Kubernetes: copying files into and out of containers without ‘kubectl cp’

The ‘kubectl cp’ command is a convenient way to get files into and out of remote containers; however, it requires that the ‘tar’ utility be installed inside the container.

Many images have removed this utility because of the identified security vulnerability (see CVE-2019-1002101 in the references), while others have removed it after adopting the distroless philosophy, which minimizes overhead and reduces attack surface as a principle.

Luckily, ‘kubectl exec’ is still an option for moving both text and binary files into and out of containers. For example, here is how you would take the local binary file named “local.png” and copy it to a pod, and then copy it back to the local file system.

ns=default
pod_name=mypod-xxx

# copy local file to pod
cat local.png | kubectl exec -i $pod_name -n $ns -- tee /tmp/pod.png >/dev/null

# copy file back from pod to local filesystem
kubectl exec -i $pod_name -n $ns -- cat /tmp/pod.png > frompod.png

# should be no differences
cmp -l local.png frompod.png

Along the same lines, here is how you would take a local binary file named “local.png” and copy it to a deployment container, and then copy it back to the local file system.

deployment_name=mydeployment
container_name=mycontainer

# copy local file to deployment container
cat local.png | kubectl exec -i deployment/$deployment_name -n $ns -c $container_name -- tee /tmp/deployment.png >/dev/null

# copy file back from deployment container to local filesystem
kubectl exec -i deployment/$deployment_name -n $ns -c $container_name -- cat /tmp/deployment.png > fromdeployment.png

# should be no differences
cmp -l local.png fromdeployment.png
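
The same transfers wrapped as reusable shell functions, as an added example that is not part of the original post. The function names are hypothetical; like the commands above, it assumes the container has ‘tee’ and ‘cat’. It adds two safeguards: a failed download never leaves a truncated local file, and an upload can be read back and compared byte for byte.

```bash
# Added example; function names are hypothetical. Assumes kubectl is configured
# and the container provides `tee` and `cat`.
# TARGET is a pod name or TYPE/NAME (e.g. deployment/mydeployment); extra
# arguments such as -n NAMESPACE or -c CONTAINER are passed through to kubectl.

# kexec_put LOCAL TARGET REMOTE [kubectl args...]
kexec_put() {
  local src="$1" target="$2" dest="$3"
  shift 3
  [ -f "$src" ] || { echo "kexec_put: no such file: $src" >&2; return 2; }
  # -i streams stdin; -t is left out because a TTY translates line endings
  # and control characters, which corrupts binary data.
  kubectl exec -i "$target" "$@" -- tee "$dest" < "$src" > /dev/null
}

# kexec_get TARGET REMOTE LOCAL [kubectl args...]
kexec_get() {
  local target="$1" src="$2" dest="$3" tmp
  shift 3
  # Download next to the destination and rename only on success, so a failed
  # exec never leaves a truncated file or clobbers an existing one.
  tmp=$(mktemp "$dest.XXXXXX") || return 1
  if kubectl exec "$target" "$@" -- cat "$src" > "$tmp"; then
    mv -f "$tmp" "$dest"
  else
    rm -f "$tmp"
    return 1
  fi
}

# kexec_put_verified LOCAL TARGET REMOTE [kubectl args...]
# Uploads, reads the file back, and compares it byte for byte with the source.
kexec_put_verified() {
  local src="$1" target="$2" dest="$3" back rc
  shift 3
  kexec_put "$src" "$target" "$dest" "$@" || return 1
  back=$(mktemp) || return 1
  kexec_get "$target" "$dest" "$back" "$@" && cmp -s "$src" "$back"
  rc=$?
  rm -f "$back"
  return "$rc"
}

# Usage:
#   kexec_put_verified local.png mypod-xxx /tmp/pod.png -n default
#   kexec_get deployment/mydeployment /tmp/deployment.png fromdeployment.png -n default -c mycontainer
```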

 

REFERENCES

kubectl cp – command reference

CVE-2019-1002101 Symlink attack in kubectl cp

Kubernetes issue asking for kubectl cp functionality without tar

NOTES

Example of the error from ‘kubectl cp’ when the pod does not have the tar utility:

error: Internal error occurred: error executing command in container: failed to exec in container: failed to start exec "1fd899ca136ded633904f2bd8238e4a73ff6891c81b55bb2a451a1fc3b8934d3": OCI runtime exec failed: exec failed: unable to start container process: exec: "tar": executable file not found in $PATH: unknown