In the dynamic world of containerized workloads orchestrated by Kubernetes, tracing issues back to their source can sometimes be tricky. Traditional system insights, often rooted in OS or cloud layers, don’t always speak the language of Kubernetes. This short blog is the story of how we trace a seemingly opaque clue like a Linux partition ID back to the Kubernetes workload residing within it.
Imagine this scenario: a Cloud Native Application Protection Platform (CNAPP) scans your EBS volumes/snapshots for security vulnerabilities. It reports the location of these vulnerabilities — files nested within specific filesystem paths. In a typical Linux VM, you go to the location & fix the issue but if this VM is a node of a Kubernetes cluster, these files might belong to a pod in your cluster.
The file path alone might not be enough to pinpoint the pod requiring remediation. While traditional VMs typically hold entries for all mounted volumes in /etc/fstab, Kubernetes nodes won’t always do this, since the EBS volumes “travel” from node to node as pods migrate. So the CNAPP resorts to using the partition ID as part of the vulnerable file path.
Partition to Pod
One approach (among many) of tracing back the partition ID to the K8s workload is as follows:
Open up a terminal in your K8s node & use lsblk to find the partition:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1 259:0 0 200G 0 disk
├─nvme0n1p1 259:1 0 200G 0 part /
└─nvme0n1p128 259:2 0 1M 0 part
nvme1n1 259:3 0 20G 0 disk /var/lib/kubelet/pods/60058b56-ee0f-4c5b-ad66-d6588516aed2/volumes/kubernetes...
nvme2n1 259:4 0 70G 0 disk /var/lib/kubelet/pods/9cb1e483-54a8-46ca-8636-b9713c20ea4b/volumes/kubernetes...
nvme3n1 259:5 0 20G 0 disk /var/lib/kubelet/pods/cad5df0f-c1ea-4730-bbfb-fe6b0a04e225/volumes/kubernetes...
To strip down everything unwanted & just see the partition ID & PV ID:
$ lsblk -o UUID,MOUNTPOINT | grep kubernetes | \
sed 's/\/mount//g' | sed 's/-.* / /g' | \
Now, a simple kubectl get pv in your cluster is enough to map the above PVs to their respective workloads & the target of your remediation efforts.
There are a few scenarios where the ability to trace Linux disk partition IDs back to their Kubernetes pods might be useful:
Vulnerability Response: This is the use case we covered above. Identify the pod harboring the vulnerability detected by the CNAPP & fix it.
Performance Bottlenecks: If system monitoring tools identify slow I/O operations traced back to a specific partition, leverage this technique to identify the impacted pod & address the resource constraints hindering its performance.
Forensic Analysis: In case of an incident, tracing suspicious file modifications back to the responsible pod through partition IDs can be a crucial step in forensic analysis, helping to isolate the affected workload & expedite remediation efforts.
Scale & Maintain the Solution
If workloads in your cluster are fairly static, it’s a one-time effort to collect all partition IDs from all your nodes & map them all to their PVCs & pods in the cluster. Since dynamically-provisioned PVs won’t be recreated unless you delete their PVCs, the underlying EBS volumes also stay unchanged. And since a partition ID is inherent to the EBS volume, it doesn’t change when the volume moves to other nodes as its pod moves.
While Kubernetes offers a powerful abstraction layer for managing containerized workloads, it can sometimes obscure the underlying infrastructure. This article highlights one such case where tooling outside of Kubernetes can be made to work with K8s when needed.
About the Author ✍🏻
Harish KM is a Principal DevOps Engineer at QloudX & a top-ranked AWS Ambassador since 2020. 👨🏻💻
With over a decade of industry experience as everything from a full-stack engineer to a cloud architect, Harish has built many world-class solutions for clients around the world! 👷🏻♂️
With over 20 certifications in cloud (AWS, Azure, GCP), containers (Kubernetes, Docker) & DevOps (Terraform, Ansible, Jenkins), Harish is an expert in a multitude of technologies. 📚
These days, his focus is on the fascinating world of DevOps & how it can transform the way we do things! 🚀
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.