Migrate auditd settings from the Cluster object to the auditd module

The deprecated auditd parameters of the Cluster object are no longer applied to the host operating system after the cluster update to 26.1 for MOSK clusters and to 2.31.0 for management clusters.

Therefore, if auditd is enabled on a management or MOSK cluster, migrate its settings to the dedicated auditd host operating system configuration module after updating to the releases mentioned above; until you do, the auditd configuration from the Cluster object is no longer applied.

To migrate auditd settings from the Cluster object to the auditd module:

  1. Obtain the management cluster kubeconfig as described in Connect to a MOSK cluster.

  2. Set the following variables:

    NAMESPACE="cluster_namespace"
    KUBECONFIG="path/to/mgmt-cluster-kubeconfig"
    CLUSTER_NAME="cluster_name"
    
  3. In the Cluster object, ensure that the managed field in the spec.providerSpec.value.audit.auditd section is set to false:

    kubectl --kubeconfig "${KUBECONFIG}" -n "${NAMESPACE}" get cluster "${CLUSTER_NAME}" -o jsonpath="{.spec.providerSpec.value.audit.auditd.managed}"
    

    If the output is not false, set managed to false manually.

  4. Using the same section, capture all auditd parameters, except managed, for further use and store them securely:

    kubectl --kubeconfig "${KUBECONFIG}" -n "${NAMESPACE}" get cluster "${CLUSTER_NAME}" -oyaml | grep -A 15 auditd
    

    For example:

    auditd:
      backlogLimit: 4096
      enabled: true
      enabledAtBoot: true
      managed: false
    
  5. Using the LABEL="<auditd-label-name>" variable, set a custom label for all machines of the cluster:

    # Name of the label that the HostOSConfiguration machineSelector will match
    LABEL="<auditd-label-name>"

    for mname in $(kubectl --kubeconfig "${KUBECONFIG}" -n "${NAMESPACE}" get machine -oname); do
        kubectl --kubeconfig "${KUBECONFIG}" -n "${NAMESPACE}" patch "${mname}" --type=merge -p '{"metadata":{"labels":{"'"${LABEL}"'":"true"}}}'
    done
    
  6. Verify that the label is set on all machines:

    for mname in $(kubectl --kubeconfig "${KUBECONFIG}" -n "${NAMESPACE}" get machine -oname); do
        # jsonpath output has no trailing newline, so print one machine per line
        printf '%s: ' "${mname}"
        kubectl --kubeconfig "${KUBECONFIG}" -n "${NAMESPACE}" get "${mname}" -o jsonpath="{.metadata.labels['${LABEL}']}"
        echo
    done
    

    Verify that the system output is true for all machines.

  7. Prepare and apply the HostOSConfiguration object:

    • In the machineSelector field, specify the label configured in the previous step.

    • In the values field, specify the previously captured auditd parameters.

    • In the configs field, specify the auditd module and its version.

    Caution

    The customRulesX32 and customRulesX64 parameters are not present in the auditd module. Use the customRules parameter of the module instead.

    For configuration details, see:

  8. Verify that the object is applied using the status field of the HostOSConfiguration object:

    kubectl --kubeconfig "${KUBECONFIG}" -n "${NAMESPACE}" get hoc <hoc-object-name> -o jsonpath="{.status.configs[*].error}"
    

    For a description of the status fields, see HostOSConfiguration status.

  9. Optional. Remove the migrated auditd parameters from the Cluster object:

    kubectl --kubeconfig "${KUBECONFIG}" -n "${NAMESPACE}" edit cluster "${CLUSTER_NAME}"
    

    Leave the following fields only:

    spec:
      providerSpec:
        value:
          audit:
            auditd:
              managed: false
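As an added helper that is not part of this page or of the product, the following Python builds the HostOSConfiguration manifest described in step 7 from the auditd parameters captured in step 4: it drops managed, refuses to proceed while managed is not false or while the deprecated customRulesX32/customRulesX64 parameters are still present, and places the remaining parameters under the values field. The apiVersion value and the module, moduleVersion and matchLabels key names are assumptions to check against the HostOSConfiguration reference; the label, object name and module version are placeholders.

```python
import json

# Parameters captured from spec.providerSpec.value.audit.auditd in step 4
# (constructed sample that mirrors the page's example output).
CAPTURED_AUDITD = {
    "backlogLimit": 4096,
    "enabled": True,
    "enabledAtBoot": True,
    "managed": False,
}

# Present only in the deprecated Cluster section; the auditd module
# exposes a single customRules parameter instead.
UNSUPPORTED_IN_MODULE = ("customRulesX32", "customRulesX64")


def build_hoc(captured, label, name, namespace, module_version):
    """Return the HostOSConfiguration manifest as a dict.

    Raises ValueError when the captured section is not ready to migrate:
    managed is not false, or it still carries customRulesX32/customRulesX64,
    which have to be consolidated into customRules by hand.
    """
    if captured.get("managed") is not False:
        raise ValueError("managed must be false in the Cluster object (step 3)")
    stale = [p for p in UNSUPPORTED_IN_MODULE if p in captured]
    if stale:
        raise ValueError(f"move {', '.join(stale)} to customRules manually")
    # Everything except managed becomes the module values.
    values = {k: v for k, v in captured.items() if k != "managed"}
    return {
        # apiVersion and the spec key names below are assumptions for this
        # example; check them against the HostOSConfiguration reference.
        "apiVersion": "kaas.mirantis.com/v1alpha1",
        "kind": "HostOSConfiguration",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "machineSelector": {"matchLabels": {label: "true"}},
            "configs": [
                {"module": "auditd", "moduleVersion": module_version, "values": values}
            ],
        },
    }


if __name__ == "__main__":
    # JSON is accepted by kubectl apply -f -, so the output can be piped directly.
    print(json.dumps(build_hoc(CAPTURED_AUDITD, "auditd-hoc", "auditd-migration",
                               "cluster_namespace", "1.0.0"), indent=2))
```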