content
content copied to clipboard
ComplianceAsCode
OCP4: Look at rendered-config-xyz when checking FIPS, consolidate two rules
Description:
We used to have two rules that were checking for the cluster being installed in FIPS mode, one was checking for an MC called 99-master-fips and was used in the NIST profiles only.
The other rule was looking for both ^[0-9]{2}-worker$ and ^[0-9]{2}-master$
and was used in PCI-DSS only.
Rationale:
This is all confusing, let's consolidate on one rule that checks the rendered configs for both master and worker pools. This allow us to use a single rule regardless of the installation method and also support UPI installations where the manifests can have a custom name: https://docs.openshift.com/container-platform/4.10/installing/install_config/installing-customizing.html
Related: rhbz#2111095
Start a new ephemeral environment with changes proposed in this pull request:
ocp4 (from CTF) Environment (using Fedora as testing environment)
Fedora Testing Environment
Oracle Linux 8 Environment
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
note: please don't merge the PR before it is confirmed by the reporter in https://bugzilla.redhat.com/show_bug.cgi?id=2111095
I /think/ it should fix their issue but I'm not 100% sure.
This datastream diff is auto generated by the check Compare DS/Generate Diff
Click here to see the full diff
xccdf_org.ssgproject.content_rule_fips_mode_enabled is missing in new datastream.
OCIL for rule 'xccdf_org.ssgproject.content_rule_fips_mode_enabled_on_all_nodes' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
Run the following command to retrieve if the FIPS flag is enabled:
-$ oc get machineconfig -o json | jq '[.items[] | select(.metadata.name | test("^[0-9]{2}-worker$|^[0-9]{2}-master$"))]|map(.spec.fips == true)'
+$ oc get machineconfig -o json | jq '[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.fips == true)'
Make sure that the result is an array of 'true' values.
Is it the case that FIPS mode is not enabled on all nodes (control plane and workers)?
OCIL for rule 'xccdf_org.ssgproject.content_rule_luks_enabled_on_all_nodes' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
Run the following command to retrieve if the LUKS object is configured:
-$ oc get machineconfig -o json | jq '[.items[] | select(.metadata.name | test("^[0-9]{2}-worker$|^[0-9]{2}-master$"))]|map(.spec.config.storage.luks[0].clevis != null)'
+$ oc get machineconfig -o json | jq '[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.config.storage.luks[0].clevis != null)'
Make sure that the result is an array of 'true' values.
Is it the case that LUKS encryption is not enabled on worker nodes?
OCIL for rule 'xccdf_org.ssgproject.content_rule_machine_volume_encrypted' differs:
--- old datastream
+++ new datastream
@@ -16,10 +16,10 @@
with $ oc get machineset --all-namespaces -o yaml
If not, run the following command to retrieve if the FIPS flag is enabled:
-$ oc get machineconfig -o json | jq '. | [select(.items[].metadata.name | test("^[0-9]{2}-worker$|^[0-9]{2}-master$"))]|[.[].items[].spec.fips]'
+$ oc get machineconfig -o json | jq '. | [select(.items[].metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.fips == true)'
Make sure that the result is an array of 'true' values.
Then, run this next command to retrieve if LUKS encryption is enabled:
-$ oc get machineconfig -o json | jq '. | [select(.items[].metadata.name | test("^[0-9]{2}-worker$|^[0-9]{2}-master$"))]|map(.spec.config.storage.luks[0].clevis != null)'
+$ oc get machineconfig -o json | jq '. | [select(.items[].metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.config.storage.luks[0].clevis != null)'
The result must also be an array of 'true' values.
Is it the case that FIPS mode is not enabled on worker nodes?
hmm, looks like I need to adjust the unit tests anyway. Interested in e2e tests in the meantime.
OK, the e2e tests seem to be mostly good, so I'm going to fix up the unit tests and resubmit.
Code Climate has analyzed commit 2e825093 and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 42.7% (0.0% change).
View more on Code Climate.
![codeclimate[bot] avatar](https://avatars.githubusercontent.com/in/9403?v=4 "Published by a pub.dev verified publisher"){kind=small}
@Vincent056 @mrogers950 @lbragstad PTAL, the two remaining test failures are "expected" because we don't have any bash remediations.
wouldn't this check all rendered rendered-master-* and rendered-worker-*? since MCO doesn't delete the old rendered machine config
I just realized this has to be enabled during the install time, so all rendered machine configs should have it.