Chart: Allow to enable auditd service through `global.components.auditd.enabled`. (#335)

Co-authored-by: Nick Jüttner <[email protected]>
Gacko and njuettner authored Sep 18, 2024
1 parent a6e751d commit 85f1447
Showing 6 changed files with 29 additions and 0 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Added

- Chart: Allow to enable `auditd` service through `global.components.auditd.enabled`.

## [1.0.0] - 2024-07-24

### Changed
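Review bot: the entry is filed under "Added", but with the shipped default of `false` this change also stops rendering `99-default.rules` and explicitly disables `auditd.service` on nodes that do not opt in (see the new `{{- if }}` guards in the template hunks), which is a behaviour change for existing clusters; suggest an additional "Changed" line along the lines of "Chart: auditd is now disabled unless `global.components.auditd.enabled` is set to `true`." The phrase "Allow to enable" also reads better as "Allow enabling".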
2 changes: 2 additions & 0 deletions helm/cluster/README.md
@@ -193,6 +193,8 @@ Advanced configuration of components that are running on all nodes.

| **Property** | **Description** | **More Details** |
| :----------- | :-------------- | :--------------- |
| `global.components.auditd` | **Auditd** - Enable Auditd service.|**Type:** `object`<br/>|
| `global.components.auditd.enabled` | **Enabled** - Whether or not the Auditd service shall be enabled. When true, the Auditd service is enabled. When false, the Auditd service is disabled.|**Type:** `boolean`<br/>**Default:** `false`|
| `global.components.containerd` | **Containerd** - Configuration of containerd.|**Type:** `object`<br/>|
| `global.components.containerd.containerRegistries` | **Container registries** - Endpoints and credentials configuration for container registries.|**Type:** `object`<br/>**Default:** `{"docker.io":[{"endpoint":"registry-1.docker.io"},{"endpoint":"giantswarm.azurecr.io"}],"gsoci.azurecr.io":[{"endpoint":"gsoci.azurecr.io"}]}`|
| `global.components.containerd.containerRegistries.*` | **Registries** - Container registries and mirrors|**Type:** `array`<br/>|
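Review bot: the description in the new `global.components.auditd.enabled` row spells out the boolean's meaning three times ("Whether or not ... When true ... When false ..."); one sentence such as "Enable the auditd service on all nodes." is enough, since the **Default** column already shows `false`. The same text appears verbatim in the `values.schema.json` hunk, so if this table is generated from the schema the rewording belongs there rather than here.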
2 changes: 2 additions & 0 deletions helm/cluster/templates/clusterapi/_helpers_files.tpl
@@ -123,11 +123,13 @@ and is used to join the node to the teleport cluster.

{{/* Audit rules for all nodes */}}
{{- define "cluster.internal.kubeadm.files.auditrules" }}
{{- if $.Values.global.components.auditd.enabled }}
- path: /etc/audit/rules.d/99-default.rules
permissions: "0640"
encoding: base64
content: {{ $.Files.Get "files/etc/audit/rules.d/99-default.rules" | b64enc }}
{{- end }}
{{- end }}

{{/* Provider-specific files for all nodes */}}
{{- define "cluster.internal.kubeadm.files.provider" }}
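Review bot: wrapping the entire `cluster.internal.kubeadm.files.auditrules` define in `{{- if $.Values.global.components.auditd.enabled }}` means the define renders nothing by default, which is a silent change for anyone relying on `/etc/audit/rules.d/99-default.rules` being present; add a short template comment next to the `{{/* Audit rules for all nodes */}}` line stating that the file is only written when auditd is enabled, and confirm the caller tolerates an empty result (the `{{-` trims on both `if` and `end` look right, so no stray list item should be emitted, but it is worth a rendered-template check with the flag set to `false`).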
5 changes: 5 additions & 0 deletions helm/cluster/templates/clusterapi/_helpers_flatcar.tpl
@@ -181,6 +181,7 @@
CPUAccounting=true
MemoryAccounting=true
Slice=kubereserved.slice
{{- if $.Values.global.components.auditd.enabled }}
- name: audit-rules.service
enabled: true
dropins:
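Review bot: the enabled branch only adds the `audit-rules.service` drop-in and never sets `auditd.service` to `enabled: true`, while the `else` branch explicitly disables it; if the enabled case relies on the Flatcar default state of `auditd.service`, say so in a template comment, otherwise add a matching `- name: auditd.service` / `enabled: true` unit here so that nodes provisioned after the flag is flipped from `false` to `true` get the daemon enabled explicitly rather than by OS default.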
@@ -189,6 +190,10 @@
[Service]
ExecStartPre=/bin/bash -c "while [ ! -f /etc/audit/rules.d/containerd.rules ]; do echo 'Waiting for /etc/audit/rules.d/containerd.rules to be written' && sleep 1; done"
Restart=on-failure
{{- else }}
- name: auditd.service
enabled: false
{{- end }}
{{- end }}

{{- define "cluster.internal.kubeadm.ignition.containerLinuxConfig.additionalConfig.systemd.units.teleport" }}
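Review bot: the `else` branch disables `auditd.service` but leaves `audit-rules.service` at its default, so the kernel audit rules under `/etc/audit/rules.d` (including the `containerd.rules` file the drop-in above waits for) can still be loaded with no daemon to collect the resulting records; if `enabled: false` is meant to turn auditing off entirely, also add `- name: audit-rules.service` / `enabled: false` to this branch, and if it is only meant to stop the userspace daemon, document that distinction in the schema description.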
14 changes: 14 additions & 0 deletions helm/cluster/values.schema.json
@@ -1166,6 +1166,20 @@
"description": "Advanced configuration of components that are running on all nodes.",
"additionalProperties": false,
"properties": {
"auditd": {
"type": "object",
"title": "Auditd",
"description": "Enable Auditd service.",
"additionalProperties": false,
"properties": {
"enabled": {
"type": "boolean",
"title": "Enabled",
"description": "Whether or not the Auditd service shall be enabled. When true, the Auditd service is enabled. When false, the Auditd service is disabled.",
"default": false
}
}
},
"containerd": {
"type": "object",
"title": "Containerd",
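Review bot: the `enabled` description restates the boolean's semantics three times; "Enable the auditd service on all nodes." is sufficient, and `"default": false` already documents the default. The object-level description "Enable Auditd service." describes the flag rather than the object; "Configuration of auditd." would match the neighbouring `containerd` entry ("Configuration of containerd.") and keeps the generated README table consistent.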
2 changes: 2 additions & 0 deletions helm/cluster/values.yaml
@@ -26,6 +26,8 @@ global:
verticalPodAutoscaler: {}
verticalPodAutoscalerCrd: {}
components:
auditd:
enabled: false
containerd:
containerRegistries:
docker.io:
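Review bot: `enabled: false` as the shipped default makes auditd opt-in, and together with the new `{{- if }}` guards in the templates it disables audit rule provisioning and the daemon on every cluster that does not set this value; if the pre-existing behaviour (auditd always provisioned) should survive the chart upgrade, default to `true` here and let users opt out, otherwise make sure the CHANGELOG names the new default so operators know to set the flag before upgrading.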
