
OCP4: deprecating two api_server rules

Open Vincent056 opened this issue 1 year ago • 10 comments

This PR removes api_server_insecure_port and api_server_api_priority_gate_enabled from any of the OCP profiles because we no longer support those applicable OCP versions.

Vincent056 avatar Mar 26 '24 18:03 Vincent056

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

github-actions[bot] avatar Mar 26 '24 18:03 github-actions[bot]

:robot: A k8s content image for this PR is available at: ghcr.io/complianceascode/k8scontent:11758 This image was built from commit: f4bcb76deb68ec3ca06a072e1530e0d441243b79

Click here to see how to deploy it

If you already have Compliance Operator deployed: utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11758

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11758 make deploy-local

github-actions[bot] avatar Mar 26 '24 18:03 github-actions[bot]

/test

rhmdnd avatar Mar 26 '24 19:03 rhmdnd

@rhmdnd: The /test command needs one or more targets. The following commands are available to trigger required jobs:

  • /test 4.13-e2e-aws-ocp4-cis
  • /test 4.13-e2e-aws-ocp4-cis-node
  • /test 4.13-e2e-aws-ocp4-e8
  • /test 4.13-e2e-aws-ocp4-high
  • /test 4.13-e2e-aws-ocp4-high-node
  • /test 4.13-e2e-aws-ocp4-moderate
  • /test 4.13-e2e-aws-ocp4-moderate-node
  • /test 4.13-e2e-aws-ocp4-pci-dss
  • /test 4.13-e2e-aws-ocp4-pci-dss-node
  • /test 4.13-e2e-aws-ocp4-stig
  • /test 4.13-e2e-aws-ocp4-stig-node
  • /test 4.13-e2e-aws-rhcos4-e8
  • /test 4.13-e2e-aws-rhcos4-high
  • /test 4.13-e2e-aws-rhcos4-moderate
  • /test 4.13-e2e-aws-rhcos4-stig
  • /test 4.13-images
  • /test 4.14-images
  • /test 4.15-e2e-aws-ocp4-cis
  • /test 4.15-e2e-aws-ocp4-cis-node
  • /test 4.15-e2e-aws-ocp4-e8
  • /test 4.15-e2e-aws-ocp4-high
  • /test 4.15-e2e-aws-ocp4-high-node
  • /test 4.15-e2e-aws-ocp4-moderate
  • /test 4.15-e2e-aws-ocp4-moderate-node
  • /test 4.15-e2e-aws-ocp4-pci-dss
  • /test 4.15-e2e-aws-ocp4-pci-dss-node
  • /test 4.15-e2e-aws-ocp4-stig
  • /test 4.15-e2e-aws-ocp4-stig-node
  • /test 4.15-e2e-aws-rhcos4-e8
  • /test 4.15-e2e-aws-rhcos4-high
  • /test 4.15-e2e-aws-rhcos4-moderate
  • /test 4.15-e2e-aws-rhcos4-stig
  • /test 4.15-images
  • /test 4.16-e2e-aws-ocp4-cis
  • /test 4.16-e2e-aws-ocp4-cis-node
  • /test 4.16-e2e-aws-ocp4-e8
  • /test 4.16-e2e-aws-ocp4-high
  • /test 4.16-e2e-aws-ocp4-high-node
  • /test 4.16-e2e-aws-ocp4-moderate
  • /test 4.16-e2e-aws-ocp4-moderate-node
  • /test 4.16-e2e-aws-ocp4-pci-dss
  • /test 4.16-e2e-aws-ocp4-pci-dss-node
  • /test 4.16-e2e-aws-ocp4-stig
  • /test 4.16-e2e-aws-ocp4-stig-node
  • /test 4.16-e2e-aws-rhcos4-e8
  • /test 4.16-e2e-aws-rhcos4-high
  • /test 4.16-e2e-aws-rhcos4-moderate
  • /test 4.16-e2e-aws-rhcos4-stig
  • /test 4.16-images
  • /test e2e-aws-ocp4-cis
  • /test e2e-aws-ocp4-cis-node
  • /test e2e-aws-ocp4-e8
  • /test e2e-aws-ocp4-high
  • /test e2e-aws-ocp4-high-node
  • /test e2e-aws-ocp4-moderate
  • /test e2e-aws-ocp4-moderate-node
  • /test e2e-aws-ocp4-pci-dss
  • /test e2e-aws-ocp4-pci-dss-node
  • /test e2e-aws-ocp4-stig
  • /test e2e-aws-ocp4-stig-node
  • /test e2e-aws-rhcos4-e8
  • /test e2e-aws-rhcos4-high
  • /test e2e-aws-rhcos4-moderate
  • /test e2e-aws-rhcos4-stig
  • /test images

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-ComplianceAsCode-content-master-4.13-images
  • pull-ci-ComplianceAsCode-content-master-4.14-images
  • pull-ci-ComplianceAsCode-content-master-4.15-images
  • pull-ci-ComplianceAsCode-content-master-4.16-images
  • pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar Mar 26 '24 19:03 openshift-ci[bot]

Thanks for confirming @yuumasato. @Vincent056 - apologies for preemptively suggesting we revert the STIG rule association.

This should be all we need, in addition to what's already proposed:

diff --git a/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml b/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml
index 7b5d85ddd8..916f315783 100644
--- a/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml
+++ b/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml
@@ -17,7 +17,6 @@ controls:
   - api_server_admission_control_plugin_service_account
   - api_server_anonymous_auth
   - api_server_api_priority_flowschema_catch_all
-  - api_server_api_priority_gate_enabled
   - api_server_audit_log_maxbackup
   - api_server_audit_log_maxsize
   - api_server_audit_log_path
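Review bot: removing api_server_api_priority_gate_enabled from this control's selection list only drops its SRG-APP-000516-CTR-001325 mapping; the grep output further down this thread still lists the rule in controls/cis_ocp_1_4_0/section-1.yml, controls/nist_ocp4.yml (twice) and products/ocp4/profiles/stig-v1r1.profile, so the rule stays selected by those profiles until those entries are removed as well, and the stale control.compliance.openshift.io/PCI-DSS annotation reported later on the built Rule object will persist until every remaining selection is gone.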
@@ -30,7 +29,6 @@ controls:
   - api_server_etcd_key
   - api_server_https_for_kubelet_conn
   - api_server_insecure_bind_address
-  - api_server_insecure_port
   - api_server_kubelet_certificate_authority
   - api_server_kubelet_client_cert
   - api_server_kubelet_client_cert_pre_4_9
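Review bot: the same caveat applies to api_server_insecure_port: the later grep shows it is also selected in controls/cis_ocp_1_4_0/section-1.yml, controls/nist_ocp4.yml (twice), controls/pcidss_4_ocp4.yml, controls/pcidss_ocp4.yml and directly in products/ocp4/profiles/stig-v1r1.profile, so this hunk alone does not take the rule out of the CIS, NIST, PCI-DSS or STIG v1r1 profiles; the direct selection in stig-v1r1.profile in particular explains why compliance.openshift.io/profiles keeps listing both STIG profiles in the test output below.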

rhmdnd avatar Apr 22 '24 16:04 rhmdnd

/hold for test

xiaojiey avatar Apr 26 '24 11:04 xiaojiey

@Vincent056 Seems the annotations also need to be updated.

## 1. rule upstream-ocp4-api-server-api-priority-gate-enabled
% oc get rule upstream-ocp4-api-server-api-priority-gate-enabled -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4582qs",
  "compliance.openshift.io/profiles": "upstream-ocp4-stig,upstream-ocp4-stig-v1r1",
  "compliance.openshift.io/rule": "api-server-api-priority-gate-enabled",
  "control.compliance.openshift.io/CIS-OCP": "1.2.9",
  "control.compliance.openshift.io/NERC-CIP": "CIP-003-8 R6;CIP-004-6 R3;CIP-007-3 R6.1",
  "control.compliance.openshift.io/NIST-800-53": "CM-6;CM-6(1)",
  "control.compliance.openshift.io/PCI-DSS": "Req-2.2",
  "policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,1.2.9",
  "policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,CIS-OCP"
}
% oc get profile ocp4-cis -o yaml | grep api-server-api-priority-gate-enabled
- ocp4-api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-cis -o yaml | grep api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-stig -o yaml | grep api-server-api-priority-gate-enabled
- upstream-ocp4-api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-pci-dss -o yaml | grep api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-nerc-cip -o yaml | grep api-server-api-priority-gate-enabled
## 2. rule upstream-ocp4-api-server-insecure-port
% oc get rule upstream-ocp4-api-server-insecure-port -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4582qs",
  "compliance.openshift.io/profiles": "upstream-ocp4-stig,upstream-ocp4-stig-v1r1",
  "compliance.openshift.io/rule": "api-server-insecure-port",
  "control.compliance.openshift.io/CIS-OCP": "1.2.17",
  "control.compliance.openshift.io/NERC-CIP": "CIP-003-8 R6;CIP-004-6 R3;CIP-007-3 R6.1",
  "control.compliance.openshift.io/NIST-800-53": "CM-6;CM-6(1)",
  "control.compliance.openshift.io/PCI-DSS": "Req-2.2;Req-2.3",
  "policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,Req-2.3,1.2.17",
  "policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,CIS-OCP"
}
% oc get profile ocp4-cis -o yaml | grep api-server-insecure-port                      
- ocp4-api-server-insecure-port
% oc get profile upstream-ocp4-cis -o yaml | grep api-server-insecure-port
% oc get profile upstream-ocp4-stig -o yaml | grep api-server-insecure-port
- upstream-ocp4-api-server-insecure-port
% oc get profile upstream-ocp4-nerc-cip -o yaml | grep pi-server-insecure-port             
% oc get profile upstream-ocp4-pci-dss -o yaml | grep api-server-insecure-port   

xiaojiey avatar May 09 '24 13:05 xiaojiey

@Vincent056 Per the test result, the control.compliance.openshift.io/PCI-DSS and policies.open-cluster-management.io/standards for rule upstream-ocp4-api-server-api-priority-gate-enabled should also be removed. Besides, could you please also update status in OCPBUGS-34982? Thanks.

% oc get rule upstream-ocp4-api-server-insecure-port -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4957mp",
  "compliance.openshift.io/profiles": "upstream-ocp4-stig-v1r1,upstream-ocp4-stig",
  "compliance.openshift.io/rule": "api-server-insecure-port"
}
xiyuan@xiyuan-mac extended % oc get rule upstream-ocp4-api-server-api-priority-gate-enabled -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4957mp",
  "compliance.openshift.io/profiles": "upstream-ocp4-stig,upstream-ocp4-stig-v1r1",
  "compliance.openshift.io/rule": "api-server-api-priority-gate-enabled",
  "control.compliance.openshift.io/PCI-DSS": "Req-2.2",
  "policies.open-cluster-management.io/controls": "Req-2.2",
  "policies.open-cluster-management.io/standards": "PCI-DSS"
}

% oc get profile upstream-ocp4-cis  -o yaml | grep api-server-insecure-port
% oc get profile upstream-ocp4-cis  -o yaml | grep api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-pci-dss -o yaml | grep api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-pci-dss -o yaml | grep api-server-insecure-port            
% oc get profile upstream-ocp4-cis-1-4 -o yaml | grep api-server-insecure-port
% oc get profile upstream-ocp4-cis-1-4 -o yaml | grep api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-stig -o yaml | grep api-server-api-priority-gate-enabled
- upstream-ocp4-api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-stig -o yaml | grep api-server-insecure-port            
- upstream-ocp4-api-server-insecure-port

xiaojiey avatar Jun 11 '24 03:06 xiaojiey

@Vincent056 I think you need to rebase this PR. More profiles select these rules on latest master.

$ grep -r api_server_insecure_port api_server_api_priority_gate_enabled  controls/ products/ocp4/ products/rhcos4/
grep: api_server_api_priority_gate_enabled: No such file or directory
controls/srg_ctr/SRG-APP-000516-CTR-001325.yml:  - api_server_insecure_port
controls/cis_ocp_1_4_0/section-1.yml:        - api_server_insecure_port
controls/nist_ocp4.yml:  - api_server_insecure_port
controls/nist_ocp4.yml:  - api_server_insecure_port
controls/pcidss_4_ocp4.yml:        - api_server_insecure_port
controls/pcidss_ocp4.yml:    - api_server_insecure_port
products/ocp4/profiles/stig-v1r1.profile:    - api_server_insecure_port
grep -r  api_server_api_priority_gate_enabled  controls/ products/ocp4/ products/rhcos4/
controls/srg_ctr/SRG-APP-000516-CTR-001325.yml:  - api_server_api_priority_gate_enabled
controls/cis_ocp_1_4_0/section-1.yml:        - api_server_api_priority_gate_enabled
controls/nist_ocp4.yml:  - api_server_api_priority_gate_enabled
controls/nist_ocp4.yml:  - api_server_api_priority_gate_enabled
products/ocp4/profiles/stig-v1r1.profile:    - api_server_api_priority_gate_enabled

yuumasato avatar Jun 11 '24 16:06 yuumasato

ping

jan-cerny avatar Aug 02 '24 05:08 jan-cerny

@Vincent056 Should the PCI-DSS control info get removed from the annotations? I didn't find the rule api-server-api-priority-gate-enabled in pci-dss profile.

% oc get rule upstream-ocp4-api-server-api-priority-gate-enabled -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4xqxc2",
  "compliance.openshift.io/profiles": "upstream-ocp4-stig-v1r1,upstream-ocp4-stig",
  "compliance.openshift.io/rule": "api-server-api-priority-gate-enabled",
  "control.compliance.openshift.io/PCI-DSS": "Req-2.2",
  "control.compliance.openshift.io/STIG": "SRG-APP-000516-CTR-001325",
  "policies.open-cluster-management.io/controls": "Req-2.2,SRG-APP-000516-CTR-001325",
  "policies.open-cluster-management.io/standards": "PCI-DSS,STIG"
}
% oc get rule upstream-ocp4-api-server-insecure-port -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4xqxc2",
  "compliance.openshift.io/profiles": "upstream-ocp4-stig,upstream-ocp4-stig-v1r1",
  "compliance.openshift.io/rule": "api-server-insecure-port",
  "control.compliance.openshift.io/STIG": "SRG-APP-000516-CTR-001325",
  "policies.open-cluster-management.io/controls": "SRG-APP-000516-CTR-001325",
  "policies.open-cluster-management.io/standards": "STIG"
}
% oc get profile upstream-ocp4-stig -o yaml | grep api-server-api-priority-gate-enabled
- upstream-ocp4-api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-stig -o yaml | grep api-server-insecure-port 
- upstream-ocp4-api-server-insecure-port
% oc get profile upstream-ocp4-pci-dss -o yaml | grep api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-pci-dss -o yaml | grep api-server-insecure-port            
% oc get profile upstream-ocp4-cis-1-4 -o yaml | grep api-server-insecure-port
% oc get profile upstream-ocp4-cis-1-4 -o yaml | grep api-server-api-priority-gate-enabled
%

xiaojiey avatar Aug 12 '24 12:08 xiaojiey
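One way to catch the stale annotation this comment reports without repeating the manual oc/grep round trip, as an added example that is not part of the PR or of the ComplianceAsCode/compliance-operator code: it reads a rule's annotation JSON (the constructed sample is the block quoted above for upstream-ocp4-api-server-api-priority-gate-enabled) and flags standards tags and control.* keys that none of the profiles still selecting the rule can account for. The standards-to-profile-name mapping is an assumption made for this example.

```python
import json

# Constructed sample: the annotation block quoted in the thread above for
# upstream-ocp4-api-server-api-priority-gate-enabled (image-digest omitted).
SAMPLE = json.loads("""{
  "compliance.openshift.io/profiles": "upstream-ocp4-stig-v1r1,upstream-ocp4-stig",
  "compliance.openshift.io/rule": "api-server-api-priority-gate-enabled",
  "control.compliance.openshift.io/PCI-DSS": "Req-2.2",
  "control.compliance.openshift.io/STIG": "SRG-APP-000516-CTR-001325",
  "policies.open-cluster-management.io/controls": "Req-2.2,SRG-APP-000516-CTR-001325",
  "policies.open-cluster-management.io/standards": "PCI-DSS,STIG"
}""")

PROFILES_KEY = "compliance.openshift.io/profiles"
STANDARDS_KEY = "policies.open-cluster-management.io/standards"
CONTROL_PREFIX = "control.compliance.openshift.io/"

# Assumed mapping from a standards tag to profile-name fragments that carry it;
# NIST-800-53 -> moderate/high is an assumption made for this example only.
STANDARD_PROFILE_HINTS = {
    "STIG": ("stig",),
    "PCI-DSS": ("pci-dss",),
    "CIS-OCP": ("cis",),
    "NERC-CIP": ("nerc-cip",),
    "NIST-800-53": ("moderate", "high"),
}

def orphaned_standards(annotations):
    """Standards tags that none of the rule's listed profiles can account for."""
    profiles = [p for p in annotations.get(PROFILES_KEY, "").split(",") if p]
    orphans = []
    for std in [s for s in annotations.get(STANDARDS_KEY, "").split(",") if s]:
        hints = STANDARD_PROFILE_HINTS.get(std)
        if hints is None:
            continue  # unknown tag: cannot judge it, leave it alone
        if not any(hint in prof for prof in profiles for hint in hints):
            orphans.append(std)
    return orphans

def stale_control_keys(annotations):
    """control.* annotation keys that belong to an orphaned standards tag."""
    orphans = set(orphaned_standards(annotations))
    return sorted(key for key in annotations if key.startswith(CONTROL_PREFIX)
                  and key[len(CONTROL_PREFIX):] in orphans)

if __name__ == "__main__":
    # Checks the constructed sample; feed real `oc get rule <name>
    # -o=jsonpath={.metadata.annotations}` output through json.load instead.
    print("orphaned standards:", orphaned_standards(SAMPLE))
    print("stale control keys:", stale_control_keys(SAMPLE))
```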

Code Climate has analyzed commit f4bcb76d and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

qlty-cloud-legacy[bot] avatar Aug 14 '24 17:08 qlty-cloud-legacy[bot]

/retest

yuumasato avatar Aug 15 '24 09:08 yuumasato