Bug
Resolution: Obsolete
4.12.z
Moderate
Description of problem:
All files under path /var/log/kube-apiserver/ should have 600 permission. File /var/log/kube-apiserver/termination.log for kube-apiserver on some nodes has 644 permission.

$ for node in `oc get node -l node-role.kubernetes.io/control-plane= --no-headers|awk '{print $1}'`;do oc debug node/$node -- chroot /host ls -l /var/log/kube-apiserver/;done
Starting pod/ci-op-scgfhdhd-8bc00-hx58v-master-0copenshift-qeinternal-debug ...
To use host binaries, run `chroot /host`
total 679876
-rw-------. 1 root root 104856620 Jul 4 10:22 audit-2023-07-04T10-22-14.884.log
-rw-------. 1 root root 104857188 Jul 4 10:46 audit-2023-07-04T10-46-14.103.log
-rw-------. 1 root root 104856732 Jul 4 11:12 audit-2023-07-04T11-12-58.298.log
-rw-------. 1 root root 104856936 Jul 4 11:40 audit-2023-07-04T11-40-47.757.log
-rw-------. 1 root root 104856474 Jul 4 12:09 audit-2023-07-04T12-09-23.952.log
-rw-------. 1 root root 104856985 Jul 4 12:37 audit-2023-07-04T12-37-24.128.log
-rw-------. 1 root root 66682844 Jul 4 12:54 audit.log
-rw-r--r--. 1 root root 4 Jul 4 09:54 termination.log

Removing debug pod ...
Starting pod/ci-op-scgfhdhd-8bc00-hx58v-master-1copenshift-qeinternal-debug ...
To use host binaries, run `chroot /host`
total 271468
-rw-------. 1 root root 104857317 Jul 4 09:51 audit-2023-07-04T09-51-20.177.log
-rw-------. 1 root root 104857001 Jul 4 11:18 audit-2023-07-04T11-18-55.018.log
-rw-------. 1 root root 63478136 Jul 4 12:55 audit.log
-rw-------. 1 root root 1223621 Jul 4 09:56 termination.log

Removing debug pod ...
Starting pod/ci-op-scgfhdhd-8bc00-hx58v-master-2copenshift-qeinternal-debug ...
To use host binaries, run `chroot /host`
total 643012
-rw-------. 1 root root 104856722 Jul 4 10:27 audit-2023-07-04T10-27-06.564.log
-rw-------. 1 root root 104856459 Jul 4 10:49 audit-2023-07-04T10-49-34.441.log
-rw-------. 1 root root 104856718 Jul 4 11:21 audit-2023-07-04T11-21-38.335.log
-rw-------. 1 root root 104856557 Jul 4 11:54 audit-2023-07-04T11-54-08.838.log
-rw-------. 1 root root 104856452 Jul 4 12:27 audit-2023-07-04T12-27-56.914.log
-rw-------. 1 root root 88373352 Jul 4 12:55 audit.log
-rw-r--r--. 1 root root 4 Jul 4 09:52 termination.log

Removing debug pod ...
Version-Release number of selected component (if applicable):
4.12.0-0.nightly-2023-06-29-055454
How reproducible:
Always
Steps to Reproduce:
1. $ for node in `oc get node -l node-role.kubernetes.io/control-plane= --no-headers|awk '{print $1}'`;do oc debug node/$node -- chroot /host ls -l /var/log/kube-apiserver/;done
Actual results:
File /var/log/kube-apiserver/termination.log for kube-apiserver on some nodes has 644 permission.
Expected results:
All files under path /var/log/kube-apiserver/ should have 600 permission.
Additional info:
is cloned by: OCPBUGS-16080 File /var/log/kube-apiserver/termination.log for kube-apiserver has too permissive mode (Closed)
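
The manual ls -l comparison in the report can be turned into a pass/fail check. The script below is an added example, not part of the original report or of OpenShift; the function names audit_modes and audit_control_plane are hypothetical, and it assumes GNU find and stat on the host.

```shell
#!/bin/sh
# Added example: flag files under a log directory whose mode is not exactly 600.
# Assumption: GNU find and stat are available (locally and behind `chroot /host`).

LOG_DIR=/var/log/kube-apiserver   # path from the report
EXPECTED_MODE=600                 # expected mode from the report

# Print "<octal mode> <path>" for every regular file under $1 whose mode
# differs from $2 (default 600).
# Returns 0 if all files match, 1 if any deviate, 2 if the directory is missing.
audit_modes() {
    dir=$1
    want=${2:-$EXPECTED_MODE}
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    bad=$(find "$dir" -type f ! -perm "$want" -exec stat -c '%a %n' {} +)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Run the same check on each control-plane node, reusing the node loop from
# the report. Only lines shaped like "<mode> /path" are kept, so the debug
# pod's status messages are not mistaken for findings.
audit_control_plane() {
    rc=0
    for node in $(oc get node -l node-role.kubernetes.io/control-plane= --no-headers | awk '{print $1}'); do
        out=$(oc debug "node/$node" -- chroot /host \
            find "$LOG_DIR" -type f ! -perm "$EXPECTED_MODE" -exec stat -c '%a %n' {} + 2>/dev/null |
            grep -E '^[0-7]{3,4} /')
        if [ -n "$out" ]; then
            printf '%s:\n%s\n' "$node" "$out"
            rc=1
        fi
    done
    return $rc
}
```

Calling audit_control_plane from a logged-in oc session lists each node with a deviating file and returns non-zero if any is found, which makes it usable as a CI or compliance gate.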