chore: don't include auditd rules in Linux VHDs #4253
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jackfrancis The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Codecov Report
@@ Coverage Diff @@
## master #4253 +/- ##
==========================================
- Coverage 72.08% 72.06% -0.02%
==========================================
Files 141 141
Lines 21715 21725 +10
==========================================
+ Hits 15653 15657 +4
- Misses 5107 5112 +5
- Partials 955 956 +1
Continue to review full report at Codecov.
|
| @@ -1196,6 +1196,18 @@ func (p *Properties) GetAADAdminGroupID() string { | |||
| return "" | |||
| } | |||
|
|
|||
| func (p *Properties) NeedsAuditdRules() bool { | |||
There was a problem hiding this comment.
This method makes it look like auditDEnabled is a cluster-wide setting, but the apimodel schema may give the wrong impression to users as the field can be set on both master and agent pools.
Out of scope if auditD will be removed eventually.
There was a problem hiding this comment.
It's just because both node types derive cloud-init data from a common dictionary that gets populated to the ARM template. So if any one node pool (or control plane) opts into auditd, that data is needed in the template in order to be consumed by cloud-init anywhere.
Reason for Change:
This PR changes the VHD configuration so that auditd rules are not put onto the VM filesystem as part of VHD creation. Also includes required ARM template composition changes due to the fact that there is no VHD context related to the need for these cloud-init requirements.
Issue Fixed:
Credit Where Due:
Does this change contain code from or inspired by another project?
If "Yes," did you notify that project's maintainers and provide attribution?
Requirements:
Notes: