Shell webhooks on Kubernetes

Irek Romaniuk
Nov 3 · 2 min read

Sometimes there is a need to run simple shell commands in containers on Kubernetes, or even to set up a mesh of services that run shell commands triggered by webhooks (for example from monitoring frameworks like Solarwinds). For this purpose I am using shell2http, but I know webhook can also be used; both are written in Go.

I use the Dockerfile below to build shell2http images for Kubernetes. This one runs ‘curl’ when the ‘/device_state’ webhook is called with basic authentication. The webhook takes the parameters ‘file’, ‘ip’ and ‘key’. This particular shell command exports the device state of a Palo Alto firewall (at the given IP, e.g. 10.34.1.21, using the given API key) to a file.

FROM msoap/shell2http
RUN apk add --update \
    python3 \
    curl
WORKDIR /app
COPY ["requirements.txt","/app/"]
RUN pip3 install --no-cache-dir -r requirements.txt
ENV PYTHONUNBUFFERED=0
# -form exposes each query parameter to the command as $v_<name>.
# The expansions are quoted so each value reaches curl as a single argument.
CMD ["-basic-auth=user:pass","-form","/device_state", "curl -kv -o \"$v_file\" \"https://$v_ip/api/?type=export&category=device-state&key=$v_key\""]

The webhook call itself could look like this when the image is running on localhost:

curl -v -X GET 'http://localhost:8080/device_state?file=/pan/pan1new7.tgz&ip=10.34.1.21&key=XXX' -u user:pass

or in PowerShell (e.g. from Solarwinds monitoring):

$Url = "http://localhost:8080/shields"
$user="user"
$pass="pass"
$base64AuthInfo= [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user,$pass)))
$pass = ConvertTo-SecureString $pass -AsPlainText -Force
$cred = New-Object Management.Automation.PSCredential ($user, $pass)
$response = Invoke-RestMethod -Method Get -Uri $url -ContentType 'application/json' -cred $cred -Headers @{Authorization = "Basic $base64AuthInfo" } -AllowUnencryptedAuthentication

or with the Jenkins HTTP Request plugin (host address 10.4.1.100 instead of localhost):

Jenkins HTTP Request plugin

The YAML file that schedules a pod with the image above on Kubernetes also mounts an Azure file share (in my case mounted as ‘/pan’). Ignore api_key below, which can optionally be taken from a Kubernetes secret instead of the query parameters. The other secret, however, has to be created to hold the Azure storage account name and key for the file share.

Scheduling shell2http on Kubernetes

Optionally, ‘/scripts’ can be mounted from a config map if I want a webhook, e.g. ‘/scripts’, to run ‘/scripts/script.sh’. There are options for HTTPS certificates, and webhook by adnanh also supports rule matching, e.g. on a header.
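A script mounted this way can check the webhook parameters before they reach curl. The wrapper below is an added example, not code from the original post; the function names and the PAN_DIR and PAN_API_KEY variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validating wrapper for the /device_state handler.
# shell2http -form passes query parameters in as $v_file, $v_ip and $v_key.
# PAN_DIR and PAN_API_KEY are assumed names, not from the original post.
PAN_DIR="${PAN_DIR:-/pan}"

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Accept only a plain *.tgz file name directly inside $PAN_DIR.
valid_file() {
    case "$1" in
        "$PAN_DIR"/*) name=${1#"$PAN_DIR"/} ;;
        *) return 1 ;;
    esac
    case "$name" in
        ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;   # no '/', '..', options
        *.tgz) return 0 ;;
        *) return 1 ;;
    esac
}

export_device_state() {
    valid_ip "${v_ip:-}"     || { echo "rejected ip" >&2; return 2; }
    valid_file "${v_file:-}" || { echo "rejected file" >&2; return 2; }
    # Prefer a key injected from a Kubernetes secret over the query string.
    key="${PAN_API_KEY:-${v_key:-}}"
    [ -n "$key" ] || { echo "missing key" >&2; return 2; }
    # -k is kept from the post's command; -G sends the fields as a query.
    curl -sS -k -G -o "$v_file" "https://$v_ip/api/" \
        --data-urlencode "type=export" \
        --data-urlencode "category=device-state" \
        --data-urlencode "key=$key"
}

# Run only when shell2http has supplied the form variables.
[ -z "${v_ip+x}" ] || export_device_state
```

With this in place the handler in the image's CMD would be ‘/scripts/script.sh’ rather than the inline curl command.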


Here are my ‘nanonotes’, excuse the brevity and typos. I’m based in RI, working as security and automation engineer for a fin-tech company in Boston.
