From 59708f9aa18181822fc428c2ec9e3060dcea23a7 Mon Sep 17 00:00:00 2001 From: Vincent Shen Date: Mon, 29 Jan 2024 23:22:25 -0800 Subject: [PATCH 1/3] OCP4: Fix OCP version regex We have issues when the OCP version is something like 4.14.6, the old regex matches this version into both 4.6 and 4.14, this commit change the regex so it requires the match to start with '4'. --- shared/applicability/oval/installed_app_is_ocp4.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/applicability/oval/installed_app_is_ocp4.xml b/shared/applicability/oval/installed_app_is_ocp4.xml index b5cef4b2419..c98d7927c6b 100644 --- a/shared/applicability/oval/installed_app_is_ocp4.xml +++ b/shared/applicability/oval/installed_app_is_ocp4.xml @@ -138,7 +138,7 @@ - 4\.{{{ minorversion }}}.* + \b4\.{{{ minorversion }}}.* From b3c374d98470484d5863035d1b2aa05e19da283a Mon Sep 17 00:00:00 2001 From: Vincent Shen Date: Wed, 31 Jan 2024 21:24:26 -0800 Subject: [PATCH 2/3] Adding ocp4.14 ocp4.15 to applicable ocp rules Adding ocp4.14 ocp4.15 to applicable rules so they get run on those OCP versions --- .../rule.yml | 2 +- .../api-server/api_server_kubelet_client_cert/rule.yml | 2 +- .../openshift/api-server/api_server_kubelet_client_key/rule.yml | 2 +- .../openshift/kubelet/kubelet_configure_tls_cert/rule.yml | 2 +- .../openshift/kubelet/kubelet_configure_tls_key/rule.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml b/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml index 05006c1427f..19be7580b29 100644 --- a/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml +++ b/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml 
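Review bot: The new pattern closes the `4.14.6` → `4.6` collision by putting a word boundary before the leading `4`, but it still has no terminating boundary, so `\b4\.1.*` would match every 4.1x release and the same class of prefix collision reappears for any single-digit minor the product list carries. Terminating the minor number instead, `\b4\.{{{ minorversion }}}(\.|$)` (or a trailing `\b`), closes both directions and makes the `.*` unnecessary while still accepting suffixed builds such as `4.14.0-rc.1`. The surrounding OVAL element is not visible in this hunk, so this assumes the value is evaluated with an unanchored PCRE `pattern match`, as the commit message implies. A regression scenario that feeds `4.14.6` to both the 4.6 and the 4.14 applicability definitions would pin the behaviour this fix is meant to guarantee, since a wrong match here decides which compliance rules run at all.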
@@ -26,7 +26,7 @@ identifiers: cce@ocp4: CCE-86390-2 platforms: - - ocp4.11 or ocp4.12 or ocp4.13 + - ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 severity: medium diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml index 1d661e04bd7..c0e29775dca 100644 --- a/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml +++ b/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml @@ -34,7 +34,7 @@ identifiers: cce@ocp4: CCE-84080-1 platforms: - - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13) and not ocp4-on-hypershift-hosted + - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted severity: high diff --git a/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml index 7697ff49310..7a3e46f95cd 100644 --- a/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml +++ b/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml @@ -34,7 +34,7 @@ identifiers: cce@ocp4: CCE-83591-8 platforms: - - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13) and not ocp4-on-hypershift-hosted + - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted severity: high diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml index d3ce8ddd258..28053c9ccf3 100644 --- a/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml +++ b/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml 
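Review bot: The `platforms` expressions in the `api_server_kubelet_client_cert` and `api_server_kubelet_client_key` hunks still enumerate each minor release by hand, so on the first 4.17 cluster these high-severity TLS checks become not-applicable and are silently skipped rather than failing — the applicability gate fails open. If the platform grammar offers a minimum-version or range platform, a single shared expression maintained in one place would avoid repeating this edit across five rule files every release (the later reversal of `ocp4.16` for the v1beta2 rule in this same series shows how easily one file drifts out of step). At minimum, a short comment above the list would warn the next maintainer, e.g. `# extend for each new OCP minor: unlisted versions make this rule not applicable`. The `and not ocp4-on-hypershift-hosted` exclusion is correctly preserved in both hunks.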
@@ -27,7 +27,7 @@ identifiers: cce@ocp4: CCE-83396-2 platforms: - - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13) and not ocp4-on-hypershift-hosted + - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted references: cis@ocp4: 4.2.9 diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml index 1eb2c1009fc..69593fe6dd4 100644 --- a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml +++ b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml @@ -27,7 +27,7 @@ identifiers: cce@ocp4: CCE-90614-9 platforms: - - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13) and not ocp4-on-hypershift-hosted + - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted references: cis@ocp4: 4.2.9 From 26626d30f216e7ff2f6fccad2538035447d8eb29 Mon Sep 17 00:00:00 2001 
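Review bot: The two kubelet TLS rules gain ocp4.14–4.16 applicability here but no `tests/ocp4/4.14.yml` / `4.15.yml` expectations, whereas the v1beta2 flowschema rule in the last patch of this series adds exactly those files for the same version bump. If the e2e harness keys off those per-version files (inferred from the diffstat of patch 3, not from this hunk), the new versions will run untested for `kubelet_configure_tls_cert` and `kubelet_configure_tls_key`. Adding `default_result: PASS` scenarios for 4.14 and 4.15 (and 4.16 once a cluster is available) would keep coverage consistent across the series. The enclosing rule files continue outside the hunk.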
From: Vincent Shen Date: Mon, 19 Feb 2024 20:46:32 -0800 Subject: [PATCH 3/3] OCP4: add api_server_api_priority_v1_flowschema_catch_all OCP 4.16 has introduced flowcontrol.apiserver.k8s.io/v1, this commit adds the v1 for ocp 4.16 --- .../oval/shared.xml | 18 +++-- .../rule.yml | 2 +- .../rule.yml | 67 +++++++++++++++++++ .../tests/ocp4/4.16.yml | 3 + .../rule.yml | 2 +- .../tests/ocp4/4.14.yml | 3 + .../tests/ocp4/4.15.yml | 3 + products/ocp4/profiles/default.profile | 1 + shared/references/cce-redhat-avail.txt | 1 - 9 files changed, 90 insertions(+), 10 deletions(-) create mode 100644 applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/rule.yml create mode 100644 applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/tests/ocp4/4.16.yml create mode 100644 applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.14.yml create mode 100644 applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.15.yml diff --git a/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml b/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml index 8e05c3f6ff4..87917c29507 100644 --- a/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml +++ b/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml @@ -1,11 +1,15 @@ - - {{{ oval_metadata("One of the flowschema versions should exist, but it doesn't matter which") }}} - - - - - + {{{ + oval_metadata("One of the flowschema versions should exist, but it doesn't matter which") }}} + + + + diff --git a/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/rule.yml b/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/rule.yml index b04efb9486e..f990f73a6eb 100644 
--- a/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/rule.yml +++ b/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/rule.yml @@ -45,4 +45,4 @@ ocil: |- warnings: - general: |- - {{{ openshift_cluster_setting(["/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all"], true) | indent(8) }}} + {{{ openshift_cluster_setting(["/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all"], true) | indent(8) }}} diff --git a/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/rule.yml b/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/rule.yml new file mode 100644 index 00000000000..b78100414b6 --- /dev/null +++ b/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/rule.yml @@ -0,0 +1,67 @@ +documentation_complete: true + +title: 'Ensure catch-all FlowSchema object for API Priority and Fairness Exists' + +description: |- + Using APIPriorityAndFairness feature provides a fine-grained way + to control the behaviour of the Kubernetes API server in an overload + situation. The well-known FlowSchema catch-all should be available + to make sure that every request gets some kind of classification. By default, + the catch-all priority level only allows one concurrency share and + does not queue requests. To inspect all the FlowSchema objects, run: +
oc get flowschema
+ To inspect the well-known catch-all object, run the following: +
oc describe flowschema catch-all
+ +rationale: |- + The FlowSchema API objects enforce a limit on the + number of events that the API Server will accept in a given time slice + In a large multi-tenant cluster, there might be a small percentage of + misbehaving tenants which could have a significant impact on the + performance of the cluster overall. It is recommended to limit the rate + of events that the API Server will accept. + +identifiers: + cce@ocp4: CCE-86097-3 + +platforms: + - ocp4.16 + +severity: medium + +references: + cis@ocp4: 1.2.10 + nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 + nist: CM-6,CM-6(1) + pcidss: Req-2.2 + srg: SRG-APP-000516-CTR-001325 + +ocil_clause: 'A FlowSchema object catch-all exists' + +ocil: |- + Run the following commands: +
oc get flowschema
+ and inspect the FlowSchema objects. Make sure that at least the catch-all + object exists by calling: +
oc describe flowschema catch-all
+ +warnings: +- general: |- + {{{ openshift_cluster_setting("/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all", true) | indent(4) }}} +- dependency: |- + Note that this is only applicable in OpenShift Container Platform version 4.16 + and higher + +template: + name: yamlfile_value + vars: + ocp_data: "true" + filepath: "/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all" + yamlpath: '.spec.rules[0].subjects[:].group["name"]' + check_existence: "at_least_one_exists" + entity_check: "at least one" + values: + - value: "system:authenticated" + operation: "pattern match" + check_existence: "at_least_one_exists" + entity_check: "at least one" diff --git a/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/tests/ocp4/4.16.yml b/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/tests/ocp4/4.16.yml new file mode 100644 index 00000000000..a700773455b --- /dev/null +++ b/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/tests/ocp4/4.16.yml @@ -0,0 +1,3 @@ +--- +default_result: PASS + diff --git a/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml b/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml index 19be7580b29..152ffc65e31 100644 --- a/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml +++ b/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml @@ -26,7 +26,7 @@ identifiers: cce@ocp4: CCE-86390-2 platforms: - - ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 + - ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 severity: medium 
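Review bot: In the new `api_server_api_priority_v1_flowschema_catch_all/rule.yml`, `ocil_clause: 'A FlowSchema object catch-all exists'` is inverted: the clause is the failing condition, rendered as "Is it the case that …?", so as written a correctly configured cluster reads as a finding; it should be `ocil_clause: 'the catch-all FlowSchema object does not exist'`. The `dependency` warning says the rule applies to "4.16 and higher" while `platforms: - ocp4.16` limits it to exactly 4.16, so on 4.17 the rule silently becomes not applicable — either the platform list must grow with each release or the warning should say so. The template block repeats `check_existence` and `entity_check` both at the vars level and under the value entry; if the `yamlfile_value` template honours the vars-level keys (not visible here), one copy is enough. The check only asserts that `system:authenticated` appears under `rules[0].subjects`; if the rationale's "every request gets some kind of classification" is the bar, the `system:unauthenticated` group that the stock catch-all carries is worth asserting as well.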
diff --git a/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.14.yml b/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.14.yml new file mode 100644 index 00000000000..a700773455b --- /dev/null +++ b/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.14.yml @@ -0,0 +1,3 @@ +--- +default_result: PASS + diff --git a/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.15.yml b/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.15.yml new file mode 100644 index 00000000000..a700773455b --- /dev/null +++ b/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.15.yml @@ -0,0 +1,3 @@ +--- +default_result: PASS + diff --git a/products/ocp4/profiles/default.profile b/products/ocp4/profiles/default.profile index 71e340a6468..aa4a79e4196 100644 --- a/products/ocp4/profiles/default.profile +++ b/products/ocp4/profiles/default.profile @@ -43,6 +43,7 @@ selections: - kubelet_eviction_thresholds_set_soft_imagefs_inodesfree - file_groupowner_kubeconfig - api_server_api_priority_v1alpha1_flowschema_catch_all + - api_server_api_priority_v1_flowschema_catch_all - file_groupowner_openvswitch - gcp_disk_encryption_enabled - kubelet_configure_tls_cipher_suites_ingresscontroller diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 08e6a876d39..a3c56b660ea 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -6,7 +6,6 @@ CCE-86082-5 CCE-86083-3 CCE-86087-4 CCE-86088-2 -CCE-86097-3 CCE-86101-3 CCE-86105-4 CCE-86106-2