kubelet: reject empty log path in container log Clean() #138379

Open
gregkh wants to merge 1 commit into kubernetes:master from gregkh:kubelet-empty-log-path-fix

@gregkh gregkh commented Apr 14, 2026

The Clean() method in containerLogManager constructs a glob pattern directly from the LogPath returned by the CRI runtime's ContainerStatus response. If the runtime returns an empty LogPath (the protobuf default for an unset string field, or as a result of a runtime bug or race during container creation), the resulting pattern is "*", which matches every file in the kubelet's working directory. Each match is then passed to Remove() which would not be a good idea to have happen.

Reject an empty LogPath before constructing the glob pattern. The sibling processContainer() path is naturally guarded by Stat("") returning ENOENT before reaching rotateLog().

/kind bug

NONE

The Clean() method in containerLogManager constructs a glob pattern
directly from the LogPath returned by the CRI runtime's ContainerStatus
response.  If the runtime returns an empty LogPath (the protobuf default
for an unset string field, or as a result of a runtime bug or race
during container creation), the resulting pattern is "*", which matches
every file in the kubelet's working directory.  Each match is then passed
to Remove() which would not be a good idea to have happen.

Reject an empty LogPath before constructing the glob pattern.  The
sibling processContainer() path is naturally guarded by Stat("")
returning ENOENT before reaching rotateLog().
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. release-note-none Denotes a PR that doesn't merit a release note. labels Apr 14, 2026
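
To make the failure mode in the PR description concrete, here is an added Go example (not the kubelet's code and not part of this PR) that builds the glob pattern as log path plus `*` and compares an empty path with and without the rejection. `cleanTargets`, `scenario`, `errEmptyLogPath` and the file names are hypothetical; the sketch only lists matches inside its own scratch directory and removes nothing else.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

var errEmptyLogPath = errors.New("container log path is empty")

// cleanTargets lists (never deletes) what a Clean()-style sweep would remove.
// guarded=true applies the empty-path rejection described in the PR.
func cleanTargets(logPath string, guarded bool) ([]string, error) {
	if guarded && logPath == "" {
		return nil, errEmptyLogPath
	}
	return filepath.Glob(logPath + "*") // "" + "*" is "*": the whole cwd
}

// scenario chdirs into a constructed scratch directory standing in for the
// working directory and returns: normal matches, unguarded matches, guarded error.
func scenario() ([]string, []string, error) {
	dir, err := os.MkdirTemp("", "cwd-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	old, _ := os.Getwd()
	if err := os.Chdir(dir); err != nil {
		panic(err)
	}
	defer os.Chdir(old)
	// Constructed files: one container's logs plus unrelated data.
	for _, n := range []string{"0.log", "0.log.20260414", "unrelated.conf", "unrelated.db"} {
		if err := os.WriteFile(n, nil, 0o600); err != nil {
			panic(err)
		}
	}
	normal, _ := cleanTargets(filepath.Join(dir, "0.log"), false)
	unguarded, _ := cleanTargets("", false)
	_, guardedErr := cleanTargets("", true)
	return normal, unguarded, guardedErr
}

func main() {
	normal, unguarded, err := scenario()
	fmt.Printf("normal=%v\nempty, unguarded=%v\nempty, guarded=%v\n", normal, unguarded, err)
}
```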
@k8s-ci-robot
Contributor

Please note that we're already in Code Freeze for the upcoming v1.36.0 release.

Adding the milestone to this PR is strictly prohibited without proper approval. If this PR needs to be included in the v1.36.0 release:

  1. Technical review: get the PR reviewed and approved as usual (/lgtm and /approve)
  2. Inclusion in release: ping @sig-release-leads on the #sig-release Slack channel and suggest to add the v1.36.0 milestone to the PR

We're also in Test Freeze for the release-1.36 branch. This means every merged PR will be automatically fast-forwarded via the periodic ci-fast-forward job to the release branch of the upcoming v1.36.0 release.

Fast forwards are scheduled to happen every 6 hours, whereas the most recent run was: Tue Apr 14 14:21:49 UTC 2026.

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Apr 14, 2026
@linux-foundation-easycla

linux-foundation-easycla bot commented Apr 14, 2026

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: gregkh / name: Greg Kroah-Hartman (cdea617)

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 14, 2026
@k8s-ci-robot
Contributor

Hi @gregkh. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Apr 14, 2026
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gregkh
Once this PR has been reviewed and has the lgtm label, please assign sjenning for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added area/kubelet sig/node Categorizes an issue or PR as relevant to SIG Node. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Apr 14, 2026
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Apr 14, 2026
@bart0sh
Contributor

bart0sh commented Apr 15, 2026

/triage accepted
/priority important-soon

@gregkh Please, add unit test(s).

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Apr 15, 2026
@bart0sh
Contributor

bart0sh commented Apr 15, 2026

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 15, 2026
@bart0sh bart0sh moved this from Triage to Needs Reviewer in SIG Node: code and documentation PRs Apr 15, 2026
@k8s-ci-robot
Contributor

@gregkh: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| pull-kubernetes-unit-windows-master | cdea617 | link | false | /test pull-kubernetes-unit-windows-master |

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
