File Integrity Operator release notes
The File Integrity Operator for OpenShift Container Platform continually runs file integrity checks on RHCOS nodes.
These release notes track the development of the File Integrity Operator in the OpenShift Container Platform.
For an overview of the File Integrity Operator, see Understanding the File Integrity Operator.
To access the latest release, see Updating the File Integrity Operator.
OpenShift File Integrity Operator 1.3.8
The following advisory is available for the OpenShift File Integrity Operator 1.3.8:
Bug fixes
-
Previously, the file-integrity-operator pods and the aide pods running the database used by recently installed FIO would go into a terminating state, adding error log entries that were not useful. With this release, the pods needed by FIO do not go into terminating state unless a relevant error occurred or they completed their work. (CMP-3757)
-
This update includes upgraded dependencies in the underlying base images.
OpenShift File Integrity Operator 1.3.7
The following advisory is available for the OpenShift File Integrity Operator 1.3.7:
This update includes upgraded dependencies in underlying base images.
OpenShift File Integrity Operator 1.3.6
The following advisory is available for the OpenShift File Integrity Operator 1.3.6:
Bug fixes
-
Previously, running the
oc annotate fileintegrities/<fileintegrity-name> file-integrity.openshift.io/re-init-on-failed=command would trigger a reinitialization on all nodes. Now, it only reinitializes the nodes where failures occurred. (OCPBUGS-18933) -
Previously, resetting FIO cleared the
NodeHasIntegrityFailurealert. This occurred because themetric file_integrity_operator_node_failedsetting was also reset. With this release, restarting FIO does not affect theNodeHasIntegrityFailurealert. (OCPBUGS-42807) -
Previously, when a new node was added to a cluster by scaling up the
machinesetobject, FIO marked the new node asFailedbefore the node was ready. With this release FIO waits until the new node is ready. (OCPBUGS-36483) -
Previously, the Advanced Intrusion Detection Environment (AIDE) daemonset pods would constantly force-initialize the AIDE database. With this release, FIO initializes the AIDE database only once. (OCPBUGS-37300)
-
Previously, some link paths in the Machine Config Operator (MCO) configuration, such as
/hostroot/etc/ipsec.d/openshift.confandhostroot/etc/mco/internal-registry-pull-secret.json, were modified during an MCO update. This led to failed file integrity checks on nodes after the update, which disrupted user experience. With this update, the modified file link paths in the MCO configuration have been updated. File integrity checks now pass after an update, helping to ensure a stable cluster. (OCPBUGS-41628)
OpenShift File Integrity Operator 1.3.5
The following advisory is available for the OpenShift File Integrity Operator 1.3.5:
This update includes upgraded dependencies in underlying base images.
OpenShift File Integrity Operator 1.3.4
The following advisory is available for the OpenShift File Integrity Operator 1.3.4:
Bug fixes
Previously, File Integrity Operator would issue a NodeHasIntegrityFailure alert due to multus certificate rotation. With this release, the alert and failing status are now correctly triggered. (OCPBUGS-31257)
OpenShift File Integrity Operator 1.3.3
The following advisory is available for the OpenShift File Integrity Operator 1.3.3:
This update addresses a CVE in an underlying dependency.
New features and enhancements
-
You can install and use the File Integrity Operator in an OpenShift Container Platform cluster running in FIPS mode.
Important
To enable FIPS mode for your cluster, you must run the installation program from a Red Hat Enterprise Linux (RHEL) computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see Switching RHEL to FIPS mode.
When running Red Hat Enterprise Linux (RHEL) or Red Hat Enterprise Linux CoreOS (RHCOS) booted in FIPS mode, OpenShift Container Platform core components use the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
Bug fixes
-
Previously, some FIO pods with private default mount propagation in combination with
hostPath: path: /volume mounts would break the CSI driver relying on multipath. This problem has been fixed and the CSI driver works correctly. (Some OpenShift Operator pods blocking unmounting of CSI volumes when multipath is in use) -
This update resolves CVE-2023-39325. (CVE-2023-39325)
OpenShift File Integrity Operator 1.3.2
The following advisory is available for the OpenShift File Integrity Operator 1.3.2:
This update addresses a CVE in an underlying dependency.
OpenShift File Integrity Operator 1.3.1
The following advisory is available for the OpenShift File Integrity Operator 1.3.1:
New features and enhancements
-
FIO now includes kubelet certificates as default files, excluding them from issuing warnings when they’re managed by OpenShift Container Platform. (OCPBUGS-14348)
-
FIO now correctly directs email to the address for Red Hat Technical Support. (OCPBUGS-5023)
Bug fixes
-
Previously, FIO would not clean up
FileIntegrityNodeStatusCRDs when nodes are removed from the cluster. FIO has been updated to correctly clean up node status CRDs on node removal. (OCPBUGS-4321) -
Previously, FIO would also erroneously indicate that new nodes failed integrity checks. FIO has been updated to correctly show node status CRDs when adding new nodes to the cluster. This provides correct node status notifications. (OCPBUGS-8502)
-
Previously, when FIO was reconciling
FileIntegrityCRDs, it would pause scanning until the reconciliation was done. This caused an overly aggressive re-initiatization process on nodes not impacted by the reconciliation. This problem also resulted in unnecessary daemonsets for machine config pools which are unrelated to theFileIntegritybeing changed. FIO correctly handles these cases and only pauses AIDE scanning for nodes that are affected by file integrity changes. (CMP-1097)
Known Issues
In FIO 1.3.1, increasing nodes in IBM Z® clusters might result in Failed File Integrity node status. For more information, see Adding nodes in IBM Power® clusters can result in failed File Integrity node status.
OpenShift File Integrity Operator 1.2.1
The following advisory is available for the OpenShift File Integrity Operator 1.2.1:
-
RHBA-2023:1684 OpenShift File Integrity Operator Bug Fix Update
-
This release includes updated container dependencies.
OpenShift File Integrity Operator 1.2.0
The following advisory is available for the OpenShift File Integrity Operator 1.2.0:
New features and enhancements
-
The File Integrity Operator Custom Resource (CR) now contains an
initialDelayfeature that specifies the number of seconds to wait before starting the first AIDE integrity check. For more information, see Creating the FileIntegrity custom resource. -
The File Integrity Operator is now stable and the release channel is upgraded to
stable. Future releases will follow Semantic Versioning. To access the latest release, see Updating the File Integrity Operator.
OpenShift File Integrity Operator 1.0.0
The following advisory is available for the OpenShift File Integrity Operator 1.0.0:
OpenShift File Integrity Operator 0.1.32
The following advisory is available for the OpenShift File Integrity Operator 0.1.32:
Bug fixes
-
Previously, alerts issued by the File Integrity Operator did not set a namespace, making it difficult to understand from which namespace the alert originated. Now, the Operator sets the appropriate namespace, providing more information about the alert. (BZ#2112394)
-
Previously, The File Integrity Operator did not update the metrics service on Operator startup, causing the metrics targets to be unreachable. With this release, the File Integrity Operator now ensures the metrics service is updated on Operator startup. (BZ#2115821)
OpenShift File Integrity Operator 0.1.30
The following advisory is available for the OpenShift File Integrity Operator 0.1.30:
New features and enhancements
-
The File Integrity Operator is now supported on the following architectures:
-
IBM Power®
-
IBM Z® and IBM® LinuxONE
-
Bug fixes
-
Previously, alerts issued by the File Integrity Operator did not set a namespace, making it difficult to understand where the alert originated. Now, the Operator sets the appropriate namespace, increasing understanding of the alert. (BZ#2101393)
OpenShift File Integrity Operator 0.1.24
The following advisory is available for the OpenShift File Integrity Operator 0.1.24:
New features and enhancements
-
You can now configure the maximum number of backups stored in the
FileIntegrityCustom Resource (CR) with theconfig.maxBackupsattribute. This attribute specifies the number of AIDE database and log backups left over from there-initprocess to keep on the node. Older backups beyond the configured number are automatically pruned. The default is set to five backups.
Bug fixes
-
Previously, upgrading the Operator from versions older than 0.1.21 to 0.1.22 could cause the
re-initfeature to fail. This was a result of the Operator failing to updateconfigMapresource labels. Now, upgrading to the latest version fixes the resource labels. (BZ#2049206) -
Previously, when enforcing the default
configMapscript contents, the wrong data keys were compared. This resulted in theaide-reinitscript not being updated properly after an Operator upgrade, and caused there-initprocess to fail. Now,daemonSetsrun to completion and the AIDE databasere-initprocess executes successfully. (BZ#2072058)
OpenShift File Integrity Operator 0.1.22
The following advisory is available for the OpenShift File Integrity Operator 0.1.22:
Bug fixes
-
Previously, a system with a File Integrity Operator installed might interrupt the OpenShift Container Platform update, due to the
/etc/kubernetes/aide.reinitfile. This occurred if the/etc/kubernetes/aide.reinitfile was present, but later removed prior to theostreevalidation. With this update,/etc/kubernetes/aide.reinitis moved to the/rundirectory so that it does not conflict with the OpenShift Container Platform update. (BZ#2033311)
OpenShift File Integrity Operator 0.1.21
The following advisory is available for the OpenShift File Integrity Operator 0.1.21:
New features and enhancements
-
The metrics related to
FileIntegrityscan results and processing metrics are displayed on the monitoring dashboard on the web console. The results are labeled with the prefix offile_integrity_operator_. -
If a node has an integrity failure for more than 1 second, the default
PrometheusRuleprovided in the operator namespace alerts with a warning. -
The following dynamic Machine Config Operator and Cluster Version Operator related filepaths are excluded from the default AIDE policy to help prevent false positives during node updates:
-
/etc/machine-config-daemon/currentconfig
-
/etc/pki/ca-trust/extracted/java/cacerts
-
/etc/cvo/updatepayloads
-
/root/.kube
-
-
The AIDE daemon process has stability improvements over v0.1.16, and is more resilient to errors that might occur when the AIDE database is initialized.
Bug fixes
-
Previously, when the Operator automatically upgraded, outdated daemon sets were not removed. With this release, outdated daemon sets are removed during the automatic upgrade.