Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-16080

File /var/log/kube-apiserver/termination.log for kube-apiserver has too permissive mode

XMLWordPrintable

    • Moderate
    • No
    • False
    • Hide

      None

      Show
      None

      Description of problem:

       

      All files under path /var/log/kube-apiserver/ should have 600 permission. File /var/log/kube-apiserver/termination.log for kube-apiserver on some nodes have 644 permission.
      $ for node in `oc get node -l node-role.kubernetes.io/control-plane= --no-headers|awk '{print $1}'`;do oc debug node/$node -- chroot /host ls -l /var/log/kube-apiserver/;done
      Temporary namespace openshift-debug-gj262 is created for debugging node...
      Starting pod/ip-x-us-east-2computeinternal-debug ...
      To use host binaries, run `chroot /host`
      total 221752
      -rw-------. 1 root root 209714718 Jul 12 05:47 audit-2023-07-12T05-47-16.625.log
      -rw-------. 1 root root  13233368 Jul 12 05:54 audit.log
      -rw-------. 1 root root    646569 Jul 12 04:19 termination.logRemoving debug pod ...
      Temporary namespace openshift-debug-gj262 was removed.
      Temporary namespace openshift-debug-cmdgm is created for debugging node...
      Starting pod/ip-xus-east-2computeinternal-debug ...
      To use host binaries, run `chroot /host`
      total 49640
      -rw-------. 1 root root 49826363 Jul 12 05:54 audit.log
      -rw-------. 1 root root   826226 Jul 12 04:23 termination.logRemoving debug pod ...
      Temporary namespace openshift-debug-cmdgm was removed.
      Temporary namespace openshift-debug-fdqtv is created for debugging node...
      Starting pod/ip-xus-east-2computeinternal-debug ...
      To use host binaries, run `chroot /host`
      total 270276
      -rw-------. 1 root root 209714252 Jul 12 05:34 audit-2023-07-12T05-34-34.205.log
      -rw-------. 1 root root  51250736 Jul 12 05:54 audit.log
      -rw-r--r--. 1 root root         4 Jul 12 04:15 termination.logRemoving debug pod ...
      Temporary namespace openshift-debug-fdqtv was removed.
      $ oc get clusterversion
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.14.0-0.nightly-2023-07-11-092038   True        False         91m     Cluster version is 4.14.0-0.nightly-2023-07-11-092038
       

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-07-11-092038

      How reproducible:

      Always

      Steps to Reproduce:

      1.$ for node in `oc get node -l node-role.kubernetes.io/control-plane= --no-headers|awk '{print $1}'`;do oc debug node/$node -- chroot /host ls -l /var/log/kube-apiserver/;done 2.
      3.
      

      Actual results:

      File /var/log/kube-apiserver/termination.log for kube-apiserver on some nodes has 644 permission.
      

      Expected results:

      All files under path /var/log/kube-apiserver/ should have 600 permission.

      Additional info:

       

            mfojtik@redhat.com Michal Fojtik
            xiyuan@redhat.com Xiaojie Yuan
            Rahul Gangwar Rahul Gangwar
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: