OCP optimize rule for hypershift #10333
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_alwaysadmit'.
--- xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_alwaysadmit
+++ xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_alwaysadmit
@@ -10,9 +10,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- [.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]
+ {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson]{{else}}[.data."config.yaml" | fromjson]{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145
file.
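Review bot: the `+` lines drop `var_openshift_kube_apiserver_namespace`, `var_openshift_kube_apiserver_config` and `var_openshift_kube_apiserver_config_data_name` in favour of the literals `openshift-kube-apiserver/configmaps/config` and `config.yaml`, so the standalone-cluster path can no longer be redirected through those variables by tailoring. If that is intended, the variable definitions and anything still referencing them (profiles, tests) should be removed in the same PR so they do not linger as dead content, and the PR description should say the tailoring knob is deliberately gone, since the only visible trace of it here is the removed template expression.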
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_alwayspullimages'.
--- xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_alwayspullimages
+++ xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_alwayspullimages
@@ -10,9 +10,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- [.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]
+ {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson]{{else}}[.data."config.yaml" | fromjson]{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145
file.
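Review bot: the context line `API endpoint, filter with with the jq utility using the following filter` carries a doubled `with`. It is pre-existing, but this PR regenerates the same warning block in every api_server rule, so fixing it in the shared template now avoids a second churn of every rule's description later.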
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_namespacelifecycle'.
--- xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_namespacelifecycle
+++ xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_namespacelifecycle
@@ -8,9 +8,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
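Review bot: the endpoint on the `+` line is conditional on `.hypershift_cluster`, but the unchanged `and persist it to the local /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430 file.` text is not, so in the hypershift case the warning tells the operator to fetch `clusters-{{.hypershift_cluster}}/configmaps/kas-config` and save it under a standalone-cluster name. Either template the persisted filename the same way as the endpoint, or state in the warning that the filename is fixed regardless of topology so the instruction is not read as a mistake.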
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_noderestriction'.
--- xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_noderestriction
+++ xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_noderestriction
@@ -11,9 +11,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_scc'.
--- xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_scc
+++ xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_scc
@@ -9,9 +9,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_securitycontextdeny'.
--- xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_securitycontextdeny
+++ xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_securitycontextdeny
@@ -15,9 +15,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- [.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]
+ {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson]{{else}}[.data."config.yaml" | fromjson]{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_service_account'.
--- xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_service_account
+++ xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_service_account
@@ -12,9 +12,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_audit_log_maxbackup'.
--- xccdf_org.ssgproject.content_rule_api_server_audit_log_maxbackup
+++ xccdf_org.ssgproject.content_rule_api_server_audit_log_maxbackup
@@ -16,9 +16,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_audit_log_maxsize'.
--- xccdf_org.ssgproject.content_rule_api_server_audit_log_maxsize
+++ xccdf_org.ssgproject.content_rule_api_server_audit_log_maxsize
@@ -16,9 +16,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_audit_log_path'.
--- xccdf_org.ssgproject.content_rule_api_server_audit_log_path
+++ xccdf_org.ssgproject.content_rule_api_server_audit_log_path
@@ -16,9 +16,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_auth_mode_no_aa'.
--- xccdf_org.ssgproject.content_rule_api_server_auth_mode_no_aa
+++ xccdf_org.ssgproject.content_rule_api_server_auth_mode_no_aa
@@ -8,9 +8,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- [.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]
+ {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson]{{else}}[.data."config.yaml" | fromjson]{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_auth_mode_node'.
--- xccdf_org.ssgproject.content_rule_api_server_auth_mode_node
+++ xccdf_org.ssgproject.content_rule_api_server_auth_mode_node
@@ -8,9 +8,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_auth_mode_rbac'.
--- xccdf_org.ssgproject.content_rule_api_server_auth_mode_rbac
+++ xccdf_org.ssgproject.content_rule_api_server_auth_mode_rbac
@@ -10,9 +10,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_basic_auth'.
--- xccdf_org.ssgproject.content_rule_api_server_basic_auth
+++ xccdf_org.ssgproject.content_rule_api_server_basic_auth
@@ -21,9 +21,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_bind_address'.
--- xccdf_org.ssgproject.content_rule_api_server_bind_address
+++ xccdf_org.ssgproject.content_rule_api_server_bind_address
@@ -8,9 +8,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_client_ca'.
--- xccdf_org.ssgproject.content_rule_api_server_client_ca
+++ xccdf_org.ssgproject.content_rule_api_server_client_ca
@@ -20,11 +20,11 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | select(.apiServerArguments["client-ca-file"]) | .apiServerArguments["client-ca-file"][] | select(test("/etc/kubernetes/certs/client-ca/ca.crt"))]{{else}}[.data."config.yaml" | fromjson | select(.apiServerArguments["client-ca-file"]) | .apiServerArguments["client-ca-file"][] | select(test("{{.var_apiserver_client_ca}}"))]{{end}}
and persist it to the local
- /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
+ /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#d56e72c377d8f85e0601a704d4218064a0ea4a2235ceee82d20db6cdafc74608
file.
[reference]:
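Review bot: `select(test("/etc/kubernetes/certs/client-ca/ca.crt"))` and `select(test("{{.var_apiserver_client_ca}}"))` rely on jq's `test`, which treats its argument as an unanchored regular expression: the unescaped `.` in `ca.crt` matches any character and the pattern matches anywhere in the value, so a stray `/etc/kubernetes/certs/client-ca/ca.crt.bak` would satisfy the filter as readily as the real path. Unless `var_apiserver_client_ca` is meant to hold a regex, an exact comparison such as `select(. == "/etc/kubernetes/certs/client-ca/ca.crt")` (or an anchored, escaped pattern) is the safer check. Separately, the hypershift branch hardcodes the path while the standalone branch still reads a variable; a hypershift-specific variable, or a comment explaining the asymmetry, would keep the two branches tailorable in the same way.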
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_encryption_provider_cipher'.
--- xccdf_org.ssgproject.content_rule_api_server_encryption_provider_cipher
+++ xccdf_org.ssgproject.content_rule_api_server_encryption_provider_cipher
@@ -17,9 +17,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/apis/hypershift.openshift.io/v1beta1/namespaces/clusters/hostedclusters/{{.hypershift_cluster}}{{else}}{{.var_apiserver_encryption_path}}{{end}}
+{{if ne .hypershift_cluster "None"}}/apis/hypershift.openshift.io/v1beta1/namespaces/clusters/hostedclusters/{{.hypershift_cluster}}{{else}}/apis/config.openshift.io/v1/apiservers/cluster{{end}}
API endpoint, filter with with the jq utility using the following filter
- {{.var_apiserver_encryption_filter}}
+ {{if ne .hypershift_cluster "None"}}[.spec.secretEncryption.type]{{else}}[.spec.encryption.type]{{end}}
and persist it to the local
/apis/config.openshift.io/v1/apiservers/cluster#a1d4b20a86b76e7e2d634dbeff420b1a80df6800836dad1b552314d1b24a18cb
file.
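Review bot: the two branches read different objects: `[.spec.secretEncryption.type]` from the HostedCluster in hypershift mode and `[.spec.encryption.type]` from the APIServer config otherwise. The hunk shows only the filter, not the values the check accepts, so please confirm the accepted type strings are the same for both resources, and that a HostedCluster with no `secretEncryption` block, which this filter turns into `[null]` rather than an empty array, is reported as a failure rather than a pass.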
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_encryption_provider_config'.
--- xccdf_org.ssgproject.content_rule_api_server_encryption_provider_config
+++ xccdf_org.ssgproject.content_rule_api_server_encryption_provider_config
@@ -17,9 +17,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/apis/hypershift.openshift.io/v1beta1/namespaces/clusters/hostedclusters/{{.hypershift_cluster}}{{else}}{{.var_apiserver_encryption_path}}{{end}}
+{{if ne .hypershift_cluster "None"}}/apis/hypershift.openshift.io/v1beta1/namespaces/clusters/hostedclusters/{{.hypershift_cluster}}{{else}}/apis/config.openshift.io/v1/apiservers/cluster{{end}}
API endpoint, filter with with the jq utility using the following filter
- {{.var_apiserver_encryption_filter}}
+ {{if ne .hypershift_cluster "None"}}[.spec.secretEncryption.type]{{else}}[.spec.encryption.type]{{end}}
and persist it to the local
/apis/config.openshift.io/v1/apiservers/cluster#a1d4b20a86b76e7e2d634dbeff420b1a80df6800836dad1b552314d1b24a18cb
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_etcd_ca'.
--- xccdf_org.ssgproject.content_rule_api_server_etcd_ca
+++ xccdf_org.ssgproject.content_rule_api_server_etcd_ca
@@ -20,11 +20,11 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | select(.apiServerArguments["etcd-cafile"]) | .apiServerArguments["etcd-cafile"][] | select(test("/etc/kubernetes/certs/etcd-ca/ca.crt"))]{{else}}[.data."config.yaml" | fromjson | select(.apiServerArguments["etcd-cafile"]) | .apiServerArguments["etcd-cafile"][] | select(test("{{.var_apiserver_etcd_ca}}"))]{{end}}
and persist it to the local
- /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
+ /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#33769e7a3c14dd6dc237eb2b13a72140eeadf2ce49578f57bc9e0fd096cf4e9a
file.
[reference]:
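Review bot: moving the expected value into the jq filter (`select(test("/etc/kubernetes/certs/etcd-ca/ca.crt"))` / `select(test("{{.var_apiserver_etcd_ca}}"))`) means the persisted file holds only the entries that already match, so on a non-compliant cluster the evidence saved under the new `config#33769e7a3c14dd6dc237eb2b13a72140eeadf2ce49578f57bc9e0fd096cf4e9a` name is just `[]` and no longer records which `etcd-cafile` the API server was actually started with. If that file is meant to support audit or incident review, persist the raw `.apiServerArguments["etcd-cafile"]` list and leave the comparison to the check; if the filtered form is required by the check, the rule description should say that the recorded value is the match result, not the configured path.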
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_etcd_cert'.
--- xccdf_org.ssgproject.content_rule_api_server_etcd_cert
+++ xccdf_org.ssgproject.content_rule_api_server_etcd_cert
@@ -18,9 +18,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_etcd_key'.
--- xccdf_org.ssgproject.content_rule_api_server_etcd_key
+++ xccdf_org.ssgproject.content_rule_api_server_etcd_key
@@ -18,9 +18,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn'.
--- xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn
+++ xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn
@@ -10,9 +10,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_insecure_bind_address'.
--- xccdf_org.ssgproject.content_rule_api_server_insecure_bind_address
+++ xccdf_org.ssgproject.content_rule_api_server_insecure_bind_address
@@ -17,9 +17,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson | .apiServerArguments
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson | .apiServerArguments{{else}}.data."config.yaml" | fromjson | .apiServerArguments{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#95b5b27bb6ea2b122e810c99c17c2430c4845596942804847dd677557cfed88e
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_insecure_port'.
--- xccdf_org.ssgproject.content_rule_api_server_insecure_port
+++ xccdf_org.ssgproject.content_rule_api_server_insecure_port
@@ -20,9 +20,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_kubelet_certificate_authority'.
--- xccdf_org.ssgproject.content_rule_api_server_kubelet_certificate_authority
+++ xccdf_org.ssgproject.content_rule_api_server_kubelet_certificate_authority
@@ -18,11 +18,11 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-certificate-authority"]) | .apiServerArguments["kubelet-certificate-authority"][] | select(test("/etc/kubernetes/certs/kubelet-ca/ca.crt"))]{{else}}[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-certificate-authority"]) | .apiServerArguments["kubelet-certificate-authority"][] | select(test("{{.var_apiserver_kubelet_certificate_authority}}"))]{{end}}
and persist it to the local
- /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
+ /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#1118b118fc93b557cda9eb3f29584d2f92f5c3976f77dec35848eb54e0d819cc
file.
[reference]:
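Review bot: the hypershift branch of the new filter line uses select(test("/etc/kubernetes/certs/kubelet-ca/ca.crt")), and test() is a regular-expression match, so the unescaped "." matches any character and the pattern is unanchored: a value such as /etc/kubernetes/certs/kubelet-ca/ca-crt or /tmp/etc/kubernetes/certs/kubelet-ca/ca.crt.bak would also satisfy the rule. Because the expected value is an exact path, an equality test is the safer form, select(. == "/etc/kubernetes/certs/kubelet-ca/ca.crt"), or, if a regex is wanted, anchor it with ^ and $ and escape the dot. The same construction is used in the kubelet_client_cert, kubelet_client_key, tls_cert and tls_private_key hunks below, and their standalone branches interpolate the var_apiserver_* value into test() unescaped, so a tailored value containing regex metacharacters changes the match semantics without any error.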
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert'.
--- xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert
+++ xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert
@@ -17,11 +17,11 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("/etc/kubernetes/certs/kubelet/tls.crt"))]{{else}}[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("{{.var_apiserver_kubelet_client_cert}}"))]{{end}}
and persist it to the local
- /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
+ /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#e5500055b4aa2fcf00dc09ad0e66e44b6b42d67f8d53d1e72ff81b32f0e09865
file.
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key'.
--- xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key
+++ xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key
@@ -17,11 +17,11 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-client-key"]) | .apiServerArguments["kubelet-client-key"][] | select(test("/etc/kubernetes/certs/kubelet/tls.key"))]{{else}}[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-client-key"]) | .apiServerArguments["kubelet-client-key"][] | select(test("{{.var_apiserver_kubelet_client_key}}"))]{{end}}
and persist it to the local
- /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
+ /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#1e2b7c1158e0b9a602cb20d62c82b4660907bb57b63dac11c6c7c64211c49c69
file.
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_no_adm_ctrl_plugins_disabled'.
--- xccdf_org.ssgproject.content_rule_api_server_no_adm_ctrl_plugins_disabled
+++ xccdf_org.ssgproject.content_rule_api_server_no_adm_ctrl_plugins_disabled
@@ -10,9 +10,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- [.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]
+ {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]{{else}}[.data."config.yaml" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#8c02c853df9307960712da853d79f916a091fe8bce6312720d7c17de03c2017b
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_request_timeout'.
--- xccdf_org.ssgproject.content_rule_api_server_request_timeout
+++ xccdf_org.ssgproject.content_rule_api_server_request_timeout
@@ -17,7 +17,13 @@
[warning]:
This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the /api/v1/namespaces/openshift-apiserver/configmaps/config API endpoint to the local /api/v1/namespaces/openshift-apiserver/configmaps/config file.
+Therefore, you need to use a tool that can query the OCP API, retrieve the following:
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
+ API endpoint, filter with with the jq utility using the following filter
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
+ and persist it to the local
+ /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
+ file.
[reference]:
CIP-003-8 R6
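Review bot: this hunk moves the rule's source from /api/v1/namespaces/openshift-apiserver/configmaps/config to the openshift-kube-apiserver configmap (kas-config on HyperShift), so the resource the check reads changes, not just the wording of the warning; please confirm the rule's check was updated to read the new persisted file and that the request-timeout argument is set in the kube-apiserver configuration on both topologies, otherwise the description and the actual check diverge. Style: the added lines "+ API endpoint", "+ and persist it to the local" and "+ file." carry a leading space that the other rule descriptions in this diff do not.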
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_service_account_lookup'.
--- xccdf_org.ssgproject.content_rule_api_server_service_account_lookup
+++ xccdf_org.ssgproject.content_rule_api_server_service_account_lookup
@@ -8,9 +8,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_service_account_public_key'.
--- xccdf_org.ssgproject.content_rule_api_server_service_account_public_key
+++ xccdf_org.ssgproject.content_rule_api_server_service_account_public_key
@@ -17,9 +17,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_cert'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_cert
+++ xccdf_org.ssgproject.content_rule_api_server_tls_cert
@@ -20,11 +20,11 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | select(.apiServerArguments["tls-cert-file"]) | .apiServerArguments["tls-cert-file"][] | select(test("/etc/kubernetes/certs/server/tls.crt"))]{{else}}[.data."config.yaml" | fromjson | select(.apiServerArguments["tls-cert-file"]) | .apiServerArguments["tls-cert-file"][] | select(test("{{.var_apiserver_tls_cert}}"))]{{end}}
and persist it to the local
- /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
+ /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#bca394347bab5b9902f1d1568d4f5d6e5498b01ec27ddf8231443e376b18757d
file.
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites
+++ xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites
@@ -22,9 +22,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}.data."config.json" | fromjson{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_tls_private_key'.
--- xccdf_org.ssgproject.content_rule_api_server_tls_private_key
+++ xccdf_org.ssgproject.content_rule_api_server_tls_private_key
@@ -20,11 +20,11 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- .data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson
+ {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | select(.apiServerArguments["tls-private-key-file"]) | .apiServerArguments["tls-private-key-file"][] | select(test("/etc/kubernetes/certs/server/tls.key"))]{{else}}[.data."config.yaml" | fromjson | select(.apiServerArguments["tls-private-key-file"]) | .apiServerArguments["tls-private-key-file"][] | select(test("{{.var_apiserver_tls_private_key}}"))]{{end}}
and persist it to the local
- /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430
+ /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#8c69c1fe6742f70a3a16c09461f57a19ef2a695143301cede2f2f5d307aa3508
file.
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_token_auth'.
--- xccdf_org.ssgproject.content_rule_api_server_token_auth
+++ xccdf_org.ssgproject.content_rule_api_server_token_auth
@@ -19,9 +19,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- [.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]
+ {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson]{{else}}[.data."config.yaml" | fromjson]{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxbackup'.
--- xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxbackup
+++ xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxbackup
@@ -16,9 +16,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_apiserver_namespace}}/configmaps/{{.var_openshift_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/openshift-apiserver{{else}}/api/v1/namespaces/openshift-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- {{.var_openshift_apiserver_filter}}
+ {{if ne .hypershift_cluster "None"}}.data."config.yaml"{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-apiserver/configmaps/config#45ae2c88fe28d39a42f19e165a1612353224e9663eb369000e03c7efcd10ef59
file.
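Review bot: the two branches of the new filter line produce different shapes: the hypershift branch is .data."config.yaml" with no fromjson, so the persisted file holds the raw string stored in the configmap, while the standalone branch persists the parsed object. Unless the HyperShift openshift-apiserver configmap really stores JSON under the config.yaml key, the check consuming this file has to parse YAML in one case and JSON in the other; please confirm the consuming check handles both, or apply the same parsing on both sides. The ocp_api_server_audit_log_maxsize hunk below has the identical pair of filters and the same concern.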
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxsize'.
--- xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxsize
+++ xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxsize
@@ -16,9 +16,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_apiserver_namespace}}/configmaps/{{.var_openshift_apiserver_config}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/openshift-apiserver{{else}}/api/v1/namespaces/openshift-apiserver/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- {{.var_openshift_apiserver_filter}}
+ {{if ne .hypershift_cluster "None"}}.data."config.yaml"{{else}}.data."config.yaml" | fromjson{{end}}
and persist it to the local
/api/v1/namespaces/openshift-apiserver/configmaps/config#45ae2c88fe28d39a42f19e165a1612353224e9663eb369000e03c7efcd10ef59
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_controller_insecure_port_disabled'.
--- xccdf_org.ssgproject.content_rule_controller_insecure_port_disabled
+++ xccdf_org.ssgproject.content_rule_controller_insecure_port_disabled
@@ -23,9 +23,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- {{.var_kube_controller_manager_port_zero_filter}}
+ {{if ne .hypershift_cluster "None"}}[[.items[0].spec.containers[0].args[] | select(. | match("--port=[1-9]*[1-9]+") )] | length | if . == 0 then true else false end]{{else}}[.data."config.yaml" | fromjson | if .extendedArguments["port"]!=null then .extendedArguments["port"]==["0"] else true end]{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#9f09cca56dc1e9f9605eb5a94aed74de554fd209513a9222e4fe9c0ed669aeee
file.
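Review bot: the hypershift filter in this hunk relies on .items[0].spec.containers[0] being the kube-controller-manager container; if the label selector returns no pods, .args[] is applied to null and jq aborts instead of yielding a result, and if another container is listed first the wrong argument list is inspected. Selecting the container by name (for example .spec.containers[] | select(.name == "kube-controller-manager"), where the name is my assumption) makes the intent explicit. The regex --port=[1-9]*[1-9]+ also treats a value with a leading zero such as --port=05 as disabled, because the first character after "=" must be 1-9; --port=0*[1-9] covers that case. The same .items[0].spec.containers[0] pattern appears in the controller_rotate_kubelet_server_certs, controller_secure_port, controller_service_account_ca, controller_service_account_private_key and controller_use_service_account hunks.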
New content has different text for rule 'xccdf_org.ssgproject.content_rule_controller_rotate_kubelet_server_certs'.
--- xccdf_org.ssgproject.content_rule_controller_rotate_kubelet_server_certs
+++ xccdf_org.ssgproject.content_rule_controller_rotate_kubelet_server_certs
@@ -19,9 +19,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- {{.var_kube_controller_manager_rotate_kubelet_server_certs_filter}}
+ {{if ne .hypershift_cluster "None"}}.items[0].spec.containers[0].args{{else}}.data."config.yaml" | fromjson | .extendedArguments["feature-gates"]{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#4cbbbf49b93400715e43dc698f6484799805c502ad3aeb8285de579753b54d31
file.
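Review bot: the hypershift branch persists the whole .items[0].spec.containers[0].args array while the standalone branch persists only the feature-gates value, so the check that consumes this file has to locate the --feature-gates= element and look for the rotation gate inside it rather than comparing a single string. Either document that in the rule or narrow the hypershift side to the same shape, for example [.items[0].spec.containers[0].args[] | select(startswith("--feature-gates="))].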
New content has different text for rule 'xccdf_org.ssgproject.content_rule_controller_secure_port'.
--- xccdf_org.ssgproject.content_rule_controller_secure_port
+++ xccdf_org.ssgproject.content_rule_controller_secure_port
@@ -17,9 +17,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- {{.var_kube_controller_manager_secure_port_filter}}
+ {{if ne .hypershift_cluster "None"}}[[.items[0].spec.containers[0].args[] | select(. | match("--secure-port=10257") )] | length | if . ==1 then true else false end]{{else}}[.data."config.yaml" | fromjson | if .extendedArguments["secure-port"][]=="10257" then true else false end]{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#8241ce1009dc5dd166436d0311b60b96aa3a2f591ba43a26e2b9d0bfc9071414
file.
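Review bot: match("--secure-port=10257") on the hypershift side is unanchored, so --secure-port=102570 would also count as a match; anchoring the end with "--secure-port=10257$" closes that. On the standalone side, .extendedArguments["secure-port"][]=="10257" iterates the value, so it errors out when the key is absent (iterating null) rather than yielding false, and yields one boolean per element when several values are present; (.extendedArguments["secure-port"] // []) | any(. == "10257") returns a single boolean in every case.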
New content has different text for rule 'xccdf_org.ssgproject.content_rule_controller_service_account_ca'.
--- xccdf_org.ssgproject.content_rule_controller_service_account_ca
+++ xccdf_org.ssgproject.content_rule_controller_service_account_ca
@@ -17,9 +17,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- {{.var_kube_controller_manager_service_account_ca_filter}}
+ {{if ne .hypershift_cluster "None"}}[[.items[0].spec.containers[0].args[] | select(. | match("--root-ca-file") )] | length | if . ==1 then true else false end]{{else}}[.data."config.yaml" | fromjson | if .extendedArguments["root-ca-file"]!=null then true else false end]{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#e27218fb5fb7cd68a9911eb2db6bf715ca959f639e56cb60f90be782ddd7fcf8
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_controller_service_account_private_key'.
--- xccdf_org.ssgproject.content_rule_controller_service_account_private_key
+++ xccdf_org.ssgproject.content_rule_controller_service_account_private_key
@@ -17,9 +17,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- {{.var_kube_controller_manager_service_account_private_key_filter}}
+ {{if ne .hypershift_cluster "None"}}[[.items[0].spec.containers[0].args[] | select(. | match("--service-account-private-key-file") )] | length | if . ==1 then true else false end]{{else}}[.data."config.yaml" | fromjson | if .extendedArguments["service-account-private-key-file"]!=null then true else false end]{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#407a17f0f401ae8c92955bc382bc80ee34a9afd51ab787e405bf524d03ebf3c8
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_controller_use_service_account'.
--- xccdf_org.ssgproject.content_rule_controller_use_service_account
+++ xccdf_org.ssgproject.content_rule_controller_use_service_account
@@ -18,9 +18,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config{{end}}
API endpoint, filter with with the jq utility using the following filter
- {{.var_kube_controller_manager_use_service_account_filter}}
+ {{if ne .hypershift_cluster "None"}}[[.items[0].spec.containers[0].args[] | select(. | match("--use-service-account-credentials=true") )] | length | if . ==1 then true else false end]{{else}}[.data."config.yaml" | fromjson | if .extendedArguments["use-service-account-credentials"][]=="true" then true else false end]{{end}}
and persist it to the local
/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#be4ff4c2d3e706eb3b2f17921e5163bca81082bd313ff067ef625af9e6cb61ff
file.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_etcd_auto_tls'.
--- xccdf_org.ssgproject.content_rule_etcd_auto_tls
+++ xccdf_org.ssgproject.content_rule_etcd_auto_tls
@@ -12,9 +12,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod{{end}}
API endpoint, filter with with the jq utility using the following filter
- {{.var_etcd_argument_filter}}
+ {{if ne .hypershift_cluster "None"}}[.items[0].spec.containers[0].command | join(" ")]{{else}}[.data."pod.yaml"]{{end}}
and persist it to the local
/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027
file.
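Review bot: the hypershift branch here reads .items[0].spec.containers[0].command and joins it, whereas the kube-controller-manager hunks above read .args; if the HyperShift etcd container passes its flags via args rather than command, the joined string contains only the executable and the flag this rule looks for is never seen, so the result would not reflect the real configuration. Please confirm where the flags live, or join both lists: ((.command // []) + (.args // [])) | join(" ").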
New content has different text for rule 'xccdf_org.ssgproject.content_rule_etcd_cert_file'.
--- xccdf_org.ssgproject.content_rule_etcd_cert_file
+++ xccdf_org.ssgproject.content_rule_etcd_cert_file
@@ -15,9 +15,9 @@
[warning]:
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}
+{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod{{end}}
API endpoint, filter with with the jq utility using the followi
... The diff is trimmed here ...
21e5d14 to 3d55a4d
540749b to 02dfb08
/retest
Verification pass with ComplianceAsCode/compliance-operator#235 and #10333. Verification steps:
/retest
1 similar comment
/retest
Only one question about the new regexes, otherwise looks good
applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml
/retest
/retest
We optimized hypershift related rules so we don't have to extend a template tailoredprofile when using it on HyperShift
02dfb08 to d5ce525
/lgtm
Code Climate has analyzed commit d5ce525 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 51.7% (0.0% change). View more on Code Climate.
/retest
We optimized hypershift related rules so we don't have to extend a template tailoredprofile when using it on HyperShift
Rationale:
In the past, you needed to set many HyperShift-related variables in a TailoredProfile in order to use these rules. With this patch, we injected all the variables into the rules so that this is not needed anymore; you only need to define the hypershift-cluster variable to specify which HyperShift cluster to scan, and then which profile to extend using a TailoredProfile.
Review Hints:
We need to merge ComplianceAsCode/compliance-operator#235 for this to work
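As an added example that is not part of the PR or of the project's own documentation, this is what the tailoring described above reduces to once the other HyperShift values are built into the rules. The page names only the hypershift-cluster variable; the operator-side variable name ocp4-hypershift-cluster, the base profile ocp4-cis, the namespace openshift-compliance and the hosted cluster name are assumptions and constructed values, to be checked against the names present on the cluster.

```yaml
# Added example, not from the PR. Assumptions: the compliance-operator exposes the
# content variable as "ocp4-hypershift-cluster" and ships a profile named "ocp4-cis";
# verify with "oc get variable,profile -n openshift-compliance" before applying.
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: cis-hypershift-example          # constructed name
  namespace: openshift-compliance       # assumed operator namespace
spec:
  extends: ocp4-cis                     # assumed base profile
  title: CIS profile for a HyperShift hosted cluster
  description: >-
    Sets only the hosted cluster name; the namespace, configmap and data-key
    values the rules need on HyperShift are now carried by the rules themselves.
  setValues:
    - name: ocp4-hypershift-cluster     # assumed operator-side name of hypershift-cluster
      rationale: Name of the hosted cluster whose control plane runs in the clusters-<name> namespace
      value: my-hosted-cluster          # constructed placeholder
```

With this in place the rules' hypershift branch resolves the clusters-{{.hypershift_cluster}} namespace from the single value above, and a ScanSettingBinding can reference the TailoredProfile like any other profile; before the change, each of the var_openshift_* and var_kube_controller_manager_* variables removed in the diff would also have needed a setValues entry here.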