MetaDefender Core on K8s: Persisting Quarantine, DLP, and CDR Output Across Pod Restarts

This article applies to MetaDefender Core All MetaDefender Core releases deployed on Linux.

Problem Summary

When MetaDefender Core runs on Kubernetes without persisting output directories, files produced by quarantine, DLP, and Content Disarm and Reconstruction (CDR) are lost after pod restarts, reschedules, or scale-in/out events. This occurs because ephemeral container filesystems do not survive lifecycle changes.

What Not to Do

Avoid manually mounting internal Core application paths such as /opt/ometascan/coredata/var/lib/ometascan/. While it may appear to work initially, it can cause instability, misconfiguration, and operational issues over time. Do not rely on the DATADIR variable; it is not supported for this purpose and will be removed in the future.

Recommended Approach

Use a dedicated, persistent storage path exposed to the pod via a PersistentVolumeClaim (PVC), and instruct MetaDefender Core to place its output there using a new environment variable STORAGE_PATH. This cleanly separates app internals from persistent data and works reliably across pod restarts.

Design Overview

Create or reference a PVC sized for your expected workload (quarantine, DLP artifacts, sanitized output, SBOMs).
Mount the PVC into the MetaDefender Core pod at a path reserved for outputs (example: /home/metascan/).
Set the environment variable STORAGE_PATH to the same path (example: /home/metascan/).
Core organizes data by pod instance under this directory, ensuring all output persists beyond pod lifecycle events.

Benefits

Prevents loss of quarantine, DLP, sanitized, and SBOM files after pod restarts.
Avoids brittle mounts into internal app paths.
Simplifies troubleshooting and auditing by keeping pod-specific subfolders.

High-Level Implementation Steps

1) Plan Capacity and Retention

Estimate daily volume of quarantined, DLP, sanitized, and SBOM artifacts.
Align PVC size and storage class performance (IOPS/throughput) to SLA and retention goals.
Plan a rotation/cleanup policy.

2) Create or Select a PersistentVolumeClaim

Provision a PVC using your Kubernetes platform’s standard process. At minimum define:

Storage class (backed by your CSI driver)
Requested capacity
Access mode compatible with your deployment pattern (e.g., ReadWriteOnce or ReadWriteMany as your storage supports)

Details vary by platform; use your provider’s documentation for PVC creation and binding.

3) Mount the PVC in the Pod and Set STORAGE_PATH

In your deployment (YAML/Helm/Operator), add:

A volume sourced from your PVC
A persistentDir and storage_name /home/metascan/ (examples) under core components
An environment variable STORAGE_PATH=/home/metascan/

Notes:

Provided sample values in the above. Use values that are valid for your current system.
Do not mount to internal app directories; use a clean path like /home/metascan/.

What You Should See After Startup

When the pod is running with this PVC attached, the STORAGE_PATH directory will include subdirectories for each pod instance name as well as shared artifacts. For example (the following are ls commands run from inside a running pod):

This reflects:

Per-pod folders for running and previously deleted pods—data persists across restarts.
Directories for DLP output, quarantine, sanitized files, and SBOM reports under each pod’s folder.

Use STORAGEPATH to direct Core’s output to a PVC-backed directory (e.g., /home/metascan/). Do not mount internal app directories or use the DATADIR variable. This approach ensures quarantine, DLP, sanitized, and SBOM files persist across pod restarts.

If Further Assistance is required, please proceed to log a support case or chatting with our support engineer

Last updated on

Was this page helpful?