Enumerate non-pod processes on Kubernetes node
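#!/bin/bash
# Enumerate processes on a Kubernetes node that do not belong to any pod and
# print the resolved executable path of each one (one path per line).
#
# Run as root on the node. Resolving /proc/<pid>/exe for processes owned by
# other users needs privilege; without it find reports permission errors and
# those processes are missing from the result.
#
# NOTE(review): pod membership is decided only by a substring match on
# /proc/<pid>/cgroup, and shims are dropped only by a substring match on the
# executable path. Any process whose cgroup path contains $KUBEPOD_CGROUP, or
# whose executable path contains "containerd-shim", is left out of the output,
# so treat the list as an inventory aid and cross-check it against another
# source (audit logs, the container runtime) before relying on it.

# Substring looked for in /proc/<pid>/cgroup to recognise pod processes.
KUBEPOD_CGROUP="kubepods"

# Select all pids whose /proc/<pid>/exe resolves to a file. With -L a link that
# cannot be followed keeps type "l" and is dropped by "! -type l"; this filters
# out kernel processes we don't care about.
non_kernel_pids="$(find -L /proc/[0-9]*/exe ! -type l | cut -d / -f3 | paste -sd " ")"

# Filter out pods by checking that the proc is in whatever cgroup is configured
# for pods. Only a definite "no match" (grep status 1) counts as non-pod; a
# read error (status 2, e.g. the process already exited) skips the pid instead
# of reporting it as a host process.
non_pods=""
# shellcheck disable=SC2086 # pids are digits only; splitting is intended
for pid in $non_kernel_pids; do
  grep -q -e "$KUBEPOD_CGROUP" "/proc/$pid/cgroup" 2>/dev/null
  if [ "$?" -eq 1 ]; then
    non_pods="$non_pods $pid"
  fi
done

# Get the command line invocation of each pid. /proc/<pid>/cmdline separates
# arguments with NUL bytes; turn them into spaces before the command
# substitution, which would otherwise drop them and glue the arguments
# together. Processes can exit between the scan above and this read (the
# helpers of the find pipeline are presumably among them), so unreadable or
# empty entries are skipped.
# NOTE: $commands is collected for inspection but not printed below.
commands=""
# shellcheck disable=SC2086
for pid in $non_pods; do
  cmdline="$({ tr '\0' ' ' < "/proc/$pid/cmdline"; } 2>/dev/null)"
  cmdline="${cmdline% }" # cmdline ends with a NUL, now a trailing space
  if [ -n "$cmdline" ]; then
    commands+="${cmdline}"$'\n'
  fi
done
commands="${commands%$'\n'}"

# Check exes as well, instead of the full command line invocation. The paths
# are joined with real newlines; no "echo -e", which would reinterpret any
# backslash sequence contained in a path.
exes=""
# shellcheck disable=SC2086
for pid in $non_pods; do
  exe="$(readlink -f "/proc/$pid/exe" 2>/dev/null)"
  if [ -n "$exe" ]; then
    exes+="${exe}"$'\n'
  fi
done
exes="${exes%$'\n'}"
exes_with_shims="$exes"

# There are a bunch of containerd shims for pods, I choose arbitrarily to
# remove those (or the equivalent if your CRI isn't containerd).
exes_without_shims="$(printf '%s\n' "$exes" | grep -v "containerd-shim")"

# List those out.
printf '%s\n' "$exes_without_shims"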