This issue was reported in the Kubernetes Security Audit Report
Figure 25.1: Stacktrace of a kubelet crash resulting from a bad file descriptor.
Figure 25.2: Only the error is logged, execution flow is not affected by the error.
Figure 25.3: stdout is indexed, even if it is empty.
Additionally, if the command produces no output for any reason, the command will also fail due to an empty string being indexed.
Long term, improve unit testing to cover failures of dependent tooling.
Anything else we need to know?:
See #81146 for current status of all issues created from these findings.
The vendor gave this issue an ID of TOB-K8S-023 and it was finding 27 of the report.
The vendor considers this issue Low Severity.
To view the original finding, begin on page 70 of the Kubernetes Security Review Report
This is no longer relevant since we now walk the filesystem directly: https://github.com/google/cadvisor/blob/master/fs/fs.go#L552
We should make sure this same problem doesn't exist with the kubelet's empty-dir monitoring code, which still uses du: https://github.com/kubernetes/kubernetes/blob/master/pkg/volume/util/fs/fs.go#L59
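The failure mode in this finding (the command's error is only logged, then its stdout is indexed even when empty) can be guarded against as in the following added example. It is not code from cAdvisor, the kubelet, or the audit report; the helper name `parseDuSize` and the assumed `<size>\t<path>` output layout are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// parseDuSize is a hypothetical helper. It takes the stdout and error of a
// finished `du -s <dir>` run (assumed layout: "<size>\t<path>\n") and returns
// the size field without ever indexing an empty result.
func parseDuSize(stdout []byte, runErr error) (int64, error) {
	// A failed command must end the flow here, not merely be logged.
	if runErr != nil {
		return 0, fmt.Errorf("du failed: %w", runErr)
	}
	fields := strings.Fields(string(stdout))
	// Empty or whitespace-only output gives zero fields; fields[0] would panic.
	if len(fields) == 0 {
		return 0, errors.New("du produced no output")
	}
	size, err := strconv.ParseInt(fields[0], 10, 64)
	if err != nil {
		return 0, fmt.Errorf("unexpected du output %q: %w", fields[0], err)
	}
	if size < 0 {
		return 0, fmt.Errorf("negative size %d in du output", size)
	}
	return size, nil
}

func main() {
	// Constructed sample inputs, not captured from a real node.
	samples := []struct {
		out []byte
		err error
	}{
		{[]byte("2048\t/var/lib/example\n"), nil},
		{[]byte(""), nil},
		{[]byte("garbage\t/var/lib/example\n"), nil},
		{nil, errors.New("bad file descriptor")},
	}
	for _, s := range samples {
		n, err := parseDuSize(s.out, s.err)
		fmt.Printf("size=%d err=%v\n", n, err)
	}
}
```

Unit tests that feed such a parser empty output and a failing command cover the "failures of dependent tooling" the long-term recommendation asks for.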