Kubernetes pods/exec
pods/exec is a convenient way to execute commands inside a container for debugging and administration. But
here's a challenge right off the bat: how safe do you think the following Kubernetes role is — one that could be granted
to any user, assuming the absurd scenario that the Secret resource is not used in the cluster?

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-role
rules:
  - apiGroups: [""]
    resources: ["*"]
    verbs: ["get"]

If you answered "safe," you're not alone — and you would have granted pods/exec access to any
user in the cluster, provided you also created a ClusterRoleBinding on top of it.
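
As an added example (not code from the original post or from Kubernetes itself), the following Python models the rule-matching step of RBAC to show why the role above matches a `get` request on the `pods/exec` subresource, next to a role that lists its resources explicitly. `READ_ONLY_ROLE` and all function names are hypothetical, and `resourceNames` is ignored because it only narrows which pods are affected.

```python
# Added example: models how one RBAC rule is matched against a request.
# Rule dicts mirror the YAML fields (apiGroups, resources, verbs).

def list_matches(values, wanted):
    """A rule list matches if it holds the wildcard or the exact value."""
    return "*" in values or wanted in values

def resource_matches(rule_resources, resource, subresource=""):
    """'*' covers every resource AND every subresource; 'pods' alone does not
    cover 'pods/exec'; '*/exec' covers the exec subresource of any resource."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for entry in rule_resources:
        if entry == "*" or entry == combined:
            return True
        if subresource and entry == f"*/{subresource}":
            return True
    return False

def rule_allows(rule, verb, api_group, resource, subresource=""):
    return (list_matches(rule.get("verbs", []), verb)
            and list_matches(rule.get("apiGroups", []), api_group)
            and resource_matches(rule.get("resources", []), resource, subresource))

def grants_pod_exec(role):
    """Return the rules of a Role/ClusterRole that allow `get` on pods/exec."""
    return [r for r in role.get("rules", [])
            if rule_allows(r, "get", "", "pods", "exec")]

# The role from the page, transcribed from its YAML.
TEST_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "test-role"},
    "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get"]}],
}

# Hypothetical tightened role (constructed): explicit resources, no wildcard.
READ_ONLY_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "read-only-explicit"},
    "rules": [{"apiGroups": [""],
               "resources": ["pods", "pods/log", "services", "configmaps"],
               "verbs": ["get"]}],
}

if __name__ == "__main__":
    for role in (TEST_ROLE, READ_ONLY_ROLE):
        hit = bool(grants_pod_exec(role))
        print(f'{role["metadata"]["name"]}: get on pods/exec allowed = {hit}')
```

The same matching can be run over every rule of every Role and ClusterRole exported from a cluster to list the ones that reach `pods/exec` through a wildcard.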