content
content copied to clipboard
ComplianceAsCode
Retire old TLS Cipher Checks and homogenize the active ones
Description:
Removing kubelet_configure_tls_cipher_suites_openshiftapiserver_operator and kubelet_configure_tls_cipher_suites_kubeapiserver_operator and renaming kubelet_configure_tls_cipher_suites_ingresscontroller to create a more concise structure
this is part of a larger effort to make all TLS Cipher Suites and their remediations configurable with variables (see https://issues.redhat.com/browse/RFE-6859 )
Rationale:
The current state of the TLS Cipher Checks is a little bit heterogenous. There are currently 6 of them:
- api_server_tls_cipher_suites
- kubelet_tls_cipher_suites
- kubelet_configure_tls_cipher_suites_ingresscontroller
- etcd_check_cipher_suite
- kubelet_configure_tls_cipher_suites_openshiftapiserver_operator
- kubelet_configure_tls_cipher_suites_kubeapiserver_operator
while 1-4 are used in multiple profiles, kubelet_configure_tls_cipher_suites_openshiftapiserver_operator and kubelet_configure_tls_cipher_suites_kubeapiserver_operator are only used in the default profile. they also do not really have anything to do with kubelet and also have remediations which are unsupported or defect. There are nowadays better ways to configure TLS profiles and these are used by the newer rules.
Furthermore the kubelet_configure_tls_cipher_suites_ingresscontroller doesnt have anything to do with the kubelet. There are more rules regarding the ingresscontroller under networking. I believe this to be an artifact, since you can see, that the new api_server_tls_cipher_suites is under apiserver. Moving kubelet_configure_tls_cipher_suites_ingresscontroller to networking bundles the ingresscontroller tls rules together and makes it easier to get a grasp of what is existing.
These changes should prevent people creating new profiles to use the wrong/outdated rules and also more easily find relevant rules.
Review Hints:
I checked for occurences of the rules by grepping the repository
grep -iR kubelet_configure_tls_cipher_suites_openshiftapiserver_operator ./
./products/ocp4/profiles/default.profile: - kubelet_configure_tls_cipher_suites_openshiftapiserver_operator
grep -iR kubelet_configure_tls_cipher_suites_kubeapiserver_operator ./
./products/ocp4/profiles/default.profile: - kubelet_configure_tls_cipher_suites_kubeapiserver_operator
grep -iR kubelet_configure_tls_cipher_suites_ingresscontroller ./
controls/cis_ocp_1_4_0/section-4.yml: - kubelet_configure_tls_cipher_suites_ingresscontroller
I replaced the occurence in controls/cis_ocp_1_4_0/section-4.yml
with the new name.
IMHO this rule does not match the requirement, as the ingresscontroller has nothing to do with the kubelet. I would recommend to remove it, as the requirement is addressed by the kubelet rule.
Furthermore I wonder, why this rule is not used in more places.
one could also go one step further and unify the naming of the cipher rules, but I think this is creating no value.
Hi @sluetze. Thanks for your PR.
I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
![openshift-ci[bot] avatar](https://avatars.githubusercontent.com/in/91280?v=4 "Published by a pub.dev verified publisher"){kind=small}
Start a new ephemeral environment with changes proposed in this pull request:
Fedora Environment
Oracle Linux 8 Environment
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
/lgtm
Premerge verification steps:
Objective: Ensure the old rules (kubelet-configure-tls-cipher-suites-openshiftapiserver-operator and kubelet-configure-tls-cipher-suites-kubeapiserver-operator) are removed and the rule kubelet-configure-tls-cipher-suites-ingresscontroller has been renamed to ingress-controller-tls-cipher-suites. Run compliance scan and see the remediation works.
- Old rules are removed:
$ oc get rule upstream-ocp4-kubelet-configure-tls-cipher-suites-openshiftapiserver-operator
Error from server (NotFound): rules.compliance.openshift.io "upstream-ocp4-kubelet-configure-tls-cipher-suites-openshiftapiserver-operator" not found
$ oc get rule upstream-ocp4-kubelet-configure-tls-cipher-suites-kubeapiserver-operator
Error from server (NotFound): rules.compliance.openshift.io "upstream-ocp4-kubelet-configure-tls-cipher-suites-kubeapiserver-operator" not found
$ oc get rule upstream-ocp4-kubelet-configure-tls-cipher-suites-ingresscontroller
Error from server (NotFound): rules.compliance.openshift.io "upstream-ocp4-kubelet-configure-tls-cipher-suites-ingresscontroller" not found
- Rule
ingress-controller-tls-cipher-suitesexists
$ oc get rule upstream-ocp4-ingress-controller-tls-cipher-suites
NAME AGE
upstream-ocp4-ingress-controller-tls-cipher-suites 30m
Run compliance scan and verify remediation gets applied:
$ oc compliance bind -N autotest -S default-auto-apply profile/upstream-ocp4-cis
Creating ScanSettingBinding autotest
$ oc get ccr |grep upstream-ocp4-cis-ingress-controller-tls-cipher-suites
upstream-ocp4-cis-ingress-controller-tls-cipher-suites FAIL medium
$ oc get cr |grep upstream-ocp4-cis-ingress-controller-tls-cipher-suites
NAME STATE
upstream-ocp4-cis-ingress-controller-tls-cipher-suites Applied
$ oc compliance rerun-now scansettingbindings autotest
Rerunning scans from 'autotest': upstream-ocp4-cis
Re-running scan 'openshift-compliance/upstream-ocp4-cis'
$ oc get ccr |grep upstream-ocp4-cis-ingress-controller-tls-cipher-suites
upstream-ocp4-cis-ingress-controller-tls-cipher-suites PASS medium
@sluetze Please resolve the conflicts and rebase on the latest upstream master branch.
Code Climate has analyzed commit 30ce4eda and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 61.9% (0.0% change).
View more on Code Climate.
![qlty-cloud-legacy[bot] avatar](https://avatars.githubusercontent.com/in/9403?v=4 "Published by a pub.dev verified publisher"){kind=small}
@yuumasato can we get this merged? I will happily rebase and resolve conflicts again, but having done this a couple of times now, I want a "will get merged shortly" commitment beforehand.
/lgtm
The operator is correctly using the replacement rule (ingress-controller-tls-cipher-suites). Steps taken:
- OCP 4.18 on AWS.
- Install CO 1.7.1.
- Create a profile bundle, upload it to Quay, and modify the profile bundle's custom image to point to this content image instead of the default one.
- Run the scan.
- Check the rule.
- Check the remediation.
- Apply the remediation.
- Verify remediation works.
