hub / github.com/microsoft/retina / execInPod

Function execInPod

shell/trace.go:158–204  ·  view source on GitHub ↗

execInPod executes a command inside a pod container without using a shell. SECURITY: The command is passed as an array directly to the container runtime, preventing shell injection attacks. No shell interpolation occurs. Parameters: - ctx: Context for cancellation (e.g., Ctrl-C) - restConfig: Kuber

(
	ctx context.Context,
	restConfig *rest.Config,
	clientset *kubernetes.Clientset,
	namespace, podName, containerName string,
	command []string,
	stdout, stderr io.Writer,
)

Source from the content-addressed store, hash-verified

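// execInPod executes a command inside a pod container without using a shell.
//
// The command is sent as an argv array in PodExecOptions on a POST to the
// pods/exec subresource and streamed back over SPDY. Stdin and TTY are
// disabled, so the remote process is non-interactive.
//
// SECURITY: No shell interpolation is performed by this function. That
// guarantee covers this call only: if command[0] is itself a shell or another
// interpreter, the remaining arguments are interpreted by it inside the
// container. Callers should pass untrusted values as separate argv elements
// and never join them into a single string.
// The executor is built from restConfig, so the credentials it carries must be
// authorized for pods/exec in the target namespace.
// NOTE(review): namespace, podName and containerName are set through the
// request builder rather than string concatenation; whether callers validate
// them is not visible from this function.
//
// Parameters:
//   - ctx: Context for cancellation (e.g., Ctrl-C)
//   - restConfig: client configuration used to create the SPDY executor
//   - clientset: client used to build the exec request URL
//   - namespace, podName, containerName: target container
//   - command: argv of the program to run; must not be empty
//   - stdout: Writer for stdout (typically os.Stdout)
//   - stderr: Writer for stderr (typically os.Stderr)
//
// It returns nil when the stream completes without error, and a wrapped error
// if the command is empty, the executor cannot be created, the context is
// done, or streaming fails.
func execInPod(
	ctx context.Context,
	restConfig *rest.Config,
	clientset *kubernetes.Clientset,
	namespace, podName, containerName string,
	command []string,
	stdout, stderr io.Writer,
) error {
	// Fail fast instead of sending an exec request that names no program.
	if len(command) == 0 {
		return fmt.Errorf("no command specified for container %q in pod %s/%s", containerName, namespace, podName)
	}

	// SECURITY: Command stays an array all the way to the API; nothing here
	// concatenates it or hands it to a shell.
	execOpts := &v1.PodExecOptions{
		Container: containerName,
		Command:   command,
		Stdin:     false,
		Stdout:    true,
		Stderr:    true,
		TTY:       false,
	}

	// Build the exec request using the REST API directly.
	req := clientset.CoreV1().RESTClient().
		Post().
		Resource("pods").
		Name(podName).
		Namespace(namespace).
		SubResource("exec").
		VersionedParams(execOpts, scheme.ParameterCodec)

	// Create the SPDY executor.
	executor, err := remotecommand.NewSPDYExecutor(restConfig, "POST", req.URL())
	if err != nil {
		return fmt.Errorf("error creating executor: %w", err)
	}

	// StreamWithContext blocks until the command completes or ctx is cancelled.
	streamErr := executor.StreamWithContext(ctx, remotecommand.StreamOptions{
		Stdout: stdout,
		Stderr: stderr,
	})
	if streamErr == nil {
		return nil
	}

	// Report cancellation (user pressed Ctrl-C) as a context error so callers
	// can tell it apart from a failed command.
	if ctxErr := ctx.Err(); ctxErr != nil {
		return fmt.Errorf("context error: %w", ctxErr)
	}
	return fmt.Errorf("error streaming command output: %w", streamErr)
}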
205
206// hostNetworkPodForTrace creates a pod manifest for network tracing.
207// The pod runs with host network and required capabilities for bpftrace.

Callers 1

RunTraceFunction · 0.85

Calls 4

NamespaceMethod · 0.80
RESTClientMethod · 0.80
NameMethod · 0.65
ErrMethod · 0.65

Tested by

no test coverage detected