From 2c8318255f6d61e7602c4fcac49100e426808004 Mon Sep 17 00:00:00 2001
From: Tom Dohrmann <erbse.13@gmx.de>
Date: Wed, 9 Oct 2024 11:41:11 +0200
Subject: [PATCH] docs: add some advice regarding logs

---
 docs/docs/architecture/security-considerations.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/docs/docs/architecture/security-considerations.md b/docs/docs/architecture/security-considerations.md
index a07ef3a64..85f8da9f4 100644
--- a/docs/docs/architecture/security-considerations.md
+++ b/docs/docs/architecture/security-considerations.md
@@ -54,3 +54,13 @@ Ideally, a volume is mounted as a raw block device and authenticated encryption
 
 [`docker pull` documentation]: https://docs.docker.com/reference/cli/docker/image/pull/#pull-an-image-by-digest-immutable-identifier
 [downward API]: https://kubernetes.io/docs/concepts/workloads/pods/downward-api/
+
+### Logs
+
+By default, container logs are visible to the host.
+Sensitive information shouldn't be logged.
+
+As of right now, hiding logs isn't natively supported.
+If `ReadStreamRequest` is denied in the policy, the Kata Agent stops reading the logs.
+This causes the pipes used for standard out and standard error to fill up and potentially deadlock the container.
+If absolutely required, standard out and standard error should be manually redirected to `/dev/null` inside the container.