Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-14348

File Integrity should exclude default changes of openshift in fileintegrity configmap

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done-Errata
    • Normal
    • None
    • 4.12
    • File Integrity Operator
    • None
    • ?
    • No
    • 1
    • CMP Sprint 65
    • 1
    • False
    • Hide

      None

      Show
      None
    • FIO now includes kubelet certificates as default files, excluding them from throwing warnings when they're managed by OpenShift.

    Description

      Description of problem:

      Recently, the file integrity checks failed for the master, worker, and infra nodes. Upon describing the respective configmaps, it was seen that the failure occurred due to a change in the kubelet-ca.crt file on the nodes.
~~~
OCP-Chandler-Prod#1$oc get cm | grep -i failed
aide-infra-fileintegrity-qdosxpftsm0001-kw8dv-infra-wkkph-failed 1 38h
aide-master-fileintegrity-qdosxpftsm0001-kw8dv-master-1-failed 1 37h
aide-worker-fileintegrity-qdosxpftsm0001-kw8dv-worker-mhqlw-failed 1 38h
~~~All three failed because of the change in kubelet-ca.crt on nodes:~~~
File: /hostroot/etc/kubernetes/kubelet-ca.crt
SHA512 : R3kbibQqfVYK9Qw0Qo6Seg5+EZJ1P/dt | 5eTUtvqXhawMjdfcjRyynv+bYK+l2oJE
z9sNINKbbMSE580AwA1OaYZZQj/vkfvy | AaWjz1iRxGUj36IWEXCxDH4ohjD5fqM0
l+Ek4mK0ftfE4KTGMLpHSg== | OnFDNaYENwm3mgeuWurj/Q==
~~~The exact change that occurred in these files is the addition of this new certificate:
~~~
Issuer: CN=openshift-kube-apiserver-operator_kube-apiserver-to-kubelet-signer@1680534831
Not Before: Apr 3 15:13:50 2023 GMT
Not After : Apr 2 15:13:51 2024 GMT
Subject: CN=openshift-kube-apiserver-operator_kube-apiserver-to-kubelet-signer@1680534831
~~~Since this change is valid, I understand that this issue can be resolved by re-initializing the aide database for the respective File Integrities.I am also aware that I can exclude this file from being checked by the file integrity operator by adding its entry into the respective file integrity configmaps.However, according to my point of view, if changes to these core files are made by default OpenShift Components or Operators, the integrity check should get Passed (at least for changes like these - the cert rotation for default OpenShift Components). I feel like this is something that can be considered for improvement.If there is any other perspective to this, I am happy to know about it.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      Alawys when kubelet ca gets updated

      Steps to Reproduce:

      1.
2.
3.

      Actual results:

      Integrity check fail becasue change in /hostroot/etc/kubernetes/kubelet-ca.crt

      Expected results:

      Integrity check to pass

      Additional info:

       

      Attachments

        Activity

          People

            wenshen@redhat.com Vincent Shen
            wenshen@redhat.com Vincent Shen
            Xiaojie Yuan Xiaojie Yuan
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: