Turbine Platform Installer Gui...
Troubleshooting Guide
Endpoint Security Exclusions for Kubernetes Nodes
Overview

Kubernetes nodes perform continuous file system operations, process creation, and network activity. Endpoint security products such as Trellix ePO use on-access scanning that can interfere with these operations if it is not properly scoped. To prevent performance degradation, file lock issues, and unexpected pod or node instability, specific directories, files, and processes must be excluded from on-access scanning.

This guidance applies to Kubernetes clusters deployed using containerd, CNI plugins, and Replicated kURL-based installations on RHEL and similar Linux distributions.

Scope

These exclusions apply to:
• Kubernetes worker and control plane nodes
• hosts running containerd
• systems using Flannel or similar CNI plugins
• systems using OpenEBS
• Replicated and kURL-based Kubernetes installations

These exclusions should be configured for on-access or real-time scanning only. Scheduled or on-demand scans may still be performed during maintenance windows.

Directory Exclusions

Exclude the following directories from on-access scanning:

/var/openebs
/etc/cni
/etc/kubernetes
/etc/kurl
/opt/cni
/opt/containerd
/opt/replicated
/opt/ekco
/run
/run/containerd
/run/flannel
/sys
/sys/fs/cgroup/system.slice/containerd.service
/usr/libexec/kubernetes
/var/lib/cni
/var/lib/containerd
/var/lib/kubelet
/var/lib/kubelet/pods
/var/lib/kubelet/plugins
/var/lib/kubelet/plugins_registry
/var/lib/kurl
/var/log
/proc
/dev
/tmp

Rationale

These paths contain:
• active container layers and runtime state
• Kubernetes manifests, sockets, and internal metadata
• network plugin state and temporary files
• volume mounts and persistent storage paths
• virtual or ephemeral filesystems

Scanning these locations can lead to pod startup delays, volume mount failures, networking issues, and node instability.

File Exclusions

Exclude the following binaries from on-access scanning:

/usr/local/bin/kubectl-support_bundle
/usr/local/bin/kubectl-kots
/usr/local/bin/kubectl-preflight

Rationale

These utilities are used for Kubernetes diagnostics, installation, and support operations. Scanning them can interfere with cluster validation, upgrades, and support workflows.

Process Exclusions

Exclude the following processes from real-time scanning. Where supported, process exclusions should be configured using the full binary path.

containerd.service
kubelet.service
kubelet
containerd
containerd-shim
containerd-shim-runc-v2
flanneld
etcd

Important note on etcd: In many Kubernetes deployments, including kURL, etcd runs as a static pod rather than a systemd service. In these cases there may be no etcd service, but the etcd process will still be present and must be excluded.

Rationale

These processes are core to Kubernetes scheduling, container lifecycle management, networking, and cluster state. Intercepting them with real-time scanning can cause:
• slow or failed pod creation
• container runtime instability
• cluster state inconsistencies
• unexpected node restarts

Best Practices

• Apply exclusions only to Kubernetes nodes.
• Limit exclusions to on-access scanning.
• Validate exclusions after cluster upgrades.
• Do not disable endpoint security entirely.
• Use process exclusions in addition to file and directory exclusions.

Summary

Kubernetes workloads are highly sensitive to filesystem and process interception. Properly scoped endpoint security exclusions are required to ensure cluster stability, predictable performance, and reliable operation. The exclusions listed in this article are aligned with Kubernetes operational behavior and are recommended when running Trellix ePO or similar endpoint security solutions on Kubernetes hosts.
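The following script is an added example and is not part of the original article or of the kURL project. It audits a node against the exclusion list above before the list is handed to the endpoint security team: it reports which excluded directories and binaries are absent on the host (normally meaning that component, such as OpenEBS, is not installed) and resolves the process names to full binary paths, since the article recommends full-path process exclusions. The directory, file and process entries are the article's; the ROOT prefix and SEARCHPATH arguments are assumptions so the script can be exercised against a scratch directory rather than a live node.

```shell
#!/bin/sh
# Added example, not from the original article: audit a node against the
# Trellix ePO exclusion list. Run as root on a node:  sh audit-exclusions.sh
# Path lists below are the article's. ROOT ($1) and SEARCHPATH are assumed
# knobs so the functions can be exercised against a scratch directory.

EXCLUDE_DIRS="/var/openebs /etc/cni /etc/kubernetes /etc/kurl /opt/cni /opt/containerd
/opt/replicated /opt/ekco /run /run/containerd /run/flannel /sys
/sys/fs/cgroup/system.slice/containerd.service /usr/libexec/kubernetes
/var/lib/cni /var/lib/containerd /var/lib/kubelet /var/lib/kubelet/pods
/var/lib/kubelet/plugins /var/lib/kubelet/plugins_registry /var/lib/kurl
/var/log /proc /dev /tmp"

EXCLUDE_FILES="/usr/local/bin/kubectl-support_bundle /usr/local/bin/kubectl-kots
/usr/local/bin/kubectl-preflight"

# Executables behind the process exclusions. The .service entries are systemd
# unit names, not binaries, so they are configured by name and not resolved.
EXCLUDE_PROCS="kubelet containerd containerd-shim containerd-shim-runc-v2 flanneld etcd"

# Print every listed directory that does not exist under ROOT ($1, default "/").
# A missing directory usually means that component is not installed on this
# node; the exclusion is still harmless to configure.
missing_dirs() {
  root=${1:-}
  for d in $EXCLUDE_DIRS; do
    [ -d "$root$d" ] || echo "$d"
  done
}

# Print every listed binary that does not exist under ROOT ($1).
missing_files() {
  root=${1:-}
  for f in $EXCLUDE_FILES; do
    [ -f "$root$f" ] || echo "$f"
  done
}

# Resolve each process name to a full binary path by walking SEARCHPATH
# ($1, colon separated, default $PATH); print "NOT FOUND: name" otherwise.
resolve_procs() {
  searchpath=${1:-$PATH}
  for p in $EXCLUDE_PROCS; do
    found=""
    oldifs=$IFS
    IFS=:
    for dir in $searchpath; do
      if [ -x "$dir/$p" ]; then
        found="$dir/$p"
        break
      fi
    done
    IFS=$oldifs
    if [ -n "$found" ]; then echo "$found"; else echo "NOT FOUND: $p"; fi
  done
}

# Human-readable report for the node (or for a scratch root passed as $1).
report() {
  echo "== excluded directories absent under '${1:-/}' =="
  missing_dirs "$1"
  echo "== excluded binaries absent under '${1:-/}' =="
  missing_files "$1"
  echo "== full paths for process exclusions =="
  resolve_procs
}

[ -n "${AUDIT_EXCLUSIONS_NO_MAIN:-}" ] || report "${1:-}"
```

Any "NOT FOUND" entry in the process section should be checked against the note on etcd above: the binary may live inside the static pod's container image rather than on the host PATH, in which case the exclusion is entered by process name.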