0 0 Share PDF

Scanner showing 666 permissions for /var/lib/kubelet/pods/*/containers/*/*

Article ID: KB000959

Issue

When scanning EE cluster running Kubernetes, a security scanner may pick up 666 permissions on /var/lib/kubelet/pods/*/containers/*/*.

Resolution

Docker is currently working with Calico security vendor on a pull request to narrow permissions on the above path. The investigation is being tracked under Docker-internal issue ID FIELD-299. For the time being this should not be a great concern as the ownership is root root for both user and group. This means other users with rw permissions for this path will not be able to access this directory per linux security unless part of the group root or sudo privileges. Please see example below:

Root user

root@ip-172-31-14-34:~# ls -lah /var/lib/kubelet/pods/a934737d-4f12-11e9-a4de-0242ac11000b/containers/calico-kube-controllers/cbc727e2
-rw-rw-rw- 1 root root 0 Mar 25 15:28 /var/lib/kubelet/pods/a934737d-4f12-11e9-a4de-0242ac11000b/containers/calico-kube-controllers/cbc727e2

Nonroot user

ubuntu@ip-172-31-14-34:~$ ls -lah /var/lib/kubelet/pods/a934737d-4f12-11e9-a4de-0242ac11000b/containers/calico-kube-controllers/cbc727e2
ls: cannot access '/var/lib/kubelet/pods/a934737d-4f12-11e9-a4de-0242ac11000b/containers/calico-kube-controllers/cbc727e2': Permission denied