Comments (2)

disconnect3d avatar disconnect3d commented on May 25, 2024

Just to be sure: the tar process is spawned inside the container and lies in the same namespaces/cgroups and doesn't have any other capabilities than other processes.

I have created tar as a shell script that launches sleep 100000 via:

printf '#!/bin/bash\nsleep 100000' > /bin/tar

and then ran it via kubectl cp <pod>:/etc/passwd . (this made the tar sleep so I could inspect it). The log is below:

root@ub3-7b85ffcb97-ffqr9:/# ps auxf
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root        65  0.0  0.1  18376  2964 ?        Ss   10:00   0:00 /bin/bash /bin/tar cf - /etc/passwd
root        69  0.0  0.0   4532   748 ?        S    10:00   0:00  \_ sleep 100000
root         1  0.0  0.1  18508  3420 pts/0    Ss   09:57   0:00 bash
root        83  0.0  0.1  34400  2844 pts/0    R+   10:05   0:00 ps auxf

root@ub3-7b85ffcb97-ffqr9:/# pidof bash
65 1

root@ub3-7b85ffcb97-ffqr9:/# ls -la /proc/1/ns
total 0
dr-x--x--x 2 root root 0 Apr 19 10:04 .
dr-xr-xr-x 9 root root 0 Apr 19 09:57 ..
lrwxrwxrwx 1 root root 0 Apr 19 10:04 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 ipc -> 'ipc:[4026532450]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 mnt -> 'mnt:[4026532518]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 net -> 'net:[4026532453]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 pid -> 'pid:[4026532520]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 pid_for_children -> 'pid:[4026532520]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 uts -> 'uts:[4026532519]'

root@ub3-7b85ffcb97-ffqr9:/# ls -la /proc/65/ns
total 0
dr-x--x--x 2 root root 0 Apr 19 10:00 .
dr-xr-xr-x 9 root root 0 Apr 19 10:00 ..
lrwxrwxrwx 1 root root 0 Apr 19 10:04 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 ipc -> 'ipc:[4026532450]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 mnt -> 'mnt:[4026532518]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 net -> 'net:[4026532453]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 pid -> 'pid:[4026532520]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 pid_for_children -> 'pid:[4026532520]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 uts -> 'uts:[4026532519]'

root@ub3-7b85ffcb97-ffqr9:/# diff /proc/1/cgroup /proc/65/cgroup

root@ub3-7b85ffcb97-ffqr9:/# cat /proc/1/cgroup
12:freezer:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
11:cpuset:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
10:blkio:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
9:net_cls,net_prio:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
8:perf_event:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
7:cpu,cpuacct:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
6:hugetlb:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
5:rdma:/
4:devices:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
3:pids:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
2:memory:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
1:name=systemd:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
0::/system.slice/docker.service

root@ub3-7b85ffcb97-ffqr9:/# cat /proc/65/status | grep Cap
CapInh:	00000000a80425fb
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000

root@ub3-7b85ffcb97-ffqr9:/# cat /proc/1/status | grep Cap
CapInh:	00000000a80425fb
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000

from audit-kubernetes.
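The comment above checks by hand that the tar process spawned for kubectl cp sits in the same namespaces, cgroups and capability sets as the container's PID 1. As an added example (not code from the audit-kubernetes repo or the commenter), the script below automates that comparison: it snapshots the /proc/<pid>/ns links, /proc/<pid>/cgroup membership and Cap* masks of two PIDs and reports every mismatch, decoding the hex masks into capability names so that 00000000a80425fb reads as the usual 14-capability container default. The embedded sample snapshots are constructed from the log above (cgroup paths abbreviated), plus a hypothetical "escaped" snapshot that differs in its net namespace and effective capabilities; snapshot() itself needs a real Linux /proc.

```python
import os
import sys
from typing import Dict, List

# Capability bit numbers from include/uapi/linux/capability.h (list index == bit).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

def decode_capmask(hexmask: str) -> List[str]:
    """Translate a Cap* hex mask from /proc/<pid>/status into capability names."""
    mask = int(hexmask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]

def parse_status_caps(status_text: str) -> Dict[str, str]:
    """Pull the CapInh/CapPrm/CapEff/CapBnd/CapAmb masks out of a status file."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key] = value.strip()
    return caps

def parse_cgroup(cgroup_text: str) -> Dict[str, str]:
    """Map each controller list to its cgroup path ('' is the unified v2 hierarchy)."""
    out = {}
    for line in cgroup_text.splitlines():
        if line:
            _hier_id, controllers, path = line.split(":", 2)
            out[controllers] = path
    return out

def snapshot(pid: int) -> dict:
    """Live snapshot of one process's confinement; requires a Linux /proc."""
    base = f"/proc/{pid}"
    ns = {n: os.readlink(f"{base}/ns/{n}") for n in sorted(os.listdir(f"{base}/ns"))}
    with open(f"{base}/cgroup") as f:
        cgroup = parse_cgroup(f.read())
    with open(f"{base}/status") as f:
        caps = parse_status_caps(f.read())
    return {"ns": ns, "cgroup": cgroup, "caps": caps}

def confinement_diff(ref: dict, other: dict) -> List[str]:
    """List every namespace, cgroup or capability-mask mismatch between two snapshots."""
    findings = []
    for kind in ("ns", "cgroup"):
        for key in sorted(set(ref[kind]) | set(other[kind])):
            if ref[kind].get(key) != other[kind].get(key):
                findings.append(f"{kind} {key}: {ref[kind].get(key)} != {other[kind].get(key)}")
    for key in sorted(set(ref["caps"]) | set(other["caps"])):
        a, b = ref["caps"].get(key, "0"), other["caps"].get(key, "0")
        if a != b:
            # Name the capabilities the second process has that the reference lacks.
            extra = sorted(set(decode_capmask(b)) - set(decode_capmask(a)))
            findings.append(f"{key}: {a} != {b} (extra in other: {extra})")
    return findings

# Constructed sample data transcribed from the log above (cgroup paths abbreviated).
STATUS_CAPS = ("CapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\n"
               "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
               "CapAmb:\t0000000000000000\n")
NS = {"cgroup": "cgroup:[4026531835]", "ipc": "ipc:[4026532450]", "mnt": "mnt:[4026532518]",
      "net": "net:[4026532453]", "pid": "pid:[4026532520]", "user": "user:[4026531837]"}
CGROUP = ("2:memory:/kubepods/besteffort/pod7e3bc2f6/8cfc1445\n"
          "1:name=systemd:/kubepods/besteffort/pod7e3bc2f6/8cfc1445\n"
          "0::/system.slice/docker.service\n")
SAMPLE_PID1 = {"ns": NS, "cgroup": parse_cgroup(CGROUP), "caps": parse_status_caps(STATUS_CAPS)}
SAMPLE_TAR = {"ns": dict(NS), "cgroup": parse_cgroup(CGROUP), "caps": parse_status_caps(STATUS_CAPS)}
# Hypothetical, constructed snapshot of a process outside the container's net
# namespace with CAP_SYS_ADMIN (bit 21) added to its effective set.
SAMPLE_ESCAPED = {
    "ns": {**NS, "net": "net:[4026531993]"},
    "cgroup": parse_cgroup(CGROUP),
    "caps": {**parse_status_caps(STATUS_CAPS), "CapEff": "00000000a82425fb"},
}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # compare two live PIDs, e.g. 1 and the sleeping tar's PID
        findings = confinement_diff(snapshot(int(sys.argv[1])), snapshot(int(sys.argv[2])))
    else:
        findings = confinement_diff(SAMPLE_PID1, SAMPLE_ESCAPED)
    print("\n".join(findings) or "identical confinement")
```

Inside the pod, running the script with two PIDs (PID 1 and the sleeping tar) reproduces the manual ls/diff/grep checks in one pass; an empty result means the spawned process is confined exactly like the container's init. Comparing the hex masks rather than just the names catches differences in the bounding and ambient sets too, which the grep in the log shows but a name-only check could miss.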

lojikil avatar lojikil commented on May 25, 2024

Roll into #29, and into TOA-K8S-018 (it's actually already the long term recommendation)
