How do I connect to and manage a Kubernetes cluster from a pod using the nsenter utility


I am using a multi-node Kubernetes cluster. I am using the following YAML to connect to and manage the host machine.

apiVersion: v1
kind: Pod
metadata:
  name: my-nsenter-test
spec:
  hostPID: true
  hostNetwork: true
  hostIPC: true
  containers:
    - name: my-nsenter-test
      image: ubuntu:18.04
      command: ["tail"]
      args: ["-f", "/dev/null"]
      securityContext:
        privileged: true

But I would like to connect to and manage the multi-node cluster (any other node in the cluster) using a single pod.

Best answer:

Short answer: From the pod you can use the nsenter utility to connect to only one node, the node that the pod is hosted on, but it is better not to do that, because deploying pods with wide permissions is against security best practices.

You can't connect to the other nodes, as the pod is hosted on only one node. Setting the host... fields means only that the pod shares resources with its host, one host node, and it is simply not possible to achieve what you want using the nsenter utility.

This diagram is a good representation of the Kubernetes architecture related to pods and nodes:


To connect to the host node, just run the following command:

kubectl exec -it my-nsenter-test -- nsenter --target 1 --mount --uts --ipc --net /bin/bash

Avoid using privileged policies and hosting common resources with the host

Generally, this approach to managing hosts is against security best practices.

Giving a pod wide permissions is strongly not recommended; this leads to many security concerns, and usually it grants broader permissions than intended:

The way PSPs are applied to Pods has proven confusing to nearly everyone that has attempted to use them. It is easy to accidentally grant broader permissions than intended, and difficult to inspect which PSP(s) apply in a given situation.

Also check this article: Securing a Cluster.
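The manifest in the question and the warning in the answer describe the same thing from two sides: hostPID together with a privileged container is exactly the combination that lets `nsenter --target 1` walk into the node's namespaces. As an added example that is not part of the question or the answer, the Python below audits a pod spec for that combination and for the related settings the Pod Security Standards "baseline" and "restricted" profiles reject. The posted manifest is hand-converted from YAML to a dict so the script runs without a YAML library; the hardened manifest beside it, the `audit_pod` and `can_nsenter_host` names, and the rule that SYS_ADMIN plus SYS_PTRACE is treated as equivalent to privileged for namespace entry are assumptions of this example, not something stated on the page.

```python
"""Audit Kubernetes pod specs for host-namespace sharing and privileged containers.

Added example; not code from the question or the answer. The checks approximate
the Pod Security Standards baseline/restricted profiles and are not a full
implementation of them.
"""
from typing import Any, Dict, Iterator, List

Pod = Dict[str, Any]

# The Pod from the question, hand-converted from its YAML (constructed input,
# not read from a cluster).
NSENTER_POD: Pod = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "my-nsenter-test"},
    "spec": {
        "hostPID": True,
        "hostNetwork": True,
        "hostIPC": True,
        "containers": [
            {
                "name": "my-nsenter-test",
                "image": "ubuntu:18.04",
                "command": ["tail"],
                "args": ["-f", "/dev/null"],
                "securityContext": {"privileged": True},
            }
        ],
    },
}

# A hardened counterpart (assumed example): no host namespaces, no privilege,
# all capabilities dropped, non-root uid, runtime seccomp profile.
HARDENED_POD: Pod = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "my-hardened-test"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 65534,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "app",
                "image": "ubuntu:18.04",
                "command": ["tail"],
                "args": ["-f", "/dev/null"],
                "securityContext": {
                    "privileged": False,
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                },
            }
        ],
    },
}

HOST_NAMESPACE_FIELDS = ("hostPID", "hostNetwork", "hostIPC")
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")
# Assumption: a root process holding both of these can setns() into the
# namespaces exposed under /proc/1/ns when hostPID is shared.
NAMESPACE_ESCAPE_CAPS = {"SYS_ADMIN", "SYS_PTRACE"}


def _containers(spec: Pod) -> Iterator[Pod]:
    """Yield every container-like entry in the spec, init and ephemeral included."""
    for key in CONTAINER_LISTS:
        for container in spec.get(key) or []:
            yield container


def _added_caps(sc: Pod) -> set:
    caps = sc.get("capabilities") or {}
    return {str(c).upper() for c in caps.get("add") or []}


def can_nsenter_host(pod: Pod) -> bool:
    """True when the pod can enter the node's namespaces the way the page does."""
    spec: Pod = pod.get("spec") or {}
    if spec.get("hostPID") is not True:
        return False  # without hostPID, /proc/1 is the container's own init, not the node's
    for container in _containers(spec):
        sc = container.get("securityContext") or {}
        if sc.get("privileged") is True or NAMESPACE_ESCAPE_CAPS <= _added_caps(sc):
            return True
    return False


def audit_pod(pod: Pod) -> List[str]:
    """Return human-readable findings; an empty list means the pod passes."""
    findings: List[str] = []
    spec: Pod = pod.get("spec") or {}
    name = (pod.get("metadata") or {}).get("name", "<unnamed>")
    pod_sc: Pod = spec.get("securityContext") or {}

    for field in HOST_NAMESPACE_FIELDS:
        if spec.get(field) is True:
            findings.append(f"{name}: spec.{field}=true shares the node's namespace with the pod")

    for container in _containers(spec):
        cname = container.get("name", "<unnamed>")
        sc: Pod = container.get("securityContext") or {}
        caps: Pod = sc.get("capabilities") or {}
        if sc.get("privileged") is True:
            findings.append(f"{name}/{cname}: privileged=true grants every capability and raw device access")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false (setuid binaries can gain privilege)")
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{name}/{cname}: capabilities.drop does not include ALL")
        risky = NAMESPACE_ESCAPE_CAPS & _added_caps(sc)
        if risky:
            findings.append(f"{name}/{cname}: adds {sorted(risky)}, usable to enter host namespaces")
        if sc.get("runAsNonRoot") is not True and pod_sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}/{cname}: runAsNonRoot is not set, container may run as uid 0")

    if can_nsenter_host(pod):
        findings.append(f"{name}: hostPID plus a privileged (or SYS_ADMIN+SYS_PTRACE) container allows "
                        "`nsenter --target 1` into the node's mount/net/ipc namespaces")
    return findings


if __name__ == "__main__":
    for candidate in (NSENTER_POD, HARDENED_POD):
        print(candidate["metadata"]["name"], "->", audit_pod(candidate) or ["OK"])
```

Run against real manifests by loading them with a YAML parser and passing each document to `audit_pod`; a cluster with Pod Security Admission set to `baseline` or `restricted` on the namespace would have refused the question's manifest for the same reasons the findings list.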