# Antivirus and antimalware guidelines
Real-time file scanning by antivirus or antimalware software can interfere with MKE 4k operations. When a scanning tool accesses files that the container runtime or Kubernetes components are actively using, the following issues can occur:
- Container image pulls hang or fail
- etcd write latency increases, triggering leader re-elections
- Kubelet volume operations stall, making nodes unschedulable
## Recommended exclusions
Add the following paths to your antivirus exclusion list before you install or operate MKE 4k.
### All nodes

#### Runtime data
| Path | Description |
|---|---|
| /var/lib/k0s | Default k0s data directory. Configurable via spec.k8sProviderSpecs.dataDir. |
| /run/k0s | Runtime sockets, binaries, and ephemeral configuration. |
| /etc/k0s | k0s configuration, optional containerd settings, registry CA certificates, and GPU operator data. |
| /var/lib/kubelet | Default kubelet root directory. Configurable via spec.kubelet.kubeletRootDir. |
| /etc/cni | CNI configuration. |
Note: If you changed the default value for spec.k8sProviderSpecs.dataDir or spec.kubelet.kubeletRootDir, substitute the configured path in the table above.
#### Binaries

- /usr/local/bin/k0s
- /opt/cni/*
- /usr/local/bin/oci-downloader
### Controller nodes only

#### Runtime data
| Path | Description |
|---|---|
| /var/lib/etcd-maintenance | Runtime data directory for the etcd-maintenance service, which runs persistently on controller nodes and performs etcd defragmentation and cleanup. |
#### Binaries

- /usr/local/bin/etcd-maintenance
- /usr/local/bin/etcdctl
## Install and upgrade operations

During mkectl apply and mkectl upgrade, the oci-downloader tool writes the following binaries directly to disk from the OCI registry:
| Binary | Path | Nodes |
|---|---|---|
| k0s | /usr/local/bin/k0s | All nodes |
| CNI binaries and plugins | /opt/cni/* | All nodes |
| etcd-maintenance | /usr/local/bin/etcd-maintenance | Controller nodes only |
Warning: Antivirus write-time scanning can corrupt a binary on disk or cause the operation to time out. Ensure that all binary paths are excluded before you run install or upgrade operations.
## Backup, restore, and upgrade operations
This section applies to the machine running mkectl (your workstation or jump host), not to cluster nodes.
During mkectl backup, restore, and upgrade operations, MKE 4k stages temporary files in /tmp on the local machine. These files include etcd snapshots, cluster configuration, and binaries. Antivirus agents that scan /tmp during these operations can cause them to fail or produce incomplete files on disk.
Use one of the following options to prevent interference:

- Temporarily disable real-time scanning before the operation, and re-enable it immediately after.
- Redirect temporary files to a dedicated directory outside antivirus coverage:

  ```shell
  mkdir -p /tmp/mke-ops
  export TMPDIR=/tmp/mke-ops
  mkectl backup ... # or restore / upgrade
  ```
Note: $TMPDIR redirects temporary files on the local machine only. Files written directly to remote cluster nodes during restore operations use /tmp on those nodes and are not redirected by this variable.
## Security trade-off

Excluding these paths means that antivirus software no longer scans container image layers, kubelet volumes, or etcd data, so malicious content in those locations is not detected in real time.
To mitigate this risk, schedule periodic offline scans during maintenance windows:
- Cordon and drain the node before scanning.
- Stop the k0s service before you scan /var/lib/k0s/etcd.
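The following script is an added example, not part of the MKE or k0s documentation or tooling. It ties together the two lists above: mke_av_exclusions prints the exclusion paths for a node role (controller or worker), honoring overrides of spec.k8sProviderSpecs.dataDir and spec.kubelet.kubeletRootDir through the DATA_DIR and KUBELET_ROOT variables (a convention of this example, not an MKE setting), and offline_scan runs the maintenance-window procedure from the Security trade-off section in order: cordon, drain, stop k0s when etcd is in scope, scan the excluded paths, restart, uncordon. It assumes kubectl is configured for the cluster, that the scanner is a CLI such as clamscan that accepts paths (SCANNER is an assumption), and that the k0s binary provides the `k0s stop` and `k0s start` subcommands. DRY_RUN=1 prints the commands instead of executing them so the order can be reviewed before a real maintenance window.

```shell
#!/bin/sh
# Added example (not MKE/k0s project code). Paths come from the exclusion
# tables on this page; DATA_DIR and KUBELET_ROOT exist only so that a
# non-default dataDir / kubeletRootDir can be substituted.
set -eu

DATA_DIR="${DATA_DIR:-/var/lib/k0s}"            # spec.k8sProviderSpecs.dataDir
KUBELET_ROOT="${KUBELET_ROOT:-/var/lib/kubelet}" # spec.kubelet.kubeletRootDir
SCANNER="${SCANNER:-clamscan -r}"                # assumed: any path-taking CLI scanner
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print commands, do not run them

# mke_av_exclusions ROLE
# Prints one exclusion path per line for ROLE (controller|worker).
# /opt/cni stands for the page's /opt/cni/* (everything below the directory).
mke_av_exclusions() {
  role="$1"
  printf '%s\n' \
    "$DATA_DIR" /run/k0s /etc/k0s "$KUBELET_ROOT" /etc/cni \
    /usr/local/bin/k0s /opt/cni /usr/local/bin/oci-downloader
  if [ "$role" = controller ]; then
    printf '%s\n' /var/lib/etcd-maintenance \
      /usr/local/bin/etcd-maintenance /usr/local/bin/etcdctl
  fi
}

# run CMD [ARGS...]
# Executes the command, or echoes it prefixed with "+ " when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# offline_scan NODE ROLE
# Maintenance-window scan of the excluded paths on NODE:
#   1. cordon and drain so no workloads are touched mid-scan
#   2. on controllers, stop k0s so the etcd directory under DATA_DIR is quiescent
#   3. scan every excluded path
#   4. restart k0s (controllers) and uncordon the node
offline_scan() {
  node="$1"; role="$2"
  run kubectl cordon "$node"
  run kubectl drain "$node" --ignore-daemonsets --delete-emptydir-data
  if [ "$role" = controller ]; then
    run k0s stop
  fi
  mke_av_exclusions "$role" | while read -r path; do
    # shellcheck disable=SC2086  # SCANNER is intentionally word-split
    run $SCANNER "$path"
  done
  if [ "$role" = controller ]; then
    run k0s start
  fi
  run kubectl uncordon "$node"
}

# Usage (review the plan first, then run it for real):
#   DRY_RUN=1 sh av-scan.sh controller-1 controller
#   sh av-scan.sh controller-1 controller
if [ "${1:-}" != "" ] && [ "${2:-}" != "" ]; then
  offline_scan "$1" "$2"
fi
```

Run the script on the node being scanned (kubectl needs a working kubeconfig there), and feed the output of mke_av_exclusions to your antivirus product's exclusion configuration in whatever format it expects; when dataDir or kubeletRootDir were changed in the MKE configuration, export DATA_DIR or KUBELET_ROOT before calling it so the generated list matches the node.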