OCPBUGS-17216: Update rotate certificates check for OCP 4.14 #10973
This datastream diff is auto-generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation
@@ -7,10 +7,7 @@
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
-featureGates:
-...
- RotateKubeletServerCertificate: true
-...
+serverTLSBootstrap: true
[warning]:
This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
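Review bot: the description replaces the featureGates snippet with serverTLSBootstrap: true but never says what that field does, so a reader of a rule titled "enable server cert rotation" cannot see why a bootstrap setting is now the thing to check. Add one sentence after "set the below parameter": serverTLSBootstrap: true makes the kubelet request its serving certificate from the certificates.k8s.io CSR API instead of self-signing it, and rotation of that certificate is governed by the RotateKubeletServerCertificate feature gate, which this field requires and which is enabled by default. Without that link the unchanged "edit /etc/kubernetes/kubelet.conf" instruction reads as an unrelated change.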
OCIL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation' differs.
--- ocil:ssg-kubelet_enable_server_cert_rotation_ocil:questionnaire:1
+++ ocil:ssg-kubelet_enable_server_cert_rotation_ocil:questionnaire:1
@@ -1,5 +1,5 @@
Run the following command on the kubelet node(s):
-$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletServerCertificate; done
+$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
The output should return true.
Is it the case that the kubelet cannot rotate server certificate?
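Review bot: the new loop prints one bare true per node with nothing tying a value to a node, and when the field is absent jq prints null, a case "The output should return true" does not cover. Suggest prefixing each result with the node name, e.g. echo "$node: $(oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap')", and wording the expectation as "every node must print true; false or null on any node is a finding", so a single misconfigured node is attributable from the output.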
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_master'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_master
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_master
@@ -7,10 +7,7 @@
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
-featureGates:
-...
- RotateKubeletServerCertificate: true
-...
+serverTLSBootstrap: true
[reference]:
CIP-003-8 R6
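Review bot: this description is now identical to the platform rule's text above, and the worker rule carries a third copy; three hand-maintained copies of the same remediation text will drift (the OCIL for this master variant already differs from the other two in its shell syntax). Consider generating the shared "set the below parameter: serverTLSBootstrap: true" paragraph from one common snippet so a future change lands in all three rules at once.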
OCIL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_master' differs.
--- ocil:ssg-kubelet_enable_server_cert_rotation_master_ocil:questionnaire:1
+++ ocil:ssg-kubelet_enable_server_cert_rotation_master_ocil:questionnaire:1
@@ -1,5 +1,5 @@
Run the following command on the kubelet node(s):
-$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletServerCertificate; done
+$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap' done
The output should return true.
Is it the case that the kubelet cannot rotate server certificate?
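Review bot: the added command on the + line is missing the ';' before done (jq '.kubeletconfig.serverTLSBootstrap' done), so bash rejects the whole loop with a syntax error at done and a user following this OCIL gets no output at all; the platform and worker variants carry the separator. It should read ... | jq '.kubeletconfig.serverTLSBootstrap'; done.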
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_worker'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_worker
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_worker
@@ -7,10 +7,7 @@
file /etc/kubernetes/kubelet.conf
on the kubelet node(s) and set the below parameter:
-featureGates:
-...
- RotateKubeletServerCertificate: true
-...
+serverTLSBootstrap: true
[reference]:
CIP-003-8 R6
OCIL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_worker' differs.
--- ocil:ssg-kubelet_enable_server_cert_rotation_worker_ocil:questionnaire:1
+++ ocil:ssg-kubelet_enable_server_cert_rotation_worker_ocil:questionnaire:1
@@ -1,5 +1,5 @@
Run the following command on the kubelet node(s):
-$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletServerCertificate; done
+$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
The output should return true.
Is it the case that the kubelet cannot rotate server certificate?
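Review bot: this is the worker-specific rule, yet the loop iterates over every node returned by oc get nodes, so a control-plane node's setting would be reported (and could fail) under a worker finding. Suggest restricting the node list to the role the rule targets, e.g. oc get nodes -l node-role.kubernetes.io/worker -ojsonpath='{.items[*].metadata.name}', and the matching node-role.kubernetes.io/master selector in the master variant's OCIL.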
applications/openshift/kubelet/kubelet_enable_server_cert_rotation_master/rule.yml
applications/openshift/kubelet/kubelet_enable_server_cert_rotation_worker/rule.yml
applications/openshift/kubelet/kubelet_enable_server_cert_rotation/rule.yml
By default, the rotate certificates rules for CIS 1.4.0 (section 4.2) fail on OpenShift 4.14. This commit updates the rule to check for the proper configuration so that it passes by default, since certificate rotation is enabled by default. This patch also updates the instructions to use a valid command for users looking to verify the configuration manually. The old command didn't return anything because it was looking in the wrong configuration section. This is documented upstream in the following doc: https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#certificate-rotation
/test help
/test e2e-aws-ocp4-cis
Code Climate has analyzed commit 325aaa5 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.3% (0.0% change).
do we need to put the CPE in here now?
Verification pass with 4.14.0-0.nightly-2023-08-10-072041 + content in the PR: serverTLSBootstrap: true
$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
@Vincent056 It is not clear to me why we would need CPE. It seems that
I think so. I was able to find This rule should work across all supported versions of OpenShift. |
/lgtm