Add auditd to photon OS #271
Conversation
cc: @codenrhoden

Also, I think
Thanks for working on this @EleanorRigby! I mostly have a few nits for you to consider, but also have a couple of questions.
Also (I can't comment on an empty file), it looks like an empty file is added (images/capi/ansible/roles/setup/handlers/main.yml) and that can be removed from this commit.
- Add auditd service
- Enable on boot
- Recreate log dir once sysprep cleans log dirs
- Add containerd audit rules
- Make sure all auditd customizations happen for photon OS only

SYSPREP ROLE

- Include Photon OS tasks at end.
- Move machine mode fact out of OS specific sysprep role to set at beginning of role execution.
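The commit message above lists the steps without showing them. The following Ansible task file is an added example written for this page; it is not the image-builder project's own role code. It assumes that Photon OS reports `ansible_os_family == "VMware Photon OS"`, that the auditd package is named `audit`, that containerd lives at `/usr/local/bin/containerd` with its config at `/etc/containerd/config.toml`, and that a handler called `load audit rules` exists; all of these are assumptions to be checked against the image being built.

```yaml
# Added example, not the project's own tasks. Every path, package name and
# fact value below is an assumption for the image being built.
- name: Install auditd
  package:
    name: audit          # assumed package name on Photon OS
    state: present
  when: ansible_os_family == "VMware Photon OS"

- name: Recreate the audit log directory that sysprep removes
  file:
    path: /var/log/audit
    state: directory
    owner: root
    group: root
    mode: "0700"
  when: ansible_os_family == "VMware Photon OS"

- name: Install containerd audit rules
  copy:
    dest: /etc/audit/rules.d/containerd.rules
    owner: root
    group: root
    mode: "0640"
    content: |
      ## Hypothetical containerd watch rules. Every rule carries -k containerd
      ## so the events can be pulled back out with `ausearch -k containerd`.
      ## Log executions of the containerd binary (path is an assumption).
      -w /usr/local/bin/containerd -p x -k containerd
      ## Log writes and attribute changes to the daemon config and state.
      -w /etc/containerd/config.toml -p wa -k containerd
      -w /var/lib/containerd -p wa -k containerd
      ## Log reads, writes and attribute changes on the control socket.
      -w /run/containerd/containerd.sock -p rwa -k containerd
  notify: load audit rules
  when: ansible_os_family == "VMware Photon OS"

- name: Enable auditd on boot and start it
  systemd:
    name: auditd
    enabled: yes
    state: started
  when: ansible_os_family == "VMware Photon OS"

# handlers/main.yml (hypothetical handler referenced by notify above).
# augenrules merges /etc/audit/rules.d/*.rules into audit.rules and loads
# the result into the running kernel audit subsystem.
- name: load audit rules
  command: augenrules --load
```

After the image boots, `auditctl -l` should list the four watches and `ausearch -k containerd` should return the events that the reviewer below describes seeing in the new audit log. Keeping every rule under one key is what makes that check, and any downstream detection query, a one-liner.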
/lgtm
/approve
Thanks @EleanorRigby! I verified that I could build this image, and booted it up and checked out the new audit log and it was full of containerd entries. I think the auditd rules as they are may be more globally applicable beyond Photon (e.g. to AL2 as well) and if we find that to be the case, we'll start dropping them in for other OS's as well.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: codenrhoden, EleanorRigby The full list of commands accepted by this bot can be found here. The pull request process is described here
Agreed.
commit d56a6d9
Merge: 30ede4f 40e8f02
Author: Kubernetes Prow Robot <k8s-ci-robot@users.noreply.github.com>
Date:   Mon Jul 13 20:39:20 2020 -0700

    Merge pull request kubernetes-sigs#286 from EleanorRigby/ta-goss-ova

    Add GOSS provisioner to node OVA builder

commit 40e8f02
Author: Tushar Aggarwal <taggarwal@vmware.com>
Date:   Thu Jul 9 15:54:32 2020 -0700

    Add GOSS provisioner to node OVA builder

    - Runs goss verifier on node OVA
    - Extract out goss args in common config
    - Update GOSS version

commit 30ede4f
Merge: 00377e8 4882ebe
Author: Kubernetes Prow Robot <k8s-ci-robot@users.noreply.github.com>
Date:   Thu Jul 9 15:46:34 2020 -0700

    Merge pull request kubernetes-sigs#271 from EleanorRigby/ta-photon-auditd

    Add auditd to photon OS

commit 4882ebe
Author: Tushar Aggarwal <taggarwal@vmware.com>
Date:   Wed Jul 1 19:18:44 2020 -0700

    Add auditd to Node image for photon OS

    - Add auditd service
    - Enable on boot
    - Recreate log dir once sysprep cleans log dirs
    - Add containerd audit rules
    - Make sure all auditd customizations happen for photon OS only

    SYSPREP ROLE

    - Include Photon OS tasks at end.
    - Move machine mode fact out of OS specific sysprep role to set at beginning of role execution.

commit 00377e8
Merge: b5b9fd5 e2d88dd
Author: Kubernetes Prow Robot <k8s-ci-robot@users.noreply.github.com>
Date:   Fri Jul 3 04:16:48 2020 -0700

    Merge pull request kubernetes-sigs#273 from justinsb/kops_1_17_0_image

    Legacy images for kops: preload assets

commit e2d88dd
Author: Justin SB <justinsb@google.com>
Date:   Thu Jul 2 15:43:13 2020 -0400

    Legacy images for kops: preload assets

    Create stretch-based images using the legacy image-builder; main change is
    preloading the correct assets.

    We are maintaining the availability of this image-stream as part of our
    deprecation.