Toggle auditd

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Allow to enable `auditd` service through `global.components.auditd.enabled`.
+
 ## [1.2.2] - 2024-09-05
 
 ### Fixed

helm/cluster/README.md

@@ -205,6 +205,8 @@ Advanced configuration of components that are running on all nodes.
 
 | **Property** | **Description** | **More Details** |
 | :----------- | :-------------- | :--------------- |
+| `global.components.auditd` | **Auditd** - Enable Auditd rules service.|**Type:** `object`<br/>|
+| `global.components.auditd.enabled` | **Enabled** - Whether or not the Auditd rules service shall be enabled. When true, the Auditd rules service is enabled. When false, the Auditd rules service is disabled.|**Type:** `boolean`<br/>**Default:** `false`|
 | `global.components.containerd` | **Containerd** - Configuration of containerd.|**Type:** `object`<br/>|
 | `global.components.containerd.containerRegistries` | **Container registries** - Endpoints and credentials configuration for container registries.|**Type:** `object`<br/>**Default:** `{"docker.io":[{"endpoint":"registry-1.docker.io"},{"endpoint":"giantswarm.azurecr.io"}],"gsoci.azurecr.io":[{"endpoint":"gsoci.azurecr.io"}]}`|
 | `global.components.containerd.containerRegistries.*` | **Registries** - Container registries and mirrors|**Type:** `array`<br/>|

helm/cluster/templates/clusterapi/_helpers_files.tpl

@@ -121,11 +121,13 @@ and is used to join the node to the teleport cluster.
 
 {{/* Audit rules for all nodes */}}
 {{- define "cluster.internal.kubeadm.files.auditrules" }}
+{{- if $.Values.global.components.auditd.enabled }}
 - path: /etc/audit/rules.d/99-default.rules
   permissions: "0640"
   encoding: base64
   content: {{ $.Files.Get "files/etc/audit/rules.d/99-default.rules" | b64enc }}
 {{- end }}
+{{- end }}
 
 {{/* Provider-specific files for all nodes */}}
 {{- define "cluster.internal.kubeadm.files.provider" }}

helm/cluster/templates/clusterapi/_helpers_flatcar.tpl

@@ -181,6 +181,7 @@
       CPUAccounting=true
       MemoryAccounting=true
       Slice=kubereserved.slice
+{{- if $.Values.global.components.auditd.enabled }}
 - name: audit-rules.service
   enabled: true
   dropins:
@@ -189,6 +190,10 @@
       [Service]
       ExecStartPre=/bin/bash -c "while [ ! -f /etc/audit/rules.d/containerd.rules ]; do echo 'Waiting for /etc/audit/rules.d/containerd.rules to be written' && sleep 1; done"
       Restart=on-failure
+{{- else }}
+- name: auditd.service
+  enabled: false
+{{- end }}
 {{- end }}
 
 {{- define "cluster.internal.kubeadm.ignition.containerLinuxConfig.additionalConfig.systemd.units.teleport" }}

helm/cluster/tests/go.sum

@@ -68,6 +68,7 @@ golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
 golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
 google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

helm/cluster/values.schema.json

@@ -1172,6 +1172,20 @@
                     "description": "Advanced configuration of components that are running on all nodes.",
                     "additionalProperties": false,
                     "properties": {
+                        "auditd": {
+                            "type": "object",
+                            "title": "Auditd",
+                            "description": "Enable Auditd rules service.",
+                            "additionalProperties": false,
+                            "properties": {
+                                "enabled": {
+                                    "type": "boolean",
+                                    "title": "Enabled",
+                                    "description": "Whether or not the Auditd rules service shall be enabled. When true, the Auditd rules service is enabled. When false, the Auditd rules service is disabled.",
+                                    "default": false
+                                }
+                            }
+                        },
                         "containerd": {
                             "type": "object",
                             "title": "Containerd",

helm/cluster/values.yaml

@@ -27,6 +27,8 @@ global:
     verticalPodAutoscaler: {}
     verticalPodAutoscalerCrd: {}
   components:
+    auditd:
+      enabled: false
     containerd:
       containerRegistries:
         docker.io: