Why do kubernetes components generate files with 666 permission?

lotusirous · February 18, 2019, 11:20am

I installed a Kubernetes 1.13.1 cluster contains 3 nodes by kubeadm, docker 17.12.1-ce and flannel networking. However, I found that Kubernetes created many empty files with permission 666 which allows any user can read/write in /var/lib/kubelet directory by command find /var/lib -perm 666. The results as follows:

-rw-rw-rw-  1 root root 0  2월 16 21:21 /var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/34e5f60f
-rw-rw-rw-  1 root root 0  2월 16 08:27 /var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/3c44eff3
-rw-rw-rw-. 1 root root 0  2월 16 01:43 /var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/914ac6c3
-rw-rw-rw-  1 root root 0  2월 18 03:58 /var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/9da5f793
-rw-rw-rw-  1 root root 0  2월 16 09:09 /var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/a85f6e51
-rw-rw-rw-  1 root root 0  2월 18 00:50 /var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/aecca296
-rw-rw-rw-  1 root root 0  2월 17 00:36 /var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/b3826292
-rw-rw-rw-  1 root root 0  2월 16 09:15 /var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/c4463b68
-rw-rw-rw-  1 root root 0  2월 16 21:55 /var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/e0376b53
-rw-rw-rw-  1 root root 0  2월 18 00:50 /var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/036e6102
-rw-rw-rw-. 1 root root 0  2월 16 01:44 /var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/117caf5a
-rw-rw-rw-  1 root root 0  2월 18 03:58 /var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/28f8fde3
-rw-rw-rw-  1 root root 0  2월 16 09:15 /var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/335b2b55
-rw-rw-rw-  1 root root 0  2월 16 08:27 /var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/438a9268
-rw-rw-rw-  1 root root 0  2월 16 21:22 /var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/6cfbeba3
-rw-rw-rw-  1 root root 0  2월 16 21:55 /var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/b8af2455
-rw-rw-rw-  1 root root 0  2월 17 00:36 /var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/cc246570
-rw-rw-rw-  1 root root 0  2월 18 03:58 /var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/2755882a
-rw-rw-rw-  1 root root 0  2월 16 21:55 /var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/38268733
-rw-rw-rw-  1 root root 0  2월 17 00:36 /var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/57319601
-rw-rw-rw-. 1 root root 0  2월 16 01:44 /var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/59e51c33
-rw-rw-rw-  1 root root 0  2월 16 09:09 /var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/68e17599
-rw-rw-rw-  1 root root 0  2월 16 21:22 /var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/96253eba
-rw-rw-rw-  1 root root 0  2월 18 00:50 /var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/9d2cc8d4
-rw-rw-rw-  1 root root 0  2월 16 09:15 /var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/ee907d2f
-rw-rw-rw-  1 root root 0  2월 16 08:27 /var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/fc15d13f
-rw-rw-rw-  1 root root 0  2월 16 09:09 /var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/013626b1
-rw-rw-rw-  1 root root 0  2월 18 03:57 /var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/0d9fe526
-rw-rw-rw-  1 root root 0  2월 17 00:36 /var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/6fc2a524
-rw-rw-rw-  1 root root 0  2월 16 09:15 /var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/7e786acf
-rw-rw-rw-  1 root root 0  2월 16 21:55 /var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/7ed5b175
-rw-rw-rw-. 1 root root 0  2월 16 01:42 /var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/8be88549
-rw-rw-rw-  1 root root 0  2월 16 21:21 /var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/9421eba8
-rw-rw-rw-  1 root root 0  2월 16 08:27 /var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/cfb428fd
-rw-rw-rw-  1 root root 0  2월 18 00:50 /var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/dca6882b
-rw-rw-rw-  1 root root 0  2월 18 03:57 /var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/0d06fccd
-rw-rw-rw-  1 root root 0  2월 16 21:21 /var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/16991a34
-rw-rw-rw-. 1 root root 0  2월 16 01:42 /var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/1d5bf9d8
-rw-rw-rw-  1 root root 0  2월 16 09:15 /var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/4bd7ff3b
-rw-rw-rw-  1 root root 0  2월 18 00:50 /var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/81a73a2d
-rw-rw-rw-  1 root root 0  2월 16 08:27 /var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/c94fa723
-rw-rw-rw-  1 root root 0  2월 16 21:55 /var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/cc39443a
-rw-rw-rw-  1 root root 0  2월 17 00:36 /var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/e6e4aace
-rw-rw-rw-  1 root root 0  2월 16 08:27 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/13b9e8b2
-rw-rw-rw-  1 root root 0  2월 18 03:58 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/4371dead
-rw-rw-rw-  1 root root 0  2월 17 00:36 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/4c5f4031
-rw-rw-rw-  1 root root 0  2월 16 21:21 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/6f7cf72c
-rw-rw-rw-  1 root root 0  2월 18 00:50 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/843e7a92
-rw-rw-rw-  1 root root 0  2월 16 21:29 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/ae3a7534
-rw-rw-rw-. 1 root root 0  2월 16 01:58 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/b480c6a8
-rw-rw-rw-  1 root root 0  2월 16 09:15 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/caf80049
-rw-rw-rw-  1 root root 0  2월 16 21:55 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/cfde7073
-rw-rw-rw-  1 root root 0  2월 16 10:16 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/e1956197
-rw-rw-rw-  1 root root 0  2월 17 00:36 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/2b3ea969
-rw-rw-rw-  1 root root 0  2월 16 09:15 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/3316e4ef
-rw-rw-rw-  1 root root 0  2월 18 03:58 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/41426e21
-rw-rw-rw-  1 root root 0  2월 16 21:22 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/5520d34e
-rw-rw-rw-. 1 root root 0  2월 16 01:58 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/a3934024
-rw-rw-rw-  1 root root 0  2월 16 21:21 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/b3c0c65b
-rw-rw-rw-  1 root root 0  2월 18 00:50 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/c445f6e1
-rw-rw-rw-  1 root root 0  2월 16 08:27 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/e4aa6627
-rw-rw-rw-  1 root root 0  2월 16 21:55 /var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/fc02f300
-rw-rw-rw-  1 root root 0  2월 16 21:55 /var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/1050c0c2
-rw-rw-rw-  1 root root 0  2월 16 21:21 /var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/2d3110c6
-rw-rw-rw-  1 root root 0  2월 17 00:36 /var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/3c9b35d2
-rw-rw-rw-  1 root root 0  2월 16 09:09 /var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/48d77ff1
-rw-rw-rw-  1 root root 0  2월 16 08:27 /var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/4ab06094
-rw-rw-rw-  1 root root 0  2월 18 03:57 /var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/57564f13
-rw-rw-rw-  1 root root 0  2월 18 00:50 /var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/585456e6
-rw-rw-rw-  1 root root 0  2월 16 09:15 /var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/8a69b2a8
-rw-rw-rw-. 1 root root 0  2월 16 01:42 /var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/aa52c49d
-rw-rw-rw-  1 root root 0  2월 16 21:55 /var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/043af2e4
-rw-rw-rw-  1 root root 0  2월 18 03:57 /var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/0c45435b
-rw-rw-rw-  1 root root 0  2월 16 08:27 /var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/2472b441
-rw-rw-rw-  1 root root 0  2월 16 09:09 /var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/4bd17709
-rw-rw-rw-. 1 root root 0  2월 16 01:42 /var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/67675b22
-rw-rw-rw-  1 root root 0  2월 18 00:50 /var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/a16fefca
-rw-rw-rw-  1 root root 0  2월 17 00:36 /var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/c53c15c7
-rw-rw-rw-  1 root root 0  2월 16 21:21 /var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/db4af185
-rw-rw-rw-  1 root root 0  2월 16 09:15 /var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/ed3b53cd

The results shows that Kubernetes components kube-controller-manager , kube-scheduler , etcd , kube-apiserver , kube-proxy , coredns , install-cni and kube-flannel is not only create insecure and empty files.

I’m wondering this use case because I could not find any document mention this case.

Why does Kubernetes create those files?
Can I change the files permission?
Will Kubernetes components generate new files which have the same permission in the future ?

Thank you

Topic		Replies	Views
[Security Advisory] CVE-2020-8557: Node disk DOS by writing to container /etc/hosts Announcements	0	1868	July 15, 2020
File permission issue on pods General Discussions	0	767	March 19, 2020
User permission problem General Discussions	0	850	December 19, 2018
Kubernetes cp gives permission denied error General Discussions	2	11098	May 28, 2021
World writable files were found on the system of Kubernetes installation General Discussions	0	86	March 7, 2024

Why do kubernetes components generate files with 666 permission?

Related Topics