siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

Permissions on /var/log + /var/log/containers don't allow non-root Daemonset to gather logs #9630

Closed zviratko closed 3 weeks ago

zviratko commented 3 weeks ago

Bug Report

Permissions (700) on /var/log and /var/log/containers don't allow non-root Daemonset to tail logs

I believe relaxing permissions to rwx--x--x is better than running logging containers as root... unless there's a completely different and better way to do this?

Description

See https://github.com/open-telemetry/opentelemetry-collector-contrib/issues/33083#issuecomment-2454525827

Environment

frezbo commented 3 weeks ago

I believe adding this fixes it:

    capabilities:
      add:
        - DAC_READ_SEARCH

zviratko commented 3 weeks ago

That didn't work for me (nor for the original issue creator)

smira commented 3 weeks ago

I think the whole concept of running a DaemonSet which mounts something from the host is a bad design decision (in Kubernetes/CRI), but there is no better way today.

So the API becomes the host filesystem, and permissions on the log files and directories become the API of the operating system towards log collection daemons.

I think given all of that, the only option is to make permissions match some sane defaults.
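As an added illustration (not code from the issue or from the Talos project), the following Python model walks the POSIX permission check a collector hits when opening a file under /var/log/containers, so the effect of the current 700 mode versus the proposed rwx--x--x (711) can be compared for a non-root process. The collector uid/gid 1000, the root-owned 0644 log file and its name are assumed sample values; the capability handling follows the kernel's documented DAC semantics, which is why the model says DAC_READ_SEARCH should suffice even though the thread reports it did not help in practice.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Node:
    """One path component (constructed sample): owner, group, permission bits."""
    name: str
    uid: int
    gid: int
    mode: int
    is_dir: bool

@dataclass(frozen=True)
class Process:
    uid: int
    gid: int
    caps: frozenset = field(default_factory=frozenset)  # e.g. {"DAC_READ_SEARCH"}

def _triplet(node: Node, proc: Process) -> int:
    """Pick the rwx triplet that applies to proc: owner, else group, else other."""
    if proc.uid == node.uid:
        return (node.mode >> 6) & 7
    if proc.gid == node.gid:
        return (node.mode >> 3) & 7
    return node.mode & 7

def _allowed(node: Node, proc: Process, want: int) -> bool:
    """want is 4 (read) or 1 (search); DAC_READ_SEARCH bypasses reads and dir search."""
    if proc.uid == 0 or "DAC_OVERRIDE" in proc.caps:
        return True
    if "DAC_READ_SEARCH" in proc.caps and (want == 4 or node.is_dir):
        return True  # thread reports this did not help in practice; the model cannot say why
    return bool(_triplet(node, proc) & want)

def can_open_for_read(path: list, proc: Process) -> tuple:
    """Each directory on the path needs x (search); the final entry needs r."""
    for node in path[:-1]:
        if not _allowed(node, proc, 1):
            return False, f"search denied on {node.name} (mode {node.mode:o})"
    if not _allowed(path[-1], proc, 4):
        return False, f"read denied on {path[-1].name}"
    return True, "ok"

def collector_can_tail(log_dir_mode: int, caps=()) -> bool:
    """Assumed uid/gid 1000 collector reading a root-owned 0644 log while
    /var/log and /var/log/containers are both set to log_dir_mode."""
    path = [Node("/var/log", 0, 0, log_dir_mode, True),
            Node("/var/log/containers", 0, 0, log_dir_mode, True),
            Node("app_default_abc123.log", 0, 0, 0o644, False)]  # constructed name
    return can_open_for_read(path, Process(1000, 1000, frozenset(caps)))[0]
```

Calling `collector_can_tail(0o700)` reproduces the denial at the /var/log search step, while `collector_can_tail(0o711)` succeeds without granting the collector any read access to the directory listing itself.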

frezbo commented 3 weeks ago

> That didn't work for me (nor for the original issue creator)

ahh okay, at least it allowed reading files owned by nobody