Tags: mongo, security



Overview


Kublr uses MongoDB internally to store cluster metadata.

In some situations it may be necessary to access MongoDB directly to recover from mismanagement and other issues.

This can be done with the Mongo Shell running in the Mongo pod.


Working with Mongo Shell


Get MongoDB username and password


MONGO_USERNAME="$(kubectl get secret -n kublr kcp-mongodb-auth \
  -o jsonpath="{.data.username}" | base64 -d)"
MONGO_PASSWORD="$(kubectl get secret -n kublr kcp-mongodb-auth \
  -o jsonpath="{.data.password}" | base64 -d)"


Run Mongo Shell in interactive mode



kubectl exec -it -n kublr kcp-mongodb-0 -- \
  sh -c 'HOME=/tmp mongo "$@"' -- \
  --username "${MONGO_USERNAME}" \
  --password "${MONGO_PASSWORD}" \
  "mongodb://127.0.0.1:27017/kublr-db?authSource=admin"


Run Mongo Shell command(s)/script non-interactively


kubectl exec -it -n kublr kcp-mongodb-0 -- \
  sh -c 'HOME=/tmp mongo "$@"' -- \
  --username "${MONGO_USERNAME}" \
  --password "${MONGO_PASSWORD}" \
  "mongodb://127.0.0.1:27017/kublr-db?authSource=admin" \
  --eval 'db.globalRoles.find()'


Useful Mongo Shell commands


Show records


# show all records in a collection (global roles in this example)
db.globalRoles.find()

# show a specific record in a collection
db.globalRoles.find({"metadata.name":"KublrFullAdmin"})


Insert records


db.globalRoles.insertOne({...})

db.globalRoles.insertOne({
  "metadata":{
    "name": "test",
    "createdtimestamp": ISODate(),
    "updatedtimestamp": ISODate(),
    "labels": {},
    "resourceVersion": 1
  },
  "typemeta": {
    "kind": "GlobalRole",
    "apiversion": ""
  },
  "rules": [
    { "resources" : [ "*" ], "verbs" : [ "*" ] },
    { "resources" : [ ], "verbs" : [ "*" ], "nonResourceURLs" : [ "*" ] }
  ]
})


Delete records


db.globalRoles.deleteOne({...});

db.globalRoles.deleteOne({"metadata.name":"test"});


Examples


Recover an accidentally removed KublrFullAdmin role and KublrFullAdmins binding


kubectl exec -it -n kublr kcp-mongodb-0 -- \
  sh -c 'HOME=/tmp mongo "$@"' -- \
  --username "${MONGO_USERNAME}" \
  --password "${MONGO_PASSWORD}" \
  "mongodb://127.0.0.1:27017/kublr-db?authSource=admin" \
  --eval '
db.globalRoles.insertOne({
  "metadata":{
    "name": "KublrFullAdmin",
    "createdtimestamp": ISODate(),
    "updatedtimestamp": ISODate(),
    "labels": {},
    "resourceVersion": 1
  },
  "typemeta": {
    "kind": "GlobalRole",
    "apiversion": ""
  },
  "rules": [
    { "resources" : [ "*" ], "verbs" : [ "*" ] },
    { "resources" : [ ], "verbs" : [ "*" ], "nonResourceURLs" : [ "*" ] }
  ]
});

db.globalRoles.insertOne(
{
  "metadata": {
    "name": "KublrFullAdmins",
    "createdtimestamp": ISODate(),
    "updatedtimestamp": ISODate(),
    "labels": {},
    "resourceVersion": 1
  },
  "typemeta": {
    "kind": "GlobalRoleBinding",
    "apiversion": ""
  },
  "roleref": {"kind": "GlobalRole", "name": "KublrFullAdmin"},
  "subjects": [
    {"kind": "Group", "name": "KublrFullAdmins"}
  ]
});'
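The recovery above re-creates the role and binding unconditionally. The following script is an added audit check, not Kublr's own code: it reports every subject bound to a wildcard (full admin) role and every binding whose role is missing, so the state can be verified before and after a manual insert. It runs under Node with the constructed sample documents below, or unchanged in the Mongo shell where the `db` global exists; the assumption that GlobalRole and GlobalRoleBinding documents share the globalRoles collection follows this page's example.

```javascript
// Added audit script (not Kublr's code). Runs under Node with the constructed
// SAMPLE_DOCS, or in the Mongo shell (mongo <options> audit.js) where `db` exists.
// Assumption from this page's example: roles and bindings share globalRoles.
// A rule is "full admin" if it allows every verb on every resource, or every
// verb on every non-resource URL (the two rules in the KublrFullAdmin role).
function isWildcardRule(rule) {
  const all = (xs) => Array.isArray(xs) && xs.includes("*");
  return all(rule.verbs) && (all(rule.resources) || all(rule.nonResourceURLs));
}
// Builds { fullAdmin: { roleName: ["Kind:name", ...] }, dangling: [bindingName] }:
// every subject bound to a wildcard role, plus bindings whose roleref points at
// a role that no longer exists (what a half-finished delete or restore leaves).
function auditFullAdmin(docs) {
  const roles = new Map(), bindings = [];
  for (const d of docs) {
    const kind = d.typemeta && d.typemeta.kind;
    if (kind === "GlobalRole") roles.set((d.metadata || {}).name, d);
    else if (kind === "GlobalRoleBinding") bindings.push(d);
  }
  const report = { fullAdmin: {}, dangling: [] };
  for (const [name, r] of roles) if ((r.rules || []).some(isWildcardRule)) report.fullAdmin[name] = [];
  for (const b of bindings) {
    const ref = b.roleref && b.roleref.name;
    if (!roles.has(ref)) { report.dangling.push((b.metadata || {}).name); continue; }
    if (report.fullAdmin[ref]) {
      for (const s of b.subjects || []) report.fullAdmin[ref].push(`${s.kind}:${s.name}`);
    }
  }
  return report;
}
// Constructed sample mirroring the page's insertOne() documents (timestamps
// omitted), plus one binding left pointing at a role that was deleted.
const SAMPLE_DOCS = [
  { metadata: { name: "KublrFullAdmin" }, typemeta: { kind: "GlobalRole" },
    rules: [{ resources: ["*"], verbs: ["*"] },
            { resources: [], verbs: ["*"], nonResourceURLs: ["*"] }] },
  { metadata: { name: "KublrFullAdmins" }, typemeta: { kind: "GlobalRoleBinding" },
    roleref: { kind: "GlobalRole", name: "KublrFullAdmin" },
    subjects: [{ kind: "Group", name: "KublrFullAdmins" }, { kind: "User", name: "alice" }] },
  { metadata: { name: "orphan" }, typemeta: { kind: "GlobalRoleBinding" },
    roleref: { kind: "GlobalRole", name: "deleted-role" },
    subjects: [{ kind: "User", name: "bob" }] },
];
// Use the live collection inside the Mongo shell, the sample elsewhere;
// legacy mongo has print(), Node has console.log.
const docs = typeof db !== "undefined" ? db.globalRoles.find().toArray() : SAMPLE_DOCS;
(typeof print === "function" ? print : console.log)(JSON.stringify(auditFullAdmin(docs), null, 2));
```

Against the live database, an empty `fullAdmin` entry for KublrFullAdmin or a `dangling` entry for KublrFullAdmins tells you which of the two documents actually needs to be re-inserted.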