Execute command on each node

Question

Background: Have approx 50 nodes "behind" a namespace. Meaning that a given Pod in this namespace can land on any of those 50 nodes.

The task is to test if an outbound firewall rule (in a FW outside the cluster) has been implemented correctly. Therefore I would like to test a command on each potential node in the namespace which will tell me if I can reach my target from the given node. (using curl for such test but that is besides the point for my question)

I can create a small containerized app which will exit 0 on success. Then next step would be execute this on each potential node and harvest the result. How to do that?

(I don't have access to the nodes directly, only indirectly via Kubernetes/OpenShift. I only have access to the namespace-level, not the cluster-level.)

Answer 1

The underlying node firewall settings is NOT control by K8s network policies. To test network connectivity in a namespace you only need to run 1 pod in that namespace. To test firewall settings of the node you typically ssh into the node and execute command to test - while this is possible with K8s but that would require the pod to run with root privileged; which not applicable to you as you only has access to a single namespace.

Answer 2

Then next step would be execute this on each potential node and harvest the result. How to do that?

As gohm'c answer you can not run Command on Nodes unless you have access to Worker nodes. You need to have SSH access to check the firewall on Nodes.

If you are planning to just run container app on specific types of nodes, or on all the Nodes you can follow below answer

You can create the deployment or you can use the Deamon set if want to run on each node.

Deployment could be useful if you are planning to run on specific nodes, you have to use in that case Node selector or Affinity.

Daemon set will deploy and run containers on all existing Nodes. So you can choose accordingly.