
kubelet set the permission of archived logs as worldwide #124228

Open
yong-jie-gong opened this issue Apr 8, 2024 · 7 comments · May be fixed by #124229
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/security Categorizes an issue or PR as relevant to SIG Security.

Comments

@yong-jie-gong

yong-jie-gong commented Apr 8, 2024

What happened?

Periodically, kubelet archives the logs as .gz files, but the file permission is set to world-readable "644":

# ls -rlt /var/log/pods/*/*/*.gz

-rw-r--r--. 1 root root 1038836 Mar 29 06:18 /var/log/pods/kube-system_apiserver-demo1.test.com_712b37831be464ccc2fb1553ef89aa91/apiserver/66.log.20240327-233810.gz
-rw-r--r--. 1 root root 1175429 Mar 31 14:44 /var/log/pods/kube-system_coredns-cfngt_8a5bacf2-063b-4ffc-b86a-237b94a07246/coredns/18.log.20240329-044703.gz
-rw-r--r--. 1 root root  379963 Apr  6 23:58 /var/log/pods/kube-system_apiserver-demo1.test.com_712b37831be464ccc2fb1553ef89aa91/apiserver/69.log.20240406-085133.gz

What did you expect to happen?

Log files should not be world-readable.

How can we reproduce it (as minimally and precisely as possible)?

  1. install containerd + kubernetes
  2. watch the folder: ls -rlt /var/log/pods/*/*/*.gz

Anything else we need to know?

No response

Kubernetes version

Client Version: v1.29.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.1

Cloud provider

OS version

# On Linux:
$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"

$ uname -a
Linux gongyovm02.hpeswlab.net 5.14.0-284.11.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Apr 12 10:45:03 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux


Install tools

Container runtime (CRI) and version (if applicable)

containerd

Related plugins (CNI, CSI, ...) and versions (if applicable)

@yong-jie-gong yong-jie-gong added the kind/bug Categorizes issue or PR as related to a bug. label Apr 8, 2024
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 8, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@yong-jie-gong yong-jie-gong changed the title kubelet set archived logs as worldwide kubelet set the permission of archived logs as worldwide Apr 8, 2024
@yong-jie-gong
Author

Raised PR #124229 to fix this issue.

@neolit123
Member

/sig node security

@k8s-ci-robot k8s-ci-robot added sig/node Categorizes an issue or PR as relevant to SIG Node. sig/security Categorizes an issue or PR as relevant to SIG Security. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Apr 8, 2024
@saschagrunert
Member

While I agree that stricter security is better in that case, we will end up breaking existing users when changing the current permissions.

@kannon92
Contributor

kannon92 commented Apr 8, 2024

/remove-kind bug
/kind feature

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. and removed kind/bug Categorizes issue or PR as related to a bug. labels Apr 8, 2024
@kannon92
Contributor

kannon92 commented Apr 8, 2024

One option could be to keep the default and add a config option to allow for different types of permissions on logs.

@yong-jie-gong
Author

yong-jie-gong commented Apr 10, 2024

@kannon92 @saschagrunert That is correct. The change may break existing users, but security should be more important than compatibility. I think 644 is a mistake. Besides, almost all container runtimes such as docker, containerd, etc. dump the stdout logs to file with 640, but kubelet archives these logs with the wider permission 644.
Adding a configurable option seems reasonable, but another issue comes up: what is the default value? If set to 644, does it mean the kubelet default setting is not secure?
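Added example for the reproduction steps above and for the 640-versus-644 comparison in the last comment. This is editor-written Go, not kubelet's code and not the change in PR #124229 (which this page does not show): `compressLogWorldReadable` models the behaviour the report describes (archive created with a hard-coded 0644), `compressLogPreservingMode` is one hardened alternative in which the archive inherits the source log's permission bits, and `findWorldReadableArchives` is the reporter's `ls` audit as a directory walk. Directory names, file names and the runtime-style log line are constructed for the demo.

```go
package main

import (
	"compress/gzip"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// compressLogWorldReadable reproduces what the issue reports: a hard-coded
// 0644 on the archive (narrowed only by the process umask), so a log the
// runtime wrote as 0640 becomes world-readable once rotated.
func compressLogWorldReadable(src string) (string, error) {
	return compressLog(src, 0o644, false)
}

// compressLogPreservingMode is the hardened form: the archive inherits the
// source log's permission bits, re-applied with Chmod so the umask cannot
// change the outcome.
func compressLogPreservingMode(src string) (string, error) {
	st, err := os.Stat(src)
	if err != nil {
		return "", err
	}
	return compressLog(src, st.Mode().Perm(), true)
}

// compressLog gzips src to src+".gz" via a temp file and an atomic rename.
func compressLog(src string, mode os.FileMode, enforceMode bool) (string, error) {
	in, err := os.Open(src)
	if err != nil {
		return "", err
	}
	defer in.Close()
	dst, tmp := src+".gz", src+".gz.tmp"
	// O_EXCL: never write through a pre-planted file or symlink at tmp.
	out, err := os.OpenFile(tmp, os.O_WRONLY|os.O_CREATE|os.O_EXCL, mode)
	if err != nil {
		return "", err
	}
	gz := gzip.NewWriter(out)
	if _, err = io.Copy(gz, in); err == nil {
		err = gz.Close()
	}
	if err == nil && enforceMode {
		err = out.Chmod(mode)
	}
	if cerr := out.Close(); err == nil {
		err = cerr
	}
	if err == nil {
		err = os.Rename(tmp, dst)
	}
	if err != nil {
		os.Remove(tmp)
		return "", err
	}
	return dst, nil
}

// findWorldReadableArchives is the reporter's `ls` audit as code: every .gz
// under root with the "other" read bit set.
func findWorldReadableArchives(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !strings.HasSuffix(d.Name(), ".gz") {
			return err
		}
		info, err := d.Info()
		if err == nil && info.Mode().Perm()&0o004 != 0 {
			hits = append(hits, p)
		}
		return err
	})
	return hits, err
}

// writeSampleLog writes one constructed runtime-style log line with an exact
// 0640 mode (os.WriteFile alone is umask-masked, hence the Chmod).
func writeSampleLog(path string) error {
	if err := os.WriteFile(path, []byte("2024-04-08T10:00:00Z stdout F constructed line\n"), 0o640); err != nil {
		return err
	}
	return os.Chmod(path, 0o640)
}

func main() {
	dir, err := os.MkdirTemp("", "podlogs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, n := range []string{"weak.log", "hardened.log"} {
		if err := writeSampleLog(filepath.Join(dir, n)); err != nil {
			panic(err)
		}
	}
	weak, _ := compressLogWorldReadable(filepath.Join(dir, "weak.log"))
	hard, _ := compressLogPreservingMode(filepath.Join(dir, "hardened.log"))
	hits, _ := findWorldReadableArchives(dir)
	fmt.Printf("weak=%s hardened=%s\nworld-readable: %v\n", weak, hard, hits)
}
```

Two details worth noting. The mode passed to `os.OpenFile` is always masked by the process umask, so the hard-coded 0644 only ends up world-readable when the umask leaves the other-read bit alone (the usual 022 does); the hardened variant re-applies the mode with `Chmod` so the result does not depend on that. Inheriting the source log's mode also sidesteps the "what is the default?" question in the last comment, since the archive is exactly as readable as the runtime made the live log, but anything that reads the .gz files as a non-root user and relied on 0644 would still break, which is the compatibility concern raised above.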

5 participants