
@cheesesashimi
Member

- What I did

The Config Drift Monitor should listen for mutations to the SSH key files. Additionally, in the case of RHCOS 8 -> RHCOS 9, it should alert if an SSH key was written to the old path.

- How to verify it

  1. Run the Config Drift Monitor unit test suite.
  2. Launch a cluster and mutate the SSH key file (/home/core/.ssh/authorized_keys for RHCOS 8, /home/core/.ssh/authorized_keys.d/ignition for RHCOS 9). The node should drift.
  3. Put an SSH key in the incorrect place.

- Description for the changelog
Config Drift Monitor watches for mutations to SSH key files
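
As an added illustration (not code from this PR or from the Machine Config Operator), the check described above could look like the following Go sketch. `checkSSHKeyDrift`, its parameters and the finding strings are hypothetical; only the two key file paths come from the description.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const ( // key file paths from the PR description, relative to a root directory
	rhcos8KeyPath = "home/core/.ssh/authorized_keys"
	rhcos9KeyPath = "home/core/.ssh/authorized_keys.d/ignition"
)

// checkSSHKeyDrift (hypothetical helper; root, osMajor, expected are assumptions)
// reports key file drift; on RHCOS 9 it also flags a key left at the RHCOS 8 path.
func checkSSHKeyDrift(root string, osMajor int, expected []byte) ([]string, error) {
	var findings []string
	want := rhcos8KeyPath
	if osMajor >= 9 {
		want = rhcos9KeyPath
		old, err := os.ReadFile(filepath.Join(root, rhcos8KeyPath))
		if err != nil && !errors.Is(err, os.ErrNotExist) {
			return nil, err
		}
		if len(bytes.TrimSpace(old)) > 0 { // key written to the wrong place
			findings = append(findings, "ssh key at old path /"+rhcos8KeyPath)
		}
	}
	got, err := os.ReadFile(filepath.Join(root, want))
	if err != nil && !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}
	if !bytes.Equal(got, expected) { // a missing file reads as empty
		findings = append(findings, "content drift in /"+want)
	}
	return findings, nil
}

func main() {
	root, _ := os.MkdirTemp("", "drift") // constructed RHCOS 9 layout with a stray old-path key
	defer os.RemoveAll(root)
	key := []byte("ssh-ed25519 AAAA-constructed core@example\n")
	os.MkdirAll(filepath.Join(root, filepath.Dir(rhcos9KeyPath)), 0o700)
	os.WriteFile(filepath.Join(root, rhcos9KeyPath), key, 0o600)
	os.WriteFile(filepath.Join(root, rhcos8KeyPath), key, 0o600)
	fmt.Println(checkSSHKeyDrift(root, 9, key))
}
```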

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 3, 2023
@openshift-ci
Contributor

openshift-ci bot commented Feb 3, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci
Contributor

openshift-ci bot commented Feb 3, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cheesesashimi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 3, 2023
@sinnykumari
Contributor

@cheesesashimi Looks like this will also solve https://issues.redhat.com/browse/MCO-435. Does that sound correct?

@cheesesashimi cheesesashimi force-pushed the zzlotnik/fix-config-drift-ssh-keys branch from c20025f to 59b01c0 Compare February 6, 2023 18:15
@cheesesashimi cheesesashimi force-pushed the zzlotnik/fix-config-drift-ssh-keys branch from 59b01c0 to 0dbd157 Compare February 6, 2023 22:24
@cheesesashimi
Member Author

> @cheesesashimi Looks like this will also solve https://issues.redhat.com/browse/MCO-435. Does that sound correct?

Yes, this should fix that one as well.

@cheesesashimi
Member Author

/test unit
/test verify
/test e2e-gcp-op
/test e2e-gcp-op-single-node

@cheesesashimi
Member Author

/test unit
/test verify

@cheesesashimi cheesesashimi force-pushed the zzlotnik/fix-config-drift-ssh-keys branch from d75802b to d467d81 Compare February 7, 2023 21:34
@cheesesashimi
Member Author

/test unit
/test verify

@cheesesashimi
Member Author

/test unit
/test verify

@cheesesashimi cheesesashimi force-pushed the zzlotnik/fix-config-drift-ssh-keys branch 3 times, most recently from a794dda to 7c8c61e Compare February 8, 2023 01:48
@cheesesashimi cheesesashimi force-pushed the zzlotnik/fix-config-drift-ssh-keys branch from 7c8c61e to 52e3975 Compare February 8, 2023 01:49
@cheesesashimi cheesesashimi force-pushed the zzlotnik/fix-config-drift-ssh-keys branch from 52e3975 to 7fa099d Compare February 8, 2023 01:59
@cheesesashimi
Member Author

/test unit
/test verify
/test e2e-gcp-op

@cheesesashimi
Member Author

/test unit
/test verify
/test e2e-gcp-op

@cheesesashimi
Member Author

/test unit
/test verify
/test e2e-gcp-op

@cheesesashimi cheesesashimi force-pushed the zzlotnik/fix-config-drift-ssh-keys branch from 595c20c to b54f305 Compare February 8, 2023 23:49
@cheesesashimi cheesesashimi force-pushed the zzlotnik/fix-config-drift-ssh-keys branch from b54f305 to b1f6747 Compare February 8, 2023 23:56
@cheesesashimi
Member Author

/test unit
/test verify
/test e2e-gcp-op

@cheesesashimi cheesesashimi changed the title config drift monitor should drift on SSH key changes Config Drift Monitor should alert on unexpected SSH key changes Feb 10, 2023
@cheesesashimi
Member Author

/test unit
/test verify
/test e2e-gcp-op

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 18, 2023
@openshift-merge-robot
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@cheesesashimi
Member Author

I plan to pare this PR down in both scope and complexity by breaking up the refactoring into separate PRs so that this can be focused solely on what's needed to make Config Drift Monitor aware of SSH keys.

@openshift-bot
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 24, 2023
@openshift-bot
Contributor

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci openshift-ci bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 23, 2023
@openshift-ci
Contributor

openshift-ci bot commented Jul 3, 2023

@cheesesashimi: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-gcp-op-single-node | 0dbd157ebf9193e0c483885e825ee2780db53c1e | link | false | /test e2e-gcp-op-single-node |
| ci/prow/e2e-gcp-op | 06263b4 | link | true | /test e2e-gcp-op |
| ci/prow/e2e-hypershift | 06263b4 | link | true | /test e2e-hypershift |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-bot
Contributor

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

@openshift-ci openshift-ci bot closed this Aug 3, 2023
@openshift-ci
Contributor

openshift-ci bot commented Aug 3, 2023

@openshift-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@cheesesashimi cheesesashimi deleted the zzlotnik/fix-config-drift-ssh-keys branch March 21, 2024 14:03

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.

4 participants