We are implementing Puppet on top of the VM deployments using vRO. Since Puppet runs as root on the client and as root on the Puppet master, how do we protect the integrity of root permissions as a Linux team? My thought process was to build the VM, run a workflow to install the agent on the new server, then run a command on the Puppet master to accept the cert. However, to do this vRO needs to maintain root permissions on both the client and the master. Therefore, how do we protect these permissions from the VMware team while at the same time completing our objectives?
One technique that has been used for decades on Linux is to create a second account with UID=0. That way, you essentially have two root accounts. Not as secure, but it might solve your problem.
You could use Foreman + autosign. It's another layer, but it removes the need for you to log in to the Puppet master as root.
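As an added illustration of the autosign idea in the reply above (this is example code written for this page, not something from the thread, Foreman or Puppet itself): Puppet's `autosign` setting in puppet.conf can point at an executable instead of a static list of names. Puppet runs that executable with the certname as the first argument and the PEM-encoded CSR on standard input, and signs only if it exits 0. The policy below signs a certname only if it follows an assumed naming convention and was pre-registered by the provisioning workflow in a pending-hosts file (path and file format are assumptions), and it removes the entry after one use, so vRO only ever needs write access to that one file on the master rather than a root login.

```python
#!/usr/bin/env python3
"""Policy-based autosign executable for Puppet (added example, not from the thread).

Puppet invokes this with the certname as argv[1] and the PEM CSR on stdin;
exit status 0 means "sign", anything else leaves the request pending for
manual review. Enable it with `autosign = /etc/puppetlabs/puppet/autosign.py`
in puppet.conf (the path is an assumption). The pending-hosts file is assumed
to be written by the provisioning workflow using an unprivileged account.
"""
import os
import re
import sys
import tempfile

# Assumed locations and naming convention; adjust to your environment.
PENDING_FILE = "/etc/puppetlabs/puppet/pending-hosts"
CERTNAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.example\.internal$")


def load_pending(path):
    """Return the set of certnames the provisioning workflow has declared it is building."""
    try:
        with open(path) as fh:
            return {line.strip() for line in fh if line.strip() and not line.startswith("#")}
    except FileNotFoundError:
        return set()


def save_pending(path, hosts):
    """Atomically rewrite the pending file so an interrupted run cannot leave it half-written."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(host + "\n" for host in sorted(hosts)))
    os.replace(tmp, path)


def decide(certname, csr_pem, pending):
    """Decide whether to sign. Returns (allow, reason) and never raises on bad input.

    Rules:
      * certname must match the naming convention (rejects look-alike and wildcard names)
      * certname must have been pre-registered by the provisioning workflow
      * stdin must at least carry a PEM certificate request
    """
    if not CERTNAME_RE.match(certname):
        return False, "certname does not match naming convention"
    if "-----BEGIN CERTIFICATE REQUEST-----" not in csr_pem:
        return False, "stdin did not contain a PEM certificate request"
    if certname not in pending:
        return False, "certname not pre-registered by provisioning"
    return True, "pre-registered host, signing once"


def main(argv=None, stdin=None, path=PENDING_FILE):
    """Entry point; parameters exist so the policy can be exercised without Puppet."""
    argv = sys.argv[1:] if argv is None else argv
    stdin = sys.stdin if stdin is None else stdin
    if len(argv) != 1:
        print("usage: autosign.py <certname> < csr.pem", file=sys.stderr)
        return 2
    certname = argv[0]
    pending = load_pending(path)
    allow, reason = decide(certname, stdin.read(), pending)
    # Puppet captures stderr, so the reason ends up in the server log for auditing.
    print(f"autosign {certname}: {reason}", file=sys.stderr)
    if allow:
        # One-shot: a second CSR for the same name goes back to manual review.
        pending.discard(certname)
        save_pending(path, pending)
        return 0
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

The important design point is that the decision is driven by something the provisioning workflow already knows (which hosts it is building right now), not by a blanket `*` autosign entry; a CSR for a name that was never registered, or a second CSR reusing a name that was already signed, falls through to the normal manual `puppetserver ca sign` path.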