OpenShift Bugs / OCPBUGS-19431

The termination.log file for the kube-apiserver should have consistent permission


    • Moderate
    • No
    • False
    • N/A
    • Release Note Not Required

      This is a clone of issue OCPBUGS-11856. The following is the description of the original issue:

      Description of problem:

       

      The /var/log/kube-apiserver/termination.log on nodes should all have 600 permission. Now, on one node, the permission is 644:
      $ for node in `oc get node -l node-role.kubernetes.io/master= --no-headers | awk '{print $1}'`; do oc debug node/$node -- chroot /host ls -ltr /var/log/kube-apiserver/; done
      Temporary namespace openshift-debug-ngrgt is created for debugging node...
      Starting pod/yinzhou-417-x2gkh-master-0copenshift-qeinternal-debug ...
      To use host binaries, run `chroot /host`
      total 131012
      -rw-r--r--. 1 root root         4 Apr 17 01:32 termination.log
      -rw-------. 1 root root 126479251 Apr 17 02:12 audit.log
      Removing debug pod ...
      Temporary namespace openshift-debug-ngrgt was removed.
      Temporary namespace openshift-debug-cm822 is created for debugging node...
      Starting pod/yinzhou-417-x2gkh-master-1copenshift-qeinternal-debug ...
      To use host binaries, run `chroot /host`
      total 112900
      -rw-------. 1 root root   395190 Apr 17 01:38 termination.log
      -rw-------. 1 root root 61833081 Apr 17 02:12 audit.log
      Removing debug pod ...
      Temporary namespace openshift-debug-cm822 was removed.
      Temporary namespace openshift-debug-kbwf4 is created for debugging node...
      Starting pod/yinzhou-417-x2gkh-master-2copenshift-qeinternal-debug ...
      To use host binaries, run `chroot /host`
      total 155052
      -rw-------. 1 root root     41787 Apr 17 01:35 termination.log
      -rw-------. 1 root root 114412212 Apr 17 02:13 audit.log
      Removing debug pod ...
      Temporary namespace openshift-debug-kbwf4 was removed.
      

       

      Version-Release number of selected component (if applicable):

      4.13.0-0.nightly-2023-04-15-102029

      How reproducible:

      Always

      Steps to Reproduce:

      1.  As description. 

      Actual results:

      1.  As description.

      Expected results:

      The /var/log/kube-apiserver/termination.log on all master nodes should all have 600 permission.

      Additional info:

       

            Unassigned
            openshift-crt-jira-prow OpenShift Prow Bot
            Ke Wang
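An added example, not part of the original report: a POSIX shell function that scans captured output of the `oc debug node/... ls -ltr` loop shown in the description and lists every regular file whose mode differs from the expected 600. The function names, the sample session and its pod names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag log files whose mode differs from the expected one in
# captured `oc debug node/<node> -- chroot /host ls -ltr <dir>` output.

# audit_log_modes [MODE]: read the session text on stdin and print
# "<debug pod> <file> <octal mode>" for each regular file whose mode is not
# MODE (three octal digits, default 600). Exit status 1 if any file deviates.
audit_log_modes() {
    awk -v want="${1:-600}" '
    # Convert the nine rwx characters of an ls mode string to three octal
    # digits. Setuid/setgid/sticky are only counted as the execute bit.
    function octal(sym,    i, d, out) {
        out = ""
        for (i = 0; i < 3; i++) {
            d = 0
            if (substr(sym, i * 3 + 1, 1) == "r") d += 4
            if (substr(sym, i * 3 + 2, 1) == "w") d += 2
            if (substr(sym, i * 3 + 3, 1) ~ /[xst]/) d += 1
            out = out d
        }
        return out
    }
    # "Starting pod/<name> ..." marks the node the next listing belongs to.
    $1 == "Starting" && $2 ~ /^pod\// { pod = $2; sub(/^pod\//, "", pod); next }
    # Regular-file lines of `ls -l` start with "-" and have at least 9 fields.
    $1 ~ /^-/ && NF >= 9 {
        mode = octal(substr($1, 2, 9))
        if (mode != want) { print pod, $NF, mode; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Constructed sample session in the same layout as the output in the report.
sample_session() {
cat <<'EOF'
Starting pod/master-0-example-debug ...
total 131012
-rw-r--r--. 1 root root         4 Apr 17 01:32 termination.log
-rw-------. 1 root root 126479251 Apr 17 02:12 audit.log
Removing debug pod ...
Starting pod/master-1-example-debug ...
total 112900
-rw-------. 1 root root   395190 Apr 17 01:38 termination.log
-rw-------. 1 root root 61833081 Apr 17 02:12 audit.log
EOF
}

sample_session | audit_log_modes 600 || echo "inconsistent modes found" >&2
```

To audit a live cluster, pipe the output of the loop from the description into `audit_log_modes` instead of `sample_session`.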