From 52bb8f9282bd5a1775262991ab20dc416e8b43b0 Mon Sep 17 00:00:00 2001 From: Tim Bannister Date: Tue, 10 Jan 2023 17:40:35 +0000 Subject: [PATCH] Add /logs API to security checklist It's best to disable this API, which is deprecated at the time of writing. Co-authored-by: Jordan Liggitt --- .../concepts/security/security-checklist.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/content/en/docs/concepts/security/security-checklist.md b/content/en/docs/concepts/security/security-checklist.md index e2d352fa6b1..e479f6d78ce 100644 --- a/content/en/docs/concepts/security/security-checklist.md +++ b/content/en/docs/concepts/security/security-checklist.md @@ -206,6 +206,25 @@ SELinux is only available on Linux nodes, and enabled in [some Linux distributions](https://en.wikipedia.org/wiki/Security-Enhanced_Linux#Implementations). {{< /note >}} +## Logs and auditing + +- [ ] Audit logs, if enabled, are protected from general access. +- [ ] The `/logs` API is disabled (you are running kube-apiserver with + `--enable-logs-handler=false`). + + Kubernetes includes a `/logs` API endpoint, enabled by default, + that lets users request the contents of the API server's `/var/log` directory over HTTP. Accessing + that endpoint requires authentication. + +Allowing broad access to Kubernetes logs can make security information +available to a potential attacker. + +As a good practice, set up a separate means to collect and aggregate +control plane logs, and do not use the `/logs` API endpoint. +Alternatively, if you run your control plane with the `/logs` API endpoint +and limit the content of `/var/log` (within the host or container where the API server is running) to +Kubernetes API server logs only. + ## Pod placement - [ ] Pod placement is done in accordance with the tiers of sensitivity of the
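Review bot: The last added paragraph, beginning "Alternatively, if you run your control plane with the `/logs` API endpoint", is a sentence fragment: the "if ... and limit ..." clause never reaches a main clause, so the fallback recommendation is unclear. Suggested wording: "Alternatively, if you run your control plane with the `/logs` API endpoint enabled, limit the content of `/var/log` (within the host or container where the API server is running) to Kubernetes API server logs only." Two smaller points. The paragraphs from "Allowing broad access to Kubernetes logs" onward are not indented like the "Kubernetes includes a `/logs` API endpoint" paragraph above them, so they will render outside the checklist item they explain. The commit message says this API is deprecated, but the added text does not; stating that next to the `--enable-logs-handler=false` item would tell readers why disabling it is the preferred option.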