Code Snippet

Date: 2025-03-22
From: Exploring kubernetes privileged pods
Language: bash
Title: checkpodspecs.sh
#!/bin/bash

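# Default flag values. These stay the literal strings "true"/"false" because
# the pod-creation sections further down test them with `if $DO_PID; then`.
DO_PID=false
DO_NETWORK=false
DO_IPC=false

# NOTE(review): the script runs without `set -euo pipefail`, so a failing
# minikube/kubectl step is not fatal and execution simply continues past it.
# Consider enabling strict mode once the remainder of the script is known to
# tolerate it.

# Print usage and exit.
#   usage            -> usage on stdout, exit 0 (the --help path)
#   usage "message"  -> message + usage on stderr, exit 1 (the error path)
usage() {
  if [[ $# -gt 0 ]]; then
    printf '%s\n' "$1" >&2
    printf 'Usage: %s [--pid] [--hostnetwork] [--ipc]\n' "$0" >&2
    exit 1
  fi
  printf 'Usage: %s [--pid] [--hostnetwork] [--ipc]\n' "$0"
  printf 'Specify which namespace sharing options to test\n'
  exit 0
}

# Parse command line arguments. Every option is a bare flag, so a single
# shift per iteration is enough; the two exiting branches never reach it.
while [[ $# -gt 0 ]]; do
  case "$1" in
    --pid)         DO_PID=true ;;
    --hostnetwork) DO_NETWORK=true ;;
    --ipc)         DO_IPC=true ;;
    -h|--help)     usage ;;
    *)             usage "Unknown option: $1" ;;
  esac
  shift
done

# Refuse to run with nothing selected; otherwise the script would start
# minikube below for no reason.
if ! $DO_PID && ! $DO_NETWORK && ! $DO_IPC; then
  usage "At least one option must be specified"
fi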

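# Start minikube if it is not already running. Abort when it cannot be
# started: everything below assumes a reachable cluster and would otherwise
# sit in the wait loop indefinitely.
if ! minikube status &> /dev/null; then
  minikube start || { printf 'minikube start failed\n' >&2; exit 1; }
fi

# Wait for the default service account to appear (pods in the default
# namespace cannot be created before it exists). The wait is bounded so a
# cluster that never becomes ready fails loudly instead of hanging the run.
SA_WAIT_SECONDS=${SA_WAIT_SECONDS:-120}
sa_waited=0
while ! kubectl get serviceaccount default &> /dev/null; do
  if (( sa_waited >= SA_WAIT_SECONDS )); then
    printf 'timed out after %ss waiting for the default service account\n' "$SA_WAIT_SECONDS" >&2
    exit 1
  fi
  sleep 2
  sa_waited=$(( sa_waited + 2 ))
done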

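# Report which Linux namespaces a pod's first container shares with the
# minikube node.
#
# Arguments: $1 - pod name (current kubectl namespace)
# Env:       POD_WAIT_SECONDS - how long to wait for Running (default 300)
# Outputs:   "POD: <name>", then a table with one row per namespace
#            (cgroup ipc mnt net pid user uts): node ns inode, container ns
#            inode, and SHARED / ISOLATED / UNKNOWN.
# Returns:   non-zero without a table if the pod does not reach Running in
#            time, the containerID cannot be read or is not a hex ID, or the
#            container PID cannot be resolved on the node.
#
# NOTE(review): the node lookup is `sudo docker inspect`, so this only works
# when the cluster's container runtime is docker. With the docker *driver*
# the "host" side of the comparison is presumably the minikube node
# container's PID 1 rather than the physical machine's — confirm for your
# driver before drawing conclusions from the HOST-ID column.
check_pod() {
  local name=$1
  local raw_id runtime cid
  local waited=0
  local timeout=${POD_WAIT_SECONDS:-300}

  echo "POD: $name"

  # Wait for the pod to be Running. Bounded so a pod stuck in Pending or
  # CrashLoopBackOff does not hang every later check.
  while [[ "$(kubectl get pod "$name" -o 'jsonpath={.status.phase}' 2>/dev/null)" != "Running" ]]; do
    if (( waited >= timeout )); then
      printf 'pod %s did not reach Running within %ss\n' "$name" "$timeout" >&2
      return 1
    fi
    sleep 2
    waited=$(( waited + 2 ))
  done

  # containerID has the form "<runtime>://<id>". Only the first container of
  # the pod is inspected, as in the original listing.
  raw_id=$(kubectl get pod "$name" -o 'jsonpath={.status.containerStatuses[0].containerID}') || return 1
  runtime=${raw_id%%://*}
  cid=${raw_id#*://}

  # Say up front when the runtime is not docker: the `docker inspect` on the
  # node will most likely fail and every row would otherwise come back UNKNOWN.
  if [[ "$runtime" != "docker" ]]; then
    printf 'warning: container runtime is %q, not docker; docker inspect on the node may fail\n' "$runtime" >&2
  fi

  # $cid is spliced into a shell command that runs on the node via
  # `minikube ssh`. Accept only a hex container ID so that nothing else
  # coming back from the API server can be executed there.
  if [[ ! "$cid" =~ ^[0-9a-fA-F]+$ ]]; then
    printf 'unexpected containerID %q for pod %s\n' "$raw_id" "$name" >&2
    return 1
  fi

  # Compare each namespace of the node's PID 1 with the container's main
  # process. A readlink that fails (e.g. the PID vanished) is reported as
  # UNKNOWN rather than ISOLATED, so a lookup failure cannot masquerade as a
  # clean result.
  #
  # NOTE(review): the user and cgroup rows may read SHARED for an ordinary
  # pod if the runtime does not create those namespaces by default — confirm
  # before treating either as a finding.
  minikube ssh "
    CONTAINER_PID=\$(sudo docker inspect --format='{{.State.Pid}}' $cid)
    if [ -z \"\$CONTAINER_PID\" ] || [ \"\$CONTAINER_PID\" = 0 ]; then
      echo 'could not resolve the container PID on the node' >&2
      exit 1
    fi
    echo 'NAMESPACE  HOST-ID                 CONTAINER-ID               NS-STATUS'
    for NS in cgroup ipc mnt net pid user uts; do
      HOST_NS=\$(sudo readlink /proc/1/ns/\$NS)
      CTR_NS=\$(sudo readlink /proc/\$CONTAINER_PID/ns/\$NS)
      HOST_ID=\$(echo \$HOST_NS | sed 's/.*\\[\\(.*\\)\\]/\\1/')
      CTR_ID=\$(echo \$CTR_NS | sed 's/.*\\[\\(.*\\)\\]/\\1/')
      if [ -z \"\$HOST_NS\" ] || [ -z \"\$CTR_NS\" ]; then
        STATUS='UNKNOWN'
      elif [ \"\$HOST_NS\" = \"\$CTR_NS\" ]; then
        STATUS='SHARED'
      else
        STATUS='ISOLATED'
      fi
      printf \"%-10s %-25s %-24s %s\\n\" \"\$NS\" \"\$HOST_ID\" \"\$CTR_ID\" \"\$STATUS\"
    done
  "
  echo ""
}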

# Create shared network pod if requested
# NOTE(review): the three `POD{1,2,3}=$(cat < /dev/null` lines below are
# truncated — the pod manifests (presumably a here-doc that was piped on to
# kubectl) were lost in extraction, the `$(` is never closed, and the file
# does not parse from this point on. Nothing after here can be reviewed or
# run as shown; recover the original listing before relying on it.
if $DO_NETWORK; then
  echo "=== hostNetwork ==="
  POD1=$(cat < /dev/null
fi

# Create shared PID pod if requested
# (truncated, see the note above)
if $DO_PID; then
  echo "=== hostPID ==="
  POD2=$(cat < /dev/null
fi

# Create shared IPC pod if requested
# (truncated, see the note above)
if $DO_IPC; then
  echo "=== hostIPC ==="
  POD3=$(cat < /dev/null
fi