kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #42355 from deepak4566/Deepak-1 

Remove API server --enable-logs-handler argument from docs
pull/44690/head
Kubernetes Prow Robot 2024-01-09 16:52:58 +01:00 committed by GitHub
parent e4d387682b fd6648f165
commit a64b2324c7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 0 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
content/en/docs/concepts/security/security-checklist.md
View File

@ -207,21 +207,7 @@ SELinux is only available on Linux nodes, and enabled in
## Logs and auditing
- [ ] Audit logs, if enabled, are protected from general access.
- [ ] The `/logs` API is disabled (you are running kube-apiserver with
`--enable-logs-handler=false`).
Kubernetes includes a `/logs` API endpoint, enabled by default,
that lets users request the contents of the API server's `/var/log` directory over HTTP. Accessing
that endpoint requires authentication.
Allowing broad access to Kubernetes logs can make security information
available to a potential attacker.
As a good practice, set up a separate means to collect and aggregate
control plane logs, and do not use the `/logs` API endpoint.
Alternatively, if you run your control plane with the `/logs` API endpoint
and limit the content of `/var/log` (within the host or container where the API server is running) to
Kubernetes API server logs only.
## Pod placement