This is a proof-of-concept (PoC) that communicates directly with the Kubernetes/OpenShift WebSocket API, proxies the requests, and exposes the session in the browser using the xterm.js terminal emulator.
- NodeJS
- K8s environment (Minishift/Minikube)
```bash
# Temporary alias if using K8s instead of OCP
[ -z "$(which oc)" ] && alias oc="kubectl"

# Define namespace/project name
KUBERNETES_NAMESPACE=xtermjs

# Create namespace
oc create ns $KUBERNETES_NAMESPACE

# Create the service account and assign the permissions it needs
oc apply -n $KUBERNETES_NAMESPACE -f k8s/service-account.yml

# Create test Alpine deployment
oc apply -n $KUBERNETES_NAMESPACE -f k8s/alpine-deployment.yml

# Read the service account token from its secret
TOKEN_NAME=$(oc get secrets -n $KUBERNETES_NAMESPACE | grep terminal-account-token | head -n 1 | cut -d " " -f1)
KUBERNETES_SERVICE_ACCOUNT_TOKEN=$(oc describe secret $TOKEN_NAME -n $KUBERNETES_NAMESPACE | grep -o -E "ey.+")

# Get list of pods
oc get pods -n $KUBERNETES_NAMESPACE
```

```bash
# Create .env file and update API host
cp sample.env .env

# Append required config (.env now holds a bearer token; keep it out of version control)
cat <<EOF >> .env
KUBERNETES_NAMESPACE=$KUBERNETES_NAMESPACE
KUBERNETES_SERVICE_ACCOUNT_TOKEN=$KUBERNETES_SERVICE_ACCOUNT_TOKEN
EOF

# Install required dependencies
npm install

# Start PoC server
npm run serve
```

```bash
# Development mode: both frontend and backend code are watched and rebuilt on change
npm run dev
```
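
An added example, not code from this repository: the pure helpers a Node.js proxy like the one described above needs for the Kubernetes exec WebSocket, which uses the `v4.channel.k8s.io` subprotocol where the first byte of each frame names the channel. The function names, host and pod name are assumptions; the service account token is attached only to the server-to-API connection.

```javascript
// Added example: helper names, host and pod name are assumptions, not the PoC's code.
const EXEC_SUBPROTOCOL = 'v4.channel.k8s.io'; // pass as the WebSocket subprotocol
const CHANNELS = ['stdin', 'stdout', 'stderr', 'error', 'resize']; // index = first byte of a frame
// Namespace and pod come from the browser, so accept only Kubernetes-style names.
const NAME_RE = /^[a-z0-9]([-a-z0-9.]{0,251}[a-z0-9])?$/;

function buildExecUrl(apiHost, namespace, pod, argv) {
  for (const name of [namespace, pod]) {
    if (typeof name !== 'string' || !NAME_RE.test(name)) throw new Error('invalid resource name');
  }
  const base = apiHost.replace(/^http/, 'ws'); // https:// -> wss://
  const url = new URL(`/api/v1/namespaces/${namespace}/pods/${pod}/exec`, base);
  for (const arg of argv) url.searchParams.append('command', arg);
  for (const flag of ['stdin', 'stdout', 'stderr', 'tty']) url.searchParams.set(flag, 'true');
  return url.toString();
}

// Options for the upstream connection only; the token is never sent to the browser.
function upstreamOptions(token) {
  return { headers: { Authorization: `Bearer ${token}` } };
}

// Split an upstream frame into its channel name and payload.
function decodeFrame(frame) {
  const buf = Buffer.from(frame);
  if (buf.length === 0 || buf[0] >= CHANNELS.length) throw new Error('malformed exec frame');
  return { channel: CHANNELS[buf[0]], data: buf.subarray(1).toString('utf8') };
}

// What the proxy relays to xterm.js: terminal output only, never status frames.
function forBrowser(frame) {
  const { channel, data } = decodeFrame(frame);
  return channel === 'stdout' || channel === 'stderr' ? data : null;
}

// Keystrokes from xterm.js go upstream on channel 0.
function encodeStdin(text) {
  return Buffer.concat([Buffer.from([0]), Buffer.from(text, 'utf8')]);
}

// Terminal size changes go upstream on channel 4 as JSON.
function encodeResize(cols, rows) {
  return Buffer.concat([Buffer.from([4]), Buffer.from(JSON.stringify({ Width: cols, Height: rows }))]);
}
```

With the `ws` library, the upstream socket would be opened with the URL, `EXEC_SUBPROTOCOL` and `upstreamOptions(token)`.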
- xterm.js
- kubernetes-client/javascript
- Kubernetes Container Terminal
- Developing Start Kubernetes with React, TypeScript, and Skaffold
- Executing commands in Pods using K8s API
- Use a WebSocket client to exec commands in a Kubernetes pod
- Token-based Header Authentication for WebSockets behind Node.js
- ws: a Node.js WebSocket library
- How does 'kubectl exec' work?
- Attacking and Defending Kubernetes: Bust-A-Kube – Episode 1
- Configure Service Accounts for Pods
- Writing WebSocket servers
- How It Works — kubectl exec