CKS Challenege 2 - startupProbe to remove shells

alessandro.affinito · April 18, 2022, 7:19pm

Hi!
I’m not sure how to resolve this step from the second contest in this challenge, inside the dev pod.

This pod can be accessed using the ‘kubectl exec’ command. We want to make sure that this does not happen. Use a startupProbe to remove all shells before the container startup. Use ‘initialDelaySeconds’ and ‘periodSeconds’ of ‘5’. Hint: For this to work you would have to run the container as root!

I don’t get the sense of using a startupProbe to remove something actually, but I’ve still tried something ugly like the following, which didn’t work.
Suggestions?

spec:
  containers:
    ...
    startupProbe:
      "remove the shells"
      initialDelaySeconds: 5
      periodSeconds: 5

Thanks

Tej_Singh_Rana · April 19, 2022, 5:21pm

It’s a challenge for rewards so I won’t share much details but there is one more shell that will provide you access to the pod’s container.

Regards,
KodeKloud Support

alessandro.affinito · April 19, 2022, 7:08pm

Thanks,
actually the answer is written in the box for the staging pod

I didn’t know about the prizes sorry, I’m removing part of the question

Tej_Singh_Rana · April 20, 2022, 6:03am

Please check out this post for more information.
Certified Kubernetes Security Specialist Challenge Series

Javier3 · May 17, 2022, 9:18am

I’m stuck in this task for the last two days… I don’t know how to move forward

Javier3 · May 17, 2022, 12:46pm

I’ve finally removed the shells and I can’t access to the pod using kubexec, but still is not ok

root@controlplane ~ ✖ k exec -it dev-webapp -n dev sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
OCI runtime exec failed: exec failed: container_linux.go:367: starting container process caused: exec: "sh": executable file not found in $PATH: unknown
command terminated with exit code 126

root@controlplane ~ ✖ k exec -it dev-webapp -n dev ash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
OCI runtime exec failed: exec failed: container_linux.go:367: starting container process caused: exec: "ash": executable file not found in $PATH: unknown
command terminated with exit code 126

root@controlplane ~ ✖

Tej-Singh-Rana · May 17, 2022, 6:12pm

Hi @Javier3 ,
Can you please share more context? what do you mean by “still is not ok”?
You are not getting a green tick mark on that given description after removing the shell and specifying the mentioned fields on the pod?

Regards,
KodeKloud Support

Javier3 · May 17, 2022, 6:25pm

Yes, that’s it. The shells are not available in the pod. I can’t access, executing kubectl exec… and still I don’t have the green check. I can share with you what I did…

Javier3 · May 18, 2022, 11:25am

I don’t know if it’s checking the file /etc/passwd or if the ash & sh are not available, both… honestly I don’t know.

Ayman · May 18, 2022, 5:50pm

@Javier3 try kubectl -n dev exec -it dev-webapp sh

Javier3 · May 18, 2022, 6:14pm

@Ayman I did it too

root@controlplane ~ k exec -it dev-webapp -n dev sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] – [COMMAND] instead.
OCI runtime exec failed: exec failed: container_linux.go:367: starting container process caused: exec: “sh”: executable file not found in $PATH: unknown
command terminated with exit code 126

Ayman · May 19, 2022, 12:52pm

Kindly check the attached gif
exec

fonguetaghuo · May 20, 2022, 6:45am

I don’t get a green klick althought i have prevent the exec to run with a startup probe:
kubectl exec --stdin --tty -n staging staging-webapp – ash
OCI runtime exec failed: exec failed: container_linux.go:367: starting container process caused: exec: “ash”: executable file not found in $PATH: unknown
command terminated with exit code 126

Javier3 · May 20, 2022, 1:13pm

Of course, it works before modifying the pod. After disabling the shells, you can not access.

Javier3 · May 20, 2022, 1:14pm

Same here, I don’t know what they are checking.

Tej-Singh-Rana · May 21, 2022, 6:24pm

Hi @fonguetaghuo ,
Can you please share the screenshot? and DM me your manifest file.

Regards,

Tej-Singh-Rana · May 21, 2022, 6:25pm

Hi @Javier3 ,
Can you please DM me your manifest file? So you are having an issue only with this question?

Regards,

Javier3 · May 23, 2022, 6:43am

Hello, @Tej-Singh-Rana I can’t send it, I don’t know how. I can’t find the message button in your avatar.

EDIT: I’ve already sent it

Thanks for your help

Anudeep-Nalla · June 18, 2022, 10:51am

Hi @Javier3 ; is the issue is solved; iam also facing the same issue

srinivasons · June 19, 2022, 8:48am

I have removed all command in /bin of the pod. No exec commands work on it after that but still the check fails