I have set up a freeradius container in a kubernetes cluster. By default freeradius doesn't log authentication attempts or passwords in plain text; however, if the service is started with the "-X" arg (debugging mode), it overrides the default configuration and logs EVERYTHING to STDOUT. I have tried not specifying that arg in the deploy file, but then the container crashes upon startup.

Is there a way to either run freeradius in the container so that it doesn't create those logs in the first place, or to configure the deployment so that those logs cannot be accessed?

John Calder
  • To prohibit log read access, you need to use RBAC to lock down the `pods/log` resource's `get` verb. However, I'm not clear on what you mean by "not specifying the arg in the deploy file". Can you post your pod manifest (specifically the container spec) before and after your change? – Belmin Fernandez Mar 08 '19 at 17:16

2 Answers

If you are referring to logs as a pod's sub-resource, you can manage it with an RBAC role.

To represent this in an RBAC role, use a slash to delimit the resource and subresource. To allow a subject to read both pods and pod logs, you would write:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-logs-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]

Hence, to restrict access to a pod's logs you just need NOT to include "pods/log" in the resource list.

Also, bear in mind that rules are purely additive in Kubernetes RBAC, so you will need to list all accessible resources; otherwise you won't be able to access them either.

When the role is created, you'll need to link it to your user or service account within a RoleBinding.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-logs-reader-binding
  namespace: default   # must be the same namespace as the Role it references
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-logs-reader
subjects:
- kind: User
  name: "john_calder@dude.com"
  apiGroup: rbac.authorization.k8s.io

A_Suh
  • Ok, so resources should just be ["pods"], verbs should just be ["get","list"], and in the Role Binding the name of the user could just be "root@hostname"? Is there a way to apply it to everyone? Just within that namespace. – John Calder Mar 11 '19 at 08:03
  • If you want only get/list pods with this role, then yes. To apply this role to multiple users, I'd recommend grouping all users in a group and binding the role to that group, i.e. `subjects: - kind: Group name: apiGroup: rbac.authorization.k8s.io` Here is a good https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/ – A_Suh Mar 11 '19 at 10:12
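The answer above relies on two properties of Kubernetes RBAC: a subresource such as `pods/log` is only granted when a rule names it (as `pods/log`, `*/log` or `*`), and rules are purely additive, so leaving `pods/log` out of one Role only denies log reads while no other binding in the namespace grants it. The following is an added example written for this page, not Kubernetes code: a small model of the authorizer's matching logic, run over a constructed namespace containing the Role from the answer, a hardened copy without the log subresource, and a leftover debugging Role. The user, group and role names are made up for the example.

```python
"""Simplified model of Kubernetes RBAC evaluation (example for this page,
not Kubernetes' own code). Shows that omitting "pods/log" denies log reads,
and that a second binding elsewhere in the namespace silently re-grants them."""

from dataclasses import dataclass
from typing import Dict, List, Set

ALL = "*"
CORE_GROUP = ""  # apiGroups: [""] is the core API group, where pods live


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]


@dataclass
class Binding:
    role: str             # name of the Role this binding points at
    subjects: List[str]   # "User:<name>" or "Group:<name>"


def _resource_matches(rule_resources: List[str], resource: str, subresource: str) -> bool:
    """Mirror of the authorizer's resource check: '*' matches everything,
    'resource/sub' must match exactly, and '*/sub' matches any parent."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for r in rule_resources:
        if r == ALL or r == combined:
            return True
        if subresource and r.startswith("*/") and r.endswith("/" + subresource):
            return True
    return False


def rule_allows(rule: Rule, api_group: str, resource: str, subresource: str, verb: str) -> bool:
    group_ok = ALL in rule.api_groups or api_group in rule.api_groups
    verb_ok = ALL in rule.verbs or verb in rule.verbs
    return group_ok and verb_ok and _resource_matches(rule.resources, resource, subresource)


def can(user: str, groups: List[str], verb: str, resource: str, subresource: str,
        roles: Dict[str, List[Rule]], bindings: List[Binding], api_group: str = CORE_GROUP) -> bool:
    """Purely additive: allowed if ANY rule of ANY bound Role allows it.
    There is no deny rule that could take a granted permission away."""
    identities = {f"User:{user}"} | {f"Group:{g}" for g in groups}
    for b in bindings:
        if identities.isdisjoint(b.subjects):
            continue
        if any(rule_allows(r, api_group, resource, subresource, verb) for r in roles.get(b.role, [])):
            return True
    return False


def who_can(verb: str, resource: str, subresource: str,
            roles: Dict[str, List[Rule]], bindings: List[Binding]) -> Set[str]:
    """Audit helper: every subject some binding lets perform verb on resource/sub."""
    out: Set[str] = set()
    for b in bindings:
        if any(rule_allows(r, CORE_GROUP, resource, subresource, verb) for r in roles.get(b.role, [])):
            out.update(b.subjects)
    return out


# Constructed sample namespace (made-up names).
ROLES = {
    "pod-logs-reader": [Rule([CORE_GROUP], ["pods", "pods/log"], ["get", "list"])],  # Role from the answer
    "pod-reader":      [Rule([CORE_GROUP], ["pods"], ["get", "list"])],              # hardened: no log subresource
    "debug-logs":      [Rule([CORE_GROUP], ["*/log"], ["get"])],                      # leftover debugging Role
}
BINDINGS = [
    Binding("pod-reader", ["User:john_calder@dude.com"]),
    Binding("pod-logs-reader", ["Group:radius-admins"]),
]


def john_can_read_pods() -> bool:
    return can("john_calder@dude.com", [], "get", "pods", "", ROLES, BINDINGS)


def john_can_read_logs() -> bool:
    return can("john_calder@dude.com", [], "get", "pods", "log", ROLES, BINDINGS)


def john_can_read_logs_after_debug_binding() -> bool:
    # Additivity: one extra binding to a group John belongs to re-grants pods/log,
    # even though pod-reader never listed it.
    extra = BINDINGS + [Binding("debug-logs", ["Group:developers"])]
    return can("john_calder@dude.com", ["developers"], "get", "pods", "log", ROLES, extra)


if __name__ == "__main__":
    print("get pods:", john_can_read_pods())
    print("get pods/log:", john_can_read_logs())
    print("get pods/log with debug binding:", john_can_read_logs_after_debug_binding())
    print("who can read logs:", sorted(who_can("get", "pods", "log", ROLES, BINDINGS)))
```

The practical consequence is that "not listing `pods/log`" has to be verified against the whole namespace, not one Role: every RoleBinding and ClusterRoleBinding that reaches the subject counts. Against a live cluster the equivalent check is `kubectl auth can-i get pods/log -n default --as=<user>` (and `kubectl auth can-i --list -n default --as=<user>` to see everything the subject has accumulated).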
Ok, so it turns out there was a completely different way of achieving my goal than what I expected. I was able to get the freeradius container to start without debugging mode by creating emptyDir volume mounts for /var/run/freeradius and /var/log/freeradius so that those directories would be writable (not sure why /var/run/freeradius doesn't need to be writable in debugging mode, but oh well). Then, for command, have the following line:

command: ["/bin/bash","-c","freeradius && tail -F /var/log/freeradius/radius.log"]

Basically what this does is start up freeradius, then read the log to STDOUT in real time, updating as new lines are written to the log file.

John Calder
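The command in the answer above lets freeradius daemonize and then relies on `tail -F` both to keep the container alive and to copy the log to stdout. One caveat with that shape: if freeradius later exits, `tail` keeps running, so the container stays "healthy" and Kubernetes never restarts it. As an added example (not part of the original answer), here is the same idea as a small entrypoint function that runs the service in the foreground next to the tail and exits with the service's own status when it stops. It assumes freeradius accepts `-f` (run in the foreground rather than forking, as documented for radiusd) and that the log directory is writable, e.g. via the emptyDir mounts described in the answer; the constructed stand-in service used to exercise it lives only in the test.

```sh
#!/bin/sh
# Added example (not from the original answer): run a service in the
# foreground alongside a `tail` of its log file, and exit with the service's
# exit status once it stops, so the pod is restarted instead of lingering
# with nothing but `tail` running.
#
# Usage inside the container (assumes freeradius accepts -f and that
# /var/log/freeradius is writable, e.g. an emptyDir mount):
#   run_with_logtail /var/log/freeradius/radius.log freeradius -f

run_with_logtail() {
    logfile=$1; shift
    touch "$logfile" || return 1       # tail needs an existing file; touch does not truncate an old one

    "$@" &                             # the service, as a child process (not daemonized), so wait works
    svc=$!
    tail -n +1 -F "$logfile" &         # stream the whole file and follow it across rotations (-F)
    tailpid=$!

    # Forward a container stop (SIGTERM) to the service instead of only to this shell.
    trap 'kill -TERM "$svc" 2>/dev/null' TERM INT

    wait "$svc" && rc=0 || rc=$?       # block until the service exits; this also reaps it
    sleep 1                            # give tail a moment to emit lines written right before exit
    kill "$tailpid" 2>/dev/null || :
    wait "$tailpid" 2>/dev/null || :
    echo "$1 exited with status $rc" >&2
    return "$rc"
}
```

Note that `-X` is shorthand for `-sfxx -l stdout`: it is the `-xx` debug level, not the foreground mode, that dumps every packet and password. Running `freeradius -f -l stdout` therefore keeps the foreground behaviour and stdout logging at the normal log level, in which case no tail is needed at all (the log file is simply not written). Whether authentication results appear in the normal log at all is governed by the `auth`, `auth_badpass` and `auth_goodpass` settings in the `log` section of radiusd.conf, which default to `no`.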