World writable files were found on the system of Kubernetes installation

jrocksk8 · March 7, 2024, 2:24am

Hi All,
As part of security scan in the machines of our Kubernetes enviroment, it reported vulnerabilities saying “World writable files were found on the system” for the paths:
/var/lib/containers/storage/overlay/*
/var/lib/kubelet/plugins/*
/var/lib/kubelet/pods/*

Is this Kubernetes creates this writable paths and its as per design?
Will this harm the system?
Is this potential issue or false positive?
How this can be resolved?

Cluster information:

Kubernetes version: v1.23.1
Cloud being used: bare-metal (VMware VMs)
Installation method: kubeadm yaml
Host OS: Red Hat Enterprise Linux release 8.1
CNI and version: Calico v3.21.2
CRI and version: CRI-O v1.23.0

M4nch0t · May 28, 2024, 10:54am

Hello,
Versions are different but I’ve found the same behavior. Any updates?
OpenScap is quite angry with those files

Topic		Replies	Views
World writable files were found on the system for /var/lib/kubelet/pods General Discussions development , security , network	1	990	December 13, 2022
[Security Advisory] CVE-2020-8557: Node disk DOS by writing to container /etc/hosts Announcements	0	1972	July 15, 2020
Microk8s is creating world writeable, no sticky bit folders microk8s	3	1126	September 30, 2021
[Security Advisory] CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes Announcements	0	1451	November 14, 2023
[ANNOUNCE] Security release of Kubernetes kubectl - potential directory traversal - Releases 1.11.9, 1.12.7, 1.13.5, and 1.14.0 - CVE-2019-1002101 Announcements	0	11783	March 28, 2019

World writable files were found on the system of Kubernetes installation

Cluster information:

Related topics