Table of Contents

  1. Kubernetes System Directories
  2. Container Runtime Directories
  3. Apinizer Application Directories
  4. Log Directories
  5. Data Directories (Persistent Volumes)
  6. Container Image Directories
  7. Network Files
  8. Process and System Files
  9. Apinizer Component Ports (Network Exclusion)
  10. Process Exclusions
  11. Summary Exclusion List
  12. Important Notes

1. Kubernetes System Directories

Directories required for Kubernetes operation:
/var/lib/kubelet/**
/var/lib/etcd/**
/var/lib/containerd/**
/var/lib/docker/**
/var/lib/cni/**
/var/run/containerd/**
/var/run/docker/**
/var/run/kubelet/**
/var/run/secrets/kubernetes.io/serviceaccount/**
/etc/kubernetes/**
/etc/cni/**
/opt/cni/**
Important: Apinizer accesses Kubernetes service account files:
  • /var/run/secrets/kubernetes.io/serviceaccount/namespace
  • /var/run/secrets/kubernetes.io/serviceaccount/token

2. Container Runtime Directories

/var/lib/containerd/**
/var/lib/docker/**
/var/lib/crio/**
/var/lib/podman/**
/var/run/containerd/**
/var/run/docker/**
/var/run/crio/**
/var/run/podman/**

3. Apinizer Application Directories

In-container working directories:
/home/ubuntu/**
/tmp/**
/var/tmp/**
Note: Apinizer uses java.io.tmpdir (typically /tmp or /var/tmp).

4. Log Directories

Log files for Apinizer components:
/var/log/apinizer/**
/var/log/kubernetes/**
/var/log/containers/**
/var/log/pods/**

5. Data Directories (Persistent Volumes)

For MongoDB, Elasticsearch, and Hazelcast:
# MongoDB data directories
/var/lib/mongodb/**
/data/mongodb/**
/mongodb-data/**

# Elasticsearch data directories
/var/lib/elasticsearch/**
/data/elasticsearch/**
/elasticsearch-data/**

# Hazelcast cache directories
/var/lib/hazelcast/**
/data/hazelcast/**
/hazelcast-data/**

# General persistent volume directories
/var/lib/kubelet/pods/**

6. Container Image Directories

/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/**
/var/lib/docker/image/**
/var/lib/docker/overlay2/**

7. Network Files

Kubernetes network plugin files:
/var/lib/cni/**
/opt/cni/bin/**
/etc/cni/net.d/**
/var/run/flannel/**

8. Process and System Files

/proc/**
/sys/**
/dev/**

9. Apinizer Component Ports (Network Exclusion)

Exclude the following ports to prevent antivirus from scanning their network traffic:
# Worker NodePorts
32080/tcp  # API Management Console
30180/tcp  # API Portal
30080/tcp  # API Gateway
30090/tcp  # API Gateway alternative

# Kubernetes ports
6443/tcp   # Kubernetes API server
10248/tcp  # Kubelet API
10250/tcp  # Kubelet API
10257/tcp  # Kube-controller-manager
10259/tcp  # Kube-scheduler
2379-2380/tcp  # etcd
8285/udp   # Flannel
8472/udp   # Flannel
179/tcp    # Calico
9091/tcp   # Calico
9099/tcp   # Calico

# Apinizer component ports
8080/tcp   # Manager API
5701/tcp   # Hazelcast Cache
9200/tcp   # Elasticsearch HTTP
9300/tcp   # Elasticsearch Transport
25080/tcp  # MongoDB

10. Process Exclusions

The following processes should be exempt from scanning:
# Kubernetes components
kubelet
kube-proxy
kube-apiserver
kube-controller-manager
kube-scheduler
etcd
containerd
dockerd
crio

# Apinizer components
java (for Apinizer Worker, Manager, Cache)
mongod
elasticsearch

11. Summary Exclusion List

The following format can be used with most antivirus solutions:
# Kubernetes Core
/var/lib/kubelet/**
/var/lib/etcd/**
/var/lib/containerd/**
/var/lib/docker/**
/var/run/containerd/**
/var/run/secrets/kubernetes.io/serviceaccount/**
/etc/kubernetes/**

# Container Runtime
/var/lib/cni/**
/opt/cni/**

# Apinizer Application
/home/ubuntu/**
/tmp/**
/var/tmp/**

# Logs
/var/log/apinizer/**
/var/log/kubernetes/**
/var/log/containers/**
/var/log/pods/**

# Data Volumes
/var/lib/mongodb/**
/var/lib/elasticsearch/**
/var/lib/hazelcast/**
/var/lib/kubelet/pods/**

# System
/proc/**
/sys/**
/dev/**

12. Important Notes

  1. Performance: Excluding these directories reduces the performance impact of antivirus and ensures Apinizer runs normally.
  2. Security: Limit exclusions to necessary directories only. Unnecessary exclusions can create security risks.
  3. Monitoring: Perform security monitoring on excluded directories. Even if antivirus does not scan them, log monitoring and behavioral analysis should continue.
  4. Documentation: When DMZ and LAN separation is applied as described on the Network Topology and Port Requirements page, separate exclusion policies per zone can be considered.

Apinizer Deployment Topology

Apinizer is deployed on Kubernetes as follows:

DMZ Zone (Demilitarized Zone)

Worker Nodes:
  • Local Cache
  • Token Provider API
  • Proxy Handler
Port Requirements:
  • 32080 (NodePort) - Manager access
  • 30080/30090 (NodePort) - Apinizer API Gateway
  • 443/80 (HTTPS/HTTP) - Client access

LAN Zone (Local Area Network)

Manager Module:
  • Scheduled Jobs
  • Monitoring & Alerting
  • Analytics Engine
  • Web Manager
Port Requirements:
  • 8080 (Management API) - Access from Workers
  • 8080 (HTTP) - Web Manager
MongoDB:
  • Port 25080 (Apinizer DB Port)
  • Port 27017 (MongoDB)
Elasticsearch:
  • Port 9200 (HTTP) - Log submission
  • Port 9300 (Transport) - Cluster communication
Cache Cluster (Hazelcast):
  • Port 5701 - Cluster communication

Configuration by Antivirus Solution

  • Symantec Endpoint Protection: File and Folder Exclusions
  • McAfee: Real-Time Scan Exclusions
  • Trend Micro: Scan Exclusions
  • Windows Defender: Exclusion paths
  • ClamAV: ExcludePath directive
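
For the ClamAV case, the glob-style entries of the Summary Exclusion List have to be rewritten as regular expressions for ExcludePath. The following is an added example, not part of the original page or of Apinizer: it parses such a list, drops entries already covered by a broader one (in line with the note on limiting exclusions), renders anchored ExcludePath lines, and names the excluded world-writable paths to prioritize for monitoring. The function names, the abbreviated sample list and the WORLD_WRITABLE set are assumptions made for illustration.

```python
import re

# Constructed input: an abbreviated copy of the page's Summary Exclusion List.
SUMMARY = """\
# Kubernetes Core
/var/lib/kubelet/**
/var/run/secrets/kubernetes.io/serviceaccount/**
# Apinizer Application
/home/ubuntu/**
/tmp/**
/var/tmp/**
/var/lib/kubelet/pods/**
"""

# Assumption: directories any local user can write to on a stock Linux host.
WORLD_WRITABLE = {"/tmp", "/var/tmp"}


def parse_exclusions(text):
    """Return the directory of each 'path/**' line, skipping comments and blanks."""
    dirs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not (line.startswith("/") and line.endswith("/**")):
            raise ValueError(f"unsupported pattern: {raw!r}")
        dirs.append(line[:-3])
    return dirs


def minimize(dirs):
    """Drop duplicates and entries already covered by a broader excluded parent."""
    kept = []
    for d in sorted(set(dirs), key=len):
        if not any(d.startswith(k + "/") for k in kept):
            kept.append(d)
    return sorted(kept)


def clamav_lines(dirs):
    """Render ExcludePath regexes, anchored so ^/tmp/ cannot match /data/tmp/."""
    escaped = [re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", d) for d in dirs]
    return [f"ExcludePath ^{e}/" for e in escaped]


def priority_watch(dirs):
    """Excluded world-writable paths: first candidates for the monitoring in note 3."""
    return [d for d in dirs if d in WORLD_WRITABLE]
```

Calling clamav_lines(minimize(parse_exclusions(SUMMARY))) yields one line per remaining directory, ready to append to clamd.conf after review.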

Last Updated: 2026-02-04