From 540749b68a01872e05a4414829c7abd9b513285e Mon Sep 17 00:00:00 2001 
From: Vincent Shen Date: Mon, 13 Mar 2023 18:02:15 -0700 Subject: [PATCH] OCP optimize rule for hypershift We optimized hypershift related rules so we don't have to extend a template tailoredprofile when use it on HyperShift --- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../api_server_audit_log_maxbackup/rule.yml | 6 ++-- .../api_server_audit_log_maxsize/rule.yml | 6 ++-- .../api_server_audit_log_path/rule.yml | 6 ++-- .../api_server_auth_mode_no_aa/rule.yml | 6 ++-- .../api_server_auth_mode_node/rule.yml | 6 ++-- .../api_server_auth_mode_rbac/rule.yml | 6 ++-- .../api-server/api_server_basic_auth/rule.yml | 6 ++-- .../api_server_bind_address/rule.yml | 6 ++-- .../api-server/api_server_client_ca/rule.yml | 30 ++++++++--------- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../api-server/api_server_etcd_ca/rule.yml | 30 ++++++++--------- .../api-server/api_server_etcd_cert/rule.yml | 6 ++-- .../api-server/api_server_etcd_key/rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../api_server_insecure_bind_address/rule.yml | 6 ++-- .../api_server_insecure_port/rule.yml | 6 ++-- .../rule.yml | 30 ++++++++--------- .../api_server_kubelet_client_cert/rule.yml | 20 +++++------ .../api_server_kubelet_client_key/rule.yml | 20 +++++------ .../rule.yml | 6 ++-- .../api_server_request_timeout/rule.yml | 8 +++-- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../api-server/api_server_tls_cert/rule.yml | 21 ++++++------ .../api_server_tls_cipher_suites/rule.yml | 6 ++-- .../api_server_tls_private_key/rule.yml | 21 ++++++------ .../api-server/api_server_token_auth/rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../rule.yml | 8 +++-- .../controller_secure_port/rule.yml | 7 ++-- .../controller_service_account_ca/rule.yml | 7 ++-- .../rule.yml | 7 ++-- .../controller_use_service_account/rule.yml | 6 ++-- .../openshift/etcd/etcd_auto_tls/rule.yml | 8 +++-- 
.../openshift/etcd/etcd_cert_file/rule.yml | 8 +++-- .../etcd/etcd_client_cert_auth/rule.yml | 8 +++-- .../openshift/etcd/etcd_key_file/rule.yml | 8 +++-- .../etcd/etcd_peer_auto_tls/rule.yml | 8 +++-- .../etcd/etcd_peer_cert_file/rule.yml | 8 +++-- .../etcd/etcd_peer_client_cert_auth/rule.yml | 8 +++-- .../etcd/etcd_peer_key_file/rule.yml | 8 +++-- .../tls_version_check_apiserver/rule.yml | 22 ++++++++++--- .../tests/tls_version.fail.sh | 33 ------------------- .../tests/tls_version.pass.sh | 33 ------------------- .../kubelet_configure_tls_cert/rule.yml | 31 +++++++++-------- .../kubelet_configure_tls_key/rule.yml | 30 ++++++++--------- .../kubelet_disable_readonly_port/rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../tests/ocp4/e2e.yml | 0 .../ocp_api_server_audit_log_maxsize/rule.yml | 6 ++-- .../tests/hypershift.nomatch.fail.sh | 0 .../tests/hypershift.pass.sh | 0 .../tests/ocp.nomatch.fail.sh | 0 .../tests/ocp.pass.sh | 0 .../tests/ocp4/e2e.yml | 0 .../rule.yml | 6 ++-- .../scheduler_no_bind_address/rule.yml | 8 +++-- .../scheduler/scheduler_port_is_zero/rule.yml | 8 +++-- 66 files changed, 342 insertions(+), 294 deletions(-) delete mode 100755 applications/openshift/general/tls_version_check_apiserver/tests/tls_version.fail.sh delete mode 100755 applications/openshift/general/tls_version_check_apiserver/tests/tls_version.pass.sh rename applications/openshift/{api-server => openshift-api-server}/ocp_api_server_audit_log_maxbackup/rule.yml (83%) rename applications/openshift/{api-server => openshift-api-server}/ocp_api_server_audit_log_maxbackup/tests/ocp4/e2e.yml (100%) rename applications/openshift/{api-server => openshift-api-server}/ocp_api_server_audit_log_maxsize/rule.yml (83%) rename applications/openshift/{api-server => openshift-api-server}/ocp_api_server_audit_log_maxsize/tests/hypershift.nomatch.fail.sh (100%) rename applications/openshift/{api-server => openshift-api-server}/ocp_api_server_audit_log_maxsize/tests/hypershift.pass.sh (100%) rename 
applications/openshift/{api-server => openshift-api-server}/ocp_api_server_audit_log_maxsize/tests/ocp.nomatch.fail.sh (100%)
rename applications/openshift/{api-server => openshift-api-server}/ocp_api_server_audit_log_maxsize/tests/ocp.pass.sh (100%)
rename applications/openshift/{api-server => openshift-api-server}/ocp_api_server_audit_log_maxsize/tests/ocp4/e2e.yml (100%)
diff --git a/applications/openshift/api-server/api_server_admission_control_plugin_alwaysadmit/rule.yml b/applications/openshift/api-server/api_server_admission_control_plugin_alwaysadmit/rule.yml
index be88c59db486..79cbc8fcf3a4 100644
--- a/applications/openshift/api-server/api_server_admission_control_plugin_alwaysadmit/rule.yml
+++ b/applications/openshift/api-server/api_server_admission_control_plugin_alwaysadmit/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Disable the AlwaysAdmit Admission Control Plugin'
-{{% set custom_jqfilter = '[.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_admission_control_plugin_alwayspullimages/rule.yml b/applications/openshift/api-server/api_server_admission_control_plugin_alwayspullimages/rule.yml
index 5c88bb0f79b4..c88171def903 100644
--- a/applications/openshift/api-server/api_server_admission_control_plugin_alwayspullimages/rule.yml
+++ b/applications/openshift/api-server/api_server_admission_control_plugin_alwayspullimages/rule.yml
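Review bot: The new `hypershift_path` and `hypershift_jqfilter` lines hard-code the configmap name `kas-config` and the data key `config.json`, but nothing in the rule records where those names come from or that they are deliberately no longer tailorable; a short comment above them would stop the next maintainer from reaching for the removed variables, e.g. `{{# HyperShift keeps the hosted kube-apiserver config in configmap kas-config (key config.json) of the clusters-<name> namespace; fixed on purpose, not tailorable #}}` (using whatever comment delimiter this project's Jinja setup provides). The removed lines were the only references visible here to `var_openshift_kube_apiserver_config`, `var_openshift_kube_apiserver_config_data_name` and `var_openshift_kube_apiserver_namespace`; if no other rule or profile still uses them, their variable definitions are now dead and should be removed in the same change so that a tailoring which sets them does not silently become a no-op. The branch selection still keys on the literal sentinel `"None"`, so an empty `hypershift_cluster` value would produce the path `/api/v1/namespaces/clusters-/configmaps/kas-config`; the variable's default is not in this hunk, so this is only something to confirm.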
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure that the Admission Control Plugin AlwaysPullImages is not set'
-{{% set custom_jqfilter = '[.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_admission_control_plugin_namespacelifecycle/rule.yml b/applications/openshift/api-server/api_server_admission_control_plugin_namespacelifecycle/rule.yml
index fb424a22eb59..75d920fae372 100644
--- a/applications/openshift/api-server/api_server_admission_control_plugin_namespacelifecycle/rule.yml
+++ b/applications/openshift/api-server/api_server_admission_control_plugin_namespacelifecycle/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Enable the NamespaceLifecycle Admission Control Plugin'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_admission_control_plugin_noderestriction/rule.yml b/applications/openshift/api-server/api_server_admission_control_plugin_noderestriction/rule.yml
index 89a2a4f2774f..0544815d0248 100644
--- a/applications/openshift/api-server/api_server_admission_control_plugin_noderestriction/rule.yml
+++ b/applications/openshift/api-server/api_server_admission_control_plugin_noderestriction/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Enable the NodeRestriction Admission Control Plugin'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_admission_control_plugin_scc/rule.yml b/applications/openshift/api-server/api_server_admission_control_plugin_scc/rule.yml
index c9ec8da1f765..096612b38d9f 100644
--- a/applications/openshift/api-server/api_server_admission_control_plugin_scc/rule.yml
+++ b/applications/openshift/api-server/api_server_admission_control_plugin_scc/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Enable the SecurityContextConstraint Admission Control Plugin'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_admission_control_plugin_securitycontextdeny/rule.yml b/applications/openshift/api-server/api_server_admission_control_plugin_securitycontextdeny/rule.yml
index b998a925b40b..969759e03af6 100644
--- a/applications/openshift/api-server/api_server_admission_control_plugin_securitycontextdeny/rule.yml
+++ b/applications/openshift/api-server/api_server_admission_control_plugin_securitycontextdeny/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used'
-{{% set custom_jqfilter = '[.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_admission_control_plugin_service_account/rule.yml b/applications/openshift/api-server/api_server_admission_control_plugin_service_account/rule.yml
index 54d60c8ba678..753d828ffa9e 100644
--- a/applications/openshift/api-server/api_server_admission_control_plugin_service_account/rule.yml
+++ b/applications/openshift/api-server/api_server_admission_control_plugin_service_account/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Enable the ServiceAccount Admission Control Plugin'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_audit_log_maxbackup/rule.yml b/applications/openshift/api-server/api_server_audit_log_maxbackup/rule.yml
index 17ae4549bd80..947858a4bef7 100644
--- a/applications/openshift/api-server/api_server_audit_log_maxbackup/rule.yml
+++ b/applications/openshift/api-server/api_server_audit_log_maxbackup/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the Kubernetes API Server Maximum Retained Audit Logs'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_audit_log_maxsize/rule.yml b/applications/openshift/api-server/api_server_audit_log_maxsize/rule.yml
index 23273028f250..d1409dc1a9e9 100644
--- a/applications/openshift/api-server/api_server_audit_log_maxsize/rule.yml
+++ b/applications/openshift/api-server/api_server_audit_log_maxsize/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure Kubernetes API Server Maximum Audit Log Size'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_audit_log_path/rule.yml b/applications/openshift/api-server/api_server_audit_log_path/rule.yml
index 1f7bb8f47c70..f35df59b718e 100644
--- a/applications/openshift/api-server/api_server_audit_log_path/rule.yml
+++ b/applications/openshift/api-server/api_server_audit_log_path/rule.yml
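Review bot: This hunk gives `api_server_audit_log_maxsize` a HyperShift code path (`kas-config` / `config.json`) but, judging from the diffstat, no HyperShift test scenario accompanies it, whereas the sibling `ocp_api_server_audit_log_maxsize` rule that moves in this same series ships `tests/hypershift.pass.sh` and `tests/hypershift.nomatch.fail.sh`. Without an equivalent pair here, nothing exercises the new `hypershift_jqfilter` against a `config.json` payload, so a mismatch between the hosted kube-apiserver's `apiServerArguments` layout and the `yamlpath` further down (outside this hunk) would go unnoticed until it fails on a real hosted cluster. Adding a `tests/hypershift.pass.sh` and a `tests/hypershift.nomatch.fail.sh` modelled on the moved rule's would close that gap for this rule and for the other `api_server_*` rules touched by the commit.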
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the Audit Log Path'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_auth_mode_no_aa/rule.yml b/applications/openshift/api-server/api_server_auth_mode_no_aa/rule.yml
index 20695109d93d..60b7a76cc029 100644
--- a/applications/openshift/api-server/api_server_auth_mode_no_aa/rule.yml
+++ b/applications/openshift/api-server/api_server_auth_mode_no_aa/rule.yml
@@ -2,10 +2,12 @@ prodtype: ocp4
 title: The authorization-mode cannot be AlwaysAllow
-{{% set custom_jqfilter = '[.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: 'Do not always authorize all requests.'
diff --git a/applications/openshift/api-server/api_server_auth_mode_node/rule.yml b/applications/openshift/api-server/api_server_auth_mode_node/rule.yml
index a42f4e1ccae4..15a6cb763c96 100644
--- a/applications/openshift/api-server/api_server_auth_mode_node/rule.yml
+++ b/applications/openshift/api-server/api_server_auth_mode_node/rule.yml
@@ -2,10 +2,12 @@ prodtype: ocp4
 title: Ensure authorization-mode Node is configured
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: 'Restrict kubelet nodes to reading only objects associated with them.'
diff --git a/applications/openshift/api-server/api_server_auth_mode_rbac/rule.yml b/applications/openshift/api-server/api_server_auth_mode_rbac/rule.yml
index 819861dc1c01..7002ded7699c 100644
--- a/applications/openshift/api-server/api_server_auth_mode_rbac/rule.yml
+++ b/applications/openshift/api-server/api_server_auth_mode_rbac/rule.yml
@@ -2,10 +2,12 @@ prodtype: ocp4
 title: Ensure authorization-mode RBAC is configured
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_basic_auth/rule.yml b/applications/openshift/api-server/api_server_basic_auth/rule.yml
index 65df690e8ef7..95ef7b349993 100644
--- a/applications/openshift/api-server/api_server_basic_auth/rule.yml
+++ b/applications/openshift/api-server/api_server_basic_auth/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Disable basic-auth-file for the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_bind_address/rule.yml b/applications/openshift/api-server/api_server_bind_address/rule.yml
index d7e105380ea7..6c9009b3090d 100644
--- a/applications/openshift/api-server/api_server_bind_address/rule.yml
+++ b/applications/openshift/api-server/api_server_bind_address/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: Ensure that the bindAddress is set to a relevant secure port
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: "The bindAddress is set by default to 0.0.0.0:6443, and listening with TLS enabled."
diff --git a/applications/openshift/api-server/api_server_client_ca/rule.yml b/applications/openshift/api-server/api_server_client_ca/rule.yml
index 2f916bd4172e..4f43695c035e 100644
--- a/applications/openshift/api-server/api_server_client_ca/rule.yml
+++ b/applications/openshift/api-server/api_server_client_ca/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the Client Certificate Authority for the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
-{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
+{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["client-ca-file"]) | .apiServerArguments["client-ca-file"][] | select(test("{{.var_apiserver_client_ca}}"))]' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["client-ca-file"]) | .apiServerArguments["client-ca-file"][] | select(test("/etc/kubernetes/certs/client-ca/ca.crt"))]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
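Review bot: The new `default_jqfilter` hands `{{.var_apiserver_client_ca}}` to jq's `test()`, which is an unanchored regular-expression match: any `client-ca-file` entry that merely contains the value passes, and a `.` in a value such as `ca.crt` matches any character. If the variable is meant to be an exact path, compare it instead, `select(. == "{{.var_apiserver_client_ca}}")`, or anchor it, `select(test("^{{.var_apiserver_client_ca}}$"))`; the same goes for the HyperShift literal `/etc/kubernetes/certs/client-ca/ca.crt` in `hypershift_jqfilter`, whose dots are likewise unescaped. The value is now interpolated into the jq program at collection time rather than compared as data at evaluation time, so a tailored value containing `"` or a backslash sequence would break the filter rather than be matched literally; the rule's documentation should state that the variable is interpreted as a regex (or switch to the literal comparison above so it need not).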
@@ -58,15 +60,13 @@ warnings:
 {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(8) }}}
 template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
- yamlpath: '.apiServerArguments["client-ca-file"]'
- entity_check: "all"
- xccdf_variable: var_apiserver_client_ca
- embedded_data: "true"
- values:
- - value: '(.+)'
- operation: "pattern match"
- type: "string"
\ No newline at end of file
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
+ yamlpath: "[:]"
+ check_existence: "at_least_one_exists"
+ entity_check: "all"
+ values:
+ - value: "(.*?)"
+ operation: "pattern match"
diff --git a/applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml b/applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml
index d693b87d4354..8de19deaf91b 100644
--- a/applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml
+++ b/applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml
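Review bot: With the path comparison moved into the jq filter, the template's `value: "(.*?)"` accepts any string, including an empty one, so the only thing this block still asserts is `check_existence: "at_least_one_exists"` on the filtered array; should `var_apiserver_client_ca` ever be tailored to an empty or very broad regex, every `client-ca-file` entry survives the filter and the rule passes on anything. Either require content, `- value: '.+'`, or put a comment above `values:` saying that the real comparison lives in `default_jqfilter` and this pattern is intentionally a presence check. Dropping `xccdf_variable` and `embedded_data` also means the variable no longer appears in the generated OVAL and the check result is fixed at collection time, which is fine but should be mentioned in the rule description for anyone who tailors the value. The hunk also fixes the missing final newline of the file.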
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the Encryption Provider Cipher'
-{{% set custom_jqfilter = '{{.var_apiserver_encryption_filter}}' %}}
 {{% set default_jqfilter = '[.spec.encryption.type]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/apis/hypershift.openshift.io/v1beta1/namespaces/clusters/hostedclusters/{{.hypershift_cluster}}{{else}}{{.var_apiserver_encryption_path}}{{end}}' %}}
 {{% set default_api_path = '/apis/config.openshift.io/v1/apiservers/cluster' %}}
+{{% set hypershift_path = '/apis/hypershift.openshift.io/v1beta1/namespaces/clusters/hostedclusters/{{.hypershift_cluster}}' %}}
+{{% set hypershift_jqfilter = '[.spec.secretEncryption.type]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_encryption_provider_config/rule.yml b/applications/openshift/api-server/api_server_encryption_provider_config/rule.yml
index 0497de9a0bd9..e8d4aaba381d 100644
--- a/applications/openshift/api-server/api_server_encryption_provider_config/rule.yml
+++ b/applications/openshift/api-server/api_server_encryption_provider_config/rule.yml
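Review bot: The HyperShift branch reads `.spec.secretEncryption.type` from the HostedCluster, whose value set is not the same as the OCP `APIServer` `.spec.encryption.type` this rule was written against (HyperShift, as far as I know, also offers a `kms` type there), and when the field is absent the filter produces `[null]` rather than an empty array. The `values:` pattern that consumes this is further down the file, outside the hunk, so I cannot tell whether it accepts the HyperShift spellings; please confirm that a KMS-encrypted hosted cluster is not reported as failing and that a HostedCluster with no `secretEncryption` stanza is reported as a failure rather than a pass. A one-line comment above `hypershift_jqfilter` naming the expected values, e.g. `{{# HostedCluster.spec.secretEncryption.type; expected aescbc (kms is provider-managed) #}}`, would make the intended contract explicit for the next reader.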
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the Encryption Provider'
-{{% set custom_jqfilter = '{{.var_apiserver_encryption_filter}}' %}}
 {{% set default_jqfilter = '[.spec.encryption.type]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/apis/hypershift.openshift.io/v1beta1/namespaces/clusters/hostedclusters/{{.hypershift_cluster}}{{else}}{{.var_apiserver_encryption_path}}{{end}}' %}}
 {{% set default_api_path = '/apis/config.openshift.io/v1/apiservers/cluster' %}}
+{{% set hypershift_path = '/apis/hypershift.openshift.io/v1beta1/namespaces/clusters/hostedclusters/{{.hypershift_cluster}}' %}}
+{{% set hypershift_jqfilter = '[.spec.secretEncryption.type]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_etcd_ca/rule.yml b/applications/openshift/api-server/api_server_etcd_ca/rule.yml
index be96cb52bbcc..7e24829c0b84 100644
--- a/applications/openshift/api-server/api_server_etcd_ca/rule.yml
+++ b/applications/openshift/api-server/api_server_etcd_ca/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the etcd Certificate Authority for the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
-{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
+{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["etcd-cafile"]) | .apiServerArguments["etcd-cafile"][] | select(test("{{.var_apiserver_etcd_ca}}"))]' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["etcd-cafile"]) | .apiServerArguments["etcd-cafile"][] | select(test("/etc/kubernetes/certs/etcd-ca/ca.crt"))]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
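Review bot: `select(test("{{.var_apiserver_etcd_ca}}"))` in the new `default_jqfilter` interpolates the tailoring variable verbatim into an unanchored jq regex: `test` searches rather than matches the whole string, and `.` inside the variable is a wildcard, so any `etcd-cafile` entry that merely contains the expected path (or differs only at a `.` position) still satisfies the check, and the rule reports compliant for a CA file that is not the one the profile intended. Anchoring the pattern, `select(test("^{{.var_apiserver_etcd_ca}}$"))`, or — if the variable is always a literal path — comparing directly, `select(. == "{{.var_apiserver_etcd_ca}}")`, makes the check exact; the hard-coded HyperShift pattern `/etc/kubernetes/certs/etcd-ca/ca.crt` in `hypershift_jqfilter` has the same weakness and can be anchored the same way. The identical filter shape is introduced for api_server_kubelet_certificate_authority, api_server_kubelet_client_cert, api_server_kubelet_client_key, api_server_tls_cert and api_server_tls_private_key, and presumably for api_server_client_ca whose header hunk is outside this view.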
@@ -58,15 +60,13 @@ warnings:
 {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(8) }}}
 template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
- yamlpath: '.apiServerArguments["etcd-cafile"][:]'
- entity_check: "all"
- xccdf_variable: var_apiserver_etcd_ca
- embedded_data: "true"
- values:
- - value: '(.+)'
- operation: "pattern match"
- type: "string"
\ No newline at end of file
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
+ yamlpath: "[:]"
+ check_existence: "at_least_one_exists"
+ entity_check: "all"
+ values:
+ - value: "(.*?)"
+ operation: "pattern match"
diff --git a/applications/openshift/api-server/api_server_etcd_cert/rule.yml b/applications/openshift/api-server/api_server_etcd_cert/rule.yml
index 2b7fa1ee12ea..5b1148a51c43 100644
--- a/applications/openshift/api-server/api_server_etcd_cert/rule.yml
+++ b/applications/openshift/api-server/api_server_etcd_cert/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the etcd Certificate for the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_etcd_key/rule.yml b/applications/openshift/api-server/api_server_etcd_key/rule.yml
index 15d097d541e7..2938cc0139a8 100644
--- a/applications/openshift/api-server/api_server_etcd_key/rule.yml
+++ b/applications/openshift/api-server/api_server_etcd_key/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the etcd Certificate Key for the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml b/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml
index 45a140893eaa..bf12ef52103b 100644
--- a/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml
+++ b/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure that the --kubelet-https argument is set to true'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_insecure_bind_address/rule.yml b/applications/openshift/api-server/api_server_insecure_bind_address/rule.yml
index 8b88c5965de6..5cf825e5501f 100644
--- a/applications/openshift/api-server/api_server_insecure_bind_address/rule.yml
+++ b/applications/openshift/api-server/api_server_insecure_bind_address/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Disable Use of the Insecure Bind Address'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson | .apiServerArguments' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson | .apiServerArguments' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson | .apiServerArguments' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_insecure_port/rule.yml b/applications/openshift/api-server/api_server_insecure_port/rule.yml
index 380f60a9ebda..07b14ebab505 100644
--- a/applications/openshift/api-server/api_server_insecure_port/rule.yml
+++ b/applications/openshift/api-server/api_server_insecure_port/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Prevent Insecure Port Access'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_kubelet_certificate_authority/rule.yml b/applications/openshift/api-server/api_server_kubelet_certificate_authority/rule.yml
index ef05b3f2e8e5..fedd202b5329 100644
--- a/applications/openshift/api-server/api_server_kubelet_certificate_authority/rule.yml
+++ b/applications/openshift/api-server/api_server_kubelet_certificate_authority/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the kubelet Certificate Authority for the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
-{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
+{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-certificate-authority"]) | .apiServerArguments["kubelet-certificate-authority"][] | select(test("{{.var_apiserver_kubelet_certificate_authority}}"))]' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-certificate-authority"]) | .apiServerArguments["kubelet-certificate-authority"][] | select(test("/etc/kubernetes/certs/kubelet-ca/ca.crt"))]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
@@ -57,15 +59,13 @@ warnings:
 {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(8) }}}
 template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
- yamlpath: '.apiServerArguments["kubelet-certificate-authority"][:]'
- entity_check: "all"
- xccdf_variable: var_apiserver_kubelet_certificate_authority
- embedded_data: "true"
- values:
- - value: '(.+)'
- operation: "pattern match"
- type: "string"
\ No newline at end of file
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
+ yamlpath: "[:]"
+ check_existence: "at_least_one_exists"
+ entity_check: "all"
+ values:
+ - value: "(.*?)"
+ operation: "pattern match"
diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml
index 3dc412af013e..ba136489d27d 100644
--- a/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml
+++ b/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the kubelet Certificate File for the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
-{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
+{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("{{.var_apiserver_kubelet_client_cert}}"))]' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("/etc/kubernetes/certs/kubelet/tls.crt"))]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
@@ -60,12 +62,10 @@ template:
 name: yamlfile_value
 vars:
 ocp_data: "true"
- entity_check: "all"
 filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
- yamlpath: '.apiServerArguments["kubelet-client-certificate"][:]'
- xccdf_variable: var_apiserver_kubelet_client_cert
- embedded_data: "true"
+ yamlpath: "[:]"
+ check_existence: "at_least_one_exists"
+ entity_check: "all"
 values:
- - value: '(.+)'
- type: "string"
- operation: "pattern match"
+ - value: "(.*?)"
+ operation: "pattern match"
diff --git a/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml
index ce81f69a16ad..78cbf20f10bf 100644
--- a/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml
+++ b/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the kubelet Certificate Key for the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
-{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
+{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-client-key"]) | .apiServerArguments["kubelet-client-key"][] | select(test("{{.var_apiserver_kubelet_client_key}}"))]' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-client-key"]) | .apiServerArguments["kubelet-client-key"][] | select(test("/etc/kubernetes/certs/kubelet/tls.key"))]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
@@ -60,12 +62,10 @@ template:
 name: yamlfile_value
 vars:
 ocp_data: "true"
- entity_check: "all"
 filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
- yamlpath: '.apiServerArguments["kubelet-client-key"][:]'
- xccdf_variable: var_apiserver_kubelet_client_key
- embedded_data: "true"
+ yamlpath: "[:]"
+ check_existence: "at_least_one_exists"
+ entity_check: "all"
 values:
- - value: '(.+)'
- type: "string"
- operation: "pattern match"
+ - value: "(.*?)"
+ operation: "pattern match"
diff --git a/applications/openshift/api-server/api_server_no_adm_ctrl_plugins_disabled/rule.yml b/applications/openshift/api-server/api_server_no_adm_ctrl_plugins_disabled/rule.yml
index 88484f77da77..9eb707f106d1 100644
--- a/applications/openshift/api-server/api_server_no_adm_ctrl_plugins_disabled/rule.yml
+++ b/applications/openshift/api-server/api_server_no_adm_ctrl_plugins_disabled/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure all admission control plugins are enabled'
-{{% set custom_jqfilter = '[.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
diff --git a/applications/openshift/api-server/api_server_request_timeout/rule.yml b/applications/openshift/api-server/api_server_request_timeout/rule.yml
index 6a0d3e073f76..380b95bc909d 100644
--- a/applications/openshift/api-server/api_server_request_timeout/rule.yml
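Review bot: `hypershift_jqfilter` repeats the whole admission-plugin jq expression of `default_jqfilter`, differing only in the data key `config.json` versus `config.yaml`, so the two filters can silently drift apart the next time the `PodSecurity` exception or the `has("disable-admission-plugins")` guard is touched. The `hypershift_path`, `custom_api_path` and `custom_jqfilter` lines are likewise byte-identical boilerplate in every api-server rule of this commit. Deriving one filter from the other, e.g. `{{% set hypershift_jqfilter = default_jqfilter | replace('config.yaml', 'config.json') %}}` if the project's Jinja setup exposes the standard `replace` filter, and moving the three shared `set` lines into a common macro would keep the HyperShift and standalone branches from diverging; that applies to every `@@ -4,10 +4,12 @@` hunk in this commit.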
+++ b/applications/openshift/api-server/api_server_request_timeout/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the API Server Minimum Request Timeout'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
@@ -51,7 +53,7 @@ ocil: |-
 warnings:
 - general: |-
- {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-apiserver/configmaps/config") | indent(4) }}}
+ {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}
 template:
 name: yamlfile_value
diff --git a/applications/openshift/api-server/api_server_service_account_lookup/rule.yml b/applications/openshift/api-server/api_server_service_account_lookup/rule.yml
index 1b8cd1a2b697..1ea6e35e2343 100644
--- a/applications/openshift/api-server/api_server_service_account_lookup/rule.yml
+++ b/applications/openshift/api-server/api_server_service_account_lookup/rule.yml
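Review bot: The `warnings` hunk of api_server_request_timeout does more than switch to the filtered helper — the removed line pointed at `openshift-apiserver/configmaps/config`, while `dump_path` is built from `default_api_path`, i.e. the `openshift-kube-apiserver` `config` ConfigMap, so the object the warning tells the reader to collect has changed. If the `template:` block that follows (only its first two lines are in the hunk) reads the kube-apiserver ConfigMap through `openshift_filtered_path(default_api_path, default_jqfilter)`, this is a silent fix of a pre-existing warning/check mismatch and deserves a sentence in the commit message; if the check still targets the openshift-apiserver ConfigMap, the warning and the check now describe different objects. I cannot tell which from this view.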
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: Ensure that the service-account-lookup argument is set to true
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: Validate service account before validating token.
diff --git a/applications/openshift/api-server/api_server_service_account_public_key/rule.yml b/applications/openshift/api-server/api_server_service_account_public_key/rule.yml
index e27f0b9dc6d1..4b9dc3eab42a 100644
--- a/applications/openshift/api-server/api_server_service_account_public_key/rule.yml
+++ b/applications/openshift/api-server/api_server_service_account_public_key/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the Service Account Public Key for the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_tls_cert/rule.yml b/applications/openshift/api-server/api_server_tls_cert/rule.yml
index b50ba7537c57..2039c0692ab9 100644
--- a/applications/openshift/api-server/api_server_tls_cert/rule.yml
+++ b/applications/openshift/api-server/api_server_tls_cert/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the Certificate for the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
-{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
+{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["tls-cert-file"]) | .apiServerArguments["tls-cert-file"][] | select(test("{{.var_apiserver_tls_cert}}"))]' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["tls-cert-file"]) | .apiServerArguments["tls-cert-file"][] | select(test("/etc/kubernetes/certs/server/tls.crt"))]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
@@ -59,12 +61,11 @@ template:
 name: yamlfile_value
 vars:
 ocp_data: "true"
- entity_check: "all"
 filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
- yamlpath: '.apiServerArguments["tls-cert-file"][:]'
- xccdf_variable: var_apiserver_tls_cert
- embedded_data: "true"
+ yamlpath: "[:]"
+ check_existence: "at_least_one_exists"
+ entity_check: "all"
 values:
- - value: '(.+)'
- operation: "pattern match"
- type: "string"
+ - value: "(.*?)"
+ operation: "pattern match"
+
diff --git a/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml b/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml
index fa7d59953952..c3d222404c5d 100644
--- a/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml
+++ b/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Use Strong Cryptographic Ciphers on the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_tls_private_key/rule.yml b/applications/openshift/api-server/api_server_tls_private_key/rule.yml
index 804c6c9f1486..d12a4aeaa10b 100644
--- a/applications/openshift/api-server/api_server_tls_private_key/rule.yml
+++ b/applications/openshift/api-server/api_server_tls_private_key/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the Certificate Key for the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
-{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
+{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["tls-private-key-file"]) | .apiServerArguments["tls-private-key-file"][] | select(test("{{.var_apiserver_tls_private_key}}"))]' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["tls-private-key-file"]) | .apiServerArguments["tls-private-key-file"][] | select(test("/etc/kubernetes/certs/server/tls.key"))]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
@@ -59,12 +61,11 @@ template:
 name: yamlfile_value
 vars:
 ocp_data: "true"
- entity_check: "all"
 filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
- yamlpath: '.apiServerArguments["tls-private-key-file"][:]'
- xccdf_variable: var_apiserver_tls_private_key
- embedded_data: "true"
+ yamlpath: "[:]"
+ check_existence: "at_least_one_exists"
+ entity_check: "all"
 values:
- - value: '(.+)'
- operation: "pattern match"
- type: "string"
+ - value: "(.*?)"
+ operation: "pattern match"
+
diff --git a/applications/openshift/api-server/api_server_token_auth/rule.yml b/applications/openshift/api-server/api_server_token_auth/rule.yml
index a70bba845d12..ca8accb62f45 100644
--- a/applications/openshift/api-server/api_server_token_auth/rule.yml
+++ b/applications/openshift/api-server/api_server_token_auth/rule.yml
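Review bot: With `yamlpath: "[:]"` and `value: "(.*?)"` the pattern match accepts every element including the empty string, so the whole assertion now rests on `check_existence: "at_least_one_exists"`, i.e. on the jq `select(test(...))` in the filter returning at least one entry, and `entity_check: "all"` adds nothing on top of that. That is defensible, but it is not visible from the template alone, so a comment above `yamlpath` along the lines of `# the jq filter already selects the expected key path; this only asserts the result is non-empty` would spare the next reader a detour. `type: "string"` is dropped from the value entry here but kept in the tls_version_check_apiserver hunk below; pick one convention. The kubelet_configure_tls_cert hunk further down rewrites its template the same way and this note applies there too.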
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Disable Token-based Authentication'
-{{% set custom_jqfilter = '[.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/controller/controller_insecure_port_disabled/rule.yml b/applications/openshift/controller/controller_insecure_port_disabled/rule.yml
index d58932ad695b..f7bef8335e5b 100644
--- a/applications/openshift/controller/controller_insecure_port_disabled/rule.yml
+++ b/applications/openshift/controller/controller_insecure_port_disabled/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure Controller insecure port argument is unset'
-{{% set custom_jqfilter = '{{.var_kube_controller_manager_port_zero_filter}}' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson | if .extendedArguments["port"]!=null then .extendedArguments["port"]==["0"] else true end]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager' %}}
+{{% set hypershift_jqfilter = '[[.items[0].spec.containers[0].args[] | select(. | match("--port=[1-9]*[1-9]+") )] | length | if . == 0 then true else false end]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml
index 05a419c67f53..0f26328655ec 100644
--- a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml
+++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml
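Review bot: `hypershift_jqfilter` iterates `.items[0].spec.containers[0].args[]`, and when the `labelSelector=app%3Dkube-controller-manager` query returns no pod `.items[0]` is null, so jq aborts on the iteration instead of yielding a boolean and the rule errors rather than reporting the missing control-plane pod; the secure_port, service_account_ca, service_account_private_key and use_service_account hunks below share this shape. Writing the iteration as `.items[0].spec.containers[0].args[]?` (or `(.items[0].spec.containers[0].args // [])[]`) keeps the filter producing a result in that case. Separately, `match("--port=[1-9]*[1-9]+")` does not match a value such as `--port=01` and is unanchored; `match("^--port=0*[1-9]")` is closer to "a non-zero port was set". The trailing `if . == 0 then true else false end` can simply be `. == 0`.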
@@ -4,12 +4,16 @@ prodtype: ocp4
 title: 'Ensure that the RotateKubeletServerCertificate argument is set'
-{{% set custom_jqfilter = '{{.var_kube_controller_manager_rotate_kubelet_server_certs_filter}}' %}}
+
 {{% set default_jqfilter = '.data."config.yaml" | fromjson | .extendedArguments["feature-gates"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager' %}}
+{{% set hypershift_jqfilter = '.items[0].spec.containers[0].args' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
+
 description: |-
 To enforce kublet server certificate rotation on the Controller Manager, set the RotateKubeletServerCertificate option to true
diff --git a/applications/openshift/controller/controller_secure_port/rule.yml b/applications/openshift/controller/controller_secure_port/rule.yml
index 5528a8539078..a804abd9a8dc 100644
--- a/applications/openshift/controller/controller_secure_port/rule.yml
+++ b/applications/openshift/controller/controller_secure_port/rule.yml
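Review bot: `hypershift_jqfilter` returns the complete `.items[0].spec.containers[0].args` list, while `default_jqfilter` returns only `.extendedArguments["feature-gates"]`, so the template further down (outside this hunk) sees a different shape on HyperShift: every controller-manager flag instead of the feature-gate entries. Whether that still evaluates correctly depends on that template's entity check — an "at least one" match on `RotateKubeletServerCertificate=true` would work, an "all" match would not — so please confirm against a HyperShift fixture, or narrow the filter to the relevant argument, e.g. `[.items[0].spec.containers[0].args[]? | select(startswith("--feature-gates="))]`. The two blank `+` lines added before `default_jqfilter` and after `dump_path` look unintentional.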
@@ -4,12 +4,15 @@ prodtype: ocp4
 title: 'Ensure Controller secure-port argument is set'
-{{% set custom_jqfilter = '{{.var_kube_controller_manager_secure_port_filter}}' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson | if .extendedArguments["secure-port"][]=="10257" then true else false end]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager' %}}
+{{% set hypershift_jqfilter = '[[.items[0].spec.containers[0].args[] | select(. | match("--secure-port=10257") )] | length | if . ==1 then true else false end]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
+
 description: |-
 To ensure the Controller Manager service is bound to secure loopback address using a secure port,
diff --git a/applications/openshift/controller/controller_service_account_ca/rule.yml b/applications/openshift/controller/controller_service_account_ca/rule.yml
index 90f69242f78d..0ee450e52859 100644
--- a/applications/openshift/controller/controller_service_account_ca/rule.yml
+++ b/applications/openshift/controller/controller_service_account_ca/rule.yml
@@ -4,10 +4,13 @@ prodtype: ocp4
 title: 'Configure the Service Account Certificate Authority Key for the Controller Manager'
-{{% set custom_jqfilter = '{{.var_kube_controller_manager_service_account_ca_filter}}' %}}
+
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson | if .extendedArguments["root-ca-file"]!=null then true else false end]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager' %}}
+{{% set hypershift_jqfilter = '[[.items[0].spec.containers[0].args[] | select(. | match("--root-ca-file") )] | length | if . ==1 then true else false end]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/controller/controller_service_account_private_key/rule.yml b/applications/openshift/controller/controller_service_account_private_key/rule.yml
index fb64ec9226ce..1f76b5955e10 100644
--- a/applications/openshift/controller/controller_service_account_private_key/rule.yml
+++ b/applications/openshift/controller/controller_service_account_private_key/rule.yml
@@ -4,12 +4,15 @@ prodtype: ocp4
 title: 'Configure the Service Account Private Key for the Controller Manager'
-{{% set custom_jqfilter = '{{.var_kube_controller_manager_service_account_private_key_filter}}' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson | if .extendedArguments["service-account-private-key-file"]!=null then true else false end]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager' %}}
+{{% set hypershift_jqfilter = '[[.items[0].spec.containers[0].args[] | select(. | match("--service-account-private-key-file") )] | length | if . ==1 then true else false end]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
+
 description: |-
 To ensure the API Server utilizes its own key pair, set the privateKeyFile parameter to the public key file for service accounts in the openshift-kube-controller-manager configmap on the master
diff --git a/applications/openshift/controller/controller_use_service_account/rule.yml b/applications/openshift/controller/controller_use_service_account/rule.yml
index cac05ebc92e9..5211e135ce36 100644
--- a/applications/openshift/controller/controller_use_service_account/rule.yml
+++ b/applications/openshift/controller/controller_use_service_account/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure that use-service-account-credentials is enabled'
-{{% set custom_jqfilter = '{{.var_kube_controller_manager_use_service_account_filter}}' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson | if .extendedArguments["use-service-account-credentials"][]=="true" then true else false end]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager' %}}
+{{% set hypershift_jqfilter = '[[.items[0].spec.containers[0].args[] | select(. | match("--use-service-account-credentials=true") )] | length | if . ==1 then true else false end]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_auto_tls/rule.yml b/applications/openshift/etcd/etcd_auto_tls/rule.yml
index 774669c5b479..b54523eda1a3 100644
--- a/applications/openshift/etcd/etcd_auto_tls/rule.yml
+++ b/applications/openshift/etcd/etcd_auto_tls/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Disable etcd Self-Signed Certificates'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_cert_file/rule.yml b/applications/openshift/etcd/etcd_cert_file/rule.yml
index 4339feaf9e9f..3b6cbcaa5cf0 100644
--- a/applications/openshift/etcd/etcd_cert_file/rule.yml
+++ b/applications/openshift/etcd/etcd_cert_file/rule.yml
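Review bot: `hypershift_jqfilter` builds its string from `.items[0].spec.containers[0].command | join(" ")`, which silently assumes the etcd container is the first one in the pod and that its flags live in `command` rather than `args`; if either assumption stops holding on the HyperShift side, the joined string is empty or belongs to a sidecar and the pattern check in the template (outside this hunk) fails, or could pass, for the wrong reason. Selecting the container by name instead of index and concatenating `(.command + .args)` before the `join` makes the intent explicit and survives a reordering; a pod list with no match (`.items[0]` null) also aborts the filter rather than producing a result. The identical filter is repeated in the etcd_cert_file, etcd_client_cert_auth, etcd_key_file, etcd_peer_auto_tls, etcd_peer_cert_file, etcd_peer_client_cert_auth and etcd_peer_key_file hunks below.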
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure That The etcd Client Certificate Is Correctly Set'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_client_cert_auth/rule.yml b/applications/openshift/etcd/etcd_client_cert_auth/rule.yml
index 924c1eb62b53..5244ea7037c8 100644
--- a/applications/openshift/etcd/etcd_client_cert_auth/rule.yml
+++ b/applications/openshift/etcd/etcd_client_cert_auth/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Enable The Client Certificate Authentication'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_key_file/rule.yml b/applications/openshift/etcd/etcd_key_file/rule.yml
index 30763cdfc76c..3ebf47906fe7 100644
--- a/applications/openshift/etcd/etcd_key_file/rule.yml
+++ b/applications/openshift/etcd/etcd_key_file/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure That The etcd Key File Is Correctly Set'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_peer_auto_tls/rule.yml b/applications/openshift/etcd/etcd_peer_auto_tls/rule.yml
index be12e834049b..7d3bd6c1eadf 100644
--- a/applications/openshift/etcd/etcd_peer_auto_tls/rule.yml
+++ b/applications/openshift/etcd/etcd_peer_auto_tls/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Disable etcd Peer Self-Signed Certificates'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_peer_cert_file/rule.yml b/applications/openshift/etcd/etcd_peer_cert_file/rule.yml
index 820e55270961..601315477aa7 100644
--- a/applications/openshift/etcd/etcd_peer_cert_file/rule.yml
+++ b/applications/openshift/etcd/etcd_peer_cert_file/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure That The etcd Peer Client Certificate Is Correctly Set'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_peer_client_cert_auth/rule.yml b/applications/openshift/etcd/etcd_peer_client_cert_auth/rule.yml
index cc5244c86566..da739f2a2fb0 100644
--- a/applications/openshift/etcd/etcd_peer_client_cert_auth/rule.yml
+++ b/applications/openshift/etcd/etcd_peer_client_cert_auth/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Enable The Peer Client Certificate Authentication'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_peer_key_file/rule.yml b/applications/openshift/etcd/etcd_peer_key_file/rule.yml
index f34f225d04b9..17fef182323b 100644
--- a/applications/openshift/etcd/etcd_peer_key_file/rule.yml
+++ b/applications/openshift/etcd/etcd_peer_key_file/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure That The etcd Peer Key File Is Correctly Set'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/general/tls_version_check_apiserver/rule.yml b/applications/openshift/general/tls_version_check_apiserver/rule.yml
index 76329f9e9f3c..9c5222187597 100644
--- a/applications/openshift/general/tls_version_check_apiserver/rule.yml
+++ b/applications/openshift/general/tls_version_check_apiserver/rule.yml
@@ -5,6 +5,14 @@ title: Ensure TLS v1.2 is minimum for Openshift APIServer
 description: |-
 Verify tls version for the openshift APIServer.
+{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
+{{% set default_api_path = '/api/v1/namespaces/openshift-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/openshift-apiserver' %}}
+{{% set hypershift_jqfilter = '.data."config.yaml"' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
+{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
+
 rationale: |-
 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The system must implement cryptographic modules adhering to the higher
@@ -29,13 +37,17 @@ severity: medium
 warnings:
 - general: |-
- {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-apiserver/configmaps/config") | indent(4) }}}
+ {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}
+
 template:
 name: yamlfile_value
 vars:
 ocp_data: "true"
- filepath: /api/v1/namespaces/openshift-apiserver/configmaps/config
- yamlpath: ".data['config.yaml']"
+ entity_check: "at least one"
+ filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
+ yamlpath: '.servingInfo["minTLSVersion"][:]'
 values:
- - value: "VersionTLS1[2-9]{1}"
- operation: "pattern match"
+ - value: 'VersionTLS1[2-9]{1}'
+ operation: "pattern match"
+ type: "string"
+ entity_check: "at least one"
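Review bot: `hypershift_jqfilter` is `.data."config.yaml"` without the `| fromjson` that `default_jqfilter` applies, so on HyperShift the filter yields the raw `config.yaml` string rather than a parsed object, and the `.servingInfo["minTLSVersion"][:]` yamlpath in the template below has nothing to index into — unless the collector or the key's content differs on HyperShift, which this hunk does not show. Either add `| fromjson` (if the data is JSON as in the default branch) or put a comment next to the line explaining why the unparsed string is what the template expects.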
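Review bot: `entity_check: "at least one"` appears twice in the new template, once under `vars` and again inside the `values` entry; the second copy is redundant at best and may not be a recognised key of a value item, so keep only the one under `vars`. The rule's only regression tests, `tests/tls_version.pass.sh` and `tests/tls_version.fail.sh`, are deleted by this commit and no replacement is visible in this chunk, which leaves the `VersionTLS1[2-9]{1}` check unverified for both the default and the HyperShift path; please add fixtures for both, including a failing `VersionTLS11` case like the one the removed test carried.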
diff --git a/applications/openshift/general/tls_version_check_apiserver/tests/tls_version.fail.sh b/applications/openshift/general/tls_version_check_apiserver/tests/tls_version.fail.sh
deleted file mode 100755
index 61ac63f79c2e..000000000000
--- a/applications/openshift/general/tls_version_check_apiserver/tests/tls_version.fail.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-
-# remediation = none
-
-yum install -y jq
-
-kube_apipath="/kubernetes-api-resources"
-
-# Create infra file for CPE to pass
-
-mkdir -p "$kube_apipath/api/v1/namespaces/openshift-apiserver/configmaps"
-config_apipath="/api/v1/namespaces/openshift-apiserver/configmaps/config"
-cat < "$kube_apipath/api/v1/namespaces/openshift-apiserver/configmaps/config"
-
-{
- "apiVersion": "v1",
- "data": {
- "config.yaml": "{\"apiServerArguments\":{\"audit-log-format\":[\"json\"],\"audit-log-maxbackup\":[\"10\"],\"audit-log-maxsize\":[\"100\"],\"audit-log-path\":[\"/var/log/openshift-apiserver/audit.log\"],\"audit-policy-file\":[\"/var/run/configmaps/audit/policy.yaml\"],\"shutdown-delay-duration\":[\"10s\"]},\"apiVersion\":\"openshiftcontrolplane.config.openshift.io/v1\",\"imagePolicyConfig\":{\"externalRegistryHostnames\":[\"default-route-openshift-image-registry.apps-crc.testing\"],\"internalRegistryHostname\":\"image-registry.openshift-image-registry.svc:5000\"},\"kind\":\"OpenShiftAPIServerConfig\",\"projectConfig\":{\"projectRequestMessage\":\"\"},\"routingConfig\":{\"subdomain\":\"apps-crc.testing\"},\"servingInfo\":{\"bindNetwork\":\"tcp\",\"cipherSuites\":[\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\",\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"],\"minTLSVersion\":\"VersionTLS11\"},\"storageConfig\":{\"urls\":[\"https://192.168.126.11:2379\"]}}"
- },
- "kind": "ConfigMap",
- "metadata": {
- "creationTimestamp": "2021-10-14T03:46:50Z",
- "name": "config",
- "namespace": "openshift-apiserver",
- "resourceVersion": "19457",
- "uid": "3222a317-422d-4355-94cd-d64ffd757a7c"
- }
-}
-EOF
-
-
-# Get file path. This will actually be read by the scan
-filepath="$kube_apipath$config_apipath#$(echo -n "$config_apipath" | sha256sum | awk '{print $1}')"
diff --git a/applications/openshift/general/tls_version_check_apiserver/tests/tls_version.pass.sh b/applications/openshift/general/tls_version_check_apiserver/tests/tls_version.pass.sh
deleted file mode 100755
index fe1c40655a75..000000000000
--- a/applications/openshift/general/tls_version_check_apiserver/tests/tls_version.pass.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-
-# remediation = none
-
-yum install -y jq
-
-kube_apipath="/kubernetes-api-resources"
-
-# Create infra file for CPE to pass
-
-mkdir -p "$kube_apipath/api/v1/namespaces/openshift-apiserver/configmaps"
-config_apipath="/api/v1/namespaces/openshift-apiserver/configmaps/config"
-cat < "$kube_apipath/api/v1/namespaces/openshift-apiserver/configmaps/config"
-
-{
- "apiVersion": "v1",
- "data": {
- "config.yaml": "{\"apiServerArguments\":{\"audit-log-format\":[\"json\"],\"audit-log-maxbackup\":[\"10\"],\"audit-log-maxsize\":[\"100\"],\"audit-log-path\":[\"/var/log/openshift-apiserver/audit.log\"],\"audit-policy-file\":[\"/var/run/configmaps/audit/policy.yaml\"],\"shutdown-delay-duration\":[\"10s\"]},\"apiVersion\":\"openshiftcontrolplane.config.openshift.io/v1\",\"imagePolicyConfig\":{\"externalRegistryHostnames\":[\"default-route-openshift-image-registry.apps-crc.testing\"],\"internalRegistryHostname\":\"image-registry.openshift-image-registry.svc:5000\"},\"kind\":\"OpenShiftAPIServerConfig\",\"projectConfig\":{\"projectRequestMessage\":\"\"},\"routingConfig\":{\"subdomain\":\"apps-crc.testing\"},\"servingInfo\":{\"bindNetwork\":\"tcp\",\"cipherSuites\":[\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\",\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"],\"minTLSVersion\":\"VersionTLS12\"},\"storageConfig\":{\"urls\":[\"https://192.168.126.11:2379\"]}}"
- },
- "kind": "ConfigMap",
- "metadata": {
- "creationTimestamp": "2021-10-14T03:46:50Z",
- "name": "config",
- "namespace": "openshift-apiserver",
- "resourceVersion": "19457",
- "uid": "3222a317-422d-4355-94cd-d64ffd757a7c"
- }
-}
-EOF
-
-
-# Get file path. This will actually be read by the scan
-filepath="$kube_apipath$config_apipath#$(echo -n "$config_apipath" | sha256sum | awk '{print $1}')"
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
index a434a915979b..0f7179550f9b 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure That The kubelet Client Certificate Is Correctly Set'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
-{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
+{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("{{.var_apiserver_kubelet_client_cert}}"))]' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("/etc/kubernetes/certs/kubelet/tls.crt"))]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
@@ -47,16 +49,13 @@ warnings:
 {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(8) }}}
 template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- entity_check: "all"
- filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
- yamlpath: '.apiServerArguments["kubelet-client-certificate"][:]'
- xccdf_variable: var_apiserver_kubelet_client_cert
- embedded_data: "true"
- values:
- - value: '(.+)'
- type: "string"
- operation: "pattern match"
-
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
+ yamlpath: "[:]"
+ check_existence: "at_least_one_exists"
+ entity_check: "all"
+ values:
+ - value: "(.*?)"
+ operation: "pattern match"
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
index 9f55d7f235b9..b698e7c35ca9 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
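Review bot: The new `values` entry `"(.*?)"` matches the empty string, so the template no longer asserts that the selected element is non-empty; the removed block used `'(.+)'`, which is stricter and reads as an actual assertion, and `- value: "(.+)"` would keep that property without changing what the jq filter already guarantees. Dropping `xccdf_variable` and `yamlpath: '.apiServerArguments["kubelet-client-certificate"][:]'` moves the whole comparison into `default_jqfilter`, which is set in the first hunk of this file, so a reader of the template block alone cannot see what is being checked; a one-line comment above `template:` saying that the argument is selected and compared inside the jq filter would close that gap. The template hunk of kubelet_configure_tls_key/rule.yml makes the same change.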
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure That The kubelet Server Key Is Correctly Set'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
-{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
+{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-client-key"]) | .apiServerArguments["kubelet-client-key"][] | select(test("{{.var_apiserver_kubelet_client_key}}"))]' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-client-key"]) | .apiServerArguments["kubelet-client-key"][] | select(test("/etc/kubernetes/certs/kubelet/tls.key"))]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
@@ -47,15 +49,13 @@ warnings:
 {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(8) }}}
 template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- entity_check: "all"
- filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
- yamlpath: '.apiServerArguments["kubelet-client-key"][:]'
- xccdf_variable: var_apiserver_kubelet_client_key
- embedded_data: "true"
- values:
- - value: '(.+)'
- type: "string"
- operation: "pattern match"
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
+ yamlpath: "[:]"
+ check_existence: "at_least_one_exists"
+ entity_check: "all"
+ values:
+ - value: "(.*?)"
+ operation: "pattern match"
diff --git a/applications/openshift/kubelet/kubelet_disable_readonly_port/rule.yml b/applications/openshift/kubelet/kubelet_disable_readonly_port/rule.yml
index c382f8b17d96..5924e97293ca 100644
--- a/applications/openshift/kubelet/kubelet_disable_readonly_port/rule.yml
+++ b/applications/openshift/kubelet/kubelet_disable_readonly_port/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'kubelet - Disable the Read-Only Port'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxbackup/rule.yml b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxbackup/rule.yml
similarity index 83%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxbackup/rule.yml
rename to applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxbackup/rule.yml
index b3f7ae53e085..0ce56241a3ff 100644
--- a/applications/openshift/api-server/ocp_api_server_audit_log_maxbackup/rule.yml
+++ b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxbackup/rule.yml
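Review bot: The four `set` lines added here (`hypershift_path`, `hypershift_jqfilter`, `custom_api_path`, `custom_jqfilter`) are repeated almost verbatim, differing only in the HyperShift configmap name and data key, in the kubelet_configure_tls_cert, kubelet_configure_tls_key, openshift_api_server_audit_log_path, both ocp_api_server_audit_log_* and both scheduler hunks of this patch. A Jinja macro taking the default and HyperShift path/filter pairs and emitting `custom_api_path` and `custom_jqfilter` would keep the `{{if ne .hypershift_cluster "None"}}` selection in one place, so a later change to how HyperShift clusters are detected is not replayed across every rule. If a macro is out of scope here, a one-line comment above the block naming the HyperShift convention (`clusters-{{.hypershift_cluster}}/configmaps/kas-config` with a `config.json` key) would at least record the assumption the hard-coded path rests on.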
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the OpenShift API Server Maximum Retained Audit Logs'
-{{% set custom_jqfilter = '{{.var_openshift_apiserver_filter}}' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_apiserver_namespace}}/configmaps/{{.var_openshift_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/openshift-apiserver' %}}
+{{% set hypershift_jqfilter = '.data."config.yaml"' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxbackup/tests/ocp4/e2e.yml b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxbackup/tests/ocp4/e2e.yml
similarity index 100%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxbackup/tests/ocp4/e2e.yml
rename to applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxbackup/tests/ocp4/e2e.yml
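Review bot: On the HyperShift branch `hypershift_jqfilter` is `.data."config.yaml"` without the `| fromjson` that `default_jqfilter` applies, so the two branches hand the template different shapes: a parsed object on standalone clusters and the raw string on HyperShift. If that is intentional because the HyperShift `openshift-apiserver` configmap stores YAML rather than JSON, a comment such as `{{# HyperShift stores config.yaml as YAML, not JSON, so it is passed through unparsed #}}` next to the set would stop it from being "fixed" later; if not, the filter should parse the value like the default one does. The template that consumes the result is outside this hunk, so I cannot confirm which shape it expects. The ocp_api_server_audit_log_maxsize hunk has the same asymmetry.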
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxsize/rule.yml b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/rule.yml
similarity index 83%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxsize/rule.yml
rename to applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/rule.yml
index 0499a5829a2d..a5224dc78e41 100644
--- a/applications/openshift/api-server/ocp_api_server_audit_log_maxsize/rule.yml
+++ b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure OpenShift API Server Maximum Audit Log Size'
-{{% set custom_jqfilter = '{{.var_openshift_apiserver_filter}}' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_apiserver_namespace}}/configmaps/{{.var_openshift_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/openshift-apiserver' %}}
+{{% set hypershift_jqfilter = '.data."config.yaml"' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.nomatch.fail.sh b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.nomatch.fail.sh
similarity index 100%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.nomatch.fail.sh
rename to applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.nomatch.fail.sh
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.pass.sh b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.pass.sh
similarity index 100%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.pass.sh
rename to applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.pass.sh
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/ocp.nomatch.fail.sh b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/ocp.nomatch.fail.sh
similarity index 100%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/ocp.nomatch.fail.sh
rename to applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/ocp.nomatch.fail.sh
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/ocp.pass.sh b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/ocp.pass.sh
similarity index 100%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/ocp.pass.sh
rename to applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/ocp.pass.sh
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/ocp4/e2e.yml b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/ocp4/e2e.yml
similarity index 100%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/ocp4/e2e.yml
rename to applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/ocp4/e2e.yml
diff --git a/applications/openshift/openshift-api-server/openshift_api_server_audit_log_path/rule.yml b/applications/openshift/openshift-api-server/openshift_api_server_audit_log_path/rule.yml
index c8a1a697ebb9..4cc72d6ab7d0 100644
--- a/applications/openshift/openshift-api-server/openshift_api_server_audit_log_path/rule.yml
+++ b/applications/openshift/openshift-api-server/openshift_api_server_audit_log_path/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the Audit Log Path'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/scheduler/scheduler_no_bind_address/rule.yml b/applications/openshift/scheduler/scheduler_no_bind_address/rule.yml
index 555a6cac8f41..8aca2cfd2267 100644
--- a/applications/openshift/scheduler/scheduler_no_bind_address/rule.yml
+++ b/applications/openshift/scheduler/scheduler_no_bind_address/rule.yml
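Review bot: This rule lives under `openshift-api-server/` and is titled 'Configure the Audit Log Path', yet both branches now read the kube-apiserver configuration: the pre-existing `default_api_path` points at `openshift-kube-apiserver/configmaps/config` and the new `hypershift_path` at `clusters-{{.hypershift_cluster}}/configmaps/kas-config`, whereas the two `ocp_api_server_audit_log_*` rules in this patch read the `openshift-apiserver` configmap. If the intent is to check the OpenShift API server's audit log path, the added HyperShift path cements the wrong data source; if checking kube-apiserver is intended, a comment above the `set` lines stating that (and why the rule is not under `api-server/`) would resolve the ambiguity. The template that selects the argument is outside this hunk, so I cannot tell which server's flag is actually inspected.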
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: Ensure that the bind-address parameter is not used
-{{% set custom_jqfilter = '{{.var_scheduler_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-scheduler{{else}}{{.var_scheduler_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-scheduler' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].args | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/scheduler/scheduler_port_is_zero/rule.yml b/applications/openshift/scheduler/scheduler_port_is_zero/rule.yml
index a7fa34675234..e0fec3591a15 100644
--- a/applications/openshift/scheduler/scheduler_port_is_zero/rule.yml
+++ b/applications/openshift/scheduler/scheduler_port_is_zero/rule.yml
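Review bot: `hypershift_jqfilter` evaluates `.items[0].spec.containers[0].args`, so only the first kube-scheduler pod returned by the label selector is inspected and any further replicas on a HyperShift control plane are never checked; `[.items[].spec.containers[0].args | join(" ")]` would yield one entry per pod and, assuming the template's `entity_check` applies to every element, cover all of them. It also handles the no-match case better: with an empty `items` list the `.items[]` form produces an empty array and the rule fails cleanly, whereas `.items[0]` yields null and `join` on null is likely to raise a jq error rather than a failed check. `containers[0]` additionally assumes the scheduler container is listed first, which deserves a comment such as `{{# the kube-scheduler container is the first (only) container in the HyperShift scheduler pod #}}` if that is guaranteed. The scheduler_port_is_zero hunk introduces the same filter.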
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: Ensure that the port parameter is zero
-{{% set custom_jqfilter = '{{.var_scheduler_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-scheduler{{else}}{{.var_scheduler_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-scheduler' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].args | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-