Bug
Resolution: Unresolved
Normal
Quality / Stability / Reliability
Moderate
Description of problem:
It was observed on 4.12/4.14 clusters that the file /var/log/kube-apiserver/termination.log for kube-apiserver had a too permissive mode. As a result, rule ocp4-file-permissions-var-log-kube-audit may cause an extra reboot if users upgrade a cluster from an older version to 4.12/4.14.
Version-Release number of selected component (if applicable):
How reproducible:
Sometimes
Steps to Reproduce:
1. $ for node in `oc get node -l node-role.kubernetes.io/master= --no-headers|awk '{print $1}'`;do oc debug node/$node -- chroot /host ls -l /var/log/kube-apiserver/;done
Actual results:
It was observed on 4.12/4.14 clusters that the file /var/log/kube-apiserver/termination.log for kube-apiserver had a too permissive mode. As a result, rule ocp4-file-permissions-var-log-kube-audit may cause an extra reboot if users upgrade a cluster from an older version to 4.12/4.14.

$ for node in `oc get node -l node-role.kubernetes.io/master= --no-headers|awk '{print $1}'`;do oc debug node/$node -- chroot /host ls -l /var/log/kube-apiserver/;done
Starting pod/xiyuan-09-b414-j5rmm-master-0copenshift-qeinternal-debug ...
To use host binaries, run `chroot /host`
total 264444
-rw-------. 1 root root 209714190 Aug 9 07:27 audit-2023-08-09T07-27-23.650.log
-rw-------. 1 root root 58437878 Aug 9 10:05 audit.log
-rw-------. 1 root root 124619 Aug 9 04:41 termination.log
Removing debug pod ...
Starting pod/xiyuan-09-b414-j5rmm-master-1copenshift-qeinternal-debug ...
To use host binaries, run `chroot /host`
total 1286200
-rw-------. 1 root root 209715179 Aug 9 05:33 audit-2023-08-09T05-33-00.280.log
-rw-------. 1 root root 209714271 Aug 9 06:30 audit-2023-08-09T06-30-11.764.log
-rw-------. 1 root root 209714985 Aug 9 07:27 audit-2023-08-09T07-27-00.396.log
-rw-------. 1 root root 209714142 Aug 9 08:24 audit-2023-08-09T08-24-41.554.log
-rw-------. 1 root root 209713899 Aug 9 09:22 audit-2023-08-09T09-22-00.335.log
-rw-------. 1 root root 161977723 Aug 9 10:06 audit.log
-rw-------. 1 root root 121043 Aug 9 04:37 termination.log
Removing debug pod ...
Starting pod/xiyuan-09-b414-j5rmm-master-2copenshift-qeinternal-debug ...
To use host binaries, run `chroot /host`
total 1081284
-rw-------. 1 root root 209714158 Aug 9 05:43 audit-2023-08-09T05-43-23.333.log
-rw-------. 1 root root 209714476 Aug 9 06:50 audit-2023-08-09T06-50-53.224.log
-rw-------. 1 root root 209714233 Aug 9 08:00 audit-2023-08-09T08-00-39.493.log
-rw-------. 1 root root 209714934 Aug 9 09:09 audit-2023-08-09T09-09-39.439.log
-rw-------. 1 root root 174585111 Aug 9 10:06 audit.log
-rw-r--r--. 1 root root 4 Aug 9 04:38 termination.log
Removing debug pod ...
Expected results:
Disable rule ocp4-file-permissions-var-log-kube-audit temporarily to avoid an extra reboot.
Additional info:
This issue only exists for some of the matrix OCP supports.
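
An added example, not part of the original report: a filter that reads the per-node listing produced by the reproduction command and prints only the files whose mode is broader than rw-------. The function names, the shortened sample listing and the 0600 threshold (taken from the mode of the other files in the listing above) are assumptions of this example.

```shell
# Constructed sample input in the same layout as the listing in this report
# (debug pod names shortened to placeholders).
sample_listing() {
cat <<'EOF'
Starting pod/node-a-debug ...
To use host binaries, run `chroot /host`
total 264444
-rw-------. 1 root root 58437878 Aug 9 10:05 audit.log
-rw-------. 1 root root 124619 Aug 9 04:41 termination.log
Removing debug pod ...
Starting pod/node-b-debug ...
To use host binaries, run `chroot /host`
total 1081284
-rw-------. 1 root root 174585111 Aug 9 10:06 audit.log
-rw-r--r--. 1 root root 4 Aug 9 04:38 termination.log
Removing debug pod ...
EOF
}

# Print "<debug pod> <mode> <file>" for each regular file that grants any
# group/other permission or owner execute, i.e. anything beyond rw-------
# (0600 is this example's assumed threshold).
find_permissive() {
  awk '
    # Remember which debug pod (and so which node) the next lines belong to.
    /^Starting pod\// { pod = $2; sub(/^pod\//, "", pod); next }
    # Regular files only; drop the trailing SELinux "." from the mode field.
    /^-/ {
      mode = substr($1, 1, 10)
      if (substr(mode, 4, 1) != "-" || substr(mode, 5, 6) != "------")
        print pod, mode, $NF
    }
  '
}

# Live use: pipe the loop from "Steps to Reproduce" into the filter, with
# 2>&1 on the loop in case the "Starting pod/" lines are written to stderr:
#   for node in ...; do oc debug node/$node -- chroot /host ls -l /var/log/kube-apiserver/; done 2>&1 | find_permissive
```

Running `sample_listing | find_permissive` prints one line, for termination.log under node-b-debug.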