMounts: - mountPath: /test-pd name: test-volume volumes: - name: test-volume hostPath: # directory location on host path: /etc # this field is optional type: Directory ``` ### 1.2.2. 重點資訊： * 建立於default namespace * 使用nginx image * 建立一個hostPath, 使用本機的/etc資料夾 * test-container掛載hostPath(test-volume)於/test-pd **注意到了嗎？hostPath是/etc** ### 1.2.3. 建立test-pd ``` inwin@proxy:~$ kubectl create -f hostpath.yaml pod/test-pd created inwin@proxy:~$ kubectl get po test-pd -o yaml |grep host f:hostPath: f:hostIP: {} - hostPath: hostIP: 192.168.122.64 ``` * 192.168.122.64 為worker1 ### 1.2.4. 執行這個pod，確認路徑中有哪些東西 ``` inwin@proxy:~$ kubectl exec -it test-pd -- sh # ls test-pd NetworkManager fstab lvm rcS.d ...192.168.122.64本機的/etc資料夾都在這... fonts ltrace.conf rc6.d zsh_command_not_found ``` ### 1.2.5. 塞個檔案 ``` # echo "i am here." > hostpathfile.txt # cat hostpathfile.txt i am here. ``` ### 1.2.6. 由192.168.122.64確認是否有檔案 ``` root@worker1:~# cat /etc/hostpathfile.txt i am here. root@worker1:~# ifconfig |grep 192.168.122 inet 192.168.122.64 netmask 255.255.255.0 broadcast 192.168.122.255 ``` ### 1.2.7. 重要警告！ :::danger 1. pod如果改成掛載host存放`authorized_keys`的路徑，能夠植入任何想要放的public key 2. 改成掛載/var/lib/kubelet的話，裡面有些資訊或許能夠存取master node ::: ## 1.3. 如何避免 * 慎用hostPath，盡量避免。