kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add /logs API to security checklist 

It's best to disable this API, which is deprecated at the time of
writing.

Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
This commit is contained in:
Tim Bannister 2023-01-10 17:40:35 +00:00
parent 1d514a5b3c
commit 52bb8f9282
1 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
content/en/docs/concepts/security/security-checklist.md
View File

@ -206,6 +206,25 @@ SELinux is only available on Linux nodes, and enabled in
[some Linux distributions](https://en.wikipedia.org/wiki/Security-Enhanced_Linux#Implementations).
{{< /note >}}
## Logs and auditing
- [ ] Audit logs, if enabled, are protected from general access.
- [ ] The `/logs` API is disabled (you are running kube-apiserver with
`--enable-logs-handler=false`).
Kubernetes includes a `/logs` API endpoint, enabled by default,
that lets users request the contents of the API server's `/var/log` directory over HTTP. Accessing
that endpoint requires authentication.
Allowing broad access to Kubernetes logs can make security information
available to a potential attacker.
As a good practice, set up a separate means to collect and aggregate
control plane logs, and do not use the `/logs` API endpoint.
Alternatively, if you run your control plane with the `/logs` API endpoint
and limit the content of `/var/log` (within the host or container where the API server is running) to
Kubernetes API server logs only.
## Pod placement
- [ ] Pod placement is done in accordance with the tiers of sensitivity of the