The File Integrity Operator for OpenShift Container Platform deploys file integrity checking for RHCOS nodes.
These release notes track the development of the File Integrity Operator in the OpenShift Container Platform.
For an overview of the File Integrity Operator, see Understanding the File Integrity Operator.
The following advisory is available for the OpenShift File Integrity Operator 0.1.22:
Previously, a system with a File Integrity Operator installed might interrupt the OpenShift Container Platform update, due to the /etc/kubernetes/aide.reinit
file. This occurred if the /etc/kubernetes/aide.reinit
file was present, but later removed prior to the ostree
validation. With this update, /etc/kubernetes/aide.reinit
is moved to the /run
directory so that it does not conflict with the OpenShift Container Platform update. (BZ#2033311)
The following advisory is available for the OpenShift File Integrity Operator 0.1.21:
The metrics related to FileIntegrity
scan results and processing metrics are displayed on the monitoring dashboard on the web console. The results are labeled with the prefix of file_integrity_operator_
.
If a node has an integrity failure for more than 1 second, the default PrometheusRule
provided in the operator namespace alerts with a warning.
The following dynamic Machine Config Operator and Cluster Version Operator related filepaths are excluded from the default AIDE policy to help prevent false positives during node updates:
/etc/machine-config-daemon/currentconfig
/etc/pki/ca-trust/extracted/java/cacerts
/etc/cvo/updatepayloads
/root/.kube
The AIDE daemon process has stability improvements over v0.1.16, and is more resilient to errors that might occur when the AIDE database is initialized.