Add ocp rules to cis profile #5872

Merged
merged 1 commit into from Jul 1, 2020
Conversation

redhatrises
Contributor

  • enabling missing rules in prodtype
@redhatrises redhatrises added this to the 0.1.51 milestone Jun 23, 2020
@mildas
Contributor

mildas commented Jun 23, 2020

Changes identified:
Profile cis on ocp4:
Rule kubelet_configure_tls_key, file_owner_cni_conf, scc_drop_container_capabilities, scc_limit_privileged_containers, configure_network_policies_namespaces, kubelet_authorization_mode, file_owner_kubelet_conf, file_permissions_kube_scheduler, controller_use_service_account, kubelet_disable_readonly_port, scc_limit_process_id_namespace, file_groupowner_kube_controller_manager, scc_limit_network_namespace, controller_service_account_private_key, file_owner_openvswitch, file_permissions_etcd_member, file_owner_kubeconfig, general_configure_imagepolicywebhook, file_owner_worker_kubeconfig, kubelet_enable_server_cert_rotation, file_permissions_openvswitch, configure_network_policies, api_server_encryption_provider_cipher, api_server_admission_control_plugin_AlwaysAdmit, file_owner_controller_manager_kubeconfig, file_permissions_cni_conf, file_owner_etcd_member, file_owner_kube_controller_manager, file_groupowner_worker_ca, controller_rotate_kubelet_server_certs, controller_service_account_ca, file_groupowner_kube_apiserver, file_permissions_worker_ca, scc_limit_container_allowed_capabilities, file_groupowner_proxy_kubeconfig, api_server_admission_control_plugin_SecurityContextDeny, file_groupowner_scheduler_kubeconfig, rbac_wildcard_use, kubelet_anonymous_auth, file_permissions_proxy_kubeconfig, file_permissions_kubelet_conf, file_permissions_controller_manager_kubeconfig, kubelet_enable_client_cert_rotation, controller_bind_address, api_server_admission_control_plugin_AlwaysPullImages, file_groupowner_cni_conf, kubelet_configure_event_creation, accounts_restrict_service_account_tokens, secrets_no_environment_variables, file_groupowner_etcd_member, file_permissions_var_lib_etcd, kubelet_enable_streaming_connections, api_server_tls_cipher_suites, rbac_limit_secrets_access, api_server_admission_control_plugin_PodSecurityPolicy, file_permissions_worker_service, api_server_admission_control_plugin_ServiceAccount, scc_limit_privilege_escalation, scc_limit_root_containers, kubelet_configure_tls_cert, file_permissions_kube_controller_manager, file_groupowner_controller_manager_kubeconfig, file_owner_worker_ca, rbac_limit_cluster_admin, file_groupowner_worker_service, api_server_admission_control_plugin_NamespaceLifecycle, api_server_admission_control_plugin_NodeRestriction, scc_limit_ipc_namespace, file_groupowner_kube_scheduler, file_permissions_scheduler_kubeconfig, file_groupowner_worker_kubeconfig, kubelet_configure_client_ca, file_groupowner_kubeconfig, file_permissions_worker_kubeconfig, rbac_pod_creation_access, api_server_encryption_provider_config, file_permissions_kube_apiserver, file_owner_worker_service, accounts_unique_service_account, file_owner_proxy_kubeconfig, file_permissions_kubeconfig, file_groupowner_kubelet_conf, file_owner_var_lib_etcd, file_owner_kube_apiserver, file_groupowner_openvswitch, file_owner_scheduler_kubeconfig, api_server_profiling, api_server_admission_control_plugin_EventRateLimit, file_owner_kube_scheduler, scheduler_profiling_argument, scc_limit_net_raw_capability added to cis profile.

Recommended tests to execute:
 build_product ocp4
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-ocp4-ds.xml cis

@redhatrises
Contributor Author

/retest

@matejak
Member

matejak commented Jul 1, 2020

Rule changes LGTM, and @redhatrises is the OCP4 CIS profile author, so merging.

@matejak matejak merged commit b1a7acc into ComplianceAsCode:master Jul 1, 2020
@matejak matejak self-assigned this Jul 1, 2020
@redhatrises redhatrises deleted the ocp_rules branch July 1, 2020 15:23
3 participants