OCPBUGS-42262: Update command to check the etcd encryption provider being used
Code Climate has analyzed commit 11e16a0d and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 61.9%.
For a standard OCP cluster, it works:

```
% oc get rule upstream-ocp4-api-server-encryption-provider-cipher -o=jsonpath={.instructions}
OpenShift supports encryption of data at rest of etcd datastore, but it is
up to the customer to configure. The asecbc and aesgcm ciphers are
available for use within OpenShift. Keys are stored on the filesystem of
the master and automatically rotated. Run the following command to review
the Encrypted status condition for the OpenShift API server to verify that its
resources were successfully encrypted:
# encrypt the etcd datastore
$ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.status}{"\n"}{.reason}{"\n"}{.message}{"\n"}{end}'
The output shows EncryptionCompleted upon successful encryption.
If the output shows EncryptionInProgress this means that encryption is still in
progress. Wait a few minutes and try again.
To display the encryption configured, run the following command:
$ oc get --raw /apis/config.openshift.io/v1/apiservers/cluster | jq '[.spec.encryption.type]'
If the output does not list aescbc or aesgcm, the encryption is not configured correctly.
Is it the case that <tt>aescbc</tt> or <tt>aesgcm</tt> is not configured as the encryption provider?%
% oc get --raw /apis/config.openshift.io/v1/apiservers/cluster | jq '[.spec.encryption.type]'
[
  "aescbc"
]
```
It seems to be working for a HyperShift cluster as well:

```
$ oc get rule upstream-ocp4-api-server-encryption-provider-cipher -o=jsonpath={.instructions}
OpenShift supports encryption of data at rest of etcd datastore, but it is
up to the customer to configure. The asecbc and aesgcm ciphers are
available for use within OpenShift. Keys are stored on the filesystem of
the master and automatically rotated. Run the following command to review
the Encrypted status condition for the OpenShift API server to verify that its
resources were successfully encrypted:
# encrypt the etcd datastore
$ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.status}{"\n"}{.reason}{"\n"}{.message}{"\n"}{end}'
The output shows EncryptionCompleted upon successful encryption.
If the output shows EncryptionInProgress this means that encryption is still in
progress. Wait a few minutes and try again.
To display the encryption configured, run the following command:
$ oc get --raw /apis/config.openshift.io/v1/apiservers/cluster | jq '[.spec.encryption.type]'
If the output does not list aescbc or aesgcm, the encryption is not configured correctly.
Is it the case that <tt>aescbc</tt> or <tt>aesgcm</tt> is not configured as the encryption provider?
$ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.status}{"\n"}{.reason}{"\n"}{.message}{"\n"}{end}'
True
EncryptionCompleted
All resources encrypted: routes.route.openshift.io
$ oc get --raw /apis/config.openshift.io/v1/apiservers/cluster | jq '[.spec.encryption.type]'
[
  "aesgcm"
]
```
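As an added illustration (not the rule's own check and not code from this PR), here is a Python script that applies the two tests from the rule instructions above, the encryption provider in the APIServer object and the Encrypted status condition of the OpenShift API server, to the JSON that `oc` returns, and reports the same pass/fail outcome the OCIL question asks about. The sample objects are constructed to mirror the HyperShift output shown above; `ACCEPTED_PROVIDERS` and the `fetch` helper are assumptions of this example, not part of the rule.

```python
import json
import subprocess

# Providers the rule instructions accept; "identity" or an unset type means no encryption
ACCEPTED_PROVIDERS = {"aescbc", "aesgcm"}

def check_encryption_provider(apiserver: dict) -> tuple[bool, str]:
    """Same test as `jq '[.spec.encryption.type]'` in the rule instructions."""
    enc_type = apiserver.get("spec", {}).get("encryption", {}).get("type")
    if enc_type in ACCEPTED_PROVIDERS:
        return True, f"encryption provider is {enc_type}"
    if enc_type in (None, "", "identity"):
        return False, "etcd encryption is not configured (provider unset or identity)"
    return False, f"unexpected encryption provider {enc_type!r}"

def check_encrypted_condition(osas_list: dict) -> tuple[bool, str]:
    """Same test as the jsonpath query on the Encrypted status condition."""
    items = osas_list.get("items", [])
    if not items:
        return False, "no openshiftapiserver object found"
    for cond in items[0].get("status", {}).get("conditions", []):
        if cond.get("type") != "Encrypted":
            continue
        status, reason = cond.get("status"), cond.get("reason")
        message = cond.get("message", "")
        if status == "True" and reason == "EncryptionCompleted":
            return True, message
        if reason == "EncryptionInProgress":
            return False, "encryption still in progress; wait a few minutes and re-check"
        return False, f"Encrypted condition is {status} ({reason}): {message}"
    return False, "no Encrypted condition reported"

def evaluate(apiserver: dict, osas_list: dict) -> bool:
    return check_encryption_provider(apiserver)[0] and check_encrypted_condition(osas_list)[0]

# Constructed sample objects mirroring the HyperShift output shown above
SAMPLE_APISERVER = {"kind": "APIServer", "spec": {"encryption": {"type": "aesgcm"}}}
SAMPLE_OSAS = {"items": [{"status": {"conditions": [{
    "type": "Encrypted", "status": "True", "reason": "EncryptionCompleted",
    "message": "All resources encrypted: routes.route.openshift.io"}]}}]}

def fetch(*args: str) -> dict:
    """Run oc and parse its JSON output (needs a logged-in oc; not used offline)."""
    return json.loads(subprocess.check_output(["oc", *args], text=True))

if __name__ == "__main__":
    live = (fetch("get", "--raw", "/apis/config.openshift.io/v1/apiservers/cluster"),
            fetch("get", "openshiftapiserver", "-o", "json"))
    print("PASS" if evaluate(*live) else "FAIL")
```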
@xiaojiey: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-openshift-platform-compliance | c90a082024056bcaaa6a6a0437d11c874f214b84 | link | true | /test e2e-aws-openshift-platform-compliance |
| ci/prow/e2e-aws-openshift-node-compliance | c90a082024056bcaaa6a6a0437d11c874f214b84 | link | true | /test e2e-aws-openshift-node-compliance |
Changes are relevant to OCIL text; no changes to rule behavior.