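Background
1. In a k8s + docker environment, the pod's container starts normally, but the image contains no sh/bash, so you cannot get into the container with kubectl exec (the coredns image, for example); or kubectl exec works, but the container has no ping, telnet, curl, tcpdump or similar tools.
2. You have permission to log in to the container's host, and that host has the relevant tools installed.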
[root@VM-0-12-centos ~]# hostname -I
10.72.0.12 169.254.32.1 172.16.0.1
[root@VM-0-12-centos ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
10.72.0.12 Ready <none> 9m v1.20.6-tke.12
[root@VM-0-12-centos ~]# kubectl get pod -A -owide | grep coredns
kube-system coredns-78964c5667-6ht4c 1/1 Running 1 11m 172.16.0.6 10.72.0.12 <none> <none>
[root@VM-0-12-centos ~]# kubectl -n kube-system exec -ti coredns-78964c5667-6ht4c -- sh
OCI runtime exec failed: exec failed: container_linux.go:380: starting container process caused: exec: "sh": executable file not found in $PATH: unknown
command terminated with exit code 126
[root@VM-0-12-centos ~]# kubectl -n kube-system exec -ti coredns-78964c5667-6ht4c -- bash
OCI runtime exec failed: exec failed: container_linux.go:380: starting container process caused: exec: "bash": executable file not found in $PATH: unknown
command terminated with exit code 126
[root@VM-0-12-centos ~]#
Solution
1. Find the container ID
kubectl -n {namespace} get pod {podName} -oyaml | grep containerID -A 1
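Use kubectl to find the container ID in the pod's YAML. Note: a pod may contain several containers, so pick the right one by its image name. In the example below, the container for the coredns image has ID 6008ed69fd26d235d7d674966705815c1dccee9dde72e526507fd0f026ab819b.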
[root@VM-0-12-centos ~]# kubectl -n kube-system get pod coredns-78964c5667-6ht4c -oyaml | grep containerID -A 1
- containerID: docker://6008ed69fd26d235d7d674966705815c1dccee9dde72e526507fd0f026ab819b
image: ccr.ccs.tencentyun.com/library/coredns:1.6.2
2. Find the container's process ID from the container ID
docker inspect {containerID} | grep \"Pid\"
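For docker, a container is essentially a special process on the host, so you can log in to the host running the pod and use docker inspect to find the process ID in the container's information.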
[root@VM-0-12-centos ~]# docker inspect 6008ed69fd26d235d7d674966705815c1dccee9dde72e526507fd0f026ab819b | grep \"Pid\"
"Pid": 3425,
3. Enter the container's network namespace using the process ID
nsenter -t {pid} -n
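Use nsenter to enter the container's network namespace: -t specifies the target process ID, and -n enters that process's network namespace. Only the network namespace is switched, so the host's own tools (ifconfig, route, curl) still run, but against the container's interfaces and routes.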
[root@VM-0-12-centos ~]# nsenter -t 3425 -n
[root@VM-0-12-centos ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.0.6 netmask 255.255.255.192 broadcast 172.16.0.63
ether ce:0c:d5:6f:69:8a txqueuelen 0 (Ethernet)
RX packets 1263 bytes 141931 (138.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1197 bytes 206822 (201.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 17910 bytes 1429218 (1.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17910 bytes 1429218 (1.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@VM-0-12-centos ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.0.1 0.0.0.0 UG 0 0 0 eth0
172.16.0.0 0.0.0.0 255.255.255.192 U 0 0 0 eth0
[root@VM-0-12-centos ~]# curl
curl: try 'curl --help' or 'curl --manual' for more information
[root@VM-0-12-centos ~]# exit
logout
[root@VM-0-12-centos ~]#
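The three steps above chained into one script, as an added example that is not part of the original post. The function names are hypothetical; it assumes the Docker runtime used on this page and root on the node, and it refuses ambiguous image matches, non-Docker container IDs and stopped containers (Pid 0).

```sh
#!/bin/sh
# Added example, not from the original post. Run as root on the pod's node.

# Print "image<TAB>containerID" for every container in the pod.
list_containers() {  # args: namespace pod
  kubectl -n "$1" get pod "$2" -o \
    jsonpath='{range .status.containerStatuses[*]}{.image}{"\t"}{.containerID}{"\n"}{end}'
}

# Read "image containerID" lines on stdin and print the bare Docker ID of the
# one container whose image contains $1. Zero or several matches is an error,
# so a sidecar is never entered by accident.
pick_container_id() (
  want=$1 id= n=0
  while read -r image cid; do
    case $image in *"$want"*) id=$cid; n=$((n + 1)) ;; esac
  done
  [ "$n" -eq 1 ] || { echo "expected 1 match for '$want', got $n" >&2; exit 1; }
  case $id in
    docker://*) id=${id#docker://} ;;
    *) echo "not a Docker container: $id" >&2; exit 1 ;;
  esac
  # A Docker container ID is 64 lowercase hex characters.
  case $id in *[!0-9a-f]*) echo "malformed container ID" >&2; exit 1 ;; esac
  [ "${#id}" -eq 64 ] || { echo "malformed container ID" >&2; exit 1; }
  printf '%s\n' "$id"
)

# docker inspect reports Pid 0 for a container that is not running.
valid_pid() {
  case $1 in ''|0*|*[!0-9]*) return 1 ;; esac
}

# Join only the network namespace (-n): tools and files still come from the host.
netns_run() (  # args: namespace pod image-substring [command...]
  ns=$1 pod=$2 image=$3
  shift 3
  cid=$(list_containers "$ns" "$pod" | pick_container_id "$image") || exit 1
  pid=$(docker inspect -f '{{.State.Pid}}' "$cid") || exit 1
  valid_pid "$pid" || { echo "container not running (Pid=$pid)" >&2; exit 1; }
  exec nsenter -t "$pid" -n -- "$@"
)

if [ "$#" -ge 3 ]; then netns_run "$@"; fi
```

Saved under a name of your choice and called with a namespace, pod, image substring and a command (for example `kube-system coredns-78964c5667-6ht4c coredns route -n`), it runs that host command in the pod's network namespace; with no command, nsenter starts a shell there as in step 3.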
Also published on the WeChat official account 卡巴斯; you are welcome to follow it.