├── README.md
├── exec-user
    ├── exec-user.sh
    └── plugin.yaml
└── install.sh


/README.md:
--------------------------------------------------------------------------------
 1 | # kubectl-exec-user
 2 | 
 3 | ## Overview
 4 | 
 5 | Exec as a specified user into a Kubernetes container.
 6 | 
 7 | This works by creating a pod on the same node as the container and mounting the docker socket into this container. The container runs the docker application which has access to the hosts containers and is able to use the exec command with the user flag.
 8 | 
 9 | ## Install
10 | 
11 | Run the install script to copy the plugin to `~/.kube/plugins`.
12 | 
13 | ```
14 | ./install.sh
15 | ```
16 | 
17 | ## Usage
18 | 
19 | ```
20 | kubectl plugin exec-user $POD $COMMAND
21 | ```
22 | 
23 | If the command is not specified, falls back to the `sh` command.
24 | 
25 | **Flags**
26 | 
27 | | Name      | Shorthand | Default   | Usage                                                                     |
28 | |-----------|-----------|---------- |---------------------------------------------------------------------------|
29 | | user      | -u        | root      | Username or UID.                                                          |
30 | | container | -c        |           | Container name. If omitted, the first container in the pod will be chosen |
31 | | name      | -o        | exec-user | Name for new exec-user pod to avoid `pods "exec-user" already exists`     |                           | 
32 | 
33 | ## Examples
34 | 
35 | Exec into first container in `example` pod with `sh` as user `root`.
36 | ```
37 | kubectl plugin exec-user example
38 | ```
39 | 
40 | Exec into first container in `example` pod with `bash` as user `root`.
41 | ```
42 | kubectl plugin exec-user example bash
43 | ```
44 | 
45 | Exec into first container in `example` pod with `bash` as user `admin`.
46 | ```
47 | kubectl plugin exec-user -u admin example-pod bash
48 | ```
49 | 
50 | Exec into `second` container in `example` pod with `bash` as user `admin`.
51 | ```
52 | kubectl plugin exec-user -c second -u admin example-pod bash
53 | ```
54 | 


--------------------------------------------------------------------------------
/exec-user/exec-user.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | POD=${1}
 4 | COMMAND=${2:-sh}
 5 | NEW_POD_NAME=${KUBECTL_PLUGINS_LOCAL_FLAG_NAME:-exec-user-${POD}}
 6 | NEW_POD_NAME=${NEW_POD_NAME:0:63}  # max len allowed
 7 | 
 8 | KUBECTL=${KUBECTL_PLUGINS_CALLER}
 9 | NAMESPACE=${KUBECTL_PLUGINS_CURRENT_NAMESPACE}
10 | USER=${KUBECTL_PLUGINS_LOCAL_FLAG_USER}
11 | export CONTAINER=${KUBECTL_PLUGINS_LOCAL_FLAG_CONTAINER}
12 | 
13 | NODENAME=$( $KUBECTL --namespace ${NAMESPACE} get pod ${POD} -o go-template='{{.spec.nodeName}}' )
14 | 
15 | if [[ -n ${CONTAINER} ]]; then
16 |   DOCKER_CONTAINERID=$( eval $KUBECTL --namespace ${NAMESPACE} get pod ${POD} -o go-template="'{{ range .status.containerStatuses }}{{ if eq .name \"${CONTAINER}\" }}{{ .containerID }}{{ end }}{{ end }}'" )
17 | else
18 |   DOCKER_CONTAINERID=$( $KUBECTL --namespace ${NAMESPACE} get pod ${POD} -o go-template='{{ (index .status.containerStatuses 0).containerID }}' )
19 | fi
20 | CONTAINERID=${DOCKER_CONTAINERID#*//}
21 | 
22 | read -r -d '' OVERRIDES <<EOF
23 | {
24 |     "apiVersion": "v1",
25 |     "spec": {
26 |         "containers": [
27 |             {
28 |                 "image": "docker",
29 |                 "name": "docker",
30 |                 "stdin": true,
31 |                 "stdinOnce": true,
32 |                 "tty": true,
33 |                 "restartPolicy": "Never",
34 |                 "args": [
35 |                   "exec",
36 |                   "-it",
37 |                   "-u",
38 |                   "${USER}",
39 |                   "${CONTAINERID}",
40 |                   "${COMMAND}"
41 |                 ],
42 |                 "volumeMounts": [
43 |                     {
44 |                         "mountPath": "/var/run/docker.sock",
45 |                         "name": "docker"
46 |                     }
47 |                 ]
48 |             }
49 |         ],
50 |         "nodeSelector": {
51 |           "kubernetes.io/hostname": "${NODENAME}"
52 |         },
53 |         "volumes": [
54 |             {
55 |                 "name": "docker",
56 |                 "hostPath": {
57 |                     "path": "/var/run/docker.sock",
58 |                     "type": "File"
59 |                 }
60 |             }
61 |         ]
62 |     }
63 | }
64 | EOF
65 | 
66 | eval kubectl run --namespace=${NAMESPACE} -it --rm --restart=Never --image=docker --overrides="'${OVERRIDES}'" ${NEW_POD_NAME}
67 | 


--------------------------------------------------------------------------------
/exec-user/plugin.yaml:
--------------------------------------------------------------------------------
 1 | name: "exec-user"
 2 | shortDesc: "Exec user plugin"
 3 | longDesc: >
 4 |   Exec as a specified user into a container.
 5 | example: ""
 6 | command: "./exec-user.sh"
 7 | flags:
 8 |   - name: "user"
 9 |     shorthand: "u"
10 |     desc: "Username or UID. If omitted, will use root"
11 |     defValue: "root"
12 |   - name: "container"
13 |     shorthand: "c"
14 |     desc: "Container name. If omitted, the first container in the pod will be chosen"
15 |   - name: "name"
16 |     shorthand: "o"
17 |     desc: "Name for new exec-user pod. If omitted it will use exec-user + $POD"
18 | 


--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | 
3 | mkdir -p ~/.kube/plugins
4 | 
5 | cp -r exec-user ~/.kube/plugins/
6 | chmod +x ~/.kube/plugins/exec-user
7 | 


--------------------------------------------------------------------------------