OCPBUGS-11696: Update encryption type to support 4.13 deployments #10974
applications/openshift/api-server/var_apiserver_encryption_type.var
/test help
@rhmdnd: The specified target(s) for
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test e2e-aws-ocp4-cis
/retest The infra was running into buildah signature issues, maybe they are solved.
/hold for test
@rhmdnd The rule will pass when the encryption is aescbc or aesgcm. The only problem is: for both releases (4.14 and 4.12), the encryption type after auto remediation is aescbc. Not sure if it is expected result? Thanks.
Given that remediation for 4.12 and 4.14 need to be different, I think we will have to create another rule.
Would it be possible to select a different remediation using a CPE?
The XCCDF standard allows for different remediations based on CPE. But support for it is not implemented in CaC/content. Plus, I'm not sure how OpenSCAP would process them.
I'm checking out what would be required to support rules with remediations of the same type for different platforms.
If it's too heavy, or cumbersome, we can create a separate rule.
Yeah, I think we will have to go with a separate rule for now.
This datastream diff is auto generated by the check. Kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_api_server_encryption_provider_cipher' differs:
--- xccdf_org.ssgproject.content_rule_api_server_encryption_provider_cipher
+++ xccdf_org.ssgproject.content_rule_api_server_encryption_provider_cipher
@@ -5,4 +5,4 @@
name: cluster
spec:
encryption:
- type: aescbc
+ type: "{{.var_apiserver_encryption_type}}" |
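Review bot: the templated `type: "{{.var_apiserver_encryption_type}}"` line makes the remediation outcome depend entirely on the variable's default, which this hunk does not show; since the thread reports that auto-remediation still yields aescbc on both 4.12 and 4.14, the default should be stated explicitly in var_apiserver_encryption_type.var, and the variable's permitted values should be restricted to the same set the check accepts (aescbc|aesgcm), so the remediation can never write a type that the rule would then flag or that an older release cannot apply.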
/test e2e-aws-ocp4-cis
The scan for ocp4-cis will run into ERROR with code in this PR:
/hold
applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml
/retest
The latest CIS guidance allows OpenShift users to configure the encryption type for the API server to `aescbc` or `aesgcm`. Previously, we only evaluated `aescbc`, but this commit updates the check to also check that `aesgcm` is acceptable. It also updates the remediation to use the variable for the remediation, and clarifies its usage.
/test e2e-aws-ocp4-cis
LGTM, just pending review from @xiaojiey
This is the `yamlfilecontent_state` that gets generated:

```xml
<ind:yamlfilecontent_state id="oval:ssg-state_api_server_encryption_provider_cipher:ste:1" version="1">
  <ind:value datatype="record" entity_check="all">
    <oval-def:field name="#" datatype="string" operation="pattern match">aescbc|aesgcm</oval-def:field>
  </ind:value>
</ind:yamlfilecontent_state>
```
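The generated state above matches the `type` field of the APIServer object against the pattern `aescbc|aesgcm`, and the remediation in this PR writes that field from `var_apiserver_encryption_type`. The following is an added example, not code from the CaC/content project or from this PR: it models both halves of the rule so the pair can be exercised together. The sample objects, the template string and the helper names are my own constructions; the only values taken from the thread are the pattern and the variable name.

```python
"""Added example: evaluate an OpenShift APIServer object against the
api_server_encryption_provider_cipher check and render the variable-driven
remediation. Not part of CaC/content; sample data is constructed."""
import re

# Pattern copied from the generated OVAL state in this thread (record field
# "#" of the yamlfilecontent object, operation "pattern match").
ALLOWED_TYPE_PATTERN = "aescbc|aesgcm"
ALLOWED_TYPES = ("aescbc", "aesgcm")

# Hypothetical remediation template in the shape of the PR's datastream diff;
# the real template lives in the project's rule.yml, not here.
REMEDIATION_TEMPLATE = """\
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  encryption:
    type: "{{.var_apiserver_encryption_type}}"
"""

# Constructed sample objects standing in for `oc get apiserver cluster -o yaml`.
SAMPLE_COMPLIANT = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "APIServer",
    "metadata": {"name": "cluster"},
    "spec": {"encryption": {"type": "aesgcm"}},
}
SAMPLE_UNENCRYPTED = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "APIServer",
    "metadata": {"name": "cluster"},
    "spec": {"encryption": {"type": "identity"}},
}
SAMPLE_UNSET = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "APIServer",
    "metadata": {"name": "cluster"},
    "spec": {},
}


def get_encryption_type(apiserver):
    """Return spec.encryption.type, or None when the path is absent."""
    encryption = apiserver.get("spec", {}).get("encryption") or {}
    return encryption.get("type")


def evaluate(apiserver, anchored=True):
    """Return 'pass' or 'fail' for the object.

    anchored=True applies the pattern as a full match. anchored=False applies
    it as an unanchored search, which also accepts a value such as 'aescbcx';
    which semantics the scanner uses for 'pattern match' is something to
    confirm against the OVAL/OpenSCAP behaviour, not assumed here.
    """
    value = get_encryption_type(apiserver)
    if value is None:
        return "fail"  # an absent field is the unencrypted default
    matcher = re.fullmatch if anchored else re.search
    return "pass" if matcher(ALLOWED_TYPE_PATTERN, value) else "fail"


def remediation_accepts(var_value):
    """True only for values the check itself would pass, so the remediation
    can never write a type that the rule would then flag."""
    return var_value in ALLOWED_TYPES


def render_remediation(var_value):
    """Substitute the variable into the template after validating it."""
    if not remediation_accepts(var_value):
        raise ValueError(f"unsupported encryption type: {var_value!r}")
    return REMEDIATION_TEMPLATE.replace(
        "{{.var_apiserver_encryption_type}}", var_value
    )


if __name__ == "__main__":
    for name, obj in (("compliant", SAMPLE_COMPLIANT),
                      ("unencrypted", SAMPLE_UNENCRYPTED),
                      ("unset", SAMPLE_UNSET)):
        print(f"{name}: {evaluate(obj)}")
    print(render_remediation("aesgcm"))
```

Running the module prints the verdict for each constructed object and the rendered manifest for `aesgcm`; passing `identity` to `render_remediation` raises, which is the behaviour the variable's allowed-values list should enforce at build time.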
Weird, CI didn't react. Issuing command again: /test e2e-aws-ocp4-cis
Code Climate has analyzed commit 0e54001 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.3% (0.0% change). View more on Code Climate.
/test e2e-aws-ocp4-cis
Verified with 4.14.0-0.nightly-2023-08-11-055332 + code in the PR.
Yes.
/retest
/unhold
The latest CIS guidance allows OpenShift users to configure the encryption type for the API server to `aescbc` or `aesgcm`. Previously, the variable used to evaluate this check only supported `aescbc`. This commit updates the variable to accept either type, as per the CIS guidance.