How to execute shell script from POD A to another POD B

0
votes

I have got two pods which runs inside a kubernetes cluster. The pods are as follows

  1. mongodb pod which is of kind: StatefulSet
  2. script pod which is of kind: Job

From the script pod I am running a bash script to be executed on the mongodb pod.

The bash script contains the following code which execs to the mongodb pod and executes the below command.

kubectl exec mongo-0 -c mongo -- mongo --eval 'rs.initiate({_id: "rs0", version: 1, members: [ {_id: 0, host: "mongo-0.mongo.default.svc.cluster.local:27017"}, {_id: 1, host: "mongo-1.mongo.default.svc.cluster.local:27017"}, {_id: 2, host: "mongo-2.mongo.default.svc.cluster.local:27017"} ]});'

But when I run script pod, I get the below error

Error from server (Forbidden): pods "mongo-0" is forbidden: User "system:serviceaccount:default:default" cannot create resource "pods/exec" in API group "" in the namespace "default"

What should I do to provide permissions for the script pod to run the above command in mongodb pod ?

So like you said I created a another pod which is of kind:job and included the script.sh.

In the script.sh file, I run "kubectl exec" to the main pod to run few commands

The script gets executed, but I get the error "cannot create resource "pods/exec in API group"

So I created a clusterrole with resources: ["pods/exec"] and bind it to the default service account using ClusterRoleBinding

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]

--- 

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service-account-role-binding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default


In the pod which is of kind:job, I include the service account like shown below

restartPolicy: Never
serviceAccountName: default

but I still get the same error. What am I doing wrong here ?


Error from server (Forbidden): pods "mongo-0" is forbidden: User "system:serviceaccount:default:default" cannot create resource "pods/exec" in API group "" in the namespace "default"
1
kuberneteskubernetes-podkubernetes-rbac
Does this answer your question? how to control access for pods/exec only in kubernetes rbac without pods create binded?Emile Pels
added cluster role and bindings as you have said. I have edited the question above but I get the same error.jeril
You shouldn't use kubectl exec or similar commands to connect to a database or other routine tasks; reserve those for humans to debug. Use a normal MongoDB client library (which may require a more powerful language than a shell script, or installing the mongo client in the Job's image).David Maze
this post helped me stackoverflow.com/questions/54196533/… @DavidMaze - OK Will try reconsidering my approach..jeril

1 Answers

1
votes

If this is something that needs to be regularly run for maintenance look into Kubernetes daemon set object.