File Integrity Operator release notes

These release notes track the development of the File Integrity Operator in the OKD.

For an overview of the File Integrity Operator, see Understanding the File Integrity Operator.

To access the latest release, see .

The following advisory is available for the OpenShift File Integrity Operator 1.2.1:

OpenShift File Integrity Operator 1.2.0

The following advisory is available for the OpenShift File Integrity Operator 1.2.0:

The File Integrity Operator Custom Resource (CR) now contains an feature that specifies the number of seconds to wait before starting the first AIDE integrity check. For more information, see .
The File Integrity Operator is now stable and the release channel is upgraded to stable. Future releases will follow Semantic Versioning. To access the latest release, see .

The following advisory is available for the OpenShift File Integrity Operator 0.1.32:

Previously, alerts issued by the File Integrity Operator did not set a namespace, making it difficult to understand from which namespace the alert originated. Now, the Operator sets the appropriate namespace, providing more information about the alert. ()
Previously, The File Integrity Operator did not update the metrics service on Operator startup, causing the metrics targets to be unreachable. With this release, the File Integrity Operator now ensures the metrics service is updated on Operator startup. (BZ#2115821)

The following advisory is available for the OpenShift File Integrity Operator 0.1.30:

The File Integrity Operator is now supported on the following architectures:
- IBM Power
- IBM Z and LinuxONE

The following advisory is available for the OpenShift File Integrity Operator 0.1.24:

You can now configure the maximum number of backups stored in the FileIntegrity Custom Resource (CR) with the config.maxBackups attribute. This attribute specifies the number of AIDE database and log backups left over from the re-init process to keep on the node. Older backups beyond the configured number are automatically pruned. The default is set to five backups.

Previously, upgrading the Operator from versions older than 0.1.21 to 0.1.22 could cause the re-init feature to fail. This was a result of the Operator failing to update resource labels. Now, upgrading to the latest version fixes the resource labels. ()

The following advisory is available for the OpenShift File Integrity Operator 0.1.22:

Previously, a system with a File Integrity Operator installed might interrupt the OKD update, due to the file. This occurred if the /etc/kubernetes/aide.reinit file was present, but later removed prior to the ostree validation. With this update, /etc/kubernetes/aide.reinit is moved to the /run directory so that it does not conflict with the OKD update. ()

The following advisory is available for the OpenShift File Integrity Operator 0.1.21:

The metrics related to FileIntegrity scan results and processing metrics are displayed on the monitoring dashboard on the web console. The results are labeled with the prefix of .
If a node has an integrity failure for more than 1 second, the default PrometheusRule provided in the operator namespace alerts with a warning.
The following dynamic Machine Config Operator and Cluster Version Operator related filepaths are excluded from the default AIDE policy to help prevent false positives during node updates:
- /etc/machine-config-daemon/currentconfig
- /etc/pki/ca-trust/extracted/java/cacerts
- /etc/cvo/updatepayloads
- /root/.kube