Tags: mongo, security
TABLE OF CONTENTS
Overview
Kublr uses MongoDB internally to store cluster metadata.
In some situations it may be necessary to access MongoDB directly to recover from mismanagement and other issues.
It is possible to do using Mongo Shell running in the Mongo pod.
Working with Mongo Shell
Get Mongo DB username and password
MONGO_USERNAME="$(kubectl get secret -n kublr kcp-mongodb-auth \
-o jsonpath="{.data.username}" | base64 -d)"
MONGO_PASSWORD="$(kubectl get secret -n kublr kcp-mongodb-auth \
-o jsonpath="{.data.mongodb-root-password}" | base64 -d)"Note that for Kublr 1.21 and earlier versions the MongoDB password is stored in a different field, so the following command should be used to access it:
MONGO_PASSWORD="$(kubectl get secret -n kublr kcp-mongodb-auth \
-o jsonpath="{.data.password}" | base64 -d)"Run Mongo Shell in interactive mode
kubectl exec -it -n kublr kcp-mongodb-0 -- \
sh -c 'HOME=/tmp mongo "$@"' -- \
--username "${MONGO_USERNAME}" \
--password "${MONGO_PASSWORD}" \
"mongodb://127.0.0.1:27017/kublr-db?authSource=admin&replicaSet=rs0"If mongodb is running in HA mode with more than 1 replica, other replicas' pods may be provided, such as kcp-mongodb-1, kcp-mongodb-2 etc.
Run Mongo Shell command(s)/script non-interactively
kubectl exec -it -n kublr kcp-mongodb-0 -- \
sh -c 'HOME=/tmp mongo "$@"' -- \
--username "${MONGO_USERNAME}" \
--password "${MONGO_PASSWORD}" \
"mongodb://127.0.0.1:27017/kublr-db?authSource=admin&replicaSet=rs0" \
--eval 'db.globalRoles.find()'Useful Mongo Shell commands
Show records
# show all records in a collection (global roles in this example)
db.globalRoles.find()
# show a specific record in a collection
db.globalRoles.find({"metadata.name":"KublrFullAdmin"})Insert records
db.globalRoles.insertOne({...})
db.globalRoles.insertOne({
"metadata":{
"name": "test",
"createdtimestamp": ISODate(),
"updatedtimestamp": ISODate(),
"labels": {},
"resourceVersion": 1
},
"typemeta": {
"kind": "GlobalRole",
"apiversion": ""
},
"rules": [
{ "resources" : [ "*" ], "verbs" : [ "*" ] },
{ "resources" : [ ], "verbs" : [ "*" ], "nonResourceURLs" : [ "*" ] }
]
})Delete records
db.globalRoles.deleteOne({...});
db.globalRoles.deleteOne({"metadata.name":"test"});Examples
Recover accidentally removed KublrFullAdmin(s) role and binding
kubectl exec -it -n kublr kcp-mongodb-0 -- \
sh -c 'HOME=/tmp mongo "$@"' -- \
--username "${MONGO_USERNAME}" \
--password "${MONGO_PASSWORD}" \
"mongodb://127.0.0.1:27017/kublr-db?authSource=admin" \
--eval '
db.globalRoles.insertOne({
"metadata":{
"name": "KublrFullAdmin",
"createdtimestamp": ISODate(),
"updatedtimestamp": ISODate(),
"labels": {},
"resourceVersion": 1
},
"typemeta": {
"kind": "GlobalRole",
"apiversion": ""
},
"rules": [
{ "resources" : [ "*" ], "verbs" : [ "*" ] },
{ "resources" : [ ], "verbs" : [ "*" ], "nonResourceURLs" : [ "*" ] }
]
});
db.globalRoles.insertOne(
{
"metadata": {
"name": "KublrFullAdmins",
"createdtimestamp": ISODate(),
"updatedtimestamp": ISODate(),
"labels": {},
"resourceVersion": 1
},
"typemeta": {
"kind": "GlobalRoleBinding",
"apiversion": ""
},
"roleref": {"kind": "GlobalRole", "name": "KublrFullAdmin"},
"subjects": [
{"kind": "Group", "name": "KublrFullAdmins"}
]
});'