From 329f4124aec0e0c3a468b4be150706d3705bc855 Mon Sep 17 00:00:00 2001
From: Marcus Noble
Date: Thu, 15 Feb 2024 12:23:54 +0000
Subject: [PATCH] Updated kube-shell to work in rerstricted clusters
Signed-off-by: Marcus Noble
---
 home/.bin/kube-shell | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/home/.bin/kube-shell b/home/.bin/kube-shell
index 897fb62..3d1f24a 100755
--- a/home/.bin/kube-shell
+++ b/home/.bin/kube-shell
@@ -6,8 +6,8 @@ NAMESPACE="$(kubectl config view --minify --output 'jsonpath={..namespace}' &>/d
 set -e
 NAMESPACE=${NAMESPACE:-default}
 POD="shell"
-IMAGE="bash"
-CMD="sh"
+IMAGE="digitalocean/doks-debug"
+CMD="bash"
 print_usage() {
 blue "kube-shell - create a new pod and exec into it's shell"
@@ -19,7 +19,7 @@ print_usage() {
 echo "-h, --help show this help text"
 echo "-n, --namespace the namespace the pod should launch in"
 echo "-p, --pod the name of the pod to get logs for (default: shell)"
- echo "-i, --image the image to use for the shell container (default: bash)"
+ echo "-i, --image the image to use for the shell container (default: digitalocean/doks-debug)"
 echo "-c, --command the initial command to execute in the container (default: sh)"
 }
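Review bot: The new default `IMAGE="digitalocean/doks-debug"` carries no tag or digest, so each run pulls whatever the registry currently serves for the implicit `latest` tag into the cluster. Pinning the default, for example `IMAGE="digitalocean/doks-debug@sha256:<pinned-digest>"` (placeholder digest), keeps the debug tooling reproducible and lets an image change show up in review. It is also worth confirming that this image is usable as UID 1000 with all capabilities dropped, since the pod spec added later in this patch enforces that; this hunk alone does not show it.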
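Review bot: The `--command` help line in `print_usage` still reads `(default: sh)` although this patch changes the default to `CMD="bash"`, so the usage text now disagrees with the script. The line should become `echo "-c, --command the initial command to execute in the container (default: bash)"`. `print_usage` begins before this hunk, so any other stale defaults in it are not visible here.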
@@ -57,5 +57,16 @@ done
 NAMESPACE=${NAMESPACE:-default}
-echo kubectl run -it --namespace $NAMESPACE $POD --image $IMAGE --restart Never --rm -- $CMD
-kubectl run -it --namespace $NAMESPACE $POD --image $IMAGE --restart Never --rm -- $CMD
+OVERRIDES='{
+ "spec": {
+ "securityContext": {"runAsGroup": 1000,"runAsNonRoot": true,"runAsUser": 1000,"seccompProfile": {"type": "RuntimeDefault"}},
+ "containers": [
+ {
+ "name":"'$POD'","image":"'$IMAGE'", "command": ["'$CMD'"],
+ "stdin": true,"stdinOnce": true,"tty": true,
+ "securityContext": {"allowPrivilegeEscalation": false,"capabilities": {"drop": ["ALL"]},"privileged": false,"runAsGroup": 1000,"runAsNonRoot": true,"runAsUser": 1000,"seccompProfile": {"type": "RuntimeDefault"}}
+ }
+ ]
+ }
+}'
+kubectl run -it --namespace $NAMESPACE $POD --image $IMAGE --restart Never --overrides "${OVERRIDES}" --rm -- $CMD
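Review bot: The `OVERRIDES` document is built by splicing `$POD`, `$IMAGE` and `$CMD` directly into a JSON string, so a value passed through `-p`, `-i` or `-c` that contains a double quote or backslash produces malformed JSON or a pod spec that differs from the hardened one written here. Generating the JSON with `jq --arg` (assuming jq is an acceptable dependency for this script) escapes the values, and quoting the expansions on the `kubectl run` line avoids word splitting of the namespace, pod name and image. Note also that `"command": ["'$CMD'"]` carries a multi-word command as a single argv element while the trailing `-- $CMD` is word-split, so the two can disagree. The option-parsing loop that fills these variables lies outside the hunk.

```shell
# Build the override with jq so flag values are JSON-escaped, not spliced in
OVERRIDES="$(jq -cn --arg pod "$POD" --arg image "$IMAGE" --arg cmd "$CMD" '{
  "spec": {
    # … unchanged: pod-level securityContext …
    "containers": [
      {
        "name": $pod, "image": $image, "command": [$cmd],
        # … unchanged: stdin/stdinOnce/tty and container securityContext …
      }
    ]
  }
}')"
kubectl run -it --namespace "$NAMESPACE" "$POD" --image "$IMAGE" --restart Never --overrides "$OVERRIDES" --rm -- $CMD
```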