Comments (2)
Just to be sure: the `tar` process is spawned inside the container and lies in the same namespaces/cgroups and doesn't have any capabilities beyond those of other processes.

I have created `tar` as a shell script that launches `sleep 100000` via:

```
printf '#!/bin/bash\nsleep 100000' > /bin/tar
```

and then run it via `kubectl cp <pod>:/etc/passwd .`; this made the `tar` sleep so I could inspect it. The log below:
```
root@ub3-7b85ffcb97-ffqr9:/# ps auxf
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 65 0.0 0.1 18376 2964 ? Ss 10:00 0:00 /bin/bash /bin/tar cf - /etc/passwd
root 69 0.0 0.0 4532 748 ? S 10:00 0:00 \_ sleep 100000
root 1 0.0 0.1 18508 3420 pts/0 Ss 09:57 0:00 bash
root 83 0.0 0.1 34400 2844 pts/0 R+ 10:05 0:00 ps auxf
root@ub3-7b85ffcb97-ffqr9:/# pidof bash
65 1
root@ub3-7b85ffcb97-ffqr9:/# ls -la /proc/1/ns
total 0
dr-x--x--x 2 root root 0 Apr 19 10:04 .
dr-xr-xr-x 9 root root 0 Apr 19 09:57 ..
lrwxrwxrwx 1 root root 0 Apr 19 10:04 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 ipc -> 'ipc:[4026532450]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 mnt -> 'mnt:[4026532518]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 net -> 'net:[4026532453]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 pid -> 'pid:[4026532520]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 pid_for_children -> 'pid:[4026532520]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 uts -> 'uts:[4026532519]'
root@ub3-7b85ffcb97-ffqr9:/# ls -la /proc/65/ns
total 0
dr-x--x--x 2 root root 0 Apr 19 10:00 .
dr-xr-xr-x 9 root root 0 Apr 19 10:00 ..
lrwxrwxrwx 1 root root 0 Apr 19 10:04 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 ipc -> 'ipc:[4026532450]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 mnt -> 'mnt:[4026532518]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 net -> 'net:[4026532453]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 pid -> 'pid:[4026532520]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 pid_for_children -> 'pid:[4026532520]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Apr 19 10:04 uts -> 'uts:[4026532519]'
root@ub3-7b85ffcb97-ffqr9:/# diff /proc/1/cgroup /proc/65/cgroup
root@ub3-7b85ffcb97-ffqr9:/# cat /proc/1/cgroup
12:freezer:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
11:cpuset:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
10:blkio:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
9:net_cls,net_prio:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
8:perf_event:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
7:cpu,cpuacct:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
6:hugetlb:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
5:rdma:/
4:devices:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
3:pids:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
2:memory:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
1:name=systemd:/kubepods/besteffort/pod7e3bc2f6-6289-11e9-a9f2-0800271589c8/8cfc1445a524a9cc4515e6f04b55a2d231485bcf01f5b4a15ed7b1bb2c38fa88
0::/system.slice/docker.service
root@ub3-7b85ffcb97-ffqr9:/# cat /proc/65/status | grep Cap
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
root@ub3-7b85ffcb97-ffqr9:/# cat /proc/1/status | grep Cap
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
```
from audit-kubernetes.
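The comment above checks by hand that the process `kubectl cp` spawns shares PID 1's namespaces, cgroup membership and capability masks. The script below is an added example, not part of the original issue or of the audit-kubernetes repository, that automates the same three comparisons and decodes the hex `Cap*` masks from `/proc/<pid>/status` into capability names. It assumes a Linux `/proc` and the bit numbering of the kernel's `include/uapi/linux/capability.h`; all function names are my own.

```shell
#!/bin/sh
# Added example: compare a container's PID 1 with a process spawned inside it
# (such as the tar that kubectl cp runs) for namespace, cgroup and capability
# parity. Assumes a Linux /proc; CAP_NAMES follows the bit order of the
# kernel's include/uapi/linux/capability.h (bits 0..40).

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK -> capability names for each set bit, lowest bit first
decode_caps() {
    mask=$(( 0x$1 ))
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out}${out:+ }cap_${name}"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# extra_caps MASK_A MASK_B -> capabilities present in B but absent from A
extra_caps() {
    decode_caps "$(printf '%x' $(( 0x$2 & ~0x$1 )))"
}

# cap_field PID CapEff -> the hex mask from that row of /proc/PID/status
cap_field() {
    awk -v key="$2:" '$1 == key { print $2 }' "/proc/$1/status"
}

# compare_ns PID1 PID2: one line per namespace; returns 1 on any mismatch
compare_ns() {
    rc=0
    for ns in cgroup ipc mnt net pid user uts; do
        a=$(readlink "/proc/$1/ns/$ns" 2>/dev/null || echo unreadable)
        b=$(readlink "/proc/$2/ns/$ns" 2>/dev/null || echo unreadable)
        if [ "$a" = "$b" ]; then
            printf '%-6s same      %s\n' "$ns" "$a"
        else
            printf '%-6s DIFFERENT %s vs %s\n' "$ns" "$a" "$b"
            rc=1
        fi
    done
    return $rc
}

# compare_caps PID1 PID2: flag any set in which PID2 holds bits PID1 lacks
compare_caps() {
    rc=0
    for field in CapInh CapPrm CapEff CapBnd CapAmb; do
        a=$(cap_field "$1" "$field")
        b=$(cap_field "$2" "$field")
        extra=$(extra_caps "$a" "$b")
        if [ -n "$extra" ]; then
            printf '%s: pid %s has extra: %s\n' "$field" "$2" "$extra"
            rc=1
        else
            printf '%s: %s vs %s ok\n' "$field" "$a" "$b"
        fi
    done
    return $rc
}

# audit_pair PID1 PID2: run all three checks; non-zero status means the
# second process is less confined than the first in at least one respect
audit_pair() {
    status=0
    compare_ns "$1" "$2" || status=1
    if cmp -s "/proc/$1/cgroup" "/proc/$2/cgroup"; then
        echo "cgroup membership identical"
    else
        echo "cgroup membership DIFFERS"
        diff "/proc/$1/cgroup" "/proc/$2/cgroup" || :
        status=1
    fi
    compare_caps "$1" "$2" || status=1
    echo "CapEff of pid $2: $(decode_caps "$(cap_field "$2" CapEff)")"
    return $status
}

# Usage inside the container: sh audit.sh 1 <pid of the spawned process>
if [ $# -eq 2 ]; then
    audit_pair "$1" "$2"
fi
```

Run inside the container with the two PIDs from `ps`, it prints the same information the manual `ls -la /proc/<pid>/ns`, `diff`, and `grep Cap` commands give, plus the decoded names: the mask `00000000a80425fb` from the log is the 14-capability set the container runtime grants by default, with no `CAP_SYS_ADMIN` or `CAP_SYS_PTRACE`. A non-zero exit status is the signal worth alerting on, since it means the spawned process gained something PID 1 did not have.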
Roll into #29, and into TOA-K8S-018 (it's actually already the long term recommendation)