From 0f1562eedba9583e77d0090a4d166a293b2c6add Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Thu, 30 Jan 2025 09:54:05 +0100
Subject: [PATCH] docs: explain how to disable logs access

---
 .../architecture/security-considerations.md | 28 ++++++++++++++-----
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/docs/docs/architecture/security-considerations.md b/docs/docs/architecture/security-considerations.md
index 85f8da9f48..df92a235fa 100644
--- a/docs/docs/architecture/security-considerations.md
+++ b/docs/docs/architecture/security-considerations.md
@@ -57,10 +57,24 @@ Ideally, a volume is mounted as a raw block device and authenticated encryption
 
 ### Logs
 
-By default, container logs are visible to the host.
-Sensitive information shouldn't be logged.
-
-As of right now, hiding logs isn't natively supported.
-If `ReadStreamRequest` is denied in the policy, the Kata Agent stops reading the logs.
-This causes the pipes used for standard out and standard error to fill up and potentially deadlock the container.
-If absolutely required, standard out and standard error should be manually redirected to `/dev/null` inside the container.
+By default, container logs are visible to the host to enable normal Kubernetes operations, for example debugging using `kubectl logs`.
+The application needs to ensure that sensitive information isn't logged.
+
+If logs access is not required, it can be denied by setting the `ReadStreamRequest` default to `false` in the `settings.json` file.
+
+```diff
+diff --git a/settings.json b/settings-no-logs.json
+index fd998a4..6760000 100644
+--- a/settings.json
++++ b/settings-no-logs.json
+@@ -330,7 +330,7 @@
+ "regex": []
+ },
+ "CloseStdinRequest": false,
+- "ReadStreamRequest": true,
++ "ReadStreamRequest": false,
+ "UpdateEphemeralMountsRequest": false,
+ "WriteStreamRequest": false
+ }
+
+```