Dipesh Majumdar

Blog and Paintings

Sitting on a Jumpbox and testing with network policy

You want to sit on a jumpbox pod so you can wget to some ClusterIP:port, for testing only....

Well, if you create a busybox pod it goes straight to Completed, because the entrypoint of its container image is just 'sh'.

So you would have to run it with something like 'sleep 3600' as the command.

But you don't want to do that, so you can just do this -

[dipesh.majumdar@demo ~]$ k run busybox --restart=Never --image=busybox -it
If you don't see a command prompt, try pressing enter.
/ # pwd
/
/ #

/ # wget -O- 10.112.11.76:7777
Connecting to 10.112.11.76:7777 (10.112.11.76:7777)
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
-                    100% |*********************************************************************************************************************************************|   612  0:00:00 ETA
/ #

Open another terminal and check the busybox pod: it is Running, not Completed.

[dipesh.majumdar@demo ~]$ k get po
NAME                    READY   STATUS    RESTARTS   AGE
busybox                 1/1     Running   0          30s
nginx-966857787-2h9fb   1/1     Running   0          5m
nginx-966857787-vwtwt   1/1     Running   0          5m
[dipesh.majumdar@demo ~]$

The moment you exit the busybox shell the pod status becomes Completed.

NAME                    READY   STATUS      RESTARTS   AGE
busybox                 0/1     Completed   0          8m
nginx-966857787-2h9fb   1/1     Running     0          13m
nginx-966857787-vwtwt   1/1     Running     0          13m

But what if you want the pod deleted the moment you come out of the busybox shell? Add --rm; this can be done in 2 ways (either way is good):

[dipesh.majumdar@demo ~]$ k run busybox --restart=Never --image=busybox -it --rm
If you don't see a command prompt, try pressing enter.
/ # exit
pod "busybox" deleted
[dipesh.majumdar@demo ~]$ k run busybox --restart=Never --image=busybox -it --rm -- sh
If you don't see a command prompt, try pressing enter.
/ #

Use cases of the jumpbox are shown below -

Create a dummy api server

kubectl run apiserver --restart=Never --image=nginx --labels app=web,role=api --expose --port 80

Create a network policy that isolates the api server pod so that ingress is only possible from pods carrying the label tag=devops-team (this only takes effect if the cluster's CNI enforces NetworkPolicy):

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: devops-np
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
    - from:
        - podSelector:           # chooses pods with tag devops-team
            matchLabels:
              tag: devops-team

Test first from a jumpbox without the label, then from one with it ($RANDOM just gives each pod a unique name so the runs don't clash):

[dipesh.majumdar@demo ~]$ k run busybox$RANDOM --restart=Never --image=busybox -it --rm -- sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://apiserver
wget: download timed out

[dipesh.majumdar@demo ~]$ k run busybox$RANDOM --restart=Never --image=busybox --labels 'tag=devops-team' -it --rm -- sh
If you don't see a command prompt, try pressing enter.
/ # wget -qO- --timeout=2 http://apiserver
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
/ #
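To reason about the two wget results above without a cluster, here is an added example (not the post's own code) that models how a CNI evaluates the devops-np policy: a pod selected by a policy is isolated, and a source is only admitted if it matches a 'from' peer. It assumes all pods are in one namespace and ignores namespaceSelector, ipBlock and port rules.

```python
"""Offline model of the ingress decision made by the devops-np NetworkPolicy."""

# The policy from the post, written as a dict instead of YAML (constructed here).
DEVOPS_NP = {
    "podSelector": {"matchLabels": {"app": "web"}},
    "ingress": [
        {"from": [{"podSelector": {"matchLabels": {"tag": "devops-team"}}}]},
    ],
}


def selects(selector, labels):
    """matchLabels semantics: every key/value must be present; {} selects all pods."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def ingress_allowed(policies, src_labels, dst_labels):
    """True if a packet from the src pod may reach the dst pod.

    A pod selected by no policy is non-isolated (everything allowed). Once it
    is selected, the source must match at least one 'from' peer of at least
    one ingress rule; a rule with an empty/missing 'from' admits all sources,
    and a policy with no ingress rules at all is a default deny.
    """
    applicable = [p for p in policies if selects(p["podSelector"], dst_labels)]
    if not applicable:
        return True
    for pol in applicable:
        for rule in pol.get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True
            if any("podSelector" in peer and selects(peer["podSelector"], src_labels)
                   for peer in peers):
                return True
    return False


# Pod labels as the kubectl run commands in the post create them.
APISERVER = {"app": "web", "role": "api"}
PLAIN_BUSYBOX = {"run": "busybox12345"}   # no --labels: kubectl adds run=<name>
DEVOPS_BUSYBOX = {"tag": "devops-team"}   # --labels replaces the default label

if __name__ == "__main__":
    for name, src in [("plain busybox", PLAIN_BUSYBOX), ("devops busybox", DEVOPS_BUSYBOX)]:
        verdict = "allowed" if ingress_allowed([DEVOPS_NP], src, APISERVER) else "denied"
        print(f"{name} -> apiserver: {verdict}")
```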

One more time, this time very fast -

Quick creation of a dummy apiserver was shown above (this created a pod and a service).

Let's do a dummy web... this time it creates a pod, a matching deployment and a matching service.

k -n temp run web --image nginx:1.7.9 --expose --labels 'app=web' --port 80

Now a simple jumpbox...

k -n temp run jumpbox --restart Never --image busybox --labels 'app=jumpbox' --rm -it

This is the same as

k -n temp run jumpbox --restart Never --image busybox --labels 'app=jumpbox' --rm -it sh

/ # wget --timeout 2 -O- web:80
Connecting to web:80 (10.112.12.179:80)
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>

Want to run a command without getting into the pod? Instead of sh, pass the command itself, in this case whoami:

[dipesh.majumdar@demo ~]$ k -n temp run jumpbox --restart Never --image busybox --labels 'app=jumpbox' --rm -it whoami
root
pod "jumpbox" deleted

Little more magic...

ready for it?

do this...

[dipesh.majumdar@demo ~]$ k -n temp run jumpbox --image alpine --restart Never --labels 'app=jumpbox' --rm -it
If you don't see a command prompt, try pressing enter.
/ # apk add --no-cache curl openssl
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
(1/6) Installing ca-certificates (20190108-r0)
(2/6) Installing nghttp2-libs (1.35.1-r0)
(3/6) Installing libssh2 (1.8.2-r0)
(4/6) Installing libcurl (7.64.0-r1)
(5/6) Installing curl (7.64.0-r1)
(6/6) Installing openssl (1.1.1b-r1)
Executing busybox-1.29.3-r10.trigger
Executing ca-certificates-20190108-r0.trigger
OK: 8 MiB in 20 packages
/ # curl -v -I -o /dev/null http://web:80
* Expire in 0 ms for 6 (transfer 0x560fa43a77a0)
* Expire in 1 ms for 1 (transfer 0x560fa43a77a0)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Expire in 0 ms for 1 (transfer 0x560fa43a77a0)
* Expire in 2 ms for 1 (transfer 0x560fa43a77a0)
* Expire in 0 ms for 1 (transfer 0x560fa43a77a0)
* Expire in 0 ms for 1 (transfer 0x560fa43a77a0)
* Expire in 2 ms for 1 (transfer 0x560fa43a77a0)
* Expire in 0 ms for 1 (transfer 0x560fa43a77a0)
* Expire in 0 ms for 1 (transfer 0x560fa43a77a0)
* Expire in 2 ms for 1 (transfer 0x560fa43a77a0)
* Expire in 1 ms for 1 (transfer 0x560fa43a77a0)
* Expire in 1 ms for 1 (transfer 0x560fa43a77a0)
* Expire in 2 ms for 1 (transfer 0x560fa43a77a0)
* Expire in 1 ms for 1 (transfer 0x560fa43a77a0)
* Expire in 1 ms for 1 (transfer 0x560fa43a77a0)
* Expire in 1 ms for 1 (transfer 0x560fa43a77a0)
*   Trying 10.112.14.49...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x560fa43a77a0)
* Connected to web (10.112.14.49) port 80 (#0)
> HEAD / HTTP/1.1
> Host: web
> User-Agent: curl/7.64.0
> Accept: */*

The docker equivalent of the k8s alpine jumpbox is -

[dipesh.majumdar@demo ~]$ docker run --rm -it alpine
/ # apk add --no-cahe curl openssl
apk: unrecognized option: no-cahe
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
(1/6) Installing ca-certificates (20190108-r0)
(2/6) Installing nghttp2-libs (1.35.1-r0)
(3/6) Installing libssh2 (1.8.2-r0)
(4/6) Installing libcurl (7.64.0-r1)
(5/6) Installing curl (7.64.0-r1)
(6/6) Installing openssl (1.1.1b-r1)
Executing busybox-1.29.3-r10.trigger
Executing ca-certificates-20190108-r0.trigger
OK: 8 MiB in 20 packages
/ # curl -v -I -o /dev/null http://web:80
* Expire in 0 ms for 6 (transfer 0x55e43644d7a0)
* Expire in 1 ms for 1 (transfer 0x55e43644d7a0)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Expire in 0 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 1 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 0 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 0 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 1 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 0 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 0 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 1 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 0 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 0 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 1 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 2 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 2 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 2 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 2 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 2 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 2 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 3 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 3 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 4 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 3 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 3 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 4 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 4 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 4 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 8 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 6 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 6 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 8 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 8 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 8 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 16 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 11 ms for 1 (transfer 0x55e43644d7a0)
* Expire in 11 ms for 1 (transfer 0x55e43644d7a0)
* Could not resolve host: web
* Expire in 14 ms for 1 (transfer 0x55e43644d7a0)
* Closing connection 0
curl: (6) Could not resolve host: web   

Obviously it can't resolve the host, because this is plain docker and 'web' is a service inside the k8s cluster.

The alpine container disappears as soon as we come out of its shell (that is what --rm does). Compare docker ps -a from a second session while the shell is open and after it is closed:

login as: dipesh.majumdar
Authenticating with public key "imported-openssh-key"
Passphrase for key "imported-openssh-key":
Last login: Sun Apr 14 11:36:43 2019 from dhcp-077-249-177-085.chello.nl
[dipesh.majumdar@demo ~]$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                  PORTS               NAMES
de27d1c58963        alpine              "/bin/sh"                21 seconds ago      Up 20 seconds                               nostalgic_lamport
8d7696365904        mysql               "docker-entrypoint..."   7 days ago          Exited (1) 7 days ago                       distracted_shockley
c667d456911e        busybox             "sh"                     7 days ago          Exited (0) 7 days ago                       nostalgic_shaw
[dipesh.majumdar@demo ~]$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                  PORTS               NAMES
8d7696365904        mysql               "docker-entrypoint..."   7 days ago          Exited (1) 7 days ago                       distracted_shockley
c667d456911e        busybox             "sh"                     7 days ago          Exited (0) 7 days ago                       nostalgic_shaw
[dipesh.majumdar@demo ~]$

However, if you want the docker container to stay around after you exit the shell, run it detached like this

[dipesh.majumdar@demo ~]$ docker run --rm -dit alpine
6a3c0f71d34fea50f2d6a66b7370986625d6983b6c991f7db7a25f87632c4223

and then enter the shell like this... 

[dipesh.majumdar@demo ~]$ docker exec -it 6a3c0f71d34f sh
/ # whoami
root
/ # exit

[dipesh.majumdar@demo ~]$

Even after you exit, the container will still be up and running.

Want to execute a command without entering the container? Do it this way:

[dipesh.majumdar@demo ~]$ docker exec -it 6a3c0f71d34f whoami
root
[dipesh.majumdar@demo ~]$ docker exec -it 6a3c0f71d34f pwd
/
