Technologist Creative

Host device administration on a Kubernetes node with no SSH access

Rob Rakaric — Wed, 08 May 2024 20:36:46 GMT

Ive recently been building a Kubernetes lab environment to learn some AI and machine learning concepts on. The OS I chose was Talos Linux. Talos is an immutable OS that has no SSH access. When it came time to configure storage, I was in a bit of a pickle. After some research, I was really pleased to find that disk operations can be done through a K8s pod fairly easily. There are a few considerations, though.

environment

Talos Linux 1.7.0
Kubernetes 1.29.4
kubectl installed locally

make sure you can run privileged pods

Since were going to be working with the host system, youll want to be able to run privileged pods.

storage with Piraeus

I wanted to use an existing nvme disk in my labs single worker node for Piraeus storage, since it seems like a really simple way to run storage in an on-premise Kubernetes environment. I followed the Talos Linux documentation for configuring a storage pool, but there was an issue. I already had a partition on the nvme device that I wanted to use.

kubectl linstor physical-storage create-device-pool --pool-name nvme_lvm_pool LVM talos-6o3-rkz /dev/nvme0n1 --storage-pool nvme_poolERROR:Description:    (Node: 'talos-6o3-rkz') Failed to pvcreate on device: /dev/nvme0n1Details:    Command 'pvcreate --config 'devices { filter=['"'"'a|/dev/nvme0n1|'"'"','"'"'r|.*|'"'"'] }' /dev/nvme0n1' returned with exitcode 5.     Standard out:     Error message:       Cannot use /dev/nvme0n1: device is partitioned

My options are limited with no SSH access to the box, and no evident way to do destructive operations on a disk with talosctl, Talos Linuxs CLI. I could flash a gparted live USB, boot my worker node with that, and easily erase the partition. However, I wanted to accomplish this through Kubernetes instead. Heres what I did:

introduce a namespace with privileged annotations

The following creates a namespace resource called disk-utilities in your cluster where pods can run privileged.

cat <<EOF | kubectl apply --filename -apiVersion: v1kind: Namespacemetadata:  name: disk-utilities  labels:    pod-security.kubernetes.io/enforce: privileged    pod-security.kubernetes.io/audit: privileged    pod-security.kubernetes.io/warn: privilegedEOF

spin up a pod using an ubuntu container

Really, you can do this with any image that contains a number of disk utilities, but I found wipefs really easy to use for this usecase.

cat <<EOF | kubectl apply --filename -apiVersion: v1kind: Podmetadata:  name: disk-partitioner  namespace: disk-utilitiesspec:  containers:  - name: ubuntu    image: ubuntu:latest    securityContext:      privileged: true    command: ["sleep", "infinity"]    volumeMounts:    - name: dev      mountPath: /dev  volumes:  - name: dev    hostPath:      path: /dev  nodeSelector:    kubernetes.io/hostname: {{your_hostname_goes_here}}EOF

Two important things to note here:

mounting /dev directory from the host into the container, using a volume and volumeMount. Thats how we associate the container to the hosts devices!
make sure you select the correct host using nodeSelector.

I ended up using the node label kubernetes.io/hostname to ensure my pod spins up on the correct host. To list out your node labels, simply:

kubectl get nodes --show-labels

You dont have to use kubernetes.io/hostname, but make sure whichever label you use is unique to the host!

exec into the container

Next, youll exec into the container and launch a shell /bin/bash.

kubectl exec --namespace disk-utilities -it disk-partitioner -- /bin/bash

list block storage devices

Use lsblk to find the device you want to erase

root@disk-partitioner:/# lsblkOutputs list of devices

erase disk signatures

wipefs --all /dev/{your_device_name_from_lsblk}

exit container

exit

Now I can go back and provision my device pool!

kubectl linstor physical-storage create-device-pool --pool-name nvme_lvm_pool LVM talos-6o3-rkz /dev/nvme0n1 --storage-pool nvme_poolSUCCESS:    (talos-6o3-rkz) PV for device '/dev/nvme0n1' created.SUCCESS:    (talos-6o3-rkz) VG for devices [/dev/nvme0n1] with name 'nvme_lvm_pool' created.SUCCESS:    Successfully set property key(s): StorDriver/StorPoolNameSUCCESS:Description:    New storage pool 'nvme_pool' on node 'talos-6o3-rkz' registered.Details:    Storage pool 'nvme_pool' on node 'talos-6o3-rkz' UUID is: 7cde04eb-b266-4a59-8711-6731162b9f76SUCCESS:    (talos-6o3-rkz) Changes applied to storage pool 'nvme_pool'

Linstor (the underlying storage engine used by Piraeus) is happy, since it can use the newly de-partitioned device.

cleaning up

To clean up, simply delete the namespace that was created. This will delete the pod that was created in the namespace, preventing the namespace from being hijacked for privileged operations by a would-be attacker.

kubectl delete namespaces disk-utilities

]]>

Using pi-hole as your external-dns provider in Kubernetes

Rob Rakaric — Wed, 01 May 2024 20:30:09 GMT

environment assumptions

A locally-running Kubernetes cluster
Pi-Hole on the network configured as the primary DNS

what is external-dns?

When you build an ingress (which is essentially a layer-7 host and path-based load-balancer) in Kubernetes to bring web traffic to a cluster, you specify a host name. This creates a load-balancer entry in whatever load balancer you're using. If you're in public cloud, Kubernetes will call cloud load balancer APIs. In my home lab setup, I'm using metallb for this purpose. The ingress below listens for requests to openweb-ui.lan and sends them to the http service (a web UI) called openweb-ui.

apiVersion: networking.k8s.io/v1kind: Ingressmetadata:  name: open-webui  namespace: openweb-uispec:  ingressClassName: nginx  rules:  - host: openweb-ui.lan    http:      paths:      - backend:          service:            name: open-webui            port:              name: http        path: /        pathType: Prefixyaml

It reaches out to metallb to assign an IP address from a reserved pool. The address below, 192.168.126.50 was handed out by metallb.

Now that that's in place, devices on my network need to know that this hostname resolves to the ingress ip. That's where external-dns comes in. Typically, external-dns is leveraged to write DNS records to providers like Cloudflare, Route53, etc. However, it also supports writing DNS records to your locally-installed Pi-Hole!

what is pi-hole?

It's no secret that tech workers are amongst the biggest users of ad-blocking software, and one of the major players in this space is the venerable Pi-Hole.

If you don't know what Pi-Hole is, it's a piece of software originally designed to run on a Raspberry Pi (although it runs anywhere now, even Docker and Kubernetes) that blocks ads at the DNS level. You configure the Pi-Hole to be your DNS provider. When an app or website calls out to a domain associated with the configured block list(s), Pi-Hole simply responds that the advertising domain is unresolvable, and content from the advertising domain is not shown. All the while, the useful, good, content you were looking for is displayed!

Notice in the above image that analytics.js from google-analytics.com isn't loading, thanks to Pi-Hole!

However, the feature of Pi-Hole I'll be discussing in this article is Local DNS. We'll be using it to map a DNS record to the ingress IP on a homelab Kubernetes cluster.

installing external-dns

The Helm chart is the best way to install external-dns.

required information

Collect the following:

The IP address of your Pi-Hole instance (referenced as piholeipaddress)
The admin credentials for your Pi-Hole instance (referenced as piholeadminpassword)

add and update repo

helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/helm update/

create a secret for pi-hole

In this step, we'll create a Kubernetes Secret for authenticating to the Pi-Hole.

kubectl create secret generic pihole-password \--namespace external-dns \--from-literal EXTERNAL_DNS_PIHOLE_PASSWORD={{piholeadminpassword}}

create values.yaml

Next, create a values.yaml to pass configuration values to the Helm chart.

# https://github.com/kubernetes-sigs/external-dns/blob/master/charts/external-dns/README.md#valuesprovider:  name: pihole# https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/pihole.md#argumentsenv: # configured your pi-hole password and ip address  - name: EXTERNAL_DNS_PIHOLE_PASSWORD    valueFrom:      secretKeyRef:        name: pihole-password        key: EXTERNAL_DNS_PIHOLE_PASSWORD  - name: EXTERNAL_DNS_PIHOLE_SERVER    # make sure NOT to put a trailing slash, as external-dns adds its own    value: http://{{piholeipaddress}}

install

helm upgrade --install external-dns external-dns/external-dns \--namespace external-dns \--create-namespace \--values values.yaml

make sure it's working

If you check the deployment logs for external-dns , you'll see that external-dns has been hard at work creating a DNS record for your ingress.

kubectl logs --namespace external-dns deployments/external-dns external-dns

time="2024-05-01T20:14:10Z" level=info msg="add openweb-ui.lan IN A -> 192.168.126.50"time="2024-05-01T20:14:10Z" level=warning msg="Skipping unsupported endpoint openweb-ui.lan TXT \"heritage=external-dns,external-dns/owner=default,external-dns/resource=ingress/openweb-ui/open-webui\""time="2024-05-01T20:14:10Z" level=warning msg="Skipping unsupported endpoint a-openweb-ui.lan TXT \"heritage=external-dns,external-dns/owner=default,external-dns/resource=ingress/openweb-ui/open-webui\""time="2024-05-01T20:15:10Z" level=info msg="All records are already up to date"

That's it!

If you have trouble, again make sure you take out any trailing slashes on the EXTERNAL_DNS_PIHOLE_SERVER environment variable. And also make sure the IP is correct! Don't ask me how I spent like 20 minutes wondering why external-dns wouldn't connect.

]]>