Bug 2088752

Summary: Rules kubelet tls client certificate reported as FAIL result for Compliance Operator 1.49
Product: OpenShift Container Platform
Component: Compliance Operator
Version: 4.8
Reporter: Pamela Escorza <pescorza>
Assignee: Jakub Hrozek <jhrozek>
CC: jmittapa, lbragsta, mrogers, suprs, wenshen, xiyuan
Status: CLOSED DUPLICATE
Severity: high
Priority: unspecified
Hardware: All
OS: All
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2022-05-20 12:37:30 UTC

Description Pamela Escorza 2022-05-20 12:14:15 UTC
Description of problem:
The following rules:
 - ocp4-cis-api-server-kubelet-client-cert
 - ocp4-cis-api-server-kubelet-client-key
 - ocp4-cis-kubelet-configure-tls-cert
 - ocp4-cis-kubelet-configure-tls-key

are being reported as FAIL for Compliance Operator 1.49 (in the previous version the result was PASS), even though the verification output is the expected one:

**** api-server-kubelet-client-cert
Configure the kubelet Certificate File for the API Server
By default the API Server does not authenticate itself to the kubelet's
HTTPS endpoints. Requests from the API Server are treated anonymously.
Configuring certificate-based kubelet authentication ensures that the
API Server authenticates itself to kubelets when submitting requests.
Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt
or /etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt

... 
Checking in a fresh cluster:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
[
  "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
]



**** api-server-kubelet-client-key
Configure the kubelet Certificate Key for the API Server
By default the API Server does not authenticate itself to the kubelet's
HTTPS endpoints. Requests from the API Server are treated anonymously.
Configuring certificate-based kubelet authentication ensures that the
API Server authenticates itself to kubelets when submitting requests.
Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key
or /etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key

...
Checking in a fresh cluster:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
[
  "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
]



**** kubelet-configure-tls-cert
Ensure That The kubelet Client Certificate Is Correctly Set
Without cryptographic integrity protections, information can be
altered by unauthorized users without detection.
Run the following command on the kubelet node(s):
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'
Verify that a client certificate is configured.
...
Checking in a fresh cluster:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'
[
  "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
]



**** kubelet-configure-tls-key
Ensure That The kubelet Server Key Is Correctly Set
Without cryptographic integrity protections, information can be
altered by unauthorized users without detection.
Run the following command on the kubelet node(s):
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]'
Verify that a client certificate is configured.
...
Checking in a fresh cluster:

$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]'
[
  "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
]




Version-Release number of selected component (if applicable):
Compliance Operator 1.49

How reproducible:
Configure a ScanSetting to run the CIS Benchmark profiles in a fresh cluster and verify the rule results.


Actual results:
$ oc get compliancecheckresults | grep -i fail | grep -E "api-server-kubelet|kubelet-configure-tls"
ocp4-cis-modified-api-server-kubelet-client-cert                               FAIL     high
ocp4-cis-modified-api-server-kubelet-client-key                                FAIL     high
ocp4-cis-modified-kubelet-configure-tls-cert                                   FAIL     medium
ocp4-cis-modified-kubelet-configure-tls-key                                    FAIL     medium


Expected results:
As in the previous version, the rules should be reported as PASS.
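
An added example, not code from the bug report or from the Compliance Operator, that re-runs the four checks offline. It consumes a document shaped like what `oc get configmap config -n openshift-kube-apiserver -ojson` returns, extracts `apiServerArguments` from the embedded `config.yaml` exactly as the `jq` pipeline in the rule text does, and evaluates each rule two ways. The rule text quotes a bare path as the expected output, while the fresh cluster output quoted above is a one-element JSON array; the example shows that a check which only understands the bare string reports FAIL on that output, and that a check accepting either form reports PASS. Whether that is what changed in 1.49 is not stated on this page (the bug was closed as a duplicate of bug 2079813), so treat it as an illustration of the check, not as the root cause. `make_configmap`, `FRESH_CLUSTER`, `naive_check`, `robust_check` and `evaluate` are names chosen here; the `kubelet-configure-tls-*` rules are modelled as "any non-empty path is configured", following the "Verify that a client certificate is configured" wording of the rule text.

```python
"""Offline re-implementation of the four kubelet TLS rules from the report.

Not Compliance Operator code. Parses a ConfigMap document shaped like
`oc get configmap config -n openshift-kube-apiserver -ojson` and evaluates
the rules against the apiServerArguments in the embedded config.yaml.
"""
import json

# Accepted paths, copied from the rule text in the bug report.
CERT_PATHS = {
    "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt",
    "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt",
}
KEY_PATHS = {
    "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key",
    "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key",
}

# rule name -> (apiServerArguments key, accepted paths; None = any non-empty path)
RULES = {
    "api-server-kubelet-client-cert": ("kubelet-client-certificate", CERT_PATHS),
    "api-server-kubelet-client-key": ("kubelet-client-key", KEY_PATHS),
    "kubelet-configure-tls-cert": ("kubelet-client-certificate", None),
    "kubelet-configure-tls-key": ("kubelet-client-key", None),
}


def make_configmap(cert, key):
    """Build a constructed ConfigMap shaped like the real one: config.yaml is
    stored as a JSON string under .data, which is why the jq pipeline in the
    rule text works. Pass None to leave an argument out entirely."""
    args = {}
    if cert is not None:
        args["kubelet-client-certificate"] = cert
    if key is not None:
        args["kubelet-client-key"] = key
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": "config", "namespace": "openshift-kube-apiserver"},
        "data": {"config.yaml": json.dumps({"apiServerArguments": args})},
    }


# What the fresh cluster returned in the report: one-element JSON arrays.
FRESH_CLUSTER = make_configmap(
    ["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],
    ["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],
)


def api_server_arguments(configmap):
    """Same as: jq -r '.data["config.yaml"]' | jq '.apiServerArguments'."""
    return json.loads(configmap["data"]["config.yaml"]).get("apiServerArguments", {})


def naive_check(value, accepted):
    """Compare the raw value with the bare path quoted in the rule text.
    A one-element array is not a string, so this reports FAIL on the
    fresh-cluster output shown in the report."""
    if not isinstance(value, str) or not value:
        return False
    return accepted is None or value in accepted


def robust_check(value, accepted):
    """Accept a bare string or a non-empty list of strings; every element must
    be an accepted path (or merely non-empty when accepted is None)."""
    values = value if isinstance(value, list) else [value]
    if not values:
        return False
    for v in values:
        if not isinstance(v, str) or not v:
            return False
        if accepted is not None and v not in accepted:
            return False
    return True


def evaluate(configmap, check=robust_check):
    """Return {rule: 'PASS' | 'FAIL'} for the four rules from the report."""
    args = api_server_arguments(configmap)
    return {rule: "PASS" if check(args.get(arg), accepted) else "FAIL"
            for rule, (arg, accepted) in RULES.items()}


if __name__ == "__main__":
    for name, check in (("naive", naive_check), ("robust", robust_check)):
        print(name)
        for rule, result in evaluate(FRESH_CLUSTER, check).items():
            print(f"  ocp4-cis-{rule:<36} {result}")
```

Running the script prints FAIL for all four rules under `naive_check` and PASS under `robust_check` for the same fresh-cluster document. `robust_check` still fails closed on a missing argument, an empty list, or a path outside the accepted set for the two strict rules, so accepting the array form does not weaken the check.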

Comment 1 Jakub Hrozek 2022-05-20 12:37:30 UTC

*** This bug has been marked as a duplicate of bug 2079813 ***