security - Why does Kubernetes allow world read/write in the kubelet directory?

Tags: security kubernetes

I installed a Kubernetes 1.13.1 cluster using kubeadm, docker 17.12.1-ce and the flannel network.

However, I found many empty files on the Kubernetes master with permission 666, which allows any user to read/write them, using the command:

```
$ find /var/lib -perm 666
```

The following results show that the Kubernetes components kube-controller-manager, kube-scheduler, etcd, kube-apiserver, kube-proxy, coredns, install-cni and kube-flannel created those insecure files:
```
/var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/67675b22
/var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/2472b441
/var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/4bd17709
/var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/ed3b53cd
/var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/db4af185
/var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/043af2e4
/var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/c53c15c7
/var/lib/kubelet/pods/d4ff37ee76fe761a28f11175fd1c384e/containers/kube-controller-manager/a16fefca
/var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/1d5bf9d8
/var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/c94fa723
/var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/4bd7ff3b
/var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/16991a34
/var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/cc39443a
/var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/e6e4aace
/var/lib/kubelet/pods/44b569a35761491825f4e7253fbf0543/containers/kube-scheduler/81a73a2d
/var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/aa52c49d
/var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/4ab06094
/var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/48d77ff1
/var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/8a69b2a8
/var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/2d3110c6
/var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/1050c0c2
/var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/3c9b35d2
/var/lib/kubelet/pods/4f58ccda5ae6e0c130245af30581f553/containers/etcd/585456e6
/var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/8be88549
/var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/cfb428fd
/var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/013626b1
/var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/7e786acf
/var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/9421eba8
/var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/7ed5b175
/var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/6fc2a524
/var/lib/kubelet/pods/431d2fd1385de8d92297e09b707498e8/containers/kube-apiserver/dca6882b
/var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/914ac6c3
/var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/3c44eff3
/var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/a85f6e51
/var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/c4463b68
/var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/34e5f60f
/var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/e0376b53
/var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/b3826292
/var/lib/kubelet/pods/205f8dce-31b6-11e9-a4aa-000c295ecaec/containers/kube-proxy/aecca296
/var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/117caf5a
/var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/438a9268
/var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/335b2b55
/var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/6cfbeba3
/var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/b8af2455
/var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/cc246570
/var/lib/kubelet/pods/2076242e-31b6-11e9-a4aa-000c295ecaec/containers/coredns/036e6102
/var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/59e51c33
/var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/fc15d13f
/var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/68e17599
/var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/ee907d2f
/var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/96253eba
/var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/38268733
/var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/57319601
/var/lib/kubelet/pods/2076f7b0-31b6-11e9-a4aa-000c295ecaec/containers/coredns/9d2cc8d4
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/b480c6a8
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/13b9e8b2
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/caf80049
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/e1956197
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/6f7cf72c
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/ae3a7534
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/cfde7073
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/4c5f4031
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/install-cni/843e7a92
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/a3934024
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/e4aa6627
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/3316e4ef
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/b3c0c65b
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/5520d34e
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/fc02f300
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/2b3ea969
/var/lib/kubelet/pods/478813b4-31b8-11e9-a4aa-000c295ecaec/containers/kube-flannel/c445f6e1
```

Best answer

I don't think this constitutes any security problem. Note that the files in the list (with 666 permissions) cannot be accessed unless the parent directories in the path have the execute bit permission set (see the Linux Wiki).
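The answer's point, as an added example that is not part of the original post: a mode-666 file is only exposed if every directory on the way to it grants "others" the execute (search) bit, so a `find -perm 666` audit should be filtered by parent-directory permissions. It assumes GNU coreutils `stat -c '%a'` and builds its own constructed sandbox tree; it does not touch `/var/lib/kubelet`.

```shell
#!/bin/sh
# Added example (not from the original post): separate a mode-666 file that an
# unprivileged user can really open from one shielded by a parent directory
# without the "others" execute (search) bit, which is the answer's point.
# Assumes GNU coreutils stat (-c '%a'); the sandbox tree is constructed here.

# reachable_by_others FILE [STOP]
# Exit 0 if every directory between FILE and STOP (exclusive, default /)
# grants o+x; otherwise name the blocking directory and exit 1.
reachable_by_others() {
    f=$1
    stop=${2:-/}
    d=$(dirname "$f")
    while [ "$d" != "$stop" ] && [ "$d" != "/" ]; do
        mode=$(stat -c '%a' "$d") || return 1   # octal mode, e.g. 755 or 1777
        other=$(( mode % 10 ))                 # last digit holds the "others" bits
        if [ $(( other & 1 )) -eq 0 ]; then
            echo "blocked: $d is mode $mode (no o+x)"
            return 1
        fi
        d=$(dirname "$d")
    done
    return 0
}

# audit_reachable_666 ROOT
# The question's `find ROOT -perm 666`, kept only for files that an
# unprivileged user can actually traverse to.
audit_reachable_666() {
    root=$1
    find "$root" -type f -perm 666 | while read -r f; do
        if reachable_by_others "$f" "$root" >/dev/null; then echo "$f"; fi
    done
}

# make_sandbox: constructed tree with one exposed and one shielded 666 file.
make_sandbox() {
    t=$(mktemp -d)
    mkdir -p "$t/open/pod" "$t/closed/pod"
    : > "$t/open/pod/log"
    : > "$t/closed/pod/log"
    chmod 666 "$t/open/pod/log" "$t/closed/pod/log"
    chmod 755 "$t/open" "$t/open/pod" "$t/closed/pod"
    chmod 750 "$t/closed"           # others cannot search this directory
    echo "$t"
}

sandbox=$(make_sandbox)
audit_reachable_666 "$sandbox"      # lists only .../open/pod/log
rm -rf "$sandbox"
```

Run it against a real node as `audit_reachable_666 /var/lib/kubelet` to see which of the question's files are actually reachable; on a default kubeadm install the pod directories are root-owned and not world-searchable.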

Regarding "security - Why does Kubernetes allow world read/write in the kubelet directory?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/54743171/
