add a daemonset yaml for disabling auditd logging #67

Merged
SergeyKanzhelev merged 1 commit into GoogleCloudPlatform:master from eugenenuke:cleanup-auditd-daemonset
Feb 10, 2026

Conversation

@eugenenuke (Contributor)

fixes: #66

@eugenenuke (Contributor, author)

This yaml was tested on a sample cluster; audit logs stopped coming after the DS was deployed.

@SergeyKanzhelev (Collaborator)

It may benefit from some README notes updates.

@wangzhen127 you've been one of the authors of the DS a long time ago. Interested to review?

Review comment on the DaemonSet manifest:

```yaml
  name: cleanup-auditd
spec:
  hostPID: true
  containers:
```

Collaborator:

From a security perspective it is better to have an init container, so the high-privilege container executes and shuts down instead of hanging around, giving the possibility to hack into it.

Contributor Author:

done

Review comment on the DaemonSet manifest:

```yaml
hostPID: true
containers:
- name: auditd-disabler
  image: busybox
```

Collaborator:

Don't use images from Docker Hub.

Contributor Author:

Switched to GKE-specific gke.gcr.io/gke-distroless/bash (init) and gke.gcr.io/pause:3.8 (main).

I've also replaced 'ubuntu' in the "auditd enabler" yaml with gke.gcr.io/gke-distroless/bash for consistency.

@eugenenuke force-pushed the cleanup-auditd-daemonset branch from 1b31363 to 2ec55bf (February 10, 2026 08:02)
Review comment on the "auditd enabler" manifest:

```yaml
command:
- /bin/bash
- -c
- "chroot /host systemctl enable --now cloud-audit-setup.service"
```

Collaborator:

I like the improvement. Have you tested it manually?

Contributor Author:

Yes, the updated "installer" and "disabler".

@SergeyKanzhelev (Collaborator)

Do you think you can throw some minimal instructions into a README before the official docs are updated? Other than that it looks good.

@eugenenuke force-pushed the cleanup-auditd-daemonset branch from 2ec55bf to 09bc8db (February 10, 2026 08:21)

@eugenenuke (Contributor, author)

The README was updated, PTAL.

Comment thread on troubleshooting/os-audit/README.md (outdated):

- `cos-auditd-logging.yaml`: A DaemonSet that enables and starts the `cloud-audit-setup` and `audit-rules` services on the host.

- `cos-auditd-logging-disable.yaml`: A DaemonSet that disables these services to revert changes and restore the default node logging state.

Collaborator:

Suggested change:

- `cos-auditd-logging-disable.yaml`: A DaemonSet that disables these services to revert changes and restore the default node logging state.

After logging was enabled, remove the daemonset `cos-auditd-logging` and wait for all Pods to be deleted. Then ensure that the second DaemonSet is fully rolled out and succeeded on all nodes. After this, the `cleanup-auditd` daemonset can be deleted.

Contributor Author:

Thanks. I added some more details to make it more autonomous.
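As an added example (not the manifest from this PR or from the GoogleCloudPlatform repository), this is how the "disabler" DaemonSet can be laid out following the pattern agreed in the review above: a one-shot privileged init container that runs `chroot /host systemctl` and exits, and a `pause` main container so the Pod becomes Ready only after the init step has succeeded. Only the image names, `hostPID: true`, the `chroot /host systemctl enable --now cloud-audit-setup.service` shape of the command, and the init-container-plus-pause pattern are taken from the thread. The `disable --now` arguments, the `audit-rules.service` unit name, the hostPath mount of `/` at `/host`, `privileged: true`, the namespace and the labels are my assumptions.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: cleanup-auditd
  namespace: kube-system            # assumption: the thread does not state a namespace
spec:
  selector:
    matchLabels:
      name: cleanup-auditd          # assumption: label names are illustrative
  template:
    metadata:
      labels:
        name: cleanup-auditd
    spec:
      # Share the host PID namespace so systemctl inside the chroot can reach the host's systemd.
      hostPID: true
      initContainers:
      # The privileged work happens here and the container exits; nothing privileged keeps running.
      - name: auditd-disabler
        image: gke.gcr.io/gke-distroless/bash   # GKE-hosted image, as asked for in review
        command:
        - /bin/bash
        - -c
        # assumption: mirrors the enable command from the PR with "disable" and both unit names
        - "chroot /host systemctl disable --now cloud-audit-setup.service audit-rules.service"
        securityContext:
          privileged: true          # assumption: required for chroot into the host root and systemd access
        volumeMounts:
        - name: host-root
          mountPath: /host          # the chroot target used by the command above
      containers:
      # Unprivileged placeholder: holds the Pod in Ready state so the DaemonSet rollout can be observed.
      - name: pause
        image: gke.gcr.io/pause:3.8
      volumes:
      - name: host-root
        hostPath:
          path: /                   # assumption: the whole host filesystem is mounted for chroot
```

Following the order given in the README suggestion, apply this manifest only after the `cos-auditd-logging` DaemonSet has been deleted and its Pods are gone, confirm with `kubectl rollout status daemonset/cleanup-auditd -n kube-system` that every node has run the init container successfully, and then delete the `cleanup-auditd` DaemonSet so no `hostPID` Pod with a host root mount is left on the nodes.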

@eugenenuke force-pushed the cleanup-auditd-daemonset branch from 09bc8db to 696cc01 (February 10, 2026 08:59)
@SergeyKanzhelev merged commit 58f24d0 into GoogleCloudPlatform:master on Feb 10, 2026
2 checks passed
Development

Successfully merging this pull request may close these issues: Add a daemonset to disable cos-auditd-logging (#66)

2 participants