Commit
kubelet: set terminationMessagePath perms to 0660
Currently, kubelet creates world-readable and world-writeable empty files in
`/var/lib/kubelet/pods/{podUID}/containers/busysleep/{containerId}`. These are
meant to be written by the process in containers when the container is terminated.

Originally, this file was created with `0644`, then despite security concerns,
it was changed to `0666` in
kubernetes#31839. This was completed to
allow containers running as non-root to write termination messages. Later on, in
2019 this has been highlighted as a security vulnerability in the Kubernetes
Security Audit Report in kubernetes#81116.

This commit changes termination log file mode to `0660` which is best of both
worlds - it removes world-writeable file, yet still allows the container's user
to write the termination message.
skrobul committed Jan 18, 2022
1 parent 5c9c181 commit d0eeced
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion pkg/kubelet/kuberuntime/kuberuntime_container.go
@@ -411,7 +411,7 @@ func (m *kubeGenericRuntimeManager) makeMounts(opts *kubecontainer.RunContainerO
// open(2) to create the file, so the final mode used is "mode &
// ~umask". But we want to make sure the specified mode is used
// in the file no matter what the umask is.
if err := m.osInterface.Chmod(containerLogPath, 0666); err != nil {
if err := m.osInterface.Chmod(containerLogPath, 0660); err != nil {
utilruntime.HandleError(fmt.Errorf("unable to set termination-log file permissions %q: %v", containerLogPath, err))
}
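Review bot: tightening the mode from 0666 to 0660 only keeps the termination log writable for a non-root container process whose GID matches the file's group, and nothing in this hunk sets the group ownership of containerLogPath (the commit message says the file is created by the kubelet, not by the container). Either the comment above the Chmod should state that assumption explicitly (it currently only explains the umask reasoning), or the file's group should be aligned with the pod's security context (runAsGroup/fsGroup) before the Chmod; otherwise a container running as an arbitrary non-root UID/GID can no longer write the termination message the commit message says it still can.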


0 comments on commit d0eeced
