How to run 'connect_get_namespaced_pod_exec' as root in python k8s client

Question

from os import getenv, listdir, path
from kubernetes import client, config
from kubernetes.stream import stream
import constants, logging
from pprint import pprint

def listdir_fullpath(directory):
    return [path.join(directory, file) for file in listdir(directory)]

def active_context(kubeConfig, cluster):
    config.load_kube_config(config_file=kubeConfig, context=cluster)

def kube_exec(command, apiInstance, podName, namespace, container):
    response = None
    execCommand = [
        '/bin/bash',
        '-c',
        command]
    try:
        response = apiInstance.read_namespaced_pod(name=podName,
                                                namespace=namespace)
    except ApiException as e:
        if e.status != 404:
            print(f"Unknown error: {e}")
            exit(1)
    if not response:
        print("Pod does not exist")
        exit(1)
    try:
        response = stream(apiInstance.connect_get_namespaced_pod_exec,
                          podName,
                          namespace,
                          container=container,
                          command=execCommand,
                          stderr=True,
                          stdin=False,
                          stdout=True,
                          tty=False,
                          _preload_content=True)
    except Exception as e:
        print("error in executing cmd")
        exit(1)
    pprint(response)


if __name__ == '__main__':
    configPath     = constants.CONFIGFILE
    kubeConfigList = listdir_fullpath(configPath)
    kubeConfig = ':'.join(kubeConfigList)
    active_context(kubeConfig, "ort.us-west-2.k8s.company-foo.net")
    apiInstance = client.CoreV1Api()
    kube_exec("whoami", apiInstance, "podname-foo", "namespace-foo", "container-foo")

I run this code and the response I get from running whoami is: 'java\n' how can I run as root? also, I can't find a good doc for this client anywhere (the docs on the git repo are pretty horrible) if you can link me to any it would be awesome

EDIT: I just tried on a couple of different pods and containers, looks like some of them default to root, would still like to be able to choose my user when I run a command so question is still relevant

Answer 1

some of them default to root, would still like to be able to choose my user when I run a command so question is still relevant

You have influence over the UID (not the user directly, as far as I know) when you launch the Pod, but from that point forward, there is no equivalent to docker exec -u in kubernetes -- you can attach to the Pod, running as whatever UID it was launched as, but you cannot change the UID

I would hypothesize that's a security concern in locked down clusters, since one would not want someone with kubectl access to be able to elevate privileges

If you need to run as root in your container, then you should change the value of securityContext: runAsUser: 0 and then drop privileges for running your main process. That way new commands (spawned by your exec command) will run as root, just as your initial command: does