All logs must be owned by the root user and group and have permissions 755. By default, the path for the Kubernetes pod logs is /var/log/pods/.
If any of the files have incorrect permissions or ownership, change the permissions and ownership of the files located under "/var/log/pods" to protect them from unauthorized access.
1. Execute the following to make the files that store the output of pods readable only by their owner:
for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; find /var/log/pods/ -type f \( -perm /022 -o -perm /044 \) | xargs -r chmod 600' 2>/dev/null; done
2. Execute the following to set the user and group ownership to root for the files that store the output of pods:
for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; find /var/log/pods/ -type f \! -user 0 | xargs -r chown root:root' 2>/dev/null; done
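The two one-liners above check and fix in the same pass, which makes it hard to see what was changed on which node. The script below is an added example, not part of the STIG text or of the OpenShift project: it runs the same two find tests against a directory, prints each finding with its mode or owner, returns a non-zero status when anything is found, and only applies the chmod/chown when asked. It assumes GNU findutils (for -printf), as found on RHCOS nodes; the function names, the --fix switch and the default directory handling are the example's own.

```sh
#!/bin/sh
# Added example (not part of the STIG text): audit, and optionally fix, the mode and
# ownership of files under a pod-log directory, using the same find tests as the fix
# steps. Assumes GNU findutils (for -printf), as on RHCOS nodes.
# Usage: sh audit_pod_logs.sh [DIR] [--fix]      DIR defaults to /var/log/pods

# List regular files under $1 whose mode has any group/other read or write bit set
# (the -perm /022 -o -perm /044 test from the fix text), as "<octal mode> <path>".
list_loose_perms() {
    find "$1" -type f \( -perm /022 -o -perm /044 \) -printf '%m %p\n'
}

# List regular files under $1 not owned by uid 0, as "<user>:<group> <path>".
list_not_root_owned() {
    find "$1" -type f ! -user 0 -printf '%u:%g %p\n'
}

# Number of findings for each check; 0 means that check passes.
count_loose_perms()    { list_loose_perms "$1"    | wc -l | tr -d ' '; }
count_not_root_owned() { list_not_root_owned "$1" | wc -l | tr -d ' '; }

# Apply the same chmod 600 / chown root:root as the fix text. -exec ... {} + hands
# the paths to the command directly, so names containing whitespace are not split
# the way an unquoted xargs pipeline would split them. chown needs root, so it is
# skipped (with a warning) when the script runs unprivileged.
fix_pod_logs() {
    find "$1" -type f \( -perm /022 -o -perm /044 \) -exec chmod 600 {} +
    if [ "$(id -u)" -eq 0 ]; then
        find "$1" -type f ! -user 0 -exec chown root:root {} +
    else
        echo "not root: skipping chown of non-root-owned files under $1" >&2
    fi
}

# Print a one-line summary for this host, list each finding, and return 0 only when
# both checks pass, so the function can drive a compliance script's exit status.
audit_pod_logs() {
    dir="${1:-/var/log/pods}"
    perms=$(count_loose_perms "$dir")
    owners=$(count_not_root_owned "$dir")
    echo "$(uname -n) $dir: $perms file(s) with group/other bits, $owners file(s) not owned by root"
    list_loose_perms "$dir"
    list_not_root_owned "$dir"
    [ "$perms" -eq 0 ] && [ "$owners" -eq 0 ]
}

# When invoked with a directory argument, run the audit (after remediation if --fix
# was given). With no arguments only the functions are defined, so the file can be
# sourced into another shell.
case "${1:-}" in
    "") ;;
    *)  [ "${2:-}" = "--fix" ] && fix_pod_logs "$1"
        audit_pod_logs "$1" ;;
esac
```

To run it on every node, copy the script into the same loop the fix text uses (oc debug $node -- chroot /host ...) and pass /var/log/pods as the directory; run it first without --fix to record what is non-compliant, then again with --fix. Note that the audit flags exactly what the fix text's find expressions would touch, so a file with mode 755 is reported even though the requirement statement names 755 as the expected permission; reconcile that with your auditor before remediating.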