I have one pod running with the name 'jenkins-app-2843651954-4zqdp'. I want to install a few software packages temporarily on this pod. How can I do this?
I am trying this:
kubectl exec -it jenkins-app-2843651954-4zqdp -- /bin/bash
and then running apt-get install commands, but since the user I am accessing with doesn't have sudo access I am not able to run the commands.
12 Answers
- Use kubectl describe pod ... to find the node running your Pod and the container ID (docker://...)
- SSH into the node
- run
docker exec -it -u root ID /bin/bash
There are some plugins for kubectl that may help you achieve this:
One of the plugins, called 'ssh', will allow you to exec as the root user by running (for example):
kubectl ssh -u root -p nginx-0
Building on @jordanwilson230's answer he also developed a bash-script called exec-as which uses Docker-in-Docker to accomplish this:
When installed via kubectl plugin manager krew → kubectl krew install exec-as you can simply
kubectl exec-as -u <username> <podname> -- /bin/bash
This only works in Kubernetes clusters which allow privileged containers.
Just in case you came here looking for an answer for minikube: the minikube ssh command can actually work together with the docker command here, which makes it fairly easy:
Find the container ID:
$ minikube ssh docker container ls
Add the -u 0 option to the docker command (quoting the whole docker command is necessary):
$ minikube ssh "docker container exec -it -u 0 <Container ID> /bin/bash"
NOTE: this is NOT for Kubernetes in general, it works for minikube only. While I feel we need root access quite a lot in local development environments, it's worth mentioning in this thread.
For my case, I needed root access (or sudo) to the container to give the chown permission to a specific mount path.
I cannot SSH to the machine because I designed my infrastructure to be fully automated with Terraform without any manual access.
Instead, I found that initContainers does the job:
initContainers:
  - name: volume-prewarming
    image: busybox
    command: ["sh", "-c", "chown -R 1000:0 {{ .Values.persistence.mountPath }}"]
    volumeMounts:
      - name: {{ .Chart.Name }}
        mountPath: {{ .Values.persistence.mountPath }}
I've also created a whole course about Production grade running kubernetes on AWS using EKS
In case anyone is working on AKS, follow these steps:
- Identify the pod that is running the container
- Identify the node that is running that pod (kubectl describe pod -n <namespace> <pod_name> | grep "Node:", or look for it on Azure portal)
- SSH to the AKS cluster node
Once you are inside a node, perform these commands to get into the container:
- sudo su (you must get root access to use docker commands)
- docker exec -it -u root ID /bin/bash (to get the container id, use docker container ps)
To log in as a different user I use the exec-as plugin in Kubernetes. Here are the steps you can follow:
Make sure git is installed
Step 1: Install the Krew plugin
begin
  set -x; set temp_dir (mktemp -d); cd "$temp_dir" &&
  set OS (uname | tr '[:upper:]' '[:lower:]') &&
  set ARCH (uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/') &&
  set KREW krew-$OS"_"$ARCH &&
  curl -fsSLO "" &&
  tar zxvf $KREW.tar.gz &&
  ./$KREW install krew &&
  set -e KREW; set -e temp_dir
end
Step 2: Install exec-as
kubectl krew install exec-as
Step 3: Try with root or a different user
kubectl exec-as -u root frontend-deployment-977b8fd4c-tb5pz
WARNING: You installed plugin "prompt" from the krew-index plugin repository. These plugins are not audited for security by the Krew maintainers. Run them at your own risk.
That's all well and good, but what about new versions of kubernetes that use containerd?
using
nerdctl exec -uroot -ti 817d52766254 sh
there is no full-fledged root, part of the system in this read-only mode
Working with kubernetes 1.21, none of the docker and kubectl-plugin approaches worked for me. (since k8s 1.21 uses cri-o as container runtime).
What did work for me was using runc:
- get containerID via
kubectl get pod <podname> -o jsonpath="{.status.containerStatuses[].containerID}" | sed 's/.*\/\///'
- containerID is something like
4ed493495241b061414b94425bb03b682534241cf19776f8809aeb131fa5a515
- get node pod is running on
kubectl describe pod <podname> | grep Node:
Node:
- ssh into node
- on node, run (might have to use sudo):
runc exec -t -u 0 containerID sh
so something like:
runc exec -t -u 0 4ed493495241b061414b94425bb03b682534241cf19776f8809aeb131fa5a515 sh
Adding to the answer from henning-jay, when using containerd as runtime.
get containerID via
kubectl get pod <podname> -o jsonpath="{.status.containerStatuses[].containerID}" | sed 's,.*//,,'
containerID will be something like 7e328fc6ac5932fef37f8d771fd80fc1a3ddf3ab8793b917fafba317faf1c697
lookup the node for pod
kubectl get pod <podname> -o wide
on node, trigger runc - since it's invoked by containerd, the --root has to be changed
runc --root /run/containerd/runc/ exec -t -u 0 <containerID> sh
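The container-ID step shared by the docker, cri-o and containerd answers above, as an added example (not code from any of the posters): it splits the <runtime>://<id> value reported by kubectl, rejects anything that is not a 64-character lowercase hex ID before it is pasted into a root command on the node, and prints the matching command from those answers. The helper name node_exec_cmd and the RUNC_ROOT override are assumptions; the default path is the one quoted in the containerd answer.

```shell
# Added example (not from the posters): map a pod's containerID status value
# to the node-side root-shell command given in the answers above.

# runc state directory for containerd, as quoted in the containerd answer;
# RUNC_ROOT is a hypothetical override for nodes that use another path.
RUNC_ROOT="${RUNC_ROOT:-/run/containerd/runc/}"

# node_exec_cmd <runtime>://<id>   (hypothetical helper name)
# Prints the command to run on the node; returns non-zero on bad input.
node_exec_cmd() {
    nec_uri="$1"
    case "$nec_uri" in
        *://*) nec_rt="${nec_uri%%://*}"; nec_id="${nec_uri#*://}" ;;
        *) echo "expected <runtime>://<id>, got: $nec_uri" >&2; return 2 ;;
    esac
    # The ID ends up in a root command on the node, so accept only the
    # 64-character lowercase hex form shown in the answers.
    case "$nec_id" in
        *[!0123456789abcdef]*)
            echo "non-hex character in container ID" >&2; return 2 ;;
    esac
    if [ "${#nec_id}" -ne 64 ]; then
        echo "container ID must be 64 characters, got ${#nec_id}" >&2
        return 2
    fi
    case "$nec_rt" in
        docker)     echo "docker exec -it -u root $nec_id /bin/bash" ;;
        cri-o)      echo "runc exec -t -u 0 $nec_id sh" ;;
        containerd) echo "runc --root $RUNC_ROOT exec -t -u 0 $nec_id sh" ;;
        *) echo "unsupported runtime: $nec_rt" >&2; return 3 ;;
    esac
}

# Constructed sample: the container ID quoted in the containerd answer,
# with the runtime prefix that the sed step in the answers strips off.
SAMPLE_ID="containerd://7e328fc6ac5932fef37f8d771fd80fc1a3ddf3ab8793b917fafba317faf1c697"
node_exec_cmd "$SAMPLE_ID"
```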
- docker container ls to find container ID
- docker exec -it -u root ID /bin/bash
We can exec into a Kubernetes pod through the following command.
kubectl exec --stdin --tty pod-name -n namespace-name -- /bin/bash