kubelet set the permission of archived logs as worldwide #124228
Comments
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Raised one PR, #124229, to fix this issue.
/sig node security
While I agree that stricter security is better in that case, we will end up breaking existing users when changing the current permissions.
/remove-kind bug
One option could be to keep the default and add a config option to allow for different types of permissions on logs.
@kannon92 @saschagrunert That is correct; the change may break existing users, but security should be more important than compatibility. I think 644 should be a mistake. Besides, almost all container runtimes such as docker, containerd, etc. dump the stdout logs to file with 640, but kubelet archives these logs with the wider permission 644.
What happened?
Periodically, kubelet will archive the logs as .gz files, but the file permission is set to world-readable "644":

```
# ls -rlt /var/log/pods/*/*/*.gz
-rw-r--r--. 1 root root 1038836 Mar 29 06:18 /var/log/pods/kube-system_apiserver-demo1.test.com_712b37831be464ccc2fb1553ef89aa91/apiserver/66.log.20240327-233810.gz
-rw-r--r--. 1 root root 1175429 Mar 31 14:44 /var/log/pods/kube-system_coredns-cfngt_8a5bacf2-063b-4ffc-b86a-237b94a07246/coredns/18.log.20240329-044703.gz
-rw-r--r--. 1 root root  379963 Apr  6 23:58 /var/log/pods/kube-system_apiserver-demo1.test.com_712b37831be464ccc2fb1553ef89aa91/apiserver/69.log.20240406-085133.gz
```
What did you expect to happen?
The log files should not be world-readable.
How can we reproduce it (as minimally and precisely as possible)?
Anything else we need to know?
No response
Kubernetes version
Client Version: v1.29.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.1
Cloud provider
OS version
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)
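The thread contrasts the 644 mode kubelet gives its rotated .gz archives with the 640 the runtimes use for the live log. The Go program below is an added example, not kubelet's code and not from this issue: it writes a gzip archive with an explicit mode, makes that mode independent of the process umask with a trailing chmod (the umask can only remove bits at creation, never add them), and then walks a log root the way an auditor would walk /var/log/pods to list every world-readable file. The function names (ArchiveLog, WorldReadable, FindWorldReadable, ReadArchive) and the sample log line are assumptions made for the example.

```go
package main

import (
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// ArchiveLog gzips src into dst, creating dst with the requested mode.
// O_EXCL refuses to clobber an archive that already exists. The mode passed
// to OpenFile is still subject to the umask, so Chmod is applied afterwards
// to make the final permission bits exactly what the caller asked for.
func ArchiveLog(src, dst string, mode os.FileMode) error {
	in, err := os.Open(src)
	if err != nil {
		return err
	}
	defer in.Close()

	out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, mode)
	if err != nil {
		return err
	}
	defer out.Close()

	zw := gzip.NewWriter(out)
	if _, err := io.Copy(zw, in); err != nil {
		return err
	}
	if err := zw.Close(); err != nil {
		return err
	}
	// Enforce the requested mode regardless of the umask in effect.
	return os.Chmod(dst, mode)
}

// ReadArchive decompresses a .gz written by ArchiveLog and returns its bytes.
func ReadArchive(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	zr, err := gzip.NewReader(f)
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// WorldReadable reports whether the "other" read bit (o+r) is set on path.
func WorldReadable(path string) (bool, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return fi.Mode().Perm()&0o004 != 0, nil
}

// FindWorldReadable walks root and returns every regular file whose mode
// lets "other" read it; this is the audit check for a directory like
// /var/log/pods where 644 archives would show up.
func FindWorldReadable(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d os.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if !d.Type().IsRegular() {
			return nil
		}
		wr, err := WorldReadable(p)
		if err != nil {
			return err
		}
		if wr {
			hits = append(hits, p)
		}
		return nil
	})
	return hits, err
}

func main() {
	dir, err := os.MkdirTemp("", "podlogs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed sample log line standing in for a container's stdout log.
	src := filepath.Join(dir, "0.log")
	if err := os.WriteFile(src, []byte("constructed log line\n"), 0o640); err != nil {
		panic(err)
	}
	// 0644 is what the issue reports; 0640 matches the runtimes' live log.
	if err := ArchiveLog(src, filepath.Join(dir, "0.log.wide.gz"), 0o644); err != nil {
		panic(err)
	}
	if err := ArchiveLog(src, filepath.Join(dir, "0.log.tight.gz"), 0o640); err != nil {
		panic(err)
	}
	hits, err := FindWorldReadable(dir)
	if err != nil {
		panic(err)
	}
	fmt.Println("world-readable files:", hits)
}
```

Only the archive created with 0644 is reported by the walk; the 0640 archive and the 0640 source log are not. On a system where the archiving process ran under a permissive umask, the trailing Chmod is what keeps the result at 0640, which is the property a configurable log-permission option would need to guarantee.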