Stars: 175 · Rank 218,059 (Top 5%) · Language: Go · License: Apache License 2.0 · Created over 2 years ago · Updated over 1 year ago


Repository Details

A Kubectl plugin that can detect if any of your workloads or manifest files are mounting the docker.sock volume

Detector for Docker Socket (DDS)

A kubectl plugin to detect if active Kubernetes workloads are mounting the docker socket (docker.sock) volume.

a short video showing the plugin being used

Install

Install the plugin with

kubectl krew install dds

You can install the krew plugin manager from their installation documentation

How it works

dds looks at every pod in your Kubernetes cluster. If pods belong to a workload (e.g. a Deployment or StatefulSet) it inspects the workload object instead of the pods directly.

It then inspects all of the volumes defined for the workload's containers and reports any volume whose path matches *docker.sock.

Supported workload types:

  • Pods
  • ReplicaSets
  • Deployments
  • StatefulSets
  • DaemonSets
  • Jobs
  • CronJobs
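The check described above, as an added example written for this page (it is not dds's own code): it locates the PodSpec for each supported workload kind, walks the volumes, and reports any hostPath whose path ends in docker.sock. It assumes manifests arrive as JSON (the form kubectl get -o json emits; the real plugin also reads YAML files), only inspects hostPath volumes, and uses constructed sample manifests; ScanManifest, Status and IsDockerSock are names chosen here, not the project's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Finding records one volume that points at the docker socket on the host.
type Finding struct {
	Kind, Namespace, Name, Volume, HostPath string
}

// podSpecKeys returns the key path from the root of a manifest to its PodSpec
// for each workload kind the README lists (kinds are matched case-insensitively).
func podSpecKeys(kind string) []string {
	switch strings.ToLower(kind) {
	case "pod":
		return []string{"spec"}
	case "replicaset", "deployment", "statefulset", "daemonset", "job":
		return []string{"spec", "template", "spec"}
	case "cronjob":
		return []string{"spec", "jobTemplate", "spec", "template", "spec"}
	}
	return nil
}

// dig walks nested JSON objects by key and returns nil if any step is missing.
func dig(m map[string]any, keys ...string) map[string]any {
	for _, k := range keys {
		next, ok := m[k].(map[string]any)
		if !ok {
			return nil
		}
		m = next
	}
	return m
}

// IsDockerSock mirrors the README's "*docker.sock" match: any hostPath whose
// path ends in docker.sock counts, whatever directory it lives in.
func IsDockerSock(p string) bool {
	return strings.HasSuffix(strings.TrimRight(p, "/"), "docker.sock")
}

// ScanManifest parses one JSON-encoded Kubernetes object and returns every
// hostPath volume in its pod template that resolves to the docker socket.
func ScanManifest(doc []byte) ([]Finding, error) {
	var obj map[string]any
	if err := json.Unmarshal(doc, &obj); err != nil {
		return nil, err
	}
	kind, _ := obj["kind"].(string)
	keys := podSpecKeys(kind)
	if keys == nil {
		return nil, fmt.Errorf("unsupported kind %q", kind)
	}
	meta := dig(obj, "metadata") // reading from a nil map is safe in Go
	name, _ := meta["name"].(string)
	ns, _ := meta["namespace"].(string)
	if ns == "" {
		ns = "default" // kubectl's default namespace when none is set
	}
	var out []Finding
	vols, _ := dig(obj, keys...)["volumes"].([]any)
	for _, v := range vols {
		vol, _ := v.(map[string]any)
		p, _ := dig(vol, "hostPath")["path"].(string)
		if !IsDockerSock(p) {
			continue
		}
		vname, _ := vol["name"].(string)
		out = append(out, Finding{strings.ToLower(kind), ns, name, vname, p})
	}
	return out, nil
}

// Status reduces a scan to the two words the plugin prints in its STATUS column.
func Status(doc []byte) string {
	findings, err := ScanManifest(doc)
	switch {
	case err != nil:
		return "error"
	case len(findings) > 0:
		return "mounted"
	}
	return "not-mounted"
}

// Constructed sample manifests (assumed JSON form); not from the project's tests/ directory.
var (
	DockerDeploy = []byte(`{"kind":"Deployment","metadata":{"name":"deploy-docker-volume","namespace":"default"},
"spec":{"template":{"spec":{"containers":[{"name":"app","image":"busybox",
"volumeMounts":[{"name":"dockersock","mountPath":"/var/run/docker.sock"}]}],
"volumes":[{"name":"dockersock","hostPath":{"path":"/var/run/docker.sock"}}]}}}}`)
	DockerCron = []byte(`{"kind":"CronJob","metadata":{"name":"cron-docker-volume"},
"spec":{"jobTemplate":{"spec":{"template":{"spec":{"volumes":[{"name":"sock","hostPath":{"path":"/run/docker.sock"}}]}}}}}}`)
	CleanPod = []byte(`{"kind":"Pod","metadata":{"name":"empty-volume","namespace":"kube-system"},
"spec":{"volumes":[{"name":"scratch","emptyDir":{}}]}}`)
)

func main() {
	// Mirrors `kubectl dds --exit-with-error`: exit 1 when any socket mount is found.
	found := false
	for _, doc := range [][]byte{DockerDeploy, DockerCron, CleanPod} {
		findings, err := ScanManifest(doc)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, f := range findings {
			fmt.Printf("%-12s %-12s %-22s volume %q -> %s\n", f.Namespace, f.Kind, f.Name, f.Volume, f.HostPath)
			found = true
		}
	}
	if found {
		os.Exit(1)
	}
}
```

The CronJob case is the one that trips naive scanners: its PodSpec sits two levels deeper (spec.jobTemplate.spec.template.spec) than for the other workload kinds, which is why the example resolves the PodSpec per kind rather than searching for a volumes key anywhere in the document.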

Why do you need this?

If you're still not sure why you might need this plugin, click on the image below to see a short video explanation.

You can read the full FAQ about dockershim deprecation at https://k8s.io/dockershim

Run

You can run the plugin with no arguments and it will inspect all pods in all namespaces that the current Kubernetes user has access to.

kubectl dds

example output

NAMESPACE       TYPE            NAME                    STATUS
default         deployment      deploy-docker-volume    mounted
default         daemonset       ds-docker-volume        mounted
default         statefulset     ss-docker-volume        mounted
default         job             job-docker-volume       mounted
default         cron            cron-docker-volume      mounted
kube-system     pod             pod-docker-volume       mounted
test1           deployment      deploy-docker-volume    mounted

You can specify a namespace to limit the scope of what will be scanned.

kubectl dds --namespace kube-system

example output

NAMESPACE       TYPE    NAME                    STATUS
kube-system     pod     pod-docker-volume       mounted

You can run dds against a single manifest file or folder of manifest files (recursive). The repo includes a tests/manifests directory.

kubectl dds --filename tests

example output

FILE                                                    LINE    STATUS
tests/manifests/docker-volume.cronjob.yaml               22      mounted
tests/manifests/docker-volume.daemonset.yaml             24      mounted
tests/manifests/docker-volume.deploy.test1.yaml          32      mounted
tests/manifests/docker-volume.deploy.yaml                25      mounted
tests/manifests/docker-volume.job.yaml                   17      mounted
tests/manifests/docker-volume.pod.kube-system.yaml       14      mounted
tests/manifests/docker-volume.replicaset.yaml            25      mounted
tests/manifests/docker-volume.statefulset.yaml           26      mounted

Use --verbose with a log level (1-10) to get more output.

kubectl dds --verbose=4

example output

NAMESPACE       TYPE            NAME                    STATUS
default         deployment      deploy-docker-volume    mounted
default         daemonset       ds-docker-volume        mounted
default         statefulset     ss-docker-volume        mounted
default         job             job-docker-volume       mounted
default         cron            cron-docker-volume      mounted
kube-system     pod             pod-docker-volume       mounted
kube-system     daemonset       aws-node                not-mounted
kube-system     daemonset       ebs-csi-node            not-mounted
kube-system     daemonset       kube-proxy              not-mounted
test1           deployment      deploy-docker-volume    mounted

You can use dds as part of your CI pipeline to catch manifest files before they are deployed.

kubectl dds --exit-with-error -f YOUR_FILES

If the docker.sock volume is found in any of the files, the CLI exit code will be 1.

Build

To build the binary you can use go build -o kubectl-dds main.go or make dds to use goreleaser.

Install the kubectl-dds binary somewhere in your PATH to use it with kubectl, or run it by itself without kubectl. The same kubectl authentication works either way (e.g. $HOME/.kube/config or KUBECONFIG).

Testing

There are different test workloads in the /tests folder. You can deploy these workloads to verify the plugin is working as intended.

kubectl apply -f tests/
daemonset.apps/ds-docker-volume created
namespace/test1 created
deployment.apps/deploy-docker-volume created
deployment.apps/deploy-docker-volume created
job.batch/job-docker-volume created
pod/pod-docker-volume created
statefulset.apps/ss-docker-volume created
pod/empty-volume created
deployment.apps/no-volume created

and then run

kubectl dds
NAMESPACE       TYPE            NAME                    STATUS
default         deployment      deploy-docker-volume    mounted
default         daemonset       ds-docker-volume        mounted
default         statefulset     ss-docker-volume        mounted
default         job             job-docker-volume       mounted
default         cron            cron-docker-volume      mounted
kube-system     pod             pod-docker-volume       mounted
test1           deployment      deploy-docker-volume    mounted
