Details
- Improvement
- Resolution: Fixed
- Major
Description
`cbcollect_info` requires `pod/exec` permissions to run, which is less than ideal for two reasons:
- RBAC configuration for the operator does not list it (it's nothing to do with the operator)
- It may not be acceptable for certain security postures (running arbitrary code on pods is not a good idea for security and performance reasons).
Fully in-memory clusters (those without any persistent volumes) will prevent access to logs via a volume currently for a log shipping sidecar to use (K8S-1080). This means these logs are inaccessible via the usual means and doubly so if `pod/exec` is not allowed either. The logs will be destroyed with the pod.
Ideally, the changes to provide a log shipping sidecar are integrated into the server image directly, which would mitigate both these problems. We would need to configure it to ship the logs somewhere for `cbcollect_info` to pick up (or update it to grab them by deploying a daemonset or log pipeline). A proof of concept of doing this by layering it on the server image has been demonstrated.
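To see which roles in a cluster would permit the exec access described above, the following added example (not part of the original issue and not Couchbase code) scans RBAC objects for rules that grant it. It assumes input shaped like the `items` of `kubectl get roles,clusterroles -A -o json`; Kubernetes RBAC names the subresource `pods/exec`, and every role name and namespace in the sample is constructed.

```python
# Added example: audit RBAC objects for rules that allow `kubectl exec`.
# All role names and namespaces below are constructed sample data.

EXEC_VERBS = {"create", "*"}  # kubectl exec is a "create" on pods/exec


def _resource_allows_exec(resource):
    # RBAC matches "*", the exact "pods/exec", or the "*/<subresource>" form.
    return resource in ("*", "pods/exec", "*/exec")


def rule_grants_exec(rule):
    """Return True if one PolicyRule lets a subject exec into pods."""
    in_core_group = any(g in ("", "*") for g in rule.get("apiGroups", []))
    on_exec = any(_resource_allows_exec(r) for r in rule.get("resources", []))
    can_create = bool(EXEC_VERBS & set(rule.get("verbs", [])))
    return in_core_group and on_exec and can_create


def find_exec_grants(items):
    """Return sorted (kind, namespace, name) for each Role/ClusterRole granting exec."""
    hits = set()
    for obj in items:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        # Aggregated ClusterRoles can carry "rules": null, hence the `or []`.
        if any(rule_grants_exec(r) for r in obj.get("rules") or []):
            meta = obj.get("metadata", {})
            hits.add((obj["kind"], meta.get("namespace", ""), meta.get("name", "")))
    return sorted(hits)


# Constructed input, shaped like the "items" of `kubectl get roles,clusterroles -A -o json`.
SAMPLE_ITEMS = [
    {"kind": "Role", "metadata": {"namespace": "couchbase", "name": "log-collector"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["get", "create"]}]},
    {"kind": "Role", "metadata": {"namespace": "couchbase", "name": "operator-example"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"namespace": "couchbase", "name": "wrong-group"},
     "rules": [{"apiGroups": ["apps"], "resources": ["*/exec"], "verbs": ["create"]}]},
]

if __name__ == "__main__":
    for kind, ns, name in find_exec_grants(SAMPLE_ITEMS):
        print(f"{kind} {ns or '<cluster>'}/{name} allows pod exec")
```

Wildcard grants are reported alongside explicit ones, since a rule with `resources: ["*"]` in the core API group covers `pods/exec` without naming it.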
Issue Links
- relates to
  - K8S-2069 STIME - rebalance fails on FTS or cbas or index (Resolved)
  - K8S-2074 Openshift 4.x, Couchbase Server and Sync Gateway installations - Missing prerequisites for the Openshift cluster (Closed)
  - K8S-2000 Transport audit logs off of pods (Closed)
  - K8S-1080 Support redirecting Couchbase Server logs on STDOUT (Closed)