Challenge, Medium,  on  KubernetesSecurity

Schedule Pods Using Taints, Tolerations, and NodeSelector with Host Namespaces

Scenario

node-02 needs to be labeled and tainted for maintenance.

A dedicated Pod must run on it using nodeSelector and a matching toleration, with access to the host network, PID, and IPC namespaces.

Task

1. Label node-02 with role=maintenance.

2. Taint node-02 with key maintenance, value true, effect NoExecute.

3. Create a Pod named node-access in the maintenance namespace with:

  • image: busybox:stable
  • hostNetwork: true
  • hostPID: true
  • hostIPC: true
  • nodeSelector targeting role=maintenance
  • toleration matching the taint on node-02 with operator: Equal, tolerationSeconds: 3600

4. Verify the Pod is running on node-02, its IP matches the node IP(hostNetwork), and that node-level processes(hostPID) and shared memory segments(hostIPC) are visible from inside the Pod.

Hint

Label the node first: kubectl label node node-02 role=maintenance.

Then taint it: kubectl taint nodes node-02 maintenance=true:NoExecute.

Use nodeSelector with role: maintenance and add a matching tolerations entry with tolerationSeconds: 3600 in the Pod spec.

Test Cases

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge schedule-pod-on-tainted-node-using-tolerations-host-namespaces-b3e750bb

This will create a local copy of the challenge content in a directory named schedule-pod-on-tainted-node-using-tolerations-host-namespaces-b3e750bb. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge schedule-pod-on-tainted-node-using-tolerations-host-namespaces-b3e750bb

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge