CIS Node 4.2.3 - add template to kubelet_configure_client_ca/rule.yml

Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
ComplianceAsCode · Oct 13, 2020 · 138fee7 · 138fee7
1 parent 54ecc80
commit 138fee7
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml b/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml
@@ -52,3 +52,22 @@ identifiers:
 references:
     cis@ocp3: 2.1.4
     cis@ocp4: 4.2.3
+
+template:
+{{%- if product == "ocp4" %}}
+  name: yamlfile_value
+  vars:
+    filepath: /etc/kubernetes/kubelet.conf
+    yamlpath: ".authentication.x509.clientCAFile"
+    values:
+      - value: "/etc/kubernetes/kubelet-ca.crt"
+        operation: "equals"
+{{% else %}}
+  name: yamlfile_value
+  vars:
+    filepath: /etc/origin/node/node-config.yaml
+    yamlpath: ".servingInfo.clientCA"
+    values:
+      - value: "client-ca.crt"
+        operation: "equals"
+{{%- endif %}}
diff --git a/ocp4/profiles/cis-node.profile b/ocp4/profiles/cis-node.profile
@@ -79,7 +79,7 @@ selections:
   # 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow
     # - this seems to be the default in the code, so the rule should verify that authorization mode is NOT set to AlwaysAllow
   # 4.2.3 Ensure that the --client-ca-file argument is set as appropriate
-    # - like kubelet_anonymous_auth_disabled but check for authentication.x509.clientCAFile=/etc/kubernetes/kubelet-ca.crt
+    - kubelet_configure_client_ca
   # 4.2.4 Ensure that the --read-only-port argument is set to 0
     # - this is a platform rule (reads from a CM)
   # 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0