Recently, the file integrity checks failed for the master, worker, and infra nodes. Upon describing the respective configmaps, it was seen that the failure occurred due to a change in the kubelet-ca.crt file on the nodes.
~~~
OCP-Chandler-Prod#1$oc get cm | grep -i failed
aide-infra-fileintegrity-qdosxpftsm0001-kw8dv-infra-wkkph-failed 1 38h
aide-master-fileintegrity-qdosxpftsm0001-kw8dv-master-1-failed 1 37h
aide-worker-fileintegrity-qdosxpftsm0001-kw8dv-worker-mhqlw-failed 1 38h
~~~
All three failed because of the change in kubelet-ca.crt on nodes:
~~~
SHA512 : R3kbibQqfVYK9Qw0Qo6Seg5+EZJ1P/dt | 5eTUtvqXhawMjdfcjRyynv+bYK+l2oJE
z9sNINKbbMSE580AwA1OaYZZQj/vkfvy | AaWjz1iRxGUj36IWEXCxDH4ohjD5fqM0
l+Ek4mK0ftfE4KTGMLpHSg== | OnFDNaYENwm3mgeuWurj/Q==
~~~
The exact change that occurred in these files is the addition of this new certificate:
~~~
Not Before: Apr 3 15:13:50 2023 GMT
Not After : Apr 2 15:13:51 2024 GMT
~~~
Since this change is valid, I understand that this issue can be resolved by re-initializing the AIDE database for the respective File Integrities. I am also aware that I can exclude this file from being checked by the File Integrity Operator by adding its entry into the respective file integrity configmaps. However, from my point of view, if changes to these core files are made by default OpenShift components or operators, the integrity check should pass (at least for changes like these, the cert rotation for default OpenShift components). I feel like this is something that can be considered for improvement. If there is any other perspective on this, I am happy to know about it.
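To triage a failed FileIntegrity report like the one above before deciding between a re-init and an investigation, the following added example (not part of the original post or of the File Integrity Operator) parses AIDE's "Detailed information about changes" output, joins the SHA512 values that AIDE wraps across lines, and separates paths the platform rewrites on its own from paths that need a closer look. The `/hostroot` prefix on node paths and the `EXPECTED_ROTATION` allowlist are assumptions.

```python
import re

# "  Attr     : old | new" lines from AIDE's "Detailed information about changes" section.
ATTR_RE = re.compile(r"^\s+(\w+)\s*:\s*(.*?)\s*\|\s*(.*?)\s*$")
# Wrapped hash continuation lines: indented "old-part | new-part" with no attribute name.
CONT_RE = re.compile(r"^\s+(\S+)\s*\|\s*(\S+)\s*$")

# Assumed allowlist of files the platform rotates itself; FIO reports node files under /hostroot.
EXPECTED_ROTATION = {"/hostroot/etc/kubernetes/kubelet-ca.crt"}

def parse_aide_changes(report: str) -> dict:
    """Return {path: {attr: (old, new)}}, re-joining values AIDE wraps over several lines."""
    changes, path, attr = {}, None, None
    for line in report.splitlines():
        if line.startswith("File: "):
            path, attr = line[6:].strip(), None
            changes[path] = {}
            continue
        m = ATTR_RE.match(line) if path else None
        if m:
            attr = m.group(1)
            changes[path][attr] = (m.group(2), m.group(3))
            continue
        m = CONT_RE.match(line) if attr else None
        if m:  # continuation of the previous attribute's wrapped old/new values
            old, new = changes[path][attr]
            changes[path][attr] = (old + m.group(1), new + m.group(2))
    return changes

def triage(changes: dict) -> dict:
    """Split changed paths into expected platform rotations and ones to investigate."""
    return {"expected": sorted(p for p in changes if p in EXPECTED_ROTATION),
            "investigate": sorted(p for p in changes if p not in EXPECTED_ROTATION)}

# Constructed sample in AIDE's layout: the kubelet-ca.crt hashes are the ones from the failed
# configmap above; the crontab entry is invented to show a change that is not an expected rotation.
SAMPLE_REPORT = """\
File: /hostroot/etc/kubernetes/kubelet-ca.crt
  Mtime    : 2023-04-02 10:00:00 +0000        | 2023-04-03 15:13:52 +0000
  SHA512   : R3kbibQqfVYK9Qw0Qo6Seg5+EZJ1P/dt | 5eTUtvqXhawMjdfcjRyynv+bYK+l2oJE
             z9sNINKbbMSE580AwA1OaYZZQj/vkfvy | AaWjz1iRxGUj36IWEXCxDH4ohjD5fqM0
             l+Ek4mK0ftfE4KTGMLpHSg==         | OnFDNaYENwm3mgeuWurj/Q==
File: /hostroot/etc/crontab
  SHA512   : oldoldoldoldoldoldoldoldoldoldol | newnewnewnewnewnewnewnewnewnewne
"""

if __name__ == "__main__":
    for bucket, paths in triage(parse_aide_changes(SAMPLE_REPORT)).items():
        print(bucket, paths)
```

The "expected" bucket is the candidate for re-initializing the AIDE database once the new certificate has been confirmed; anything in "investigate" should be examined before the baseline is reset.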