docs: explain how to disable logs access

edgelesssys · Jan 30, 2025 · 0f1562e · 0f1562e
1 parent 4e020fb
commit 0f1562e
Showing 1 changed file with 21 additions and 7 deletions.
diff --git a/docs/docs/architecture/security-considerations.md b/docs/docs/architecture/security-considerations.md
@@ -57,10 +57,24 @@ Ideally, a volume is mounted as a raw block device and authenticated encryption
 
 ### Logs
 
-By default, container logs are visible to the host.
-Sensitive information shouldn't be logged.
-
-As of right now, hiding logs isn't natively supported.
-If `ReadStreamRequest` is denied in the policy, the Kata Agent stops reading the logs.
-This causes the pipes used for standard out and standard error to fill up and potentially deadlock the container.
-If absolutely required, standard out and standard error should be manually redirected to `/dev/null` inside the container.
+By default, container logs are visible to the host to enable normal Kubernetes operations, for example debugging using `kubectl logs`.
+The application needs to ensure that sensitive information isn't logged.
+
+If logs access is not required, it can be denied by setting the `ReadStreamRequest` default to `false` in the `settings.json` file.
+
+```diff
+diff --git a/settings.json b/settings-no-logs.json
+index fd998a4..6760000 100644
+--- a/settings.json
++++ b/settings-no-logs.json
+@@ -330,7 +330,7 @@
+             "regex": []
+         },
+         "CloseStdinRequest": false,
+-        "ReadStreamRequest": true,
++        "ReadStreamRequest": false,
+         "UpdateEphemeralMountsRequest": false,
+         "WriteStreamRequest": false
+     }
+
+```