Challenge, Medium,  on  KubernetesContainers

Send a Signal to a Kubernetes App: a Slim Container Case

Ivan Velichko
by  Ivan Velichko

Premium Challenge

Upgrade your membership to unlock this and all other premium materials.

Upgrade

In this challenge, you'll need to signal a container running in the Pod called slim. The target container has nothing but the app binary inside, so you won't be able to kubectl exec into it. Your cluster access is also limited - you can perform typical application management tasks in the default namespace, but the rest of the cluster (including SSH-ing into cluster nodes) is off limits. Ah, and of course, you're not allowed to modify or redeploy the Pod.

Good luck!

Hint 1

Since there is no shell in the container, and SSH access to cluster nodes is disabled, your options are fairly limited. Which is great!

Hint 2

Look at the challenge's tag list - it may give you some ideas.

Hint 3

With the kubectl debug command, you can spawn ephemeral containers in already running Pods without causing any disruption. And you can use whatever images you want for them!

Using "kubectl debug" to spawn ephemeral containers in a running Pod.
Hint 4

Much like kubectl exec, kubectl debug can also be used to execute commands in the target Pod, including starting interactive shells.

Hint 5

Inside the right Pod but cannot see the application process? Make sure you're targeting the right container. 😉

Using "kubectl debug" with the "--target" option to attach to a specific container in a running Pod.
Hint 6

The kubectl debug command can fail with the following error:

Error from server (Forbidden): pods "slim" is forbidden:
violates PodSecurity "baseline:latest":
non-default capabilities (container "debugger-r4d4s" must not
include "SYS_PTRACE" in securityContext.capabilities.add)

This happens because kubectl debug may want to add the SYS_PTRACE Linux capability to the ephemeral container, especially when the debug container targets another container in the same Pod.

The SYS_PTRACE capability is useful for inspecting processes, but it is not allowed by the baseline Pod Security profile enforced in this namespace. As a result, the API server rejects the ephemeral debug container before it is created.

To get past this, look for a kubectl debug --profile option that lets you choose a Pod-Security-compatible debug profile instead of the default one.

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge kubernetes-signal-slim-container

This will create a local copy of the challenge content in a directory named kubernetes-signal-slim-container. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge kubernetes-signal-slim-container

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge