I want to set k8s kube-proxy config file permission for hardening purposes.
I’m wondering how the kube-proxy process can be running with the --config flag set to a path (var/lib/kube-proxy/config.conf) that can’t be found…
In fact, checking the kube-proxy process gives this:
[centos@cpu-node0 ~]$ ps -ef | grep kube-proxy
root 20890 20872 0 Oct20 ? 00:19:23 /usr/local/bin/kube-proxy --config=/var/lib/kube-proxy/config.conf --hostname-override=cpu-node0
centos 55623 51112 0 14:44 pts/0 00:00:00 grep --color=auto kube-proxy
But the file /var/lib/kube-proxy/config.conf does not exist:
[centos@cpu-node0 ~]$ ll /var/lib/kube-proxy/config.conf
ls: cannot access /var/lib/kube-proxy/config.conf: No such file or directory
Why?
2 Answers
Absolutely @confused genius, the kube-proxy process and its config files reside inside the kube-proxy pod.
Now list containers and get kube-proxy container short id:
Check kube-proxy config file permissions:

I am also facing an issue on my setup (1.19)
One more interesting thing is that "kube-proxy" is also not found:
The above made me realize that the kube-proxy binary is running inside the kube-proxy container of that node.
In short, it seems like the kube-proxy binary & config files are inside the kube-proxy pod of that node and they are running inside that pod. One reason why it might show up in the ps -ef output of the host can be that the pod is using the PID namespace of the host. Also, we can see that the parent PID of the kube-proxy process is nothing but containerd of that respective container.
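
For the hardening check the question asks about, the file can also be inspected from the host without entering the container, because /proc/<pid>/root exposes the filesystem as the kube-proxy process itself sees it. The script below is an added example, not code from either answer. It assumes GNU stat, root privileges, and a baseline of mode 644 or stricter with owner 0:0; the function names and the --audit switch are made up for this illustration.

```shell
#!/bin/sh
# Added example: audit the kube-proxy --config file from the host through
# /proc/<pid>/root (the process's own view of its mount namespace).

# Read a NUL-separated /proc/<pid>/cmdline on stdin, print the --config value.
config_path_from_cmdline() {
    tr '\0' '\n' | awk '
        prev == "--config" { print; exit }                 # "--config /path"
        /^--config=/ { sub(/^--config=/, ""); print; exit } # "--config=/path"
        { prev = $0 }'
}

# Succeed when octal mode $1 sets no bit outside the octal ceiling $2.
mode_within() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# Audit one PID. $2 is the permission ceiling (assumed baseline, default 644).
audit_pid() {
    pid=$1; ceiling=${2:-644}
    cfg=$(config_path_from_cmdline < "/proc/$pid/cmdline") || return 2
    [ -n "$cfg" ] || { echo "pid $pid: no --config flag" >&2; return 2; }
    # Resolve the path inside the container's filesystem, following symlinks.
    out=$(stat -L -c '%a %u:%g' "/proc/$pid/root$cfg") || return 2
    mode=${out% *}; owner=${out#* }
    if mode_within "$mode" "$ceiling" && [ "$owner" = "0:0" ]; then
        echo "PASS pid=$pid $cfg mode=$mode owner=$owner"
    else
        echo "FAIL pid=$pid $cfg mode=$mode owner=$owner (want <= $ceiling, 0:0)"
        return 1
    fi
}

# Audit every kube-proxy process visible on this node.
audit_all() {
    rc=0
    for p in $(pgrep -x kube-proxy); do
        audit_pid "$p" "${1:-644}" || rc=1
    done
    return $rc
}

# Only touch the live system when asked: sudo ./audit.sh --audit [ceiling]
if [ "${1:-}" = "--audit" ]; then
    audit_all "${2:-644}"
fi
```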