Directory permissions under /var/lib/kubelet/pods

8/1/2019

A random 0-byte file is created when we deploy a Deployment or DaemonSet:

ls -lart /var/lib/kubelet/pods
0666 *container id*/containers/*container name*/*random file name*

Might you be able to provide more information on this file? How may we direct Kubernetes to create this file with 0644 or 0640? Is there a flag we may pass to kubelet for this?

It is showing up in our security scans as less secure.

This is in version 1.12.

I haven't tried anything yet - I just had a security scan on my nodes and am looking for more information and how to prevent this from showing up.

All I want is to get around this vulnerability by either fixing it with custom code or an update or by explaining why it has to remain 0666.

-- Jason Kyzer
Tags: kubelet, kubernetes, security

1 Answer

8/2/2019

Before a container is started on a node, the kubelet creates a directory for that Pod on the host system under /var/lib/kubelet/pods/.

I cannot say exactly what the necessity of those files is, because lsof doesn't show anything, but my assumption is that they are used as mounted volumes in a pause container.

The only place where permissions are set for this directory is here:

--volume=/var/lib/kubelet/:/var/lib/kubelet:rw \

Hope this will help.

-- A_Suh
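The question is really about what the node's security scan flagged: regular files under /var/lib/kubelet/pods that carry the other-write bit (0666). The following shell script is an added example, not code from either post or from the kubelet project; it audits a directory tree for such files so the finding can be reproduced and tracked on a node. It assumes GNU coreutils (stat -c) as found on a typical Linux node, and the pod UID, container name and file names it creates in demo are constructed sample values that mimic the layout reported in the question.

```shell
#!/bin/sh
# Added example (not from the original Q&A): audit a kubelet pods
# directory for world-writable regular files, the condition the
# question's security scan reported. The directory argument defaults
# to /var/lib/kubelet/pods but any path can be passed, so the check
# can be exercised against a constructed tree without root.

# Print "<octal mode> <path>" for every regular file beneath $1 whose
# mode has the other-write bit set (0666, 0646, 0662, ...).
find_world_writable() {
    dir="${1:-/var/lib/kubelet/pods}"
    # -perm -o=w matches any mode that includes the other-write bit;
    # -type f keeps the report to files, which is what the scan flagged.
    find "$dir" -type f -perm -o=w -exec stat -c '%a %n' {} \; 2>/dev/null
}

# Emit the number of offending files, so the check can be used as a
# pass/fail step in a node audit job ("0" means nothing to report).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Build a constructed tree shaped like the one in the question
# (<pod uid>/containers/<container name>/<file>), with one 0666 file
# and one 0644 file, audit it, and clean up.
demo() {
    tmp=$(mktemp -d)
    # Constructed sample pod UID and container name, not from a real node.
    cdir="$tmp/0f1e2d3c-0000-4000-8000-000000000000/containers/app"
    mkdir -p "$cdir"
    : > "$cdir/aaaa1111" && chmod 0666 "$cdir/aaaa1111"   # flagged
    : > "$cdir/bbbb2222" && chmod 0644 "$cdir/bbbb2222"   # not flagged
    find_world_writable "$tmp"
    echo "world-writable files: $(count_world_writable "$tmp")"
    rm -rf "$tmp"
}
```

Source the file and call `demo` to see the report against the constructed tree, or run `find_world_writable` as root against the real /var/lib/kubelet/pods to list exactly which files the scanner is complaining about. The script only reports; the page does not identify a kubelet setting that changes the mode of these files, so it makes no attempt to alter them.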
Source: StackOverflow