
Ensure /var/log/openshift-apiserver Located On Separate Partition

An XCCDF Rule

Description

OpenShift API server audit logs are stored in the /var/log/openshift-apiserver directory.

Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterwards. For documentation on how to add a MachineConfig manifest that specifies a separate /var/log/openshift-apiserver partition, see: https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic

Note that the Red Hat OpenShift documentation often references a block device such as /dev/vda. The names of the available block devices depend on the underlying infrastructure (bare metal vs. cloud) and often on the specific instance type. For example, in AWS some instance types expose NVMe drives (/dev/nvme*) while others use /dev/xvda*. Consult the documentation for your infrastructure to find the correct device names. In many cases the simplest approach is to boot a single machine with an Ignition configuration that only grants SSH access and inspect the block devices with a command such as lsblk. For physical hardware, it is best practice to reference devices via the /dev/disk/by-id/ or /dev/disk/by-path/ links, because those names do not change when the kernel's device enumeration order does.
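The following MachineConfig manifest is an added example of the Day 1 partitioning step described above; it is not part of this rule's text or of the OpenShift documentation it links to. It assumes the OpenShift API server pods run on control-plane nodes (role master), that the install disk is addressed through a stable /dev/disk/by-id/ link (placeholder), and uses constructed values for the partition label, offset and size. The systemd mount unit name must be the escaped form of the mount path, which can be obtained with systemd-escape -p --suffix=mount /var/log/openshift-apiserver.

```yaml
# Added example (not from the original rule text): a MachineConfig that
# creates a dedicated partition for /var/log/openshift-apiserver on the
# control-plane nodes at install time. Device link, offset and size are
# constructed/placeholder values; confirm them with lsblk on a test machine.
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 98-var-log-openshift-apiserver-partition
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      disks:
        - device: /dev/disk/by-id/<ROOT_DISK_ID>   # placeholder: stable by-id link to the install disk
          wipeTable: false                          # keep the existing root-disk partition table
          partitions:
            - label: apiserverlog                   # constructed partition label
              startMiB: 25000                       # constructed offset; leave room for the root partition
              sizeMiB: 10240                        # constructed size: 10 GiB for audit logs
      filesystems:
        - device: /dev/disk/by-partlabel/apiserverlog
          path: /var/log/openshift-apiserver
          format: xfs
          wipeFilesystem: true
    systemd:
      units:
        # Unit name is the systemd-escaped mount path:
        #   systemd-escape -p --suffix=mount /var/log/openshift-apiserver
        - name: var-log-openshift\x2dapiserver.mount
          enabled: true
          contents: |
            [Unit]
            Before=local-fs.target
            [Mount]
            What=/dev/disk/by-partlabel/apiserverlog
            Where=/var/log/openshift-apiserver
            Type=xfs
            Options=defaults,nodev,nosuid,noexec
            [Install]
            WantedBy=local-fs.target
```

The manifest is placed in the installation manifests directory before the Ignition configs are generated, as the linked documentation describes. The nodev, nosuid and noexec mount options are a hardening choice for a log-only filesystem and not something the rule itself requires. After the cluster is up, the result can be checked on a control-plane node with oc debug node/<node-name> -- chroot /host findmnt /var/log/openshift-apiserver, which should show the apiserverlog partition rather than the root filesystem as the source.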

Rationale

Placing /var/log/openshift-apiserver in its own partition enables better separation between OpenShift API server audit logs and other log files, and helps ensure that auditing cannot be halted because the partition holding other data runs out of space.

ID
xccdf_org.ssgproject.content_rule_partition_for_var_log_openshift_apiserver
Severity
Medium