Merge pull request #59 from mpepping/manifests

Adds requests packages, deployment examples + updated README
mpepping · Aug 9, 2024 · 7ae5296 · 7ae5296
2 parents f1a0ce6 + a6831e7
commit 7ae5296
Show file tree

Hide file tree

Showing 4 changed files with 146 additions and 6 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -8,19 +8,25 @@ LABEL org.opencontainers.image.title="podshell"
 LABEL org.opencontainers.image.url="ghcr.io/mpepping/podshell/shell:latest"
 
 RUN apk add --no-cache \
+      atop \
       bash \
       bash-completion \
       bind-tools \
       curl \
+      htop \
       iproute2 \
       jq \
+      man-db \
+      man-pages \
       openssh-client \
       openssl \
       procps \
       shadow \
       skopeo \
       socat \
+      strace \
       sudo \
+      tcpdump \
       tmux \
       vim \
       wget

diff --git a/README.md b/README.md
@@ -8,22 +8,22 @@ By default, the container starts as a regular user, to play nice with potential
 
 ## Usage
 
-Imperative and removed on exit:
+**Imperative** and removed on exit:
 
 ```bash
 kubectl run -it --rm --restart=Never --image=ghcr.io/mpepping/podshell:latest shell
 ```
 
-Declarative:
+**Declarative**:
 
 ```yaml
 kubectl apply -f - <<EOF
 apiVersion: v1
 kind: Pod
 metadata:
   labels:
-    run: shell
-  name: shell
+    name: podshell
+  name: podshell
 spec:
   containers:
   - image: ghcr.io/mpepping/podshell:latest
@@ -34,13 +34,46 @@ spec:
 EOF
 ```
 
-As a Deployment:
+As an imperative **Deployment**:
 
 ```bash
 kubectl create deployment shell --image=ghcr.io/mpepping/podshell:latest -- sleep infinit
 ```
 
-Or in docker or podman:
+As a **privileged daemonset** to add some host level super powers:
+
+```bash
+kubectl apply -f k8s/daemonset.yaml
+```
+
+This DaemonSet manifest will:
+
+ 1. Ensure a pod with our Docker image is running indefinitely on every node.
+ 2. Use `hostPID`, `hostIPC`, and `hostNetwork`.
+ 3. Mount the entire host filesystem to `/host` in the containers.
+
+In order to make use of these workloads, you can exec into a pod of choice by name:
+
+```bash
+kubectl -n kube-system get pods -l name=podshell -o name
+kubectl -n kube-system exec -it PODNAME bash
+```
+
+If you know the specific node name that you're interested in, you can exec into the debug pod on that node with:
+
+```bash
+NODE_NAME="talos-dev-worker-1"
+POD_NAME=$(kubectl -n kube-system get pods -l name=podshell --field-selector spec.nodeName=${NODE_NAME} -ojsonpath='{.items[0].metadata.name}')
+kubectl -n kube-system exec -it ${POD_NAME} bash
+```
+
+As a **privileged deployment**, instead of a daemonset example:
+
+```bash
+kubectl apply -f k8s/deployment.yaml
+```
+
+Or in **docker** or **podman**:
 
 ```bash
 docker run -ti --rm ghcr.io/mpepping/podshell:latest ||\

diff --git a/k8s/daemonset.yaml b/k8s/daemonset.yaml
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: podshell
+  namespace: kube-system
+  labels:
+    app: podshell
+spec:
+  selector:
+    matchLabels:
+      name: podshell
+  template:
+    metadata:
+      labels:
+        name: podshell
+      annotations:
+        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+    spec:
+      dnsPolicy: ClusterFirstWithHostNet
+      hostPID: true
+      hostIPC: true
+      hostNetwork: true
+      tolerations:
+      - operator: Exists
+      containers:
+      - name: podshell
+        securityContext:
+          privileged: true
+        image: ghcr.io/mpepping/podshell:latest
+        command: [ "sleep", "infinity" ]
+        resources:
+          requests:
+            memory: "0"
+            cpu: "0"
+          limits:
+            memory: "500Mi"
+            cpu: "500m"
+        volumeMounts:
+          - name: host
+            mountPath: /host
+      terminationGracePeriodSeconds: 0
+      volumes:
+        - name: host
+          hostPath:
+            path: /
+  updateStrategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 100%
+    type: RollingUpdate
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: podshell
+  namespace: kube-system
+  labels:
+    app: podshell
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: podshell
+  template:
+    metadata:
+      labels:
+        name: podshell
+      annotations:
+        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+    spec:
+      dnsPolicy: ClusterFirstWithHostNet
+      hostPID: true
+      hostIPC: true
+      hostNetwork: true
+      tolerations:
+      - operator: Exists
+      containers:
+      - name: podshell
+        securityContext:
+          privileged: true
+        image: ghcr.io/mpepping/podshell:latest
+        command: [ "sleep", "infinity" ]
+        resources:
+          requests:
+            memory: "0"
+            cpu: "0"
+          limits:
+            memory: "500Mi"
+            cpu: "500m"
+        volumeMounts:
+          - name: host
+            mountPath: /host
+      terminationGracePeriodSeconds: 0
+      volumes:
+        - name: host
+          hostPath:
+            path: /
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 100%
+    type: RollingUpdate