How do I suppress logs in a Kubernetes container? [Resolved]

I have set up a freeradius container in a Kubernetes cluster. By default freeradius doesn't log authentication attempts or log passwords in plain text; however, if the service is started with the "-X" arg (debugging mode), it overrides the default configuration and logs EVERYTHING to STDOUT. I have tried not specifying that arg in the deploy file, but then the container crashes upon startup.

Is there a way to either run freeradius in the container so that it doesn't create those logs in the first place, or to configure the deployment so that those logs cannot be accessed?

Question Credit: John Calder
Asked March 13, 2019
Posted Under: Network
2 Answers

Ok, so it turns out there was a completely different way of achieving my goal than what I expected. I was able to get the freeradius container to start without debugging mode by creating emptyDir volume mounts for /var/run/freeradius and /var/log/freeradius so that those directories would be writable (not sure why /var/run/freeradius doesn't need to be writable in debugging mode but oh well), then for command, have the following line:

command: ["/bin/bash","-c","freeradius && tail -F /var/log/freeradius/radius.log"]

Basically what this does is it starts up freeradius, then reads the log to STDOUT in real time, updating as new lines are written to the log file.

credit: John Calder
Answered March 13, 2019

If you are referring to logs as a pod's sub-resource, you can manage it with an RBAC role.

To represent this in an RBAC role, use a slash to delimit the resource and subresource. To allow a subject to read both pods and pod logs, you would write:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-logs-reader
rules:
- apiGroups: [""]   # "" is the core API group
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]

Hence, to restrict access to a pod's logs, you just need NOT to include "pods/log" in the resource list.

Also, bear in mind that rules are purely additive in Kubernetes RBAC, so you will need to list all accessible resources; otherwise you won't be able to access them either.

When the role is created, you'll need to link it to your user or service account within a RoleBinding:

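apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-logs-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-logs-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ""   # the user to bind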

credit: A_Suh
Answered March 13, 2019
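
Because RBAC rules are additive, omitting "pods/log" from one Role only helps if no other Role bound to the same subject grants it. The following is an added example, not part of either answer: it checks a set of Role objects for rules that allow reading pod logs, and goes beyond the answer by also catching wildcard grants. The Role data and the names pod-reader, namespace-admin and log-lister are constructed for illustration.

```python
# Added example: audit which Roles still allow reading pod logs.
# Roles are plain dicts in the shape found under .items[] of
# `kubectl get roles -o json`; the sample data below is constructed.

def _matches(values, wanted):
    """RBAC list match: a literal entry or the "*" wildcard."""
    return "*" in values or wanted in values

def rule_allows_pod_logs(rule):
    """True if one RBAC rule grants `get` on the pods/log subresource."""
    if not _matches(rule.get("apiGroups", []), ""):   # "" = core API group
        return False
    if not _matches(rule.get("verbs", []), "get"):
        return False
    # A resource entry covers pods/log when it is "*", the exact
    # "pods/log", or "*/log". Plain "pods" does not cover subresources.
    return any(r in ("*", "pods/log", "*/log")
               for r in rule.get("resources", []))

def roles_allowing_pod_logs(roles):
    """Names of Roles with at least one rule that allows reading pod logs.
    Rules are additive, so a single matching rule is enough."""
    return [
        role["metadata"]["name"]
        for role in roles
        if any(rule_allows_pod_logs(r) for r in role.get("rules", []))
    ]

SAMPLE_ROLES = [  # constructed for this example
    {"metadata": {"name": "pod-logs-reader"},   # the Role from the answer
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                "verbs": ["get", "list"]}]},
    {"metadata": {"name": "pod-reader"},        # hypothetical: pods only
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list"]}]},
    {"metadata": {"name": "namespace-admin"},   # hypothetical wildcard Role
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "log-lister"},        # hypothetical: no "get" verb
     "rules": [{"apiGroups": [""], "resources": ["pods/log"],
                "verbs": ["list"]}]},
]

if __name__ == "__main__":
    for name in roles_allowing_pod_logs(SAMPLE_ROLES):
        print("grants pod log access:", name)
```

On a live cluster, `kubectl auth can-i get pods --subresource=log --as=<user> -n <namespace>` answers the same question for a single subject.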