From d5ce5251b36413369a276e183ac39a40a3bdd4c0 Mon Sep 17 00:00:00 2001 
From: Vincent Shen Date: Mon, 13 Mar 2023 18:02:15 -0700 Subject: [PATCH] OCP optimize rule for hypershift We optimized hypershift related rules so we don't have to extend a template tailoredprofile when use it on HyperShift --- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../api_server_audit_log_maxbackup/rule.yml | 6 ++-- .../api_server_audit_log_maxsize/rule.yml | 6 ++-- .../api_server_audit_log_path/rule.yml | 6 ++-- .../api_server_auth_mode_no_aa/rule.yml | 6 ++-- .../api_server_auth_mode_node/rule.yml | 6 ++-- .../api_server_auth_mode_rbac/rule.yml | 6 ++-- .../api-server/api_server_basic_auth/rule.yml | 6 ++-- .../api_server_bind_address/rule.yml | 6 ++-- .../api-server/api_server_client_ca/rule.yml | 30 ++++++++-------- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../api-server/api_server_etcd_ca/rule.yml | 30 ++++++++-------- .../api-server/api_server_etcd_cert/rule.yml | 6 ++-- .../api-server/api_server_etcd_key/rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../api_server_insecure_bind_address/rule.yml | 6 ++-- .../api_server_insecure_port/rule.yml | 6 ++-- .../rule.yml | 30 ++++++++-------- .../api_server_kubelet_client_cert/rule.yml | 20 +++++------ .../api_server_kubelet_client_key/rule.yml | 20 +++++------ .../rule.yml | 6 ++-- .../api_server_request_timeout/rule.yml | 8 +++-- .../rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../api-server/api_server_tls_cert/rule.yml | 21 +++++------ .../api_server_tls_cipher_suites/rule.yml | 6 ++-- .../api_server_tls_private_key/rule.yml | 21 +++++------ .../api-server/api_server_token_auth/rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../rule.yml | 8 +++-- .../controller_secure_port/rule.yml | 7 ++-- .../controller_service_account_ca/rule.yml | 7 ++-- .../rule.yml | 7 ++-- .../controller_use_service_account/rule.yml | 6 ++-- .../openshift/etcd/etcd_auto_tls/rule.yml | 8 +++-- .../openshift/etcd/etcd_cert_file/rule.yml | 8 
+++-- .../etcd/etcd_client_cert_auth/rule.yml | 8 +++-- .../openshift/etcd/etcd_key_file/rule.yml | 8 +++-- .../etcd/etcd_peer_auto_tls/rule.yml | 8 +++-- .../etcd/etcd_peer_cert_file/rule.yml | 8 +++-- .../etcd/etcd_peer_client_cert_auth/rule.yml | 8 +++-- .../etcd/etcd_peer_key_file/rule.yml | 8 +++-- .../tls_version_check_apiserver/rule.yml | 21 ++++++++--- .../tests/hypershift.nomatch.fail.sh | 23 ++++++++++++ .../tests/hypershift.pass.sh | 0 .../tests/ocp.nomatch.fail.sh | 36 +++++++++++++++++++ .../tests/ocp.pass.sh | 0 .../tests/tls_version.fail.sh | 33 ----------------- .../tests/tls_version.pass.sh | 33 ----------------- .../kubelet_configure_tls_cert/rule.yml | 31 ++++++++-------- .../kubelet_configure_tls_key/rule.yml | 30 ++++++++-------- .../kubelet_disable_readonly_port/rule.yml | 6 ++-- .../rule.yml | 6 ++-- .../tests/ocp4/e2e.yml | 0 .../ocp_api_server_audit_log_maxsize/rule.yml | 6 ++-- .../tests/hypershift.nomatch.fail.sh | 0 .../tests/hypershift.pass.sh | 23 ++++++++++++ .../tests/ocp.nomatch.fail.sh | 0 .../tests/ocp.pass.sh | 36 +++++++++++++++++++ .../tests/ocp4/e2e.yml | 0 .../rule.yml | 6 ++-- .../scheduler_no_bind_address/rule.yml | 8 +++-- .../scheduler/scheduler_port_is_zero/rule.yml | 8 +++-- 70 files changed, 459 insertions(+), 294 deletions(-) create mode 100644 applications/openshift/general/tls_version_check_apiserver/tests/hypershift.nomatch.fail.sh rename applications/openshift/{api-server/ocp_api_server_audit_log_maxsize => general/tls_version_check_apiserver}/tests/hypershift.pass.sh (100%) create mode 100644 applications/openshift/general/tls_version_check_apiserver/tests/ocp.nomatch.fail.sh rename applications/openshift/{api-server/ocp_api_server_audit_log_maxsize => general/tls_version_check_apiserver}/tests/ocp.pass.sh (100%) delete mode 100755 applications/openshift/general/tls_version_check_apiserver/tests/tls_version.fail.sh delete mode 100755 
applications/openshift/general/tls_version_check_apiserver/tests/tls_version.pass.sh rename applications/openshift/{api-server => openshift-api-server}/ocp_api_server_audit_log_maxbackup/rule.yml (83%) rename applications/openshift/{api-server => openshift-api-server}/ocp_api_server_audit_log_maxbackup/tests/ocp4/e2e.yml (100%) rename applications/openshift/{api-server => openshift-api-server}/ocp_api_server_audit_log_maxsize/rule.yml (83%) rename applications/openshift/{api-server => openshift-api-server}/ocp_api_server_audit_log_maxsize/tests/hypershift.nomatch.fail.sh (100%) create mode 100644 applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.pass.sh rename applications/openshift/{api-server => openshift-api-server}/ocp_api_server_audit_log_maxsize/tests/ocp.nomatch.fail.sh (100%) create mode 100644 applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/ocp.pass.sh rename applications/openshift/{api-server => openshift-api-server}/ocp_api_server_audit_log_maxsize/tests/ocp4/e2e.yml (100%)
diff --git a/applications/openshift/api-server/api_server_admission_control_plugin_alwaysadmit/rule.yml b/applications/openshift/api-server/api_server_admission_control_plugin_alwaysadmit/rule.yml
index be88c59db48..79cbc8fcf3a 100644
--- a/applications/openshift/api-server/api_server_admission_control_plugin_alwaysadmit/rule.yml
+++ b/applications/openshift/api-server/api_server_admission_control_plugin_alwaysadmit/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Disable the AlwaysAdmit Admission Control Plugin'
-{{% set custom_jqfilter = '[.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_admission_control_plugin_alwayspullimages/rule.yml b/applications/openshift/api-server/api_server_admission_control_plugin_alwayspullimages/rule.yml
index 5c88bb0f79b..c88171def90 100644
--- a/applications/openshift/api-server/api_server_admission_control_plugin_alwayspullimages/rule.yml
+++ b/applications/openshift/api-server/api_server_admission_control_plugin_alwayspullimages/rule.yml
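Review bot: The new `hypershift_path` resolves the kube-apiserver ConfigMap under the fixed namespace `clusters-{{.hypershift_cluster}}`, i.e. it assumes the HostedCluster object lives in a namespace named `clusters`; a HostedCluster created in any other namespace gets a different control-plane namespace, and because the removed tailorable variables (`var_openshift_kube_apiserver_config`, `var_openshift_kube_apiserver_namespace`) are gone there is no longer a way to correct the path without editing the rule. If that is an accepted limitation, it should be stated next to the definition, e.g. `{{# hypershift_path assumes the HostedCluster is in the "clusters" namespace; other namespaces are not supported #}}`. The same five `set` lines are pasted verbatim into every hunk from here through L19 (and, with rule-specific filters, at L20, L22 and L23); if the build's Jinja macro layer allows it, a single shared macro returning the hypershift/OCP path pair would keep a future change to the ConfigMap name or data key (`kas-config`, `config.json`) from having to touch forty files. This note applies to those later hunks as well.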
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure that the Admission Control Plugin AlwaysPullImages is not set'
-{{% set custom_jqfilter = '[.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_admission_control_plugin_namespacelifecycle/rule.yml b/applications/openshift/api-server/api_server_admission_control_plugin_namespacelifecycle/rule.yml
index fb424a22eb5..75d920fae37 100644
--- a/applications/openshift/api-server/api_server_admission_control_plugin_namespacelifecycle/rule.yml
+++ b/applications/openshift/api-server/api_server_admission_control_plugin_namespacelifecycle/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Enable the NamespaceLifecycle Admission Control Plugin'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_admission_control_plugin_noderestriction/rule.yml b/applications/openshift/api-server/api_server_admission_control_plugin_noderestriction/rule.yml
index 89a2a4f2774..0544815d024 100644
--- a/applications/openshift/api-server/api_server_admission_control_plugin_noderestriction/rule.yml
+++ b/applications/openshift/api-server/api_server_admission_control_plugin_noderestriction/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Enable the NodeRestriction Admission Control Plugin'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_admission_control_plugin_scc/rule.yml b/applications/openshift/api-server/api_server_admission_control_plugin_scc/rule.yml
index c9ec8da1f76..096612b38d9 100644
--- a/applications/openshift/api-server/api_server_admission_control_plugin_scc/rule.yml
+++ b/applications/openshift/api-server/api_server_admission_control_plugin_scc/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Enable the SecurityContextConstraint Admission Control Plugin'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_admission_control_plugin_securitycontextdeny/rule.yml b/applications/openshift/api-server/api_server_admission_control_plugin_securitycontextdeny/rule.yml
index b998a925b40..969759e03af 100644
--- a/applications/openshift/api-server/api_server_admission_control_plugin_securitycontextdeny/rule.yml
+++ b/applications/openshift/api-server/api_server_admission_control_plugin_securitycontextdeny/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used'
-{{% set custom_jqfilter = '[.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_admission_control_plugin_service_account/rule.yml b/applications/openshift/api-server/api_server_admission_control_plugin_service_account/rule.yml
index 54d60c8ba67..753d828ffa9 100644
--- a/applications/openshift/api-server/api_server_admission_control_plugin_service_account/rule.yml
+++ b/applications/openshift/api-server/api_server_admission_control_plugin_service_account/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Enable the ServiceAccount Admission Control Plugin'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_audit_log_maxbackup/rule.yml b/applications/openshift/api-server/api_server_audit_log_maxbackup/rule.yml
index 17ae4549bd8..947858a4bef 100644
--- a/applications/openshift/api-server/api_server_audit_log_maxbackup/rule.yml
+++ b/applications/openshift/api-server/api_server_audit_log_maxbackup/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the Kubernetes API Server Maximum Retained Audit Logs'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_audit_log_maxsize/rule.yml b/applications/openshift/api-server/api_server_audit_log_maxsize/rule.yml
index 23273028f25..d1409dc1a9e 100644
--- a/applications/openshift/api-server/api_server_audit_log_maxsize/rule.yml
+++ b/applications/openshift/api-server/api_server_audit_log_maxsize/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure Kubernetes API Server Maximum Audit Log Size'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_audit_log_path/rule.yml b/applications/openshift/api-server/api_server_audit_log_path/rule.yml
index 1f7bb8f47c7..f35df59b718 100644
--- a/applications/openshift/api-server/api_server_audit_log_path/rule.yml
+++ b/applications/openshift/api-server/api_server_audit_log_path/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the Audit Log Path'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_auth_mode_no_aa/rule.yml b/applications/openshift/api-server/api_server_auth_mode_no_aa/rule.yml
index 20695109d93..60b7a76cc02 100644
--- a/applications/openshift/api-server/api_server_auth_mode_no_aa/rule.yml
+++ b/applications/openshift/api-server/api_server_auth_mode_no_aa/rule.yml
@@ -2,10 +2,12 @@ prodtype: ocp4
 title: The authorization-mode cannot be AlwaysAllow
-{{% set custom_jqfilter = '[.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: 'Do not always authorize all requests.'
diff --git a/applications/openshift/api-server/api_server_auth_mode_node/rule.yml b/applications/openshift/api-server/api_server_auth_mode_node/rule.yml
index a42f4e1ccae..15a6cb763c9 100644
--- a/applications/openshift/api-server/api_server_auth_mode_node/rule.yml
+++ b/applications/openshift/api-server/api_server_auth_mode_node/rule.yml
@@ -2,10 +2,12 @@ prodtype: ocp4
 title: Ensure authorization-mode Node is configured
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: 'Restrict kubelet nodes to reading only objects associated with them.'
diff --git a/applications/openshift/api-server/api_server_auth_mode_rbac/rule.yml b/applications/openshift/api-server/api_server_auth_mode_rbac/rule.yml
index 819861dc1c0..7002ded7699 100644
--- a/applications/openshift/api-server/api_server_auth_mode_rbac/rule.yml
+++ b/applications/openshift/api-server/api_server_auth_mode_rbac/rule.yml
@@ -2,10 +2,12 @@ prodtype: ocp4
 title: Ensure authorization-mode RBAC is configured
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_basic_auth/rule.yml b/applications/openshift/api-server/api_server_basic_auth/rule.yml
index 65df690e8ef..95ef7b34999 100644
--- a/applications/openshift/api-server/api_server_basic_auth/rule.yml
+++ b/applications/openshift/api-server/api_server_basic_auth/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Disable basic-auth-file for the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/api-server/api_server_bind_address/rule.yml b/applications/openshift/api-server/api_server_bind_address/rule.yml
index d7e105380ea..6c9009b3090 100644
--- a/applications/openshift/api-server/api_server_bind_address/rule.yml
+++ b/applications/openshift/api-server/api_server_bind_address/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: Ensure that the bindAddress is set to a relevant secure port
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: "The bindAddress is set by default to 0.0.0.0:6443, and listening with TLS enabled."
diff --git a/applications/openshift/api-server/api_server_client_ca/rule.yml b/applications/openshift/api-server/api_server_client_ca/rule.yml
index 2f916bd4172..4f43695c035 100644
--- a/applications/openshift/api-server/api_server_client_ca/rule.yml
+++ b/applications/openshift/api-server/api_server_client_ca/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the Client Certificate Authority for the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
-{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
+{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["client-ca-file"]) | .apiServerArguments["client-ca-file"][] | select(test("{{.var_apiserver_client_ca}}"))]' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["client-ca-file"]) | .apiServerArguments["client-ca-file"][] | select(test("/etc/kubernetes/certs/client-ca/ca.crt"))]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
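Review bot: The added `default_jqfilter` and `hypershift_jqfilter` decide the whole check with jq `test(...)`, which is an unanchored regular-expression match: `var_apiserver_client_ca` is interpolated as a pattern, so every `.` in the path matches any character and any `client-ca-file` entry that merely contains the expected path as a substring passes. If the variable is meant to be a literal path, compare for equality instead, `select(. == "{{.var_apiserver_client_ca}}")`, and likewise `select(. == "/etc/kubernetes/certs/client-ca/ca.crt")` in the hypershift filter; if a pattern is intended, anchor it, `test("^{{.var_apiserver_client_ca}}$")`. The same change also turns the variable into a jq regex, so a tailored value containing regex metacharacters would now silently change the match rather than fail loudly.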
@@ -58,15 +60,13 @@ warnings:
 {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(8) }}}
 template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
- yamlpath: '.apiServerArguments["client-ca-file"]'
- entity_check: "all"
- xccdf_variable: var_apiserver_client_ca
- embedded_data: "true"
- values:
- - value: '(.+)'
- operation: "pattern match"
- type: "string"
\ No newline at end of file
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
+ yamlpath: "[:]"
+ check_existence: "at_least_one_exists"
+ entity_check: "all"
+ values:
+ - value: "(.*?)"
+ operation: "pattern match"
diff --git a/applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml b/applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml
index d693b87d435..8de19deaf91 100644
--- a/applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml
+++ b/applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml
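Review bot: The rewritten template no longer expresses what is being verified: `yamlpath: "[:]"` with `value: "(.*?)"` matches any string, including the empty one, so the only thing the OVAL check asserts is `check_existence: "at_least_one_exists"` on an array that was already filtered by `select(test(...))` in `default_jqfilter` further up the file. A reader of the `template:` block alone (the previous version carried `xccdf_variable: var_apiserver_client_ca` and made the intent visible) cannot see that the CA path comparison now lives in the jq filter, so please add a comment above `template:` such as `# The client-ca-file path is matched in default_jqfilter; this template only asserts the filtered list is non-empty.` Note also that the original file indentation was lost in this rendering, so the YAML nesting of the `values:` list should be double-checked in the committed file.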
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Configure the Encryption Provider Cipher' -{{% set custom_jqfilter = '{{.var_apiserver_encryption_filter}}' %}} {{% set default_jqfilter = '[.spec.encryption.type]' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/apis/hypershift.openshift.io/v1beta1/namespaces/clusters/hostedclusters/{{.hypershift_cluster}}{{else}}{{.var_apiserver_encryption_path}}{{end}}' %}} {{% set default_api_path = '/apis/config.openshift.io/v1/apiservers/cluster' %}} +{{% set hypershift_path = '/apis/hypershift.openshift.io/v1beta1/namespaces/clusters/hostedclusters/{{.hypershift_cluster}}' %}} +{{% set hypershift_jqfilter = '[.spec.secretEncryption.type]' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- diff --git a/applications/openshift/api-server/api_server_encryption_provider_config/rule.yml b/applications/openshift/api-server/api_server_encryption_provider_config/rule.yml index 0497de9a0bd..e8d4aaba381 100644 --- a/applications/openshift/api-server/api_server_encryption_provider_config/rule.yml +++ b/applications/openshift/api-server/api_server_encryption_provider_config/rule.yml 
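Review bot: `[.spec.secretEncryption.type]` evaluates to `[null]` when the HostedCluster has no `secretEncryption` stanza, so the HyperShift branch yields a single null entry rather than an empty list; whether the rule's template (outside this hunk) treats that as a failure is not visible here and should be confirmed, and a comment such as `# yields [null] when secretEncryption is unset; the template must reject a null entry` would record the intent. The removed `custom_jqfilter` and `custom_api_path` lines were the only references visible in this hunk to `var_apiserver_encryption_filter` and `var_apiserver_encryption_path`; if nothing else uses them after this series, their variable definitions become dead and should go in the same commit. api_server_encryption_provider_config carries the identical change.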
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Configure the Encryption Provider' -{{% set custom_jqfilter = '{{.var_apiserver_encryption_filter}}' %}} {{% set default_jqfilter = '[.spec.encryption.type]' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/apis/hypershift.openshift.io/v1beta1/namespaces/clusters/hostedclusters/{{.hypershift_cluster}}{{else}}{{.var_apiserver_encryption_path}}{{end}}' %}} {{% set default_api_path = '/apis/config.openshift.io/v1/apiservers/cluster' %}} +{{% set hypershift_path = '/apis/hypershift.openshift.io/v1beta1/namespaces/clusters/hostedclusters/{{.hypershift_cluster}}' %}} +{{% set hypershift_jqfilter = '[.spec.secretEncryption.type]' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- diff --git a/applications/openshift/api-server/api_server_etcd_ca/rule.yml b/applications/openshift/api-server/api_server_etcd_ca/rule.yml index be96cb52bbc..7e24829c0b8 100644 --- a/applications/openshift/api-server/api_server_etcd_ca/rule.yml +++ b/applications/openshift/api-server/api_server_etcd_ca/rule.yml 
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Configure the etcd Certificate Authority for the API Server' -{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}} -{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} +{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["etcd-cafile"]) | .apiServerArguments["etcd-cafile"][] | select(test("{{.var_apiserver_etcd_ca}}"))]' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["etcd-cafile"]) | .apiServerArguments["etcd-cafile"][] | select(test("/etc/kubernetes/certs/etcd-ca/ca.crt"))]' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- 
@@ -58,15 +60,13 @@ warnings: {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(8) }}} template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}} - yamlpath: '.apiServerArguments["etcd-cafile"][:]' - entity_check: "all" - xccdf_variable: var_apiserver_etcd_ca - embedded_data: "true" - values: - - value: '(.+)' - operation: "pattern match" - type: "string" \ No newline at end of file + name: yamlfile_value + vars: + ocp_data: "true" + filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}} + yamlpath: "[:]" + check_existence: "at_least_one_exists" + entity_check: "all" + values: + - value: "(.*?)" + operation: "pattern match" diff --git a/applications/openshift/api-server/api_server_etcd_cert/rule.yml b/applications/openshift/api-server/api_server_etcd_cert/rule.yml index 2b7fa1ee12e..5b1148a51c4 100644 --- a/applications/openshift/api-server/api_server_etcd_cert/rule.yml +++ b/applications/openshift/api-server/api_server_etcd_cert/rule.yml 
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Configure the etcd Certificate for the API Server' -{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}} {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- diff --git a/applications/openshift/api-server/api_server_etcd_key/rule.yml b/applications/openshift/api-server/api_server_etcd_key/rule.yml index 15d097d541e..2938cc0139a 100644 --- a/applications/openshift/api-server/api_server_etcd_key/rule.yml +++ b/applications/openshift/api-server/api_server_etcd_key/rule.yml 
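Review bot: The removed lines drop the only references visible here to `var_openshift_kube_apiserver_config_data_name`, `var_openshift_kube_apiserver_config` and `var_openshift_kube_apiserver_namespace`, replacing them with the fixed `kas-config` configmap and `config.json` key; if no remaining rule references those variables after this series, their definitions and any profile values for them become dead and should be removed alongside. A short comment over `hypershift_path`, e.g. `# HyperShift keeps the kube-apiserver config in configmap kas-config (key config.json) in namespace clusters-<hosted cluster name>`, would explain why the path and key are fixed rather than tunable. The same mechanical change appears in api_server_etcd_key, api_server_https_for_kubelet_conn, api_server_insecure_bind_address, api_server_insecure_port, api_server_request_timeout, api_server_service_account_lookup, api_server_service_account_public_key and api_server_tls_cipher_suites.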
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Configure the etcd Certificate Key for the API Server' -{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}} {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- diff --git a/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml b/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml index 45a140893ea..bf12ef52103 100644 --- a/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml +++ b/applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml 
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Ensure that the --kubelet-https argument is set to true' -{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}} {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- diff --git a/applications/openshift/api-server/api_server_insecure_bind_address/rule.yml b/applications/openshift/api-server/api_server_insecure_bind_address/rule.yml index 8b88c5965de..5cf825e5501 100644 --- a/applications/openshift/api-server/api_server_insecure_bind_address/rule.yml +++ b/applications/openshift/api-server/api_server_insecure_bind_address/rule.yml 
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Disable Use of the Insecure Bind Address' -{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson | .apiServerArguments' %}} {{% set default_jqfilter = '.data."config.yaml" | fromjson | .apiServerArguments' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '.data."config.json" | fromjson | .apiServerArguments' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- diff --git a/applications/openshift/api-server/api_server_insecure_port/rule.yml b/applications/openshift/api-server/api_server_insecure_port/rule.yml index 380f60a9ebd..07b14ebab50 100644 --- a/applications/openshift/api-server/api_server_insecure_port/rule.yml +++ b/applications/openshift/api-server/api_server_insecure_port/rule.yml 
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Prevent Insecure Port Access' -{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}} {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- diff --git a/applications/openshift/api-server/api_server_kubelet_certificate_authority/rule.yml b/applications/openshift/api-server/api_server_kubelet_certificate_authority/rule.yml index ef05b3f2e8e..fedd202b532 100644 --- a/applications/openshift/api-server/api_server_kubelet_certificate_authority/rule.yml +++ b/applications/openshift/api-server/api_server_kubelet_certificate_authority/rule.yml 
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Configure the kubelet Certificate Authority for the API Server' -{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}} -{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} +{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-certificate-authority"]) | .apiServerArguments["kubelet-certificate-authority"][] | select(test("{{.var_apiserver_kubelet_certificate_authority}}"))]' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-certificate-authority"]) | .apiServerArguments["kubelet-certificate-authority"][] | select(test("/etc/kubernetes/certs/kubelet-ca/ca.crt"))]' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- 
@@ -57,15 +59,13 @@ warnings: {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(8) }}} template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}} - yamlpath: '.apiServerArguments["kubelet-certificate-authority"][:]' - entity_check: "all" - xccdf_variable: var_apiserver_kubelet_certificate_authority - embedded_data: "true" - values: - - value: '(.+)' - operation: "pattern match" - type: "string" \ No newline at end of file + name: yamlfile_value + vars: + ocp_data: "true" + filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}} + yamlpath: "[:]" + check_existence: "at_least_one_exists" + entity_check: "all" + values: + - value: "(.*?)" + operation: "pattern match" diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml index 3dc412af013..ba136489d27 100644 --- a/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml +++ b/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml 
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Configure the kubelet Certificate File for the API Server' -{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}} -{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} +{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("{{.var_apiserver_kubelet_client_cert}}"))]' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("/etc/kubernetes/certs/kubelet/tls.crt"))]' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- 
@@ -60,12 +62,10 @@ template: name: yamlfile_value vars: ocp_data: "true" - entity_check: "all" filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}} - yamlpath: '.apiServerArguments["kubelet-client-certificate"][:]' - xccdf_variable: var_apiserver_kubelet_client_cert - embedded_data: "true" + yamlpath: "[:]" + check_existence: "at_least_one_exists" + entity_check: "all" values: - - value: '(.+)' - type: "string" - operation: "pattern match" + - value: "(.*?)" + operation: "pattern match" diff --git a/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml index ce81f69a16a..78cbf20f10b 100644 --- a/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml +++ b/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml 
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Configure the kubelet Certificate Key for the API Server' -{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}} -{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} +{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-client-key"]) | .apiServerArguments["kubelet-client-key"][] | select(test("{{.var_apiserver_kubelet_client_key}}"))]' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-client-key"]) | .apiServerArguments["kubelet-client-key"][] | select(test("/etc/kubernetes/certs/kubelet/tls.key"))]' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- 
@@ -60,12 +62,10 @@ template: name: yamlfile_value vars: ocp_data: "true" - entity_check: "all" filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}} - yamlpath: '.apiServerArguments["kubelet-client-key"][:]' - xccdf_variable: var_apiserver_kubelet_client_key - embedded_data: "true" + yamlpath: "[:]" + check_existence: "at_least_one_exists" + entity_check: "all" values: - - value: '(.+)' - type: "string" - operation: "pattern match" + - value: "(.*?)" + operation: "pattern match" diff --git a/applications/openshift/api-server/api_server_no_adm_ctrl_plugins_disabled/rule.yml b/applications/openshift/api-server/api_server_no_adm_ctrl_plugins_disabled/rule.yml index 88484f77da7..9eb707f106d 100644 --- a/applications/openshift/api-server/api_server_no_adm_ctrl_plugins_disabled/rule.yml +++ b/applications/openshift/api-server/api_server_no_adm_ctrl_plugins_disabled/rule.yml 
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Ensure all admission control plugins are enabled' -{{% set custom_jqfilter = '[.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]' %}} {{% set default_jqfilter = '[.data."config.yaml" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} diff --git a/applications/openshift/api-server/api_server_request_timeout/rule.yml b/applications/openshift/api-server/api_server_request_timeout/rule.yml index 6a0d3e073f7..380b95bc909 100644 --- a/applications/openshift/api-server/api_server_request_timeout/rule.yml 
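Review bot: `hypershift_jqfilter` repeats the whole admission-plugin expression from `default_jqfilter`, differing only in the `config.json` key, so the two can drift apart silently (the `["PodSecurity"]` exception in particular). The hunk already composes the paths with `~`; the filters can be built the same way: `{{% set adm_filter = '| .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]' %}}`, `{{% set default_jqfilter = '[.data."config.yaml" | fromjson ' ~ adm_filter %}}`, `{{% set hypershift_jqfilter = '[.data."config.json" | fromjson ' ~ adm_filter %}}`. This touches the unchanged `default_jqfilter` context line as well.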
+++ b/applications/openshift/api-server/api_server_request_timeout/rule.yml @@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Configure the API Server Minimum Request Timeout' -{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}} {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- @@ -51,7 +53,7 @@ ocil: |- warnings: - general: |- - {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-apiserver/configmaps/config") | indent(4) }}} + {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}} template: name: yamlfile_value diff --git a/applications/openshift/api-server/api_server_service_account_lookup/rule.yml b/applications/openshift/api-server/api_server_service_account_lookup/rule.yml index 1b8cd1a2b69..1ea6e35e234 100644 --- a/applications/openshift/api-server/api_server_service_account_lookup/rule.yml +++ b/applications/openshift/api-server/api_server_service_account_lookup/rule.yml 
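Review bot: The replacement warning line uses `indent(4)`, whereas the same `openshift_filtered_cluster_setting({custom_api_path: dump_path})` call in api_server_client_ca and api_server_etcd_ca uses `indent(8)`; if this file's `- general: |-` block is nested like theirs, the 4-space indent would render the dumped text at a different level inside the literal block. The surrounding lines are outside the hunk, so please confirm the nesting before merging. The first hunk in this file shares the unused-variable point raised on api_server_etcd_cert.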
@@ -4,10 +4,12 @@ prodtype: ocp4 title: Ensure that the service-account-lookup argument is set to true -{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}} {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: Validate service account before validating token. diff --git a/applications/openshift/api-server/api_server_service_account_public_key/rule.yml b/applications/openshift/api-server/api_server_service_account_public_key/rule.yml index e27f0b9dc6d..4b9dc3eab42 100644 --- a/applications/openshift/api-server/api_server_service_account_public_key/rule.yml +++ b/applications/openshift/api-server/api_server_service_account_public_key/rule.yml 
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Configure the Service Account Public Key for the API Server' -{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}} {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- diff --git a/applications/openshift/api-server/api_server_tls_cert/rule.yml b/applications/openshift/api-server/api_server_tls_cert/rule.yml index b50ba7537c5..2039c0692ab 100644 --- a/applications/openshift/api-server/api_server_tls_cert/rule.yml +++ b/applications/openshift/api-server/api_server_tls_cert/rule.yml 
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Configure the Certificate for the API Server' -{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}} -{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} +{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["tls-cert-file"]) | .apiServerArguments["tls-cert-file"][] | select(test("{{.var_apiserver_tls_cert}}"))]' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["tls-cert-file"]) | .apiServerArguments["tls-cert-file"][] | select(test("/etc/kubernetes/certs/server/tls.crt"))]' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- 
@@ -59,12 +61,11 @@ template: name: yamlfile_value vars: ocp_data: "true" - entity_check: "all" filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}} - yamlpath: '.apiServerArguments["tls-cert-file"][:]' - xccdf_variable: var_apiserver_tls_cert - embedded_data: "true" + yamlpath: "[:]" + check_existence: "at_least_one_exists" + entity_check: "all" values: - - value: '(.+)' - operation: "pattern match" - type: "string" + - value: "(.*?)" + operation: "pattern match" + diff --git a/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml b/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml index fa7d5995395..c3d222404c5 100644 --- a/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml +++ b/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml 
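Review bot: A trailing empty line is left at end of file after `operation: "pattern match"` (the final `+` line), which the other template rewrites in this series do not add; dropping it keeps the rule files uniform. api_server_tls_private_key carries the same stray blank line.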
@@ -4,10 +4,12 @@ prodtype: ocp4 title: 'Use Strong Cryptographic Ciphers on the API Server' -{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}} {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}} -{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}} {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}} +{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}} +{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}} +{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}} +{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} description: |- diff --git a/applications/openshift/api-server/api_server_tls_private_key/rule.yml b/applications/openshift/api-server/api_server_tls_private_key/rule.yml index 804c6c9f148..d12a4aeaa10 100644 --- a/applications/openshift/api-server/api_server_tls_private_key/rule.yml +++ b/applications/openshift/api-server/api_server_tls_private_key/rule.yml 
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Configure the Certificate Key for the API Server'
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
-{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
+{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["tls-private-key-file"]) | .apiServerArguments["tls-private-key-file"][] | select(test("{{.var_apiserver_tls_private_key}}"))]' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["tls-private-key-file"]) | .apiServerArguments["tls-private-key-file"][] | select(test("/etc/kubernetes/certs/server/tls.key"))]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
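Review bot: The HyperShift branch hard-codes `/etc/kubernetes/certs/server/tls.key` in `hypershift_jqfilter` while the standalone branch keeps honouring `var_apiserver_tls_private_key`, so a tailored value of that variable silently has no effect on a HyperShift cluster; the rule description (outside this hunk) should state that, and a comment next to the definition such as `{{# HyperShift: the key path is fixed by the control-plane operator, var_apiserver_tls_private_key is not consulted #}}` would stop the next reader from assuming otherwise. `select(test("{{.var_apiserver_tls_private_key}}"))` also evaluates the variable as an unanchored regex, so any configured path that merely contains the value (or matches it as a pattern) is accepted; if an exact path is intended, anchor it, `select(test("^{{.var_apiserver_tls_private_key}}$"))`, bearing in mind that `.` in the path still matches any character. The diffstat suggests api_server_tls_cert receives the same rewrite; its filter hunk is outside this chunk, but the same two points would apply there.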
@@ -59,12 +61,11 @@ template:
 name: yamlfile_value
 vars:
 ocp_data: "true"
- entity_check: "all"
 filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
- yamlpath: '.apiServerArguments["tls-private-key-file"][:]'
- xccdf_variable: var_apiserver_tls_private_key
- embedded_data: "true"
+ yamlpath: "[:]"
+ check_existence: "at_least_one_exists"
+ entity_check: "all"
 values:
- - value: '(.+)'
- operation: "pattern match"
- type: "string"
+ - value: "(.*?)"
+ operation: "pattern match"
+
diff --git a/applications/openshift/api-server/api_server_token_auth/rule.yml b/applications/openshift/api-server/api_server_token_auth/rule.yml
index a70bba845d1..ca8accb62f4 100644
--- a/applications/openshift/api-server/api_server_token_auth/rule.yml
+++ b/applications/openshift/api-server/api_server_token_auth/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Disable Token-based Authentication'
-{{% set custom_jqfilter = '[.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson]' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/controller/controller_insecure_port_disabled/rule.yml b/applications/openshift/controller/controller_insecure_port_disabled/rule.yml
index d58932ad695..f7bef8335e5 100644
--- a/applications/openshift/controller/controller_insecure_port_disabled/rule.yml
+++ b/applications/openshift/controller/controller_insecure_port_disabled/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure Controller insecure port argument is unset'
-{{% set custom_jqfilter = '{{.var_kube_controller_manager_port_zero_filter}}' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson | if .extendedArguments["port"]!=null then .extendedArguments["port"]==["0"] else true end]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager' %}}
+{{% set hypershift_jqfilter = '[[.items[0].spec.containers[0].args[] | select(. | match("--port=[1-9]*[1-9]+") )] | length | if . == 0 then true else false end]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml
index 05a419c67f5..0f26328655e 100644
--- a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml
+++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml
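Review bot: `.items[0].spec.containers[0].args` inspects only the first pod the label selector returns and only that pod's first container, so on a HyperShift control plane with several kube-controller-manager replicas a misconfigured replica other than the first is never examined, and an empty pod list turns `.items[0]` into null so the filter errors out rather than evaluating to false. The same `.items[0]...containers[0]` shape is used in the controller hunks at L49–L52 and, on `command`, in the etcd hunks at L53–L60. Iterating `.items[]` and requiring the condition to hold for every pod would make the verdict independent of pod ordering; at minimum the assumption should be written down next to the filter, `{{# only the first pod/container is inspected; all replicas are assumed identical #}}`. The `--port=[1-9]*[1-9]+` pattern also lets a leading-zero value such as `--port=01` through if the flag parser accepts it, so `match("--port=0*[1-9]")` is the tighter check.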
@@ -4,12 +4,16 @@ prodtype: ocp4
 title: 'Ensure that the RotateKubeletServerCertificate argument is set'
-{{% set custom_jqfilter = '{{.var_kube_controller_manager_rotate_kubelet_server_certs_filter}}' %}}
+
 {{% set default_jqfilter = '.data."config.yaml" | fromjson | .extendedArguments["feature-gates"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager' %}}
+{{% set hypershift_jqfilter = '.items[0].spec.containers[0].args' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
+
 description: |-
 To enforce kublet server certificate rotation on the Controller Manager, set the RotateKubeletServerCertificate option to true
diff --git a/applications/openshift/controller/controller_secure_port/rule.yml b/applications/openshift/controller/controller_secure_port/rule.yml
index 5528a853907..a804abd9a8d 100644
--- a/applications/openshift/controller/controller_secure_port/rule.yml
+++ b/applications/openshift/controller/controller_secure_port/rule.yml
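Review bot: This hunk adds two empty `+` lines, one where `custom_jqfilter` was removed above `default_jqfilter` and one after `dump_path`, and the second apparently sits next to a blank line that already precedes `description` (the 12 → 16 line counts only add up that way), leaving a double blank. The hunks at L49, L50 and L51 add the same stray empty lines. Dropping them keeps the header block contiguous, as it is in the otherwise identical rewrites at L43–L47 and L52–L60.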
@@ -4,12 +4,15 @@ prodtype: ocp4
 title: 'Ensure Controller secure-port argument is set'
-{{% set custom_jqfilter = '{{.var_kube_controller_manager_secure_port_filter}}' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson | if .extendedArguments["secure-port"][]=="10257" then true else false end]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager' %}}
+{{% set hypershift_jqfilter = '[[.items[0].spec.containers[0].args[] | select(. | match("--secure-port=10257") )] | length | if . ==1 then true else false end]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
+
 description: |-
 To ensure the Controller Manager service is bound to secure loopback address using a secure port,
diff --git a/applications/openshift/controller/controller_service_account_ca/rule.yml b/applications/openshift/controller/controller_service_account_ca/rule.yml
index 90f69242f78..0ee450e5285 100644
--- a/applications/openshift/controller/controller_service_account_ca/rule.yml
+++ b/applications/openshift/controller/controller_service_account_ca/rule.yml
@@ -4,10 +4,13 @@ prodtype: ocp4
 title: 'Configure the Service Account Certificate Authority Key for the Controller Manager'
-{{% set custom_jqfilter = '{{.var_kube_controller_manager_service_account_ca_filter}}' %}}
+
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson | if .extendedArguments["root-ca-file"]!=null then true else false end]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager' %}}
+{{% set hypershift_jqfilter = '[[.items[0].spec.containers[0].args[] | select(. | match("--root-ca-file") )] | length | if . ==1 then true else false end]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/controller/controller_service_account_private_key/rule.yml b/applications/openshift/controller/controller_service_account_private_key/rule.yml
index fb64ec9226c..1f76b5955e1 100644
--- a/applications/openshift/controller/controller_service_account_private_key/rule.yml
+++ b/applications/openshift/controller/controller_service_account_private_key/rule.yml
@@ -4,12 +4,15 @@ prodtype: ocp4
 title: 'Configure the Service Account Private Key for the Controller Manager'
-{{% set custom_jqfilter = '{{.var_kube_controller_manager_service_account_private_key_filter}}' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson | if .extendedArguments["service-account-private-key-file"]!=null then true else false end]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager' %}}
+{{% set hypershift_jqfilter = '[[.items[0].spec.containers[0].args[] | select(. | match("--service-account-private-key-file") )] | length | if . ==1 then true else false end]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
+
 description: |-
 To ensure the API Server utilizes its own key pair, set the privateKeyFile parameter to the public key file for service accounts in the openshift-kube-controller-manager configmap on the master
diff --git a/applications/openshift/controller/controller_use_service_account/rule.yml b/applications/openshift/controller/controller_use_service_account/rule.yml
index cac05ebc92e..5211e135ce3 100644
--- a/applications/openshift/controller/controller_use_service_account/rule.yml
+++ b/applications/openshift/controller/controller_use_service_account/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure that use-service-account-credentials is enabled'
-{{% set custom_jqfilter = '{{.var_kube_controller_manager_use_service_account_filter}}' %}}
 {{% set default_jqfilter = '[.data."config.yaml" | fromjson | if .extendedArguments["use-service-account-credentials"][]=="true" then true else false end]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager{{else}}{{.var_kube_controller_manager_config_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-controller-manager' %}}
+{{% set hypershift_jqfilter = '[[.items[0].spec.containers[0].args[] | select(. | match("--use-service-account-credentials=true") )] | length | if . ==1 then true else false end]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_auto_tls/rule.yml b/applications/openshift/etcd/etcd_auto_tls/rule.yml
index 774669c5b47..b54523eda1a 100644
--- a/applications/openshift/etcd/etcd_auto_tls/rule.yml
+++ b/applications/openshift/etcd/etcd_auto_tls/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Disable etcd Self-Signed Certificates'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_cert_file/rule.yml b/applications/openshift/etcd/etcd_cert_file/rule.yml
index 4339feaf9e9..3b6cbcaa5cf 100644
--- a/applications/openshift/etcd/etcd_cert_file/rule.yml
+++ b/applications/openshift/etcd/etcd_cert_file/rule.yml
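Review bot: `hypershift_jqfilter` flattens only `.spec.containers[0].command`; if the HyperShift etcd container receives any of its flags through `args` rather than `command`, those flags are invisible to whatever pattern this filter feeds (the template block is outside this hunk), and the check would pass or fail on an incomplete command line. Whether that is the case cannot be confirmed from this patch, so either verify it against a hosted etcd pod spec or make the filter indifferent to the split, e.g. `'[.items[0].spec.containers[0] | ((.command // []) + (.args // [])) | join(" ")]'`, and record the assumption next to the definition: `{{# etcd flags are expected in .command; .args is not inspected #}}`. The same filter is introduced verbatim in the etcd hunks at L54–L60.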
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure That The etcd Client Certificate Is Correctly Set'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_client_cert_auth/rule.yml b/applications/openshift/etcd/etcd_client_cert_auth/rule.yml
index 924c1eb62b5..5244ea7037c 100644
--- a/applications/openshift/etcd/etcd_client_cert_auth/rule.yml
+++ b/applications/openshift/etcd/etcd_client_cert_auth/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Enable The Client Certificate Authentication'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_key_file/rule.yml b/applications/openshift/etcd/etcd_key_file/rule.yml
index 30763cdfc76..3ebf47906fe 100644
--- a/applications/openshift/etcd/etcd_key_file/rule.yml
+++ b/applications/openshift/etcd/etcd_key_file/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure That The etcd Key File Is Correctly Set'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_peer_auto_tls/rule.yml b/applications/openshift/etcd/etcd_peer_auto_tls/rule.yml
index be12e834049..7d3bd6c1ead 100644
--- a/applications/openshift/etcd/etcd_peer_auto_tls/rule.yml
+++ b/applications/openshift/etcd/etcd_peer_auto_tls/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Disable etcd Peer Self-Signed Certificates'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_peer_cert_file/rule.yml b/applications/openshift/etcd/etcd_peer_cert_file/rule.yml
index 820e5527096..601315477aa 100644
--- a/applications/openshift/etcd/etcd_peer_cert_file/rule.yml
+++ b/applications/openshift/etcd/etcd_peer_cert_file/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure That The etcd Peer Client Certificate Is Correctly Set'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_peer_client_cert_auth/rule.yml b/applications/openshift/etcd/etcd_peer_client_cert_auth/rule.yml
index cc5244c8656..da739f2a2fb 100644
--- a/applications/openshift/etcd/etcd_peer_client_cert_auth/rule.yml
+++ b/applications/openshift/etcd/etcd_peer_client_cert_auth/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Enable The Peer Client Certificate Authentication'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/etcd/etcd_peer_key_file/rule.yml b/applications/openshift/etcd/etcd_peer_key_file/rule.yml
index f34f225d04b..17fef182323 100644
--- a/applications/openshift/etcd/etcd_peer_key_file/rule.yml
+++ b/applications/openshift/etcd/etcd_peer_key_file/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 title: 'Ensure That The etcd Peer Key File Is Correctly Set'
-{{% set custom_jqfilter = '{{.var_etcd_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd{{else}}{{.var_etcd_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Detcd' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].command | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 description: |-
diff --git a/applications/openshift/general/tls_version_check_apiserver/rule.yml b/applications/openshift/general/tls_version_check_apiserver/rule.yml
index 76329f9e9f3..391ca7dee65 100644
--- a/applications/openshift/general/tls_version_check_apiserver/rule.yml
+++ b/applications/openshift/general/tls_version_check_apiserver/rule.yml
@@ -5,6 +5,14 @@ title: Ensure TLS v1.2 is minimum for Openshift APIServer
 description: |-
 Verify tls version for the openshift APIServer.
+{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
+{{% set default_api_path = '/api/v1/namespaces/openshift-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/openshift-apiserver' %}}
+{{% set hypershift_jqfilter = '.data."config.yaml"' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
+{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
+
 rationale: |-
 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The system must implement cryptographic modules adhering to the higher
@@ -29,13 +37,16 @@ severity: medium
 warnings:
 - general: |-
- {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-apiserver/configmaps/config") | indent(4) }}}
+ {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}
+
 template:
 name: yamlfile_value
 vars:
 ocp_data: "true"
- filepath: /api/v1/namespaces/openshift-apiserver/configmaps/config
- yamlpath: ".data['config.yaml']"
+ entity_check: "at least one"
+ filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
+ yamlpath: '.servingInfo["minTLSVersion"]'
 values:
- - value: "VersionTLS1[2-9]{1}"
- operation: "pattern match"
+ - value: 'VersionTLS1[2-9]{1}'
+ operation: "pattern match"
+ type: "string"
diff --git a/applications/openshift/general/tls_version_check_apiserver/tests/hypershift.nomatch.fail.sh b/applications/openshift/general/tls_version_check_apiserver/tests/hypershift.nomatch.fail.sh
new file mode 100644
index 00000000000..f83425d16d8
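Review bot: The template hunk sets `entity_check: "at least one"` but no `check_existence`, so a config whose `servingInfo` carries no `minTLSVersion` key at all is decided by the template's default existence behaviour, which this patch does not show; an absent key is precisely the case where the server falls back to its built-in minimum, so the rule should take an explicit position, e.g. `check_existence: "all_exist"` to treat an unset minimum as a failure. In the first hunk, `hypershift_jqfilter` omits `fromjson` on purpose: the new fixtures show HyperShift storing config.yaml as YAML text while standalone OCP stores it as a JSON string, and that asymmetry deserves a comment next to the definition, `{{# HyperShift's config.yaml is YAML text, not JSON, so it is passed through without fromjson #}}`. Also note that `"at least one"` is the only `entity_check` value spelled with spaces in this patch; the other rules use `"all"`, so a short comment on why any single matching value suffices would help.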
--- /dev/null
+++ b/applications/openshift/general/tls_version_check_apiserver/tests/hypershift.nomatch.fail.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# remediation = none
+
+yum install -y jq
+
+kube_apipath="/kubernetes-api-resources"
+ocp_apipath="/api/v1/namespaces/openshift-apiserver/configmaps/config"
+
+mkdir -p "$kube_apipath/api/v1/namespaces/openshift-apiserver/configmaps/"
+
+jq_filter_default='.data."config.yaml" | fromjson'
+
+jq_filter='.data."config.yaml"'
+
+# Get filtered path. This will actually be read by the scan
+filteredpath="$kube_apipath$ocp_apipath#$(echo -n "$ocp_apipath$jq_filter_default" | sha256sum | awk '{print $1}')"
+
+cat << EOF > $kube_apipath$ocp_apipath
+{"kind":"ConfigMap","apiVersion":"v1","metadata":{"name":"openshift-apiserver","namespace":"clusters-wenshen-hypershift","uid":"5ec57109-8d0d-46a0-8c6e-b711afa03dec","resourceVersion":"158040","creationTimestamp":"2023-02-27T21:49:46Z","ownerReferences":[{"apiVersion":"hypershift.openshift.io/v1beta1","kind":"HostedControlPlane","name":"wenshen-hypershift","uid":"50a4550a-e450-4546-a7b4-254011fc5dfe","controller":true,"blockOwnerDeletion":true}],"managedFields":[{"manager":"hypershift-controlplane-manager","operation":"Update","apiVersion":"v1","time":"2023-02-27T21:49:46Z","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:config.yaml":{}},"f:metadata":{"f:ownerReferences":{".":{},"k:{\"uid\":\"50a4550a-e450-4546-a7b4-254011fc5dfe\"}":{}}}}}]},"data":{"config.yaml":"admission: {}\naggregatorConfig:\n allowedNames: null\n clientCA: \"\"\n extraHeaderPrefixes: null\n groupHeaders: null\n usernameHeaders: null\napiServerArguments:\n audit-log-format:\n - json\n audit-log-maxsize:\n - \"50\"\n audit-log-path:\n - /var/log/openshift-apiserver/audit.log\n audit-policy-file:\n - /etc/kubernetes/audit-config/policy.yaml\n shutdown-delay-duration:\n - 3s\napiVersion: openshiftcontrolplane.config.openshift.io/v1\nauditConfig:\n auditFilePath: \"\"\n enabled: false\n logFormat: \"\"\n maximumFileRetentionDays: 0\n maximumFileSizeMegabytes: 0\n maximumRetainedFiles: 0\n policyConfiguration: null\n policyFile: \"\"\n webHookKubeConfig: \"\"\n webHookMode: \"\"\ncloudProviderFile: \"\"\ncorsAllowedOrigins: null\nimagePolicyConfig:\n additionalTrustedCA: \"\"\n allowedRegistriesForImport: null\n externalRegistryHostnames: null\n internalRegistryHostname: image-registry.openshift-image-registry.svc:5000\n maxImagesBulkImportedPerRepository: 0\njenkinsPipelineConfig:\n autoProvisionEnabled: null\n parameters: null\n serviceName: \"\"\n templateName: \"\"\n templateNamespace: \"\"\nkind: OpenShiftAPIServerConfig\nkubeClientConfig:\n connectionOverrides:\n acceptContentTypes: \"\"\n burst: 0\n contentType: \"\"\n qps: 0\n kubeConfig: /etc/kubernetes/secrets/svc-kubeconfig/kubeconfig\nprojectConfig:\n defaultNodeSelector: \"\"\n projectRequestMessage: \"\"\n projectRequestTemplate: \"\"\nroutingConfig:\n subdomain: apps.wenshen-hypershift.devcluster.openshift.com\nserviceAccountOAuthGrantMethod: \"\"\nservingInfo:\n bindAddress: \"\"\n bindNetwork: \"\"\n certFile: /etc/kubernetes/certs/serving/tls.crt\n cipherSuites:\n - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\n - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n clientCA: /etc/kubernetes/certs/client-ca/ca.crt\n keyFile: /etc/kubernetes/certs/serving/tls.key\n maxRequestsInFlight: 0\n minTLSVersion: VersionTLS02\n requestTimeoutSeconds: 0\nstorageConfig:\n ca: /etc/kubernetes/certs/etcd-client-ca/ca.crt\n certFile: /etc/kubernetes/certs/etcd-client/etcd-client.crt\n keyFile: /etc/kubernetes/certs/etcd-client/etcd-client.key\n storagePrefix: \"\"\n urls:\n - https://etcd-client:2379\n"}}
+EOF
+
+jq -r "$jq_filter" "$kube_apipath$ocp_apipath" > "$filteredpath"
+
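Review bot: The fixture is written under the standalone path `/api/v1/namespaces/openshift-apiserver/configmaps/config` and `filteredpath` is hashed from `$ocp_apipath$jq_filter_default`, although the HyperShift branch of the rule reads `.../clusters-<name>/configmaps/openshift-apiserver` through the plain `.data."config.yaml"` filter; that presumably works because the scanner always derives the filtered path from the default path/filter pair, but nothing in the script says so, and a comment above `filteredpath=` would save the next reader the detour: `# the scan always resolves the default path+filter hash; only the content below is HyperShift-shaped`. The embedded ConfigMap also carries what look like identifiers lifted from a real development cluster (the `clusters-wenshen-hypershift` namespace, the `apps.wenshen-hypershift.devcluster.openshift.com` subdomain, object UIDs and timestamps); a fixture only needs the fields the filter reads, so trimming it to `data.config.yaml` with obviously synthetic metadata would be both shorter and cleaner. The heredoc is unquoted, which is harmless for this payload but means any `$` in a future edit of the JSON would be expanded by the shell; `cat << 'EOF'` avoids that surprise.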
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.pass.sh b/applications/openshift/general/tls_version_check_apiserver/tests/hypershift.pass.sh
similarity index 100%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.pass.sh
rename to applications/openshift/general/tls_version_check_apiserver/tests/hypershift.pass.sh
diff --git a/applications/openshift/general/tls_version_check_apiserver/tests/ocp.nomatch.fail.sh b/applications/openshift/general/tls_version_check_apiserver/tests/ocp.nomatch.fail.sh
new file mode 100644
index 00000000000..1705ba06142
--- /dev/null
+++ b/applications/openshift/general/tls_version_check_apiserver/tests/ocp.nomatch.fail.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# remediation = none
+
+yum install -y jq
+
+kube_apipath="/kubernetes-api-resources"
+ocp_apipath="/api/v1/namespaces/openshift-apiserver/configmaps/config"
+
+mkdir -p "$kube_apipath/api/v1/namespaces/openshift-apiserver/configmaps/"
+
+jq_filter_default='.data."config.yaml" | fromjson'
+
+jq_filter='.data."config.yaml" | fromjson'
+
+# Get filtered path. This will actually be read by the scan
+filteredpath="$kube_apipath$ocp_apipath#$(echo -n "$ocp_apipath$jq_filter_default" | sha256sum | awk '{print $1}')"
+
+cat << EOF > $kube_apipath$ocp_apipath
+{
+ "apiVersion": "v1",
+ "data": {
+ "config.yaml": "{\"apiServerArguments\":{\"audit-log-format\":[\"json\"],\"audit-log-maxbackup\":[\"10\"],\"audit-log-maxsize\":[\"50\"],\"audit-log-path\":[\"/var/log/openshift-apiserver/audit.log\"],\"audit-policy-file\":[\"/var/run/configmaps/audit/policy.yaml\"],\"shutdown-delay-duration\":[\"15s\"],\"shutdown-send-retry-after\":[\"true\"]},\"apiVersion\":\"openshiftcontrolplane.config.openshift.io/v1\",\"imagePolicyConfig\":{\"internalRegistryHostname\":\"image-registry.openshift-image-registry.svc:5000\"},\"kind\":\"OpenShiftAPIServerConfig\",\"projectConfig\":{\"projectRequestMessage\":\"\"},\"routingConfig\":{\"subdomain\":\"apps.ci-ln-xllhdgb-76ef8.origin-ci-int-aws.dev.rhcloud.com\"},\"servingInfo\":{\"bindNetwork\":\"tcp\",\"cipherSuites\":[\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\",\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"],\"minTLSVersion\":\"VersionTLS02\"},\"storageConfig\":{\"urls\":[\"https://10.0.137.27:2379\",\"https://10.0.158.132:2379\",\"https://10.0.204.8:2379\"]}}"
+ },
+ "kind": "ConfigMap",
+ "metadata": {
+ "creationTimestamp": "2023-02-28T05:44:46Z",
+ "name": "config",
+ "namespace": "openshift-apiserver",
+ "resourceVersion": "20949",
+ "uid": "50c1c8ce-5ae3-465d-b60c-47ef2208f665"
+ }
+}
+EOF
+
+jq "$jq_filter" "$kube_apipath$ocp_apipath" > "$filteredpath"
+
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/ocp.pass.sh b/applications/openshift/general/tls_version_check_apiserver/tests/ocp.pass.sh
similarity index 100%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/ocp.pass.sh
rename to applications/openshift/general/tls_version_check_apiserver/tests/ocp.pass.sh
diff --git a/applications/openshift/general/tls_version_check_apiserver/tests/tls_version.fail.sh b/applications/openshift/general/tls_version_check_apiserver/tests/tls_version.fail.sh
deleted file mode 100755
index 61ac63f79c2..00000000000
--- a/applications/openshift/general/tls_version_check_apiserver/tests/tls_version.fail.sh
+++ /dev/null
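Review bot: The fixture in this new ocp.nomatch.fail.sh differs from the pass fixture in two fields rather than one: besides `minTLSVersion` being `VersionTLS02`, `audit-log-maxsize` is `50` where the ocp.pass.sh fixture added later in this patch carries `100`. For a tls_version_check_apiserver fail case only the TLS field should vary, otherwise a future change to the rule could fail or pass this test for a reason unrelated to TLS. Nothing in the script says what makes it a fail case either; a comment above the heredoc such as `# minTLSVersion is deliberately set to a value the rule must not accept` would document the intent.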
@@ -1,33 +0,0 @@
-#!/bin/bash
-
-# remediation = none
-
-yum install -y jq
-
-kube_apipath="/kubernetes-api-resources"
-
-# Create infra file for CPE to pass
-
-mkdir -p "$kube_apipath/api/v1/namespaces/openshift-apiserver/configmaps"
-config_apipath="/api/v1/namespaces/openshift-apiserver/configmaps/config"
-cat < "$kube_apipath/api/v1/namespaces/openshift-apiserver/configmaps/config"
-
-{
- "apiVersion": "v1",
- "data": {
- "config.yaml": "{\"apiServerArguments\":{\"audit-log-format\":[\"json\"],\"audit-log-maxbackup\":[\"10\"],\"audit-log-maxsize\":[\"100\"],\"audit-log-path\":[\"/var/log/openshift-apiserver/audit.log\"],\"audit-policy-file\":[\"/var/run/configmaps/audit/policy.yaml\"],\"shutdown-delay-duration\":[\"10s\"]},\"apiVersion\":\"openshiftcontrolplane.config.openshift.io/v1\",\"imagePolicyConfig\":{\"externalRegistryHostnames\":[\"default-route-openshift-image-registry.apps-crc.testing\"],\"internalRegistryHostname\":\"image-registry.openshift-image-registry.svc:5000\"},\"kind\":\"OpenShiftAPIServerConfig\",\"projectConfig\":{\"projectRequestMessage\":\"\"},\"routingConfig\":{\"subdomain\":\"apps-crc.testing\"},\"servingInfo\":{\"bindNetwork\":\"tcp\",\"cipherSuites\":[\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\",\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"],\"minTLSVersion\":\"VersionTLS11\"},\"storageConfig\":{\"urls\":[\"https://192.168.126.11:2379\"]}}"
- },
- "kind": "ConfigMap",
- "metadata": {
- "creationTimestamp": "2021-10-14T03:46:50Z",
- "name": "config",
- "namespace": "openshift-apiserver",
- "resourceVersion": "19457",
- "uid": "3222a317-422d-4355-94cd-d64ffd757a7c"
- }
-}
-EOF
-
-
-# Get file path. This will actually be read by the scan
-filepath="$kube_apipath$config_apipath#$(echo -n "$config_apipath" | sha256sum | awk '{print $1}')"
diff --git a/applications/openshift/general/tls_version_check_apiserver/tests/tls_version.pass.sh b/applications/openshift/general/tls_version_check_apiserver/tests/tls_version.pass.sh
deleted file mode 100755
index fe1c40655a7..00000000000
--- a/applications/openshift/general/tls_version_check_apiserver/tests/tls_version.pass.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-
-# remediation = none
-
-yum install -y jq
-
-kube_apipath="/kubernetes-api-resources"
-
-# Create infra file for CPE to pass
-
-mkdir -p "$kube_apipath/api/v1/namespaces/openshift-apiserver/configmaps"
-config_apipath="/api/v1/namespaces/openshift-apiserver/configmaps/config"
-cat < "$kube_apipath/api/v1/namespaces/openshift-apiserver/configmaps/config"
-
-{
- "apiVersion": "v1",
- "data": {
- "config.yaml": "{\"apiServerArguments\":{\"audit-log-format\":[\"json\"],\"audit-log-maxbackup\":[\"10\"],\"audit-log-maxsize\":[\"100\"],\"audit-log-path\":[\"/var/log/openshift-apiserver/audit.log\"],\"audit-policy-file\":[\"/var/run/configmaps/audit/policy.yaml\"],\"shutdown-delay-duration\":[\"10s\"]},\"apiVersion\":\"openshiftcontrolplane.config.openshift.io/v1\",\"imagePolicyConfig\":{\"externalRegistryHostnames\":[\"default-route-openshift-image-registry.apps-crc.testing\"],\"internalRegistryHostname\":\"image-registry.openshift-image-registry.svc:5000\"},\"kind\":\"OpenShiftAPIServerConfig\",\"projectConfig\":{\"projectRequestMessage\":\"\"},\"routingConfig\":{\"subdomain\":\"apps-crc.testing\"},\"servingInfo\":{\"bindNetwork\":\"tcp\",\"cipherSuites\":[\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\",\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"],\"minTLSVersion\":\"VersionTLS12\"},\"storageConfig\":{\"urls\":[\"https://192.168.126.11:2379\"]}}"
- },
- "kind": "ConfigMap",
- "metadata": {
- "creationTimestamp": "2021-10-14T03:46:50Z",
- "name": "config",
- "namespace": "openshift-apiserver",
- "resourceVersion": "19457",
- "uid": "3222a317-422d-4355-94cd-d64ffd757a7c"
- }
-}
-EOF
-
-
-# Get file path. This will actually be read by the scan
-filepath="$kube_apipath$config_apipath#$(echo -n "$config_apipath" | sha256sum | awk '{print $1}')"
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
index a434a915979..0f7179550f9 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 
 title: 'Ensure That The kubelet Client Certificate Is Correctly Set'
 
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
-{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
+{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("{{.var_apiserver_kubelet_client_cert}}"))]' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("/etc/kubernetes/certs/kubelet/tls.crt"))]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 
 description: |-
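Review bot: `select(test("/etc/kubernetes/certs/kubelet/tls.crt"))` in the new hypershift_jqfilter, and `test("{{.var_apiserver_kubelet_client_cert}}")` in default_jqfilter, are unanchored regular-expression matches: each `.` matches any character and a longer argument that merely contains the path as a substring is also accepted. For the fixed HyperShift path an exact comparison is both clearer and cannot over-match, `select(. == "/etc/kubernetes/certs/kubelet/tls.crt")`; if the XCCDF variable is meant to stay a pattern, anchoring it as `test("^{{.var_apiserver_kubelet_client_cert}}$")` keeps the old whole-value semantics. The hard-coded path also means the variable has no effect on HyperShift, which deserves a `{{# ... #}}` comment next to hypershift_jqfilter. The same construction is in kubelet_configure_tls_key's hunk below.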
@@ -47,16 +49,13 @@ warnings:
 {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(8) }}}
 
 template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- entity_check: "all"
- filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
- yamlpath: '.apiServerArguments["kubelet-client-certificate"][:]'
- xccdf_variable: var_apiserver_kubelet_client_cert
- embedded_data: "true"
- values:
- - value: '(.+)'
- type: "string"
- operation: "pattern match"
-
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
+ yamlpath: "[:]"
+ check_existence: "at_least_one_exists"
+ entity_check: "all"
+ values:
+ - value: "(.*?)"
+ operation: "pattern match"
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
index 9f55d7f235b..b698e7c35ca 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
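Review bot: The new `value: "(.*?)"` matches the empty string, so the non-empty requirement the removed `'(.+)'` imposed is gone; with `yamlpath: "[:]"` iterating the filtered array, `- value: '(.+)'` keeps `at_least_one_exists` working while still rejecting an empty element. Whether an empty element can survive the jq `select(test(...))` depends on the variable's pattern, which I cannot see here, so this is a belt-and-braces point rather than a reproduced failure. The same template change is in kubelet_configure_tls_key's hunk below.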
@@ -4,10 +4,12 @@ prodtype: ocp4
 
 title: 'Ensure That The kubelet Server Key Is Correctly Set'
 
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
-{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
+{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-client-key"]) | .apiServerArguments["kubelet-client-key"][] | select(test("{{.var_apiserver_kubelet_client_key}}"))]' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-client-key"]) | .apiServerArguments["kubelet-client-key"][] | select(test("/etc/kubernetes/certs/kubelet/tls.key"))]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 
 description: |-
@@ -47,15 +49,13 @@ warnings:
 {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(8) }}}
 
 template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- entity_check: "all"
- filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
- yamlpath: '.apiServerArguments["kubelet-client-key"][:]'
- xccdf_variable: var_apiserver_kubelet_client_key
- embedded_data: "true"
- values:
- - value: '(.+)'
- type: "string"
- operation: "pattern match"
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
+ yamlpath: "[:]"
+ check_existence: "at_least_one_exists"
+ entity_check: "all"
+ values:
+ - value: "(.*?)"
+ operation: "pattern match"
diff --git a/applications/openshift/kubelet/kubelet_disable_readonly_port/rule.yml b/applications/openshift/kubelet/kubelet_disable_readonly_port/rule.yml
index c382f8b17d9..5924e97293c 100644
--- a/applications/openshift/kubelet/kubelet_disable_readonly_port/rule.yml
+++ b/applications/openshift/kubelet/kubelet_disable_readonly_port/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 
 title: 'kubelet - Disable the Read-Only Port'
 
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 
 description: |-
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxbackup/rule.yml b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxbackup/rule.yml
similarity index 83%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxbackup/rule.yml
rename to applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxbackup/rule.yml
index b3f7ae53e08..0ce56241a3f 100644
--- a/applications/openshift/api-server/ocp_api_server_audit_log_maxbackup/rule.yml
+++ b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxbackup/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 
 title: 'Configure the OpenShift API Server Maximum Retained Audit Logs'
 
-{{% set custom_jqfilter = '{{.var_openshift_apiserver_filter}}' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_apiserver_namespace}}/configmaps/{{.var_openshift_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/openshift-apiserver' %}}
+{{% set hypershift_jqfilter = '.data."config.yaml"' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 
 description: |-
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxbackup/tests/ocp4/e2e.yml b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxbackup/tests/ocp4/e2e.yml
similarity index 100%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxbackup/tests/ocp4/e2e.yml
rename to applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxbackup/tests/ocp4/e2e.yml
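Review bot: `hypershift_jqfilter = '.data."config.yaml"'` omits the `| fromjson` that default_jqfilter applies, and nothing in the rule says why. The new tests/hypershift.pass.sh in this patch shows the HyperShift ConfigMap holding config.yaml as a YAML document rather than a JSON string, which is presumably the reason, but a reader of the rule alone cannot tell a deliberate choice from a forgotten filter. A one-line Jinja comment above it, `{{# On HyperShift config.yaml is YAML, not JSON, so it is passed through without fromjson #}}`, would settle that. The same filter appears in ocp_api_server_audit_log_maxsize's hunk below.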
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxsize/rule.yml b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/rule.yml
similarity index 83%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxsize/rule.yml
rename to applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/rule.yml
index 0499a5829a2..a5224dc78e4 100644
--- a/applications/openshift/api-server/ocp_api_server_audit_log_maxsize/rule.yml
+++ b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 
 title: 'Configure OpenShift API Server Maximum Audit Log Size'
 
-{{% set custom_jqfilter = '{{.var_openshift_apiserver_filter}}' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_apiserver_namespace}}/configmaps/{{.var_openshift_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/openshift-apiserver' %}}
+{{% set hypershift_jqfilter = '.data."config.yaml"' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 
 description: |-
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.nomatch.fail.sh b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.nomatch.fail.sh
similarity index 100%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.nomatch.fail.sh
rename to applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.nomatch.fail.sh
diff --git a/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.pass.sh b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.pass.sh
new file mode 100644
index 00000000000..3d7c82620fe
--- /dev/null
+++ b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/hypershift.pass.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# remediation = none
+
+yum install -y jq
+
+kube_apipath="/kubernetes-api-resources"
+ocp_apipath="/api/v1/namespaces/openshift-apiserver/configmaps/config"
+
+mkdir -p "$kube_apipath/api/v1/namespaces/openshift-apiserver/configmaps/"
+
+jq_filter_default='.data."config.yaml" | fromjson'
+
+jq_filter='.data."config.yaml"'
+
+# Get filtered path. This will actually be read by the scan
+filteredpath="$kube_apipath$ocp_apipath#$(echo -n "$ocp_apipath$jq_filter_default" | sha256sum | awk '{print $1}')"
+
+cat << EOF > $kube_apipath$ocp_apipath
+{"kind":"ConfigMap","apiVersion":"v1","metadata":{"name":"openshift-apiserver","namespace":"clusters-wenshen-hypershift","uid":"5ec57109-8d0d-46a0-8c6e-b711afa03dec","resourceVersion":"158040","creationTimestamp":"2023-02-27T21:49:46Z","ownerReferences":[{"apiVersion":"hypershift.openshift.io/v1beta1","kind":"HostedControlPlane","name":"wenshen-hypershift","uid":"50a4550a-e450-4546-a7b4-254011fc5dfe","controller":true,"blockOwnerDeletion":true}],"managedFields":[{"manager":"hypershift-controlplane-manager","operation":"Update","apiVersion":"v1","time":"2023-02-27T21:49:46Z","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:config.yaml":{}},"f:metadata":{"f:ownerReferences":{".":{},"k:{\"uid\":\"50a4550a-e450-4546-a7b4-254011fc5dfe\"}":{}}}}}]},"data":{"config.yaml":"admission: {}\naggregatorConfig:\n allowedNames: null\n clientCA: \"\"\n extraHeaderPrefixes: null\n groupHeaders: null\n usernameHeaders: null\napiServerArguments:\n audit-log-format:\n - json\n audit-log-maxsize:\n - \"100\"\n audit-log-path:\n - /var/log/openshift-apiserver/audit.log\n audit-policy-file:\n - /etc/kubernetes/audit-config/policy.yaml\n shutdown-delay-duration:\n - 3s\napiVersion: openshiftcontrolplane.config.openshift.io/v1\nauditConfig:\n auditFilePath: \"\"\n enabled: false\n logFormat: \"\"\n maximumFileRetentionDays: 0\n maximumFileSizeMegabytes: 0\n maximumRetainedFiles: 0\n policyConfiguration: null\n policyFile: \"\"\n webHookKubeConfig: \"\"\n webHookMode: \"\"\ncloudProviderFile: \"\"\ncorsAllowedOrigins: null\nimagePolicyConfig:\n additionalTrustedCA: \"\"\n allowedRegistriesForImport: null\n externalRegistryHostnames: null\n internalRegistryHostname: image-registry.openshift-image-registry.svc:5000\n maxImagesBulkImportedPerRepository: 0\njenkinsPipelineConfig:\n autoProvisionEnabled: null\n parameters: null\n serviceName: \"\"\n templateName: \"\"\n templateNamespace: \"\"\nkind: OpenShiftAPIServerConfig\nkubeClientConfig:\n connectionOverrides:\n acceptContentTypes: \"\"\n burst: 0\n contentType: \"\"\n qps: 0\n kubeConfig: /etc/kubernetes/secrets/svc-kubeconfig/kubeconfig\nprojectConfig:\n defaultNodeSelector: \"\"\n projectRequestMessage: \"\"\n projectRequestTemplate: \"\"\nroutingConfig:\n subdomain: apps.wenshen-hypershift.devcluster.openshift.com\nserviceAccountOAuthGrantMethod: \"\"\nservingInfo:\n bindAddress: \"\"\n bindNetwork: \"\"\n certFile: /etc/kubernetes/certs/serving/tls.crt\n cipherSuites:\n - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\n - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n clientCA: /etc/kubernetes/certs/client-ca/ca.crt\n keyFile: /etc/kubernetes/certs/serving/tls.key\n maxRequestsInFlight: 0\n minTLSVersion: VersionTLS12\n requestTimeoutSeconds: 0\nstorageConfig:\n ca: /etc/kubernetes/certs/etcd-client-ca/ca.crt\n certFile: /etc/kubernetes/certs/etcd-client/etcd-client.crt\n keyFile: /etc/kubernetes/certs/etcd-client/etcd-client.key\n storagePrefix: \"\"\n urls:\n - https://etcd-client:2379\n"}}
+EOF
+
+jq -r "$jq_filter" "$kube_apipath$ocp_apipath" > "$filteredpath"
+
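Review bot: The ConfigMap fixture is a verbatim dump from a development cluster, including the `apps.wenshen-hypershift.devcluster.openshift.com` subdomain, owner-reference UIDs and the whole `managedFields` block, none of which the `.data."config.yaml"` filter reads; trimming it to `data` plus minimal `metadata`, as the ocp.pass.sh fixture in this patch does, keeps the test readable and avoids committing environment-specific hostnames. The `jq -r` on the last line, unlike the plain `jq` in the ocp fixtures, is what writes the selected string as raw YAML rather than a quoted JSON string, and since it is the only thing that makes this fixture work it deserves a comment: `# -r: the HyperShift filter selects a string; write it unquoted so the scan reads YAML`.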
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/ocp.nomatch.fail.sh b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/ocp.nomatch.fail.sh
similarity index 100%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/ocp.nomatch.fail.sh
rename to applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/ocp.nomatch.fail.sh
diff --git a/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/ocp.pass.sh b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/ocp.pass.sh
new file mode 100644
index 00000000000..f031ed1dbfa
--- /dev/null
+++ b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/ocp.pass.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# remediation = none
+
+yum install -y jq
+
+kube_apipath="/kubernetes-api-resources"
+ocp_apipath="/api/v1/namespaces/openshift-apiserver/configmaps/config"
+
+mkdir -p "$kube_apipath/api/v1/namespaces/openshift-apiserver/configmaps/"
+
+jq_filter_default='.data."config.yaml" | fromjson'
+
+jq_filter='.data."config.yaml" | fromjson'
+
+# Get filtered path. This will actually be read by the scan
+filteredpath="$kube_apipath$ocp_apipath#$(echo -n "$ocp_apipath$jq_filter_default" | sha256sum | awk '{print $1}')"
+
+cat << EOF > $kube_apipath$ocp_apipath
+{
+ "apiVersion": "v1",
+ "data": {
+ "config.yaml": "{\"apiServerArguments\":{\"audit-log-format\":[\"json\"],\"audit-log-maxbackup\":[\"10\"],\"audit-log-maxsize\":[\"100\"],\"audit-log-path\":[\"/var/log/openshift-apiserver/audit.log\"],\"audit-policy-file\":[\"/var/run/configmaps/audit/policy.yaml\"],\"shutdown-delay-duration\":[\"15s\"],\"shutdown-send-retry-after\":[\"true\"]},\"apiVersion\":\"openshiftcontrolplane.config.openshift.io/v1\",\"imagePolicyConfig\":{\"internalRegistryHostname\":\"image-registry.openshift-image-registry.svc:5000\"},\"kind\":\"OpenShiftAPIServerConfig\",\"projectConfig\":{\"projectRequestMessage\":\"\"},\"routingConfig\":{\"subdomain\":\"apps.ci-ln-xllhdgb-76ef8.origin-ci-int-aws.dev.rhcloud.com\"},\"servingInfo\":{\"bindNetwork\":\"tcp\",\"cipherSuites\":[\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\",\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"],\"minTLSVersion\":\"VersionTLS12\"},\"storageConfig\":{\"urls\":[\"https://10.0.137.27:2379\",\"https://10.0.158.132:2379\",\"https://10.0.204.8:2379\"]}}"
+ },
+ "kind": "ConfigMap",
+ "metadata": {
+ "creationTimestamp": "2023-02-28T05:44:46Z",
+ "name": "config",
+ "namespace": "openshift-apiserver",
+ "resourceVersion": "20949",
+ "uid": "50c1c8ce-5ae3-465d-b60c-47ef2208f665"
+ }
+}
+EOF
+
+jq "$jq_filter" "$kube_apipath$ocp_apipath" > "$filteredpath"
+
diff --git a/applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/ocp4/e2e.yml b/applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/ocp4/e2e.yml
similarity index 100%
rename from applications/openshift/api-server/ocp_api_server_audit_log_maxsize/tests/ocp4/e2e.yml
rename to applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/tests/ocp4/e2e.yml
diff --git a/applications/openshift/openshift-api-server/openshift_api_server_audit_log_path/rule.yml b/applications/openshift/openshift-api-server/openshift_api_server_audit_log_path/rule.yml
index c8a1a697ebb..4cc72d6ab7d 100644
--- a/applications/openshift/openshift-api-server/openshift_api_server_audit_log_path/rule.yml
+++ b/applications/openshift/openshift-api-server/openshift_api_server_audit_log_path/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 
 title: 'Configure the Audit Log Path'
 
-{{% set custom_jqfilter = '.data."{{.var_openshift_kube_apiserver_config_data_name}}" | fromjson' %}}
 {{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{else}}/api/v1/namespaces/{{.var_openshift_kube_apiserver_namespace}}/configmaps/{{.var_openshift_kube_apiserver_config}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/configmaps/kas-config' %}}
+{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 
 description: |-
diff --git a/applications/openshift/scheduler/scheduler_no_bind_address/rule.yml b/applications/openshift/scheduler/scheduler_no_bind_address/rule.yml
index 555a6cac8f4..8aca2cfd226 100644
--- a/applications/openshift/scheduler/scheduler_no_bind_address/rule.yml
+++ b/applications/openshift/scheduler/scheduler_no_bind_address/rule.yml
@@ -4,10 +4,12 @@ prodtype: ocp4
 
 title: Ensure that the bind-address parameter is not used
 
-{{% set custom_jqfilter = '{{.var_scheduler_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-scheduler{{else}}{{.var_scheduler_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-scheduler' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].args | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 
 description: |-
diff --git a/applications/openshift/scheduler/scheduler_port_is_zero/rule.yml b/applications/openshift/scheduler/scheduler_port_is_zero/rule.yml
index a7fa3467523..e0fec3591a1 100644
--- a/applications/openshift/scheduler/scheduler_port_is_zero/rule.yml
+++ b/applications/openshift/scheduler/scheduler_port_is_zero/rule.yml
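Review bot: The new `hypershift_jqfilter` reads `.items[0].spec.containers[0].args`, so only the first scheduler pod returned by the label selector is inspected and the scheduler is assumed to be the first container; with more than one replica a mis-configured second pod is never seen, and a sidecar ordered first would be checked instead of the scheduler. `[.items[].spec.containers[0].args | join(" ")]` covers every pod, and selecting the container by name rather than by index would remove the positional assumption (I cannot confirm the container name from this diff, so the exact `select` is for the author to fill in). The same filter is in scheduler_port_is_zero's hunk below.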
@@ -4,10 +4,12 @@ prodtype: ocp4
 
 title: Ensure that the port parameter is zero
 
-{{% set custom_jqfilter = '{{.var_scheduler_argument_filter}}' %}}
-{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
-{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-scheduler{{else}}{{.var_scheduler_filepath}}{{end}}' %}}
 {{% set default_api_path = '/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod' %}}
+{{% set default_jqfilter = '[.data."pod.yaml"]' %}}
+{{% set hypershift_path = '/api/v1/namespaces/clusters-{{.hypershift_cluster}}/pods?labelSelector=app%3Dkube-scheduler' %}}
+{{% set hypershift_jqfilter = '[.items[0].spec.containers[0].args | join(" ")]' %}}
+{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
+{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
 {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
 
 description: |-