
CMP-3566: Ensure a CLF exists and check for secure URLs

Open yuumasato opened this issue 2 months ago • 10 comments

Description:

  • Add an unfiltered yamlpath to check for existence of ClusterLogForwarders.
  • Copy the existing check and add the check for CLF existence

Rationale:

  • The cluster can be configured with log forwarders that are by default secure and use TLS, for example the AzureMonitor log forwarder. They don't have a URL key.

  • The existing check only checks the url of CLFs that have it. If a CLF doesn't have it, we don't check it.

  • The problem is that we cannot differentiate between a non-existent CLF and a CLF without a url key. So we need to add a check for CLF existence.

  • Fixes https://issues.redhat.com/browse/CMP-3566

yuumasato avatar Oct 21 '25 19:10 yuumasato

Verification pass. More details can be seen in the Jira ticket https://issues.redhat.com/browse/CMP-3566

  1. Create a clusterlogforwarder with azureMonitor;
  2. Create two ssb: one with downstream ocp4-stig, the other one with upstream-ocp4-stig
  3. Check the test result:

```
% oc get ccr | grep audit-log-forwarding-uses-tls
ocp4-stig-audit-log-forwarding-uses-tls            FAIL   medium
upstream-ocp4-stig-audit-log-forwarding-uses-tls   PASS   medium
```

xiaojiey avatar Oct 22 '25 04:10 xiaojiey

/packit retest-failed

ggbecker avatar Oct 22 '25 14:10 ggbecker

Maybe the same fix should be done for the old api too? I'm looking into that

yuumasato avatar Oct 23 '25 18:10 yuumasato

> Maybe the same fix should be done for the old api too? I'm looking into that

Given that support for Logging Operator 5.x is ending soon: https://access.redhat.com/support/policy/updates/openshift_operators

And that version 6.x only use observability API: https://docs.redhat.com/pt-br/documentation/red_hat_openshift_logging/6.0/html-single/upgrading_logging/index#changes-in-logging-6_upgrading-to-logging-6

I'll not update the old logging rule.

yuumasato avatar Oct 27 '25 13:10 yuumasato

> I'll not update the old logging rule.

@xiaojiey @Anna-Koudelkova Are you okay with this?

yuumasato avatar Oct 27 '25 13:10 yuumasato

> I'll not update the old logging rule.
>
> @xiaojiey @Anna-Koudelkova Are you okay with this?

With the current approach, the rule works when azureMonitor/lokistack is configured in the clusterlogforwarder. The biggest issue with the current approach is: if no clusterlogforwarder is configured at all, the rule will PASS. I think in this scenario it should return FAIL. However, I tried with at_least_one_exists, and it doesn't work either. When azureMonitor/lokistack is configured in the clusterlogforwarder, the rule always FAILs. Honestly speaking, I don't have a good solution for this issue.

xiaojiey avatar Oct 27 '25 14:10 xiaojiey

Verification FAIL for the insecure url udp://rsyslog.e2e-test-vector-syslog-cnrqt.svc:514:

  1. No CLF (clusterlogforwarder) exists - rule FAIL
  2. CLF with insecure url udp://rsyslog.e2e-test-vector-syslog-cnrqt.svc:514 - rule should FAIL, but returns PASS. It is the same test result when using a url with an "http" prefix.

```
% oc get -n openshift-logging clusterlogforwarders
NAME        AGE
clf-60699   38m
% oc get clusterlogforwarders.observability.openshift.io -n openshift-logging clf-60699 -o=jsonpath={.spec.outputs} | jq -r
[
  {
    "name": "rsyslog",
    "syslog": {
      "rfc": "RFC3164",
      "url": "udp://rsyslog.e2e-test-vector-syslog-lmv5k.svc:514"
    },
    "type": "syslog"
  }
]
% oc get ccr -n openshift-compliance| grep audit-log-forwarding-uses-tls
ocp4-stig-audit-log-forwarding-uses-tls                         FAIL     medium
upstream-ocp4-stig-audit-log-forwarding-uses-tls                PASS     medium
```

  3. CLF with secure url - rule PASS
  4. CLF with azureMonitor - rule PASS
  5. CLF with lokistack - rule PASS

xiaojiey avatar Oct 28 '25 04:10 xiaojiey

@yuumasato: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-openshift-node-compliance | 90732449563fb88fd3ecefd862ad70b3740c2740 | link | true | /test e2e-aws-openshift-node-compliance |


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Nov 04 '25 23:11 openshift-ci[bot]

/packit retest-failed

rhmdnd avatar Nov 04 '25 23:11 rhmdnd

Verification fail. For the latest commit, all scenarios work except the one where the CLF uses azureMonitor/loki:

  1. No CLF exists - returns FAIL, should FAIL
  2. CLF with insecure url - returns FAIL, should FAIL
  3. CLF with secure url - returns PASS, should PASS
  4. CLF with azureMonitor - returns FAIL, should PASS
  5. CLF with lokistack - returns FAIL, should PASS

xiaojiey avatar Nov 05 '25 13:11 xiaojiey
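A small model of the rule semantics the thread converges on: a ClusterLogForwarder must exist, every output that carries a url must use a TLS-protected scheme, and url-less outputs such as azureMonitor or lokiStack pass. This is an added Python example, not the ComplianceAsCode yamlpath check or any code from the PR; the set of secure schemes, the sample hostnames and the per-type output bodies are assumptions.

```python
"""Model of the CMP-3566 rule logic over observability.openshift.io ClusterLogForwarders.
Constructed example: mirrors the five verification scenarios in the thread, not the
actual yamlpath/regex the rule uses."""
from urllib.parse import urlsplit

# Assumption: schemes treated as TLS-protected for forwarder URLs.
SECURE_SCHEMES = {"https", "tls"}


def output_urls(clf):
    """Yield (output name, url) for each output that has a url key, whatever its type."""
    for out in clf.get("spec", {}).get("outputs", []):
        # The url lives under the type-specific sub-object, e.g. outputs[].syslog.url
        body = out.get(out.get("type"), {})
        if isinstance(body, dict) and "url" in body:
            yield out.get("name", "<unnamed>"), body["url"]


def evaluate(clfs):
    """Return ("PASS" | "FAIL", reason) for a list of ClusterLogForwarder objects.

    Checking existence first is what distinguishes "no CLF at all" (FAIL) from
    "CLF whose outputs have no url key" (PASS), the case the thread struggles with.
    """
    if not clfs:
        return "FAIL", "no ClusterLogForwarder exists"
    for clf in clfs:
        for name, url in output_urls(clf):
            scheme = urlsplit(url).scheme.lower()
            if scheme not in SECURE_SCHEMES:
                return "FAIL", f"output {name!r} uses insecure url {url}"
    return "PASS", "every output that has a url uses TLS"


# Constructed sample objects (hostnames and field values are placeholders).
SYSLOG_UDP = {"spec": {"outputs": [{"name": "rsyslog", "type": "syslog",
              "syslog": {"rfc": "RFC3164", "url": "udp://rsyslog.example.svc:514"}}]}}
SYSLOG_TLS = {"spec": {"outputs": [{"name": "rsyslog", "type": "syslog",
              "syslog": {"rfc": "RFC5424", "url": "tls://rsyslog.example.svc:6514"}}]}}
AZURE = {"spec": {"outputs": [{"name": "azure", "type": "azureMonitor",
         "azureMonitor": {"customerId": "placeholder-workspace-id"}}]}}
LOKI = {"spec": {"outputs": [{"name": "loki", "type": "lokiStack",
        "lokiStack": {"target": {"name": "logging-loki", "namespace": "openshift-logging"}}}]}}

if __name__ == "__main__":
    for label, clfs in [("no CLF", []), ("udp", [SYSLOG_UDP]), ("tls", [SYSLOG_TLS]),
                        ("azureMonitor", [AZURE]), ("lokiStack", [LOKI])]:
        print(f"{label:13s}", *evaluate(clfs))
```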