Bug 2079813
Summary: | False positive in rules: ocp4-cis-api-server-kubelet-client-{cert|key} and ocp4-cis-kubelet-configure-tls-{cert|key} | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | German Parente <gparente> |
Component: | Compliance Operator | Assignee: | Jakub Hrozek <jhrozek> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 4.8 | CC: | jhrozek, jritter, lbragsta, mbagga, mrogers, pescorza, senevi, shaising, suprs, sychen, wenshen, xiyuan |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause: The compliance content for rule ocp4-cis-api-server-kubelet-client-cert, ocp4-cis-api-server-kubelet-client-key, ocp4-cis-kubelet-configure-tls-cert, ocp4-cis-kubelet-configure-tls-key failed to account for additional configuration file paths for API server TLS certs and keys.
Consequence: The rules would report failure, even though the certificates and keys were set properly.
Fix: Consume and use new compliance content shipped with 0.1.53.
Result: The rules now report accurately regardless of the certificate and key locations specified in the kubelet configuration file.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-07-14 12:40:58 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
German Parente
2022-04-28 10:03:20 UTC
More precisely, ocp4-cis-api-server-kubelet-client-cert FAIL high ocp4-cis-api-server-kubelet-client-key FAIL high ocp4-cis-kubelet-configure-tls-cert FAIL medium ocp4-cis-kubelet-configure-tls-key FAIL medium oc get compliancecheckresults.compliance.openshift.io ocp4-cis-api-server-kubelet-client-cert -o json | jq -r '.instructions' Running command: oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]' Result: [ "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt" ] oc get compliancecheckresults.compliance.openshift.io ocp4-cis-api-server-kubelet-client-key -o json | jq -r '.instructions' Running Command: oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"] Result: [ "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key" ] oc get compliancecheckresults.compliance.openshift.io ocp4-cis-kubelet-configure-tls-cert -o json | jq -r '.instructions' Running Command: oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]' Result: [ "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt" ] oc get compliancecheckresults.compliance.openshift.io ocp4-cis-kubelet-configure-tls-key -o json | jq -r '.instructions' Running Command: oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]' Result: [ "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key" ] It seems that the check was completely reworked recently and now doesn't use a check with a regex, but a variable instead. The variable has a single default value which is `/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt`. So I guess one quick workaround might be to set the variable through a tailoredProfile, see an example e.g. here: https://docs.openshift.com/container-platform/4.10/security/compliance_operator/compliance-operator-tailor.html The variables that are interesting are `ocp4-var-apiserver-kubelet-client-cert` and `ocp4-var-apiserver-tls-cert`. apiVersion: compliance.openshift.io/v1alpha1 kind: TailoredProfile metadata: name: cis-modified spec: extends: ocp4-cis description: CIS with customizations for 4.8 title: CIS modified setValues: - name: ocp4-var-apiserver-kubelet-client-cert rationale: Working around content issue on 4.8 value: /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt - name: ocp4-var-apiserver-tls-cert rationale: Working around content issue on 4.8 value: /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key (Sorry, running out of time today, so I didn't test this myself AT ALL, feel free to ask here on ping on Slack if this doesn't work for you) But more systematically, I wonder what can be done. Vincent, do you know if we have a way to set different default values for different OCP releases based on the CPE? Sorry for the late reply; I don't think we can set different default values for different OCP releases based on the CPE. It seems like they should use a tailored profile for this at the moment. *** Bug 2083839 has been marked as a duplicate of this bug. *** *** Bug 2088752 has been marked as a duplicate of this bug. *** I think the best way would be to create separate rules for the old releases. Quick update: I have the rules written, but there appears to be an issue with the per-release selector in CaC. Trying to find a fix.. (In reply to Jakub Hrozek from comment #7) > Quick update: I have the rules written, but there appears to be an issue > with the per-release selector in CaC. Trying to find a fix.. Filed an issue to have the profile selector fixed, as I don't understand that part of CaC: https://github.com/ComplianceAsCode/content/issues/8833 (In reply to Jakub Hrozek from comment #8) > (In reply to Jakub Hrozek from comment #7) > > Quick update: I have the rules written, but there appears to be an issue > > with the per-release selector in CaC. Trying to find a fix.. > > Filed an issue to have the profile selector fixed, as I don't understand > that part of CaC: https://github.com/ComplianceAsCode/content/issues/8833 Just an update because there are many cases..the CaC team said they'd take a look at the issue this week. There was a workaround suggested but it appears to help only somewhat. I got the workaround for the kubelet client cert configuration running by setting the following values in the TailoredProfile: spec: setValues: - name: ocp4-var-apiserver-kubelet-client-cert rationale: Working around content issue on 4.8 value: /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt - name: ocp4-var-apiserver-kubelet-client-key rationale: Working around content issue on 4.8 value: /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key This is the configuration of Jakub, but on my configuration (compliance operator v0.1.49 on OCP 4.8.36) the key for the client key is ocp4-var-apiserver-kubelet-client-key rather than ocp4-var-apiserver-tls-cert. Merged upstream in https://github.com/ComplianceAsCode/content/commit/79fcb5b2f1fbfeee0e9fcf6678fb4081e55612b9 will be fixed in the next CO/content release. Verification pass with 4.11.0-0.nightly-2022-06-30-005428 + latest CO code:
# oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
> name: my-ssb-r
> profiles:
> - name: ocp4-cis
> kind: Profile
> apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
> name: default
> kind: ScanSetting
> apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created
# oc get suite -w
NAME PHASE RESULT
my-ssb-r AGGREGATING NOT-AVAILABLE
my-ssb-r DONE NON-COMPLIANT
my-ssb-r DONE NON-COMPLIANT
# oc get ccr| grep api-server-kubelet-client
ocp4-cis-api-server-kubelet-client-cert PASS high
ocp4-cis-api-server-kubelet-client-key PASS high
# oc get ccr| grep kubelet-configure-tls
ocp4-cis-kubelet-configure-tls-cert PASS medium
ocp4-cis-kubelet-configure-tls-key PASS medium
# oc get ccr ocp4-cis-api-server-kubelet-client-cert -o=jsonpath={.instructions}
Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt
or /etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt
# oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
[
"/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt"
]
# oc get ccr ocp4-cis-api-server-kubelet-client-key -o=jsonpath={.instructions}
Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key
or /etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key
# oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
[
"/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key"
]
# oc get ccr ocp4-cis-kubelet-configure-tls-cert -o=jsonpath={.instructions}
Run the following command on the kubelet node(s):
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'
Verify that a client certificate is configured.[
# oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'
[
"/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt"
]
# oc get ccr ocp4-cis-kubelet-configure-tls-key -o=jsonpath={.instructions}
Run the following command on the kubelet node(s):
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]'
Verify that a client certificate is configured.
# oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]'
[
"/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key"
]
Verification pass with compliance-operator.v0.1.53 + OCP payload 4.11.0-rc.1 and compliance-operator.v0.1.53 + OCP payload 4.8.46 1. with 4.11.0-rc.1: $ oc apply -f -<<EOF > apiVersion: compliance.openshift.io/v1alpha1 > kind: ScanSettingBinding > metadata: > name: test > profiles: > - apiGroup: compliance.openshift.io/v1alpha1 > kind: TailoredProfile > name: test > settingsRef: > apiGroup: compliance.openshift.io/v1alpha1 > kind: ScanSetting > name: default > EOF scansettingbinding.compliance.openshift.io/test created ]$ oc get suite -w NAME PHASE RESULT test LAUNCHING NOT-AVAILABLE test RUNNING NOT-AVAILABLE test AGGREGATING NOT-AVAILABLE test DONE COMPLIANT test DONE COMPLIANT ^C$ oc get ccr NAME STATUS SEVERITY test-api-server-kubelet-client-cert PASS high test-api-server-kubelet-client-key PASS high $ oc get ccr test-api-server-kubelet-client-cert -o=jsonpath={.instructions} Run the following command: $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]' The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt or /etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt[xiyuan@MiWiFi-RA69-srv func]$ $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]' [ "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt" ] $ oc get ccr test-api-server-kubelet-client-key -o=jsonpath={.instructions} Run the following command: $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]' The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key or /etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key[xiyuan@MiWiFi-RA69-srv func]$ $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]' [ "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key" ] 2. With 4.8.46 + compliance-operator.v0.1.53: $ oc get ip NAME CSV APPROVAL APPROVED install-qd4mq compliance-operator.v0.1.53 Automatic true $ oc get csv NAME DISPLAY VERSION REPLACES PHASE compliance-operator.v0.1.53 Compliance Operator 0.1.53 Succeeded elasticsearch-operator.5.2.12 OpenShift Elasticsearch Operator 5.2.12 Succeeded $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.8.46 True False 6h3m Cluster version is 4.8.46 $ oc apply -f -<<EOF > apiVersion: compliance.openshift.io/v1alpha1 > kind: TailoredProfile > metadata: > name: test > namespace: openshift-compliance > spec: > description: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout > title: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout > enableRules: > - name: ocp4-api-server-kubelet-client-cert > rationale: platform > - name: ocp4-api-server-kubelet-client-cert-pre-4-9 > rationale: platform > - name: ocp4-api-server-kubelet-client-key > rationale: platform > - name: ocp4-api-server-kubelet-client-key-pre-4-9 > rationale: platform > EOF tailoredprofile.compliance.openshift.io/test created $ oc apply -f -<<EOF > apiVersion: compliance.openshift.io/v1alpha1 > kind: ScanSettingBinding > metadata: > name: test > profiles: > - apiGroup: compliance.openshift.io/v1alpha1 > kind: TailoredProfile > name: test > settingsRef: > apiGroup: compliance.openshift.io/v1alpha1 > kind: ScanSetting > name: default > EOF scansettingbinding.compliance.openshift.io/test created $ oc get suite -w NAME PHASE RESULT test RUNNING NOT-AVAILABLE test AGGREGATING NOT-AVAILABLE test DONE COMPLIANT test DONE COMPLIANT ^C$ oc get ccr NAME STATUS SEVERITY test-api-server-kubelet-client-cert-pre-4-9 PASS high test-api-server-kubelet-client-key-pre-4-9 PASS high $ oc get ccr test-api-server-kubelet-client-cert-pre-4-9 -o=jsonpath={.instructions} Run the following command: $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]' The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]' [ "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt" ] $oc get ccr test-api-server-kubelet-client-key-pre-4-9 -o=jsonpath={.instructions} Run the following command: $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]' The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key[xiyuan@MiWiFi-RA69-srv upg]$ $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]' [ "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key" ] Sorry, wrong operation, should be VERIFIED status. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:5537 |