A random 0-byte file is created when we deploy a Deployment or DaemonSet:
ls -lart /var/lib/kubelet/pods
0666 *container id*/containers/*container name*/*random file name*
Might you be able to provide more information on this file? How may we direct Kubernetes to create this file with 0644 or 0640? Is there a flag we may pass to the kubelet for this?
It is showing up in our security scans as less secure.
This is in version 1.12.
I haven't tried anything yet - I just had a security scan on my nodes and am looking for more information on how to prevent this from showing up.
ls -lart /var/lib/kubelet/pods
0666 *container id*/containers/*container name*/*random file name*
All I want is to get around this vulnerability, either by fixing it with custom code or an update, or by an explanation of why it has to remain 0666.
Before a container is started on a node, the kubelet creates a directory for that Pod on the host system: /var/lib/kubelet/pods/
I cannot say exactly what the necessity of those files is, because lsof doesn't show anything, but my assumption is that they are used as mounted volumes in a pause container.
The only place where permissions are set for this directory is here:
--volume=/var/lib/kubelet/:/var/lib/kubelet:rw \
Hope this will help.
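To reproduce the scanner finding from the question on a node (or confirm it is gone after a change), here is a small host-side check. It is an added example, not code from the question, the answer or Kubernetes itself; it assumes a POSIX find and takes the pods directory as an argument so it can also be run against a constructed test tree.

```shell
#!/bin/sh
# Added example (not from the thread above): list regular files under a
# kubelet pods directory whose "other" permission bits include write,
# which is exactly what makes the 0666 file in the question show up in
# a host scan. The root directory is passed in rather than hard-coded.

# Print every world-writable regular file below $1, one path per line.
find_world_writable() {
    root="$1"
    # -perm -0002: match files whose mode has the other-write bit set.
    find "$root" -type f -perm -0002 -print 2>/dev/null | sort
}

# Print how many world-writable regular files exist below $1.
count_world_writable() {
    find_world_writable "$1" | awk 'END { print NR }'
}

# Strip the other-write bit from each finding (0666 becomes 0664).
# This only touches files that already exist: it is a point-in-time
# remediation on the host, not a kubelet setting, so a file the kubelet
# creates later for a new container is not covered by it.
remove_other_write() {
    find "$1" -type f -perm -0002 -exec chmod o-w {} + 2>/dev/null
}

# Usage: sh check_pods_perms.sh /var/lib/kubelet/pods
if [ -n "${1:-}" ]; then
    echo "world-writable files under $1: $(count_world_writable "$1")"
    find_world_writable "$1"
fi
```

Run it before and after any change so the scan result can be tied to a specific file rather than to the directory as a whole.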