diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
index e6053913e53..68a71217ee5 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -6,8 +6,43 @@ title: 'Configure System Cryptography Policy'
 description: |-
 To configure the system cryptography policy to use ciphers only from the {{{ xccdf_value("var_system_crypto_policy") }}}
+ {{% if product != "rhcos4" -%}}
 policy, run the following command:
$ sudo update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}}
+ {{% else -%}}
+ policy, create a MachineConfig as follows:
+
+    ---
+    apiVersion: machineconfiguration.openshift.io/v1
+    kind: MachineConfig
+    metadata:
+      labels:
+        machineconfiguration.openshift.io/role: master
+      name: 50-master-configure-crypto-policy
+    spec:
+      config:
+        ignition:
+          version: 3.1.0
+        systemd:
+          units:
+            - name: configure-crypto-policy.service
+              enabled: true
+              contents: |
+                [Unit]
+                Before=kubelet.service
+                [Service]
+                Type=oneshot
+                ExecStart=update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}}
+                RemainAfterExit=yes
+                [Install]
+                WantedBy=multi-user.target
+    
+

+ This will configure the crypto policy appropriately in all the
+ nodes labeled with the "master" role.
+

+ {{{ machineconfig_description_footer() | indent(4) }}}
+ {{% endif -%}}
 The rule checks if settings for selected crypto policy are configured as expected.
 Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
 Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.
diff --git a/shared/macros.jinja b/shared/macros.jinja
index cb44280235f..95842cac7a6 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -757,6 +757,9 @@ Operator see
 As a user with administrator privileges, log into a node in the relevant pool:
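Review bot: The unit's `ExecStart=update-crypto-policies --set …` line uses a bare command name; systemd resolves non-absolute executables only on newer releases (239 and later, which RHCOS ships), so the absolute form `ExecStart=/usr/bin/update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}}` is the unambiguous one for a documented example. Because `Before=kubelet.service` is an ordering dependency only, a failure of this oneshot (for example an unknown policy name supplied through `var_system_crypto_policy`) does not prevent kubelet from starting with whatever policy the node already had, and the description gives operators no hint of that; a sentence after `nodes labeled with the "master" role.` such as `If the unit fails, the previous policy stays in effect; check systemctl status configure-crypto-policy.service on the node.` would let them verify rather than assume. The example only targets the master pool; unless the footer macro already says so, the text should state that an equivalent MachineConfig with the worker role label is needed for worker nodes. The `[Unit]` section would also benefit from a `Description=` line so the unit is identifiable in `systemctl` output.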
     $ oc debug node/$NODE_NAME
-    sh-4.4# chroot /host
+    
+ At the
sh-4.4#
prompt, run:
+
+    # chroot /host
     
{{% endmacro %}}
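Review bot: The new wording hard-codes the prompt string `sh-4.4#`, which is the bash version of the current node image and will go stale as the image moves on; `At the node's root shell prompt, run:` conveys the same without pinning a version. The added command line `# chroot /host` uses a lone `#` as the prompt, which in a code block reads like a comment, so either keep the prompt form the removed line used or add a short note that `#` denotes the root prompt. The enclosing macro (presumably machineconfig_description_footer, which rule.yml now calls) begins before this hunk, so the surrounding text could not be checked here.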