
check for makeIPTablesUtilChains does not reflect benchmark and product description

Open tmishina opened this issue 2 years ago • 2 comments

Description of problem:

  • Rule kubelet_enable_iptables_util_chains of openshift (link) checks for the existence of .makeIPTablesUtilChains and requires its value to be true
template:
    name: yamlfile_value
    vars:
        filepath: {{{ kubeletconf_path }}}
        yamlpath: ".makeIPTablesUtilChains"
        values:
         - value: "true"
           operation: "equals"
  • However, the CIS Benchmark spec and the kubelet documentation say that the default value of .makeIPTablesUtilChains is true
  • According to the spec and the doc, it is better to check that no .makeIPTablesUtilChains entry set to false exists
template:
    name: yamlfile_value
    vars:
        filepath: {{{ kubeletconf_path }}}
        check_existence: "none_exist"
        yamlpath: ".makeIPTablesUtilChains"
        values:
         - value: "false"
           operation: "equals"

Steps to Reproduce:

Run the cis-node profile check on an OpenShift cluster whose configuration (/etc/kubernetes/kubelet.conf) does not contain .makeIPTablesUtilChains.

Actual Results:

FAIL

Expected Results:

PASS

tmishina, Mar 29 '22 04:03

I think it makes sense, but what if we need to check that makeIPTablesUtilChains doesn't exist in other config files?

Vincent056, Mar 29 '22 04:03

Hello, wouldn't it make sense, instead of performing the verification through the file kubelet.conf, to read the values from the apiserver?

for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc get --raw "/api/v1/nodes/${node}/proxy/configz" | jq -r '.kubeletconfig | .makeIPTablesUtilChains'; done

etcshad0vv, May 13 '22 07:05
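To make the difference between the two templates in the issue concrete, here is an added example (not code from the ComplianceAsCode project or from anyone in this thread) that evaluates a parsed KubeletConfiguration three ways: the way the current yamlfile_value template does (key must exist and equal true), the way the proposed check_existence: none_exist template does (fail only on an explicit false), and the way the kubelet itself behaves (fall back to the documented default of true when the key is absent). The same evaluation is applied to the .kubeletconfig object returned by the /proxy/configz endpoint that etcshad0vv's command reads. The sample documents are constructed for this example and were not captured from a real cluster; JSON is used instead of YAML so the block runs without PyYAML (JSON is a YAML subset, so the logic is unchanged for a YAML kubelet.conf once parsed).

```python
import json

KEY = "makeIPTablesUtilChains"
# Documented kubelet default for this field, which is the point the issue makes.
KUBELET_DEFAULT = True


def _as_bool(value):
    """Normalise a YAML/JSON scalar to bool. yamlfile_value compares against the
    literal "true"/"false", so a quoted string is accepted as well as a boolean."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"{KEY} must be a boolean, got {value!r}")


def current_rule_passes(config):
    """Existing template: the key must exist AND equal true.
    An absent key fails, even though the kubelet would default it to true."""
    return KEY in config and _as_bool(config[KEY]) is True


def proposed_rule_passes(config):
    """Proposed template (check_existence: none_exist, value: false):
    pass unless an entry explicitly set to false exists."""
    return not (KEY in config and _as_bool(config[KEY]) is False)


def effective_value(config):
    """What the kubelet will actually do: use the value if set, else the default."""
    return _as_bool(config.get(KEY, KUBELET_DEFAULT))


def load_kubelet_config(text):
    """Parse a KubeletConfiguration document (JSON here; see lead-in)."""
    return json.loads(text)


def kubeletconfig_from_configz(text):
    """Pull .kubeletconfig out of a /api/v1/nodes/<node>/proxy/configz response,
    the object the jq filter in the thread reads. configz reports the kubelet's
    running configuration, so defaulted fields appear there explicitly."""
    return json.loads(text)["kubeletconfig"]


def evaluate(config):
    """Return all three verdicts for a parsed config so they can be compared."""
    return {
        "current_rule": current_rule_passes(config),
        "proposed_rule": proposed_rule_passes(config),
        "effective": effective_value(config),
    }


# Constructed sample documents (not captured from a real cluster).
KUBELET_CONF_ABSENT = (
    '{"kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1",'
    ' "authentication": {"anonymous": {"enabled": false}}}'
)
KUBELET_CONF_TRUE = (
    '{"kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1",'
    ' "makeIPTablesUtilChains": true}'
)
KUBELET_CONF_FALSE = (
    '{"kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1",'
    ' "makeIPTablesUtilChains": false}'
)
CONFIGZ_RESPONSE = (
    '{"kubeletconfig": {"makeIPTablesUtilChains": true, "iptablesMasqueradeBit": 14}}'
)

if __name__ == "__main__":
    for name, doc in [
        ("key absent", KUBELET_CONF_ABSENT),
        ("explicit true", KUBELET_CONF_TRUE),
        ("explicit false", KUBELET_CONF_FALSE),
    ]:
        print(f"{name:14s} {evaluate(load_kubelet_config(doc))}")
    print(f"{'configz':14s} {evaluate(kubeletconfig_from_configz(CONFIGZ_RESPONSE))}")
```

Running the block shows the mismatch the issue reports: for the "key absent" document the current rule fails while both the proposed rule and the kubelet's effective behaviour say true; for "explicit false" all three agree on a failure, and for "explicit true" all three pass. Vincent056's concern about other config files is a matter of which file paths the rule is pointed at, not of the per-document logic shown here.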