
To fix CMP-2548

Open rutvik23 opened this issue 1 year ago • 6 comments

Description:

This rule controller_rotate_kubelet_server_certs is no longer valid as it is still checking for a feature-gate parameter which does not exist in any supported version of OpenShift 4.

$ ./oc get ccr | grep cert | grep -i fail

ocp4-high-controller-rotate-kubelet-server-certs FAIL medium

Reproducible in Compliance Operator v1.4.0 & OpenShift v4.14.z

Rationale:

  • Fixes #CMP-2548
  • The existing rules like kubelet_enable_cert_rotation, kubelet_enable_server_cert_rotation already satisfy this check.

Review Hints:

  • Another rule that relies on a feature-gate parameter which does not exist was disabled recently through CMP-2331

rutvik23 avatar May 20 '24 11:05 rutvik23

Hi @rutvik23. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci[bot] avatar May 20 '24 11:05 openshift-ci[bot]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment Open in Gitpod

Oracle Linux 8 Environment Open in Gitpod

github-actions[bot] avatar May 20 '24 11:05 github-actions[bot]

:robot: A k8s content image for this PR is available at: ghcr.io/complianceascode/k8scontent:12008 This image was built from commit: 3beb2f63b482b4f02930512ccdbef7d707ed4076

Click here to see how to deploy it

If you already have Compliance Operator deployed: utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12008

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12008 make deploy-local

github-actions[bot] avatar May 20 '24 11:05 github-actions[bot]

/ok-to-test

yuumasato avatar May 22 '24 11:05 yuumasato

/test 4.13-e2e-aws-ocp4-moderate
/test 4.14-e2e-aws-ocp4-moderate
/test 4.15-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-moderate

yuumasato avatar May 22 '24 11:05 yuumasato

/hold for test

xiaojiey avatar May 27 '24 05:05 xiaojiey

Verification passed with 4.16.0-0.nightly-2024-05-23-173505 + https://github.com/ComplianceAsCode/compliance-operator code + PR https://github.com/ComplianceAsCode/content/pull/12008 code

$ oc get pb
NAME              CONTENTIMAGE                                 CONTENTFILE         STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml     VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml   VALID
upstream-ocp4     ghcr.io/complianceascode/k8scontent:12008    ssg-ocp4-ds.xml     VALID
upstream-rhcos4   ghcr.io/complianceascode/k8scontent:12008    ssg-rhcos4-ds.xml   VALID
$ oc get rule upstream-ocp4-controller-rotate-kubelet-server-certs -ojsonpath={.instructions}
RotateKubeletServerCertificate is no longer a valid check, instead an user should run below commands and confirm the rotation settings are enabled as default.
$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
The output should return true
      Is it the case that <tt>serverTLSBootstrap</tt> argument is set to <tt>false</tt> in the 
$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
true
true
true
true
true
true
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
  "rotateCertificates": true,
  "rotateCertificates": true,
  "rotateCertificates": true,
  "rotateCertificates": true,
  "rotateCertificates": true,
  "rotateCertificates": true,

BhargaviGudi avatar May 27 '24 14:05 BhargaviGudi
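The two-command loop in the verification above queries each node's kubelet configz endpoint and expects serverTLSBootstrap and rotateCertificates to be true. The following is an added, offline equivalent of that check (example code, not part of the PR, the content repository or the compliance-operator project): it parses constructed configz documents for a handful of hypothetical nodes and reports which nodes fail either setting, treating a missing key as a failure rather than silently passing it.

```python
"""Offline check for kubelet certificate-rotation settings.

Mirrors the oc/jq loop used to verify the rule change: for every node,
.kubeletconfig.serverTLSBootstrap and .kubeletconfig.rotateCertificates
must both be true. Node names and JSON bodies below are constructed samples.
"""
import json

# Constructed sample of what `oc get --raw /api/v1/nodes/<node>/proxy/configz`
# returns, trimmed to the two fields the check needs (a real response has
# many more keys under .kubeletconfig).
SAMPLE_CONFIGZ = {
    "master-0": '{"kubeletconfig": {"serverTLSBootstrap": true, "rotateCertificates": true}}',
    "worker-0": '{"kubeletconfig": {"serverTLSBootstrap": true, "rotateCertificates": true}}',
    # constructed non-compliant node: serving-cert bootstrap switched off
    "worker-1": '{"kubeletconfig": {"serverTLSBootstrap": false, "rotateCertificates": true}}',
    # constructed node whose kubelet omits the key entirely; must not pass
    "worker-2": '{"kubeletconfig": {"rotateCertificates": true}}',
}

REQUIRED_TRUE = ("serverTLSBootstrap", "rotateCertificates")


def check_node(configz_json: str) -> dict:
    """Return {setting: passed} for one node's configz document.

    Only a literal JSON true passes; absent keys, null, or the string "true"
    all count as a failure so that a misconfigured kubelet cannot slip by.
    """
    cfg = json.loads(configz_json).get("kubeletconfig", {})
    return {key: cfg.get(key) is True for key in REQUIRED_TRUE}


def noncompliant_nodes(configz_by_node: dict) -> dict:
    """Map each failing node name to the sorted list of settings it fails."""
    findings = {}
    for node, raw in configz_by_node.items():
        result = check_node(raw)
        failed = sorted(key for key, ok in result.items() if not ok)
        if failed:
            findings[node] = failed
    return findings


if __name__ == "__main__":
    findings = noncompliant_nodes(SAMPLE_CONFIGZ)
    if not findings:
        print("all nodes: serverTLSBootstrap and rotateCertificates are true")
    for node, failed in findings.items():
        print(f"{node}: FAIL ({', '.join(failed)})")
```

On a live cluster the JSON bodies would come from the same `oc get --raw .../proxy/configz` call the thread uses; the parsing and pass/fail logic stay identical.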

/unhold

BhargaviGudi avatar May 27 '24 14:05 BhargaviGudi

/hold for test

xiaojiey avatar May 29 '24 06:05 xiaojiey

Verification passed with 4.16.0-0.nightly-2024-06-14-130320 + https://github.com/ComplianceAsCode/compliance-operator code + PR https://github.com/ComplianceAsCode/content/pull/12008 code

  1. Install CO
$ oc get pb
NAME              CONTENTIMAGE                                 CONTENTFILE         STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml     VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml   VALID
upstream-ocp4     ghcr.io/complianceascode/k8scontent:12008    ssg-ocp4-ds.xml     VALID
upstream-rhcos4   ghcr.io/complianceascode/k8scontent:12008    ssg-rhcos4-ds.xml   VALID
  2. Verify rule controller-rotate-kubelet-server-certs does not exist
$ oc get rule | grep controller-rotate-kubelet-server-certs | grep upstream
$ 
$ oc compliance bind -N test -S default-auto-apply profile/upstream-ocp4-high
Creating ScanSettingBinding test
$ oc get scan
NAME                 PHASE   RESULT
upstream-ocp4-high   DONE    NON-COMPLIANT
$ oc get ccr | grep controller-rotate-kubelet-server-certs
$

BhargaviGudi avatar Jun 18 '24 07:06 BhargaviGudi

/unhold

BhargaviGudi avatar Jun 18 '24 07:06 BhargaviGudi

/hold for test

xiaojiey avatar Jun 21 '24 02:06 xiaojiey

/test 4.12-e2e-aws-ocp4-high
/test 4.13-e2e-aws-ocp4-high
/test 4.14-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high
/test e2e-aws-ocp4-high

yuumasato avatar Jun 24 '24 10:06 yuumasato

Code Climate has analyzed commit 3beb2f63 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

qlty-cloud-legacy[bot] avatar Jun 24 '24 16:06 qlty-cloud-legacy[bot]

/retest

yuumasato avatar Jun 24 '24 17:06 yuumasato

/test 4.12-e2e-aws-ocp4-high
/test 4.13-e2e-aws-ocp4-high
/test 4.14-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high
/test e2e-aws-ocp4-high

yuumasato avatar Jun 24 '24 17:06 yuumasato

Skipping the ansible hardening tests.

yuumasato avatar Jun 25 '24 10:06 yuumasato

@xiaojiey Apologies. I just noticed the hold for merge label. Let me know if you run into any issues with this PR.

yuumasato avatar Jun 25 '24 10:06 yuumasato