Open RichardoC opened 1 year ago
@RichardoC: This issue is currently awaiting triage.
If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted
label and provide further guidance.
The triage/accepted
label can be added by org members by writing /triage accepted
in a comment.
/sig docs
For anyone seeing this in a panic, it is behind auth (thankfully) A k3s maintainer found the code and details are in https://github.com/k3s-io/k3s/issues/6709#issuecomment-1376460915
FYI, for CLI docs I usually check this page, not the api docs.
This has been deprecated since 1.15 as per https://github.com/kubernetes/kubernetes/pull/77611 - I wonder if that's why it's omitted from the docs? It's still there, and still on by default though.
/cc @dims @liggitt @cheftako
Funny enough the original report that triggered that PR was also against k3s:
FYI, for CLI docs I usually check this page, not the api docs.
This has been deprecated since 1.15 as per kubernetes/kubernetes#77611 - I wonder if that's why it's omitted from the docs? It's still there, and still on by default though.
While it's a CLI option, the fact it's accessible via the rest API means I'd expect it to be documented there. If it was on another port I'd agree with you
I'm not sure how https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/ is generated, but the logs endpoint is included in the openapi reference when enabled:
"/logs/": {
"get": {
"operationId": "logFileListHandler",
"responses": {
"401": {
"description": "Unauthorized"
}
},
"schemes": [
"https"
],
"tags": [
"logs"
]
}
},
"/logs/{logpath}": {
"get": {
"operationId": "logFileHandler",
"responses": {
"401": {
"description": "Unauthorized"
}
},
"schemes": [
"https"
],
"tags": [
"logs"
]
},
"parameters": [
{
"description": "path to the log",
"in": "path",
"name": "logpath",
"required": true,
"type": "string",
"uniqueItems": true
}
]
},
/transfer website
/kind feature
/language en
/retitle Document hidden /logs
API for API server
/sig security
/sig api-machinery
Actually
/retitle Document /logs
API for API server
It's not hidden, just nobody documented it yet. It's nice to document features for posterity before we remove them: the removal might be the first point at which some users look for the docs.
/remove-sig security
I don't think this is sig-security... more an issue with the openapi → doc generator, right?
While we're on the topic, how I can request that we move ahead with removing this API? If that'll happen soon enough we don't need to fix the docs?
While we're on the topic, how I can request that we move ahead with removing this API? If that'll happen soon enough we don't need to fix the docs?
Let's keep that discussion separate. That API can be turned off if desired, and there's a PR open to default it off (https://github.com/kubernetes/kubernetes/pull/110738)
SIG Security Docs make sure that things readers need to know to secure their cluster are properly documented. Isn't this one of those details?
In case it's of interest, the parameter doesn't show with kube-apiserver --help
either. Definitely seeing it documented even if it's removed would be good, as cluster operators will be on affected versions for a while.
Also I can add this to the CIS benchmark for Kubernetes, but ideally for that it's good to have a documentation reference pointing to the flags existence :)
In case it's of interest, the parameter doesn't show with
kube-apiserver --help
either.
that definitely needs fixing ... looks like a retread of https://github.com/kubernetes/kubernetes/pull/62621
Also I can add this to the CIS benchmark for Kubernetes
make sure to distinguish between a kube-apiserver instance running on the host and granting access to /var/log and an instance running in a container and only granting access to its own logs in that directory (which is more reasonable)
FWIW, there's a KEP in progress to expand access to host logs on the kubelet side, which doesn't seem coherent with the goal of reducing access to host logs via the apiserver... commented at https://github.com/kubernetes/kubernetes/pull/96120#pullrequestreview-1262371094 and cross-linked here.
/triage accepted
/sig security That's a SIG who could help document this detail.
This issue has not been updated in over 1 year, and should be re-triaged.
You can:
/triage accepted
(org members only)/close
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/
/remove-triage accepted
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the issue is closedYou can:
/remove-lifecycle stale
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
What happened?
While experimenting with the following command, I spotted an API that's not documented in the API one pager, which doesn't conform to the schema I would expect (it's HTML, not JSON)
This should be documented, and preferably be json to conform to the other APIs exposed.
What did you expect to happen?
This API would be documented, especially since it's serving up all files from a specific file path and the API should present some sort of json list rather than a webpage.
How can we reproduce it (as minimally and precisely as possible)?
Anything else we need to know?
This is the root cause of https://github.com/rancher-sandbox/docs.rancherdesktop.io/issues/136 and https://github.com/k3s-io/k3s/issues/6709 as I didn't expect an undocumented file server API from kubernetes.
Kubernetes version
Cloud provider
OS version
Install tools
No response
Container runtime (CRI) and version (if applicable)
No response
Related plugins (CNI, CSI, ...) and versions (if applicable)
No response