Skip to content

Compressed pod log files default to 644 permissions #129787

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ksmith4616 opened this issue Jan 23, 2025 · 7 comments · Fixed by #129893
Closed

Compressed pod log files default to 644 permissions #129787

ksmith4616 opened this issue Jan 23, 2025 · 7 comments · Fixed by #129893
Assignees
@simonfogliato
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/node Categorizes an issue or PR as relevant to SIG Node. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@ksmith4616
Copy link

What happened?

When the pod logs rotate and get compressed, the gzipped file defaults to the permissions of 644. With the directories set to 755 this allows the logs to be world readable at that point.

This appears to be where this issue is happening at - https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/logs/container_log_manager.go#L422

What did you expect to happen?

For the compressed logs to either inherit the original log file permissions (600) or for this file permission to be configurable in the kubelet configuration

How can we reproduce it (as minimally and precisely as possible)?

Generate logs & wait until they compress - https://kubernetes.io/docs/concepts/cluster-administration/logging/#basic-logging-in-kubernetes

Anything else we need to know?

No response

Kubernetes version

$ kubectl version
Client Version: v1.30.9
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.30.2

Cloud provider

OS version

# On Linux:
$ cat /etc/os-release
Rocky Linux 9.5
Version = 9.20250121.0.5 (Blue Onyx)
$ uname -a
5.14.0-503.21.1.el9_5.x86_64

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

Install tools

Container runtime (CRI) and version (if applicable)

Related plugins (CNI, CSI, ...) and versions (if applicable)
@ksmith4616 ksmith4616 added the kind/bug Categorizes issue or PR as related to a bug. label Jan 23, 2025
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 23, 2025
@kannon92
Copy link
Contributor

/sig node

@k8s-ci-robot k8s-ci-robot added sig/node Categorizes an issue or PR as relevant to SIG Node. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jan 23, 2025
@niranjandarshann
Copy link
Contributor

In environments containers, where logs may need to be accessed by multiple users or processes (such as for debugging or operational monitoring), 0644 ensures the file is readable by any user on the same machine, while still ensuring that only the owner can modify the file. Other users that are part of the same group or have general access to the system can read the logs without modifying them.

The above reason, i think 0600 is not given as permission because only owner will have rw permission even read permission is not given to group.
WDYT about 0600 permission why it should be ?

@AnishShah
Copy link
Contributor

sig-node CI meeting notes:

  • Is this permission the same as uncompressed logs?

@simonfogliato
Copy link
Contributor

/assign

@ksmith4616
Copy link
Author

Sorry for the delay in response. For my system I see the uncompressed logs as 0600, but once they go through compression they get assigned with 0644 -

-rw-------. 1 root root 9446029 Jan 25 06:59 0.log
-rw-r--r--. 1 root root 842586 Jan 24 11:57 0.log.20250123-145214.gz
-rw-------. 1 root root 10488863 Jan 24 11:57 0.log.20250124-115712
-rw-------. 1 root root 24136 Jan 25 07:22 1.log

@simonfogliato simonfogliato mentioned this issue Jan 29, 2025
Merged
@haircommander haircommander moved this from Triage to Triaged in SIG Node Bugs Feb 5, 2025
@ffromani
Copy link
Contributor

ffromani commented Feb 5, 2025

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Feb 5, 2025
@SergeyKanzhelev
Copy link
Member

/priority backlog

@k8s-ci-robot k8s-ci-robot added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Mar 19, 2025
@github-project-automation github-project-automation bot moved this from Triaged to Done in SIG Node Bugs Mar 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@simonfogliato simonfogliato

Labels
kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/node Categorizes an issue or PR as relevant to SIG Node. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Node Bugs
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use uncompressed kubelet log file permissions when compressed. simonfogliato/kubernetes
8 participants
@AnishShah @kannon92 @SergeyKanzhelev @simonfogliato @k8s-ci-robot @ffromani @ksmith4616 @niranjandarshann