Bug 2002695 - Instructions are incorrect of rule ocp4-moderate-routes-protected-by-tls
Summary: Instructions are incorrect of rule ocp4-moderate-routes-protected-by-tls
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
: ---
Assignee: Vincent Shen
QA Contact: Prashant Dhamdhere
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-09 14:09 UTC by Prashant Dhamdhere
Modified: 2022-04-20 09:59 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The ocp4-moderate-routes-protected-by-tls rule incorrectly checked TLS settings, which resulted in the rule failing the check even if the connection was secured using TLS.
Consequence: The rule incorrectly reported failure.
Fix: Re-run the scan using updated content.
Result: The check will properly evaluate TLS settings that are consistent with the networking guidance and profile recommendations.
Clone Of:
Environment:
Last Closed: 2022-04-18 07:54:00 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:1148 0 None None None 2022-04-18 07:54:10 UTC

Description Prashant Dhamdhere 2021-09-09 14:09:12 UTC
Description of problem:

[1] The rule instruction says "Make sure that every route object has either
Disable or Redirect in the .spec.tls.insecureEdgeTerminationPolicy setting."

```
$ oc get checkresult ocp4-moderate-routes-protected-by-tls -o=jsonpath={.instructions}
Run the following command to retrieve the compliancesuites in the system:
$ oc get routes --all-namespaces
Make sure that every route object has either Disable or Redirect
in the .spec.tls.insecureEdgeTerminationPolicy setting.
```

Setting Redirect helps clients by redirecting the connection to the secure port,
but as per the document below, the TLS connection will be enabled if the route
object has edge, passthrough or reencrypt in the .spec.tls.termination setting,
even without Redirect in .spec.tls.insecureEdgeTerminationPolicy:

https://docs.openshift.com/container-platform/4.8/rest_api/network_apis/route-route-openshift-io-v1.html

The rule fails if Redirect is not in the .spec.tls.insecureEdgeTerminationPolicy
setting, even if the route is configured with a TLS setting/connection.

Example: 

$ oc get route -A
NAMESPACE                  NAME                HOST/PORT                                                                             PATH   SERVICES            PORT    TERMINATION            WILDCARD
openshift-authentication   oauth-openshift     oauth-openshift.apps.pdhamdhe909.qe.devcluster.openshift.com                                 oauth-openshift     6443    passthrough/Redirect   None
openshift-console          console             console-openshift-console.apps.pdhamdhe909.qe.devcluster.openshift.com                       console             https   reencrypt/Redirect     None
openshift-console          downloads           downloads-openshift-console.apps.pdhamdhe909.qe.devcluster.openshift.com                     downloads           http    edge/Redirect          None
openshift-ingress-canary   canary              canary-openshift-ingress-canary.apps.pdhamdhe909.qe.devcluster.openshift.com                 ingress-canary      8080    edge/Redirect          None
openshift-monitoring       alertmanager-main   alertmanager-main-openshift-monitoring.apps.pdhamdhe909.qe.devcluster.openshift.com          alertmanager-main   web     reencrypt/Redirect     None
openshift-monitoring       grafana             grafana-openshift-monitoring.apps.pdhamdhe909.qe.devcluster.openshift.com                    grafana             https   reencrypt/Redirect     None
openshift-monitoring       prometheus-k8s      prometheus-k8s-openshift-monitoring.apps.pdhamdhe909.qe.devcluster.openshift.com             prometheus-k8s      web     reencrypt/Redirect     None
openshift-monitoring       thanos-querier      thanos-querier-openshift-monitoring.apps.pdhamdhe909.qe.devcluster.openshift.com             thanos-querier      web     reencrypt/Redirect     None
test1                      edge-route          edge-route-test1.apps.pdhamdhe909.qe.devcluster.openshift.com                                service-unsecure    http    edge                   None

[1] With Redirect, the clients are redirected to the secure connection, as below:

$ curl -Ik http://downloads-openshift-console.apps.pdhamdhe909.qe.devcluster.openshift.com/
HTTP/1.1 302 Found
content-length: 0
location: https://downloads-openshift-console.apps.pdhamdhe909.qe.devcluster.openshift.com/
cache-control: no-cache

$ curl -Ik https://downloads-openshift-console.apps.pdhamdhe909.qe.devcluster.openshift.com/
HTTP/1.0 200 OK
server: SimpleHTTP/0.6 Python/3.6.8
date: Thu, 09 Sep 2021 11:15:03 GMT
content-type: text/html
content-length: 971
last-modified: Thu, 09 Sep 2021 03:57:24 GMT
set-cookie: a663438294fbd72a8e16964e97c8ecde=b657ff0a33428313a9eedb2271ef9630; path=/; HttpOnly; Secure; SameSite=None
cache-control: private
connection: keep-alive

[2] Without Redirect, the clients are still able to access the secure connection:

$ curl -ik https://edge-route-test1.apps.pdhamdhe909.qe.devcluster.openshift.com
HTTP/1.1 200 OK
server: nginx/1.18.0
date: Thu, 09 Sep 2021 10:33:47 GMT
content-type: text/html
content-length: 46
last-modified: Thu, 09 Sep 2021 09:23:38 GMT
etag: "6139d29a-2e"
accept-ranges: bytes
set-cookie: 107964a78b7597c70e48b0b7fec4711e=6ef89cce12de4a6753a62e2e95f048d7; path=/; HttpOnly; Secure; SameSite=None
cache-control: private

Hello-OpenShift web-server-rc-5hczh http-8080

[2] Also, Disable is not a valid setting for .spec.tls.insecureEdgeTerminationPolicy; if we
try to set Disable, it reports:

routes.route.openshift.io "edge-route" was not valid:
* spec.tls.insecureEdgeTerminationPolicy: Invalid value: "Disable": invalid value for InsecureEdgeTerminationPolicy option, acceptable values are None, Allow, Redirect, or empty

https://docs.openshift.com/container-platform/4.8/networking/routes/secured-routes.html
At the bottom of the page it mentions: "Optional insecureEdgeTerminationPolicy. The only valid values are None, Redirect, or empty for disabled."


Version-Release number of selected component (if applicable):
4.9.0-0.nightly-2021-09-08-233235 + compliance-operator.v0.1.39

How reproducible:
Always

Steps to Reproduce:

1. Install Compliance Operator 
2. Create secure edge route with TLS without setting Redirect in insecureEdgeTerminationPolicy
3. Create the ScanSettingBinding object
$ oc create -f - << EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: my-ssb-r
profiles:
  - name: ocp4-moderate
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF
4. Check rule status and it fails
$ oc get checkresult ocp4-moderate-routes-protected-by-tls
5. Access the host using curl and it reports 200 OK for secure connection
$ curl -Ik https://edge-route-test1.apps.pdhamdhe909.qe.devcluster.openshift.com


Actual results:
 
The rule instructions are incorrect and the rule fails even if the routes use a secure TLS connection.

Expected results:

The rule instruction needs to be updated as per the rule behaviour, and it should look for the edge, passthrough
and reencrypt TLS termination settings instead of only Redirect. The Disable setting also needs to be removed from the
rule instruction, as it is not correct.

Comment 1 Jakub Hrozek 2021-09-13 12:01:10 UTC
Seems like a legit bug, reviewed+

Comment 2 Jakub Hrozek 2021-10-13 12:32:37 UTC
Planned for the upcoming sprint.

Comment 3 Jakub Hrozek 2021-10-28 12:10:40 UTC
Replanned for the following sprint due to capacity

Comment 5 Mithilesh Kaur Bagga 2021-12-21 16:47:19 UTC
Hello Team,

There are multiple queries coming from the CU. Can you please guide me on the same?

1. The CU has a cluster with 4.8.17 and is using openshift-logging, so does he need to update the entire cluster to 4.8.24 or only openshift-logging? Can you please guide which channel he can get updates for 4.8.24 from?

2. As we know, our core component has an insight operator which is used by telemetry. In that case, does only the logging operator need to be updated, or is an entire cluster upgrade required?

Question 1: Is this really a mandatory requirement to upgrade the cluster to 4.8.24?

Question 2: If yes, where is this documented? (Remark: If Verbund has to upgrade during system lock-down, they need to have formal proof from the vendor that this is a mandatory requirement!)

Logging has been upgraded to 5.2.4-17 on the 14th Dec.

Question 3: Please confirm whether the openshift-logging operator upgrade is sufficient to fix the log4j issue.

Question 4: ACS still shows vulnerabilities on logging. Why?


   - What documentation lists these details about the fixes? Our RHSA documentation [0] (https://access.redhat.com/errata/RHSA-2021:5127)
     says the SA is for 5.2.4, but does not specify which exact version under 5.2.4;
     when I personally install the operator, I see 5.2.4-17 as the version.

   - What is the difference between the "stable" channel in the Elasticsearch Operator,
     which the CU sees with version 5.2.2-21, and the "stable-5.2" channel, and which one does he need to subscribe to in order to have the patches for the CVEs?

Comment 6 Mithilesh Kaur Bagga 2021-12-21 16:49:18 UTC
Hello Team,

Sorry wrong BZ update was posted.

Comment 11 Vincent Shen 2022-02-05 09:18:05 UTC
The doc here should be updated as well, in addition to the rule's instruction: https://docs.openshift.com/container-platform/4.9/rest_api/network_apis/route-route-openshift-io-v1.html

The current correct definition should be either None or Redirect: https://github.com/openshift/api/blob/31ffd77a8f025c73b5d19b390af353f9775e7ef1/route/v1/types.go#L270

Comment 12 Vincent Shen 2022-02-07 22:30:24 UTC
PR Fixes: https://github.com/ComplianceAsCode/content/pull/8176

Comment 13 Jakub Hrozek 2022-02-11 12:26:48 UTC
(In reply to Vincent Shen from comment #11)
> The doc here should be updated as well in addition to rule's instruction:
> https://docs.openshift.com/container-platform/4.9/rest_api/network_apis/
> route-route-openshift-io-v1.html
> 

I think we need a docs bug for that.

Comment 14 Vincent Shen 2022-02-14 06:37:20 UTC
I will create one for it.

Comment 15 Vincent Shen 2022-02-14 06:49:35 UTC
(In reply to Jakub Hrozek from comment #13)
> (In reply to Vincent Shen from comment #11)
> > The doc here should be updated as well in addition to rule's instruction:
> > https://docs.openshift.com/container-platform/4.9/rest_api/network_apis/
> > route-route-openshift-io-v1.html
> > 
> 
> I think we need a docs bug for that.

A doc bug has been filled: https://bugzilla.redhat.com/show_bug.cgi?id=2054073

Comment 21 Prashant Dhamdhere 2022-03-31 06:03:38 UTC
[Bug Verification]

Looks good. The compliance scan verifies that every route object has either None or Redirect
in the .spec.tls.insecureEdgeTerminationPolicy setting. The rule reports FAIL status if it finds
the insecureEdgeTerminationPolicy setting empty.

Verified On:
4.10.0-0.nightly-2022-03-29-163038 + compliance-operator.v0.1.49

$ oc project openshift-compliance
Now using project "openshift-compliance" on server "https://api.sdn-pdhamdhe31.qe.devcluster.openshift.com:6443".

$ oc get csv
NAME                               DISPLAY                            VERSION     REPLACES   PHASE
compliance-operator.v0.1.49        Compliance Operator                0.1.49                 Succeeded
elasticsearch-operator.5.4.0-127   OpenShift Elasticsearch Operator   5.4.0-127              Succeeded

$ oc get pods
NAME                                              READY   STATUS    RESTARTS        AGE
compliance-operator-9bf58698f-g7w9d               1/1     Running   1 (6m23s ago)   7m3s
ocp4-openshift-compliance-pp-59cd7665d6-w5czh     1/1     Running   0               5m46s
rhcos4-openshift-compliance-pp-5c85d4d5c8-8xtk6   1/1     Running   0               5m46s


$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-moderate
> profiles:
>   - name: ocp4-moderate
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default 
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-moderate created

$ oc get suite -w
NAME              PHASE       RESULT
my-ssb-moderate   LAUNCHING   NOT-AVAILABLE
my-ssb-moderate   RUNNING     NOT-AVAILABLE
my-ssb-moderate   AGGREGATING   NOT-AVAILABLE
my-ssb-moderate   DONE          NON-COMPLIANT
my-ssb-moderate   DONE          NON-COMPLIANT

$ oc get pods 
NAME                                              READY   STATUS      RESTARTS      AGE
aggregator-pod-ocp4-moderate                      0/1     Completed   0             41m
compliance-operator-9bf58698f-g7w9d               1/1     Running     1 (49m ago)   49m
ocp4-moderate-api-checks-pod                      0/2     Completed   0             42m
ocp4-openshift-compliance-pp-59cd7665d6-w5czh     1/1     Running     0             48m
rhcos4-openshift-compliance-pp-5c85d4d5c8-8xtk6   1/1     Running     0             48m

$ oc get checkresult ocp4-moderate-routes-protected-by-tls
NAME                                    STATUS   SEVERITY
ocp4-moderate-routes-protected-by-tls   PASS     medium

$ oc get checkresult ocp4-moderate-routes-protected-by-tls -o=jsonpath={.instructions}
Run the following command to retrieve the compliancesuites in the system:
$ oc get routes --all-namespaces
Make sure that every route object has either None or Redirect
in the .spec.tls.insecureEdgeTerminationPolicy setting.

$ oc get routes --all-namespaces
NAMESPACE                  NAME                HOST/PORT                                                                                PATH   SERVICES            PORT    TERMINATION            WILDCARD
openshift-authentication   oauth-openshift     oauth-openshift.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                                 oauth-openshift     6443    passthrough/Redirect   None
openshift-console          console             console-openshift-console.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                       console             https   reencrypt/Redirect     None
openshift-console          downloads           downloads-openshift-console.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                     downloads           http    edge/Redirect          None
openshift-ingress-canary   canary              canary-openshift-ingress-canary.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                 ingress-canary      8080    edge/Redirect          None
openshift-monitoring       alertmanager-main   alertmanager-main-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com   /api   alertmanager-main   web     reencrypt/Redirect     None
openshift-monitoring       grafana             grafana-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                    grafana             https   reencrypt/Redirect     None
openshift-monitoring       prometheus-k8s      prometheus-k8s-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com             prometheus-k8s      web     reencrypt/Redirect     None
openshift-monitoring       thanos-querier      thanos-querier-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com      /api   thanos-querier      web     reencrypt/Redirect     None


$ oc create ns test1
namespace/test1 created

$ cat web-server-rc.yaml 
apiVersion: v1
kind: List
items:
- apiVersion: v1
  kind: ReplicationController
  metadata:
    labels:
      name: web-server-rc
    name: web-server-rc
  spec:
    replicas: 1
    template:
      metadata:
        labels:
          name: web-server-rc
      spec:
        containers:
        - image: quay.io/openshifttest/nginx-alpine@sha256:5d3f3372288b8a93fc9fc7747925df2328c24db41e4b4226126c3af293c5ad88
          name: nginx
- apiVersion: v1
  kind: Service
  metadata:
    labels:
      name: service-secure
    name: service-secure
  spec:
    ports:
    - name: https
      port: 27443
      protocol: TCP
      targetPort: 8443
    selector:
      name: web-server-rc
- apiVersion: v1
  kind: Service
  metadata:
    labels:
      name: service-unsecure
    name: service-unsecure
  spec:
    ports:
    - name: http
      port: 27017
      protocol: TCP
      targetPort: 8080
    selector:
      name: web-server-rc
- apiVersion: route.openshift.io/v1
  kind: Route
  metadata:
    name: edge-route
  spec:
      to:
          kind: Service
          name: service-unsecure
      tls:
          termination: edge
          key: "----- -----\n"
          certificate: "----- -----\n"
          caCertificate: "----- -----"


$ oc create -f web-server-rc.yaml -ntest1
replicationcontroller/web-server-rc created
service/service-secure created
service/service-unsecure created
route.route.openshift.io/edge-route created


$ oc get all -ntest1
NAME                      READY   STATUS    RESTARTS   AGE
pod/web-server-rc-k2zmq   1/1     Running   0          13s

NAME                                  DESIRED   CURRENT   READY   AGE
replicationcontroller/web-server-rc   1         1         1       13s

NAME                       TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
service/service-secure     ClusterIP   172.30.51.254   <none>        27443/TCP   13s
service/service-unsecure   ClusterIP   172.30.120.26   <none>        27017/TCP   13s

NAME                                  HOST/PORT                                                          PATH   SERVICES           PORT    TERMINATION   WILDCARD
route.route.openshift.io/edge-route   edge-route-test1.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com          service-unsecure   <all>   edge          None


$ oc get routes --all-namespaces
NAMESPACE                  NAME                HOST/PORT                                                                                PATH   SERVICES            PORT    TERMINATION            WILDCARD
openshift-authentication   oauth-openshift     oauth-openshift.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                                 oauth-openshift     6443    passthrough/Redirect   None
openshift-console          console             console-openshift-console.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                       console             https   reencrypt/Redirect     None
openshift-console          downloads           downloads-openshift-console.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                     downloads           http    edge/Redirect          None
openshift-ingress-canary   canary              canary-openshift-ingress-canary.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                 ingress-canary      8080    edge/Redirect          None
openshift-monitoring       alertmanager-main   alertmanager-main-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com   /api   alertmanager-main   web     reencrypt/Redirect     None
openshift-monitoring       grafana             grafana-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                    grafana             https   reencrypt/Redirect     None
openshift-monitoring       prometheus-k8s      prometheus-k8s-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com             prometheus-k8s      web     reencrypt/Redirect     None
openshift-monitoring       thanos-querier      thanos-querier-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com      /api   thanos-querier      web     reencrypt/Redirect     None
test1                      edge-route          edge-route-test1.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                                service-unsecure    <all>   edge                   None


$ oc-compliance rerun-now compliancesuite/my-ssb-moderate -nopenshift-compliance
Rerunning scans from 'my-ssb-moderate': ocp4-moderate
Re-running scan 'openshift-compliance/ocp4-moderate'


$ oc get suite -w
NAME              PHASE       RESULT
my-ssb-moderate   LAUNCHING   NOT-AVAILABLE
my-ssb-moderate   RUNNING     NOT-AVAILABLE
my-ssb-moderate   AGGREGATING   NOT-AVAILABLE
my-ssb-moderate   DONE          NON-COMPLIANT
my-ssb-moderate   DONE          NON-COMPLIANT

$ oc get scan
NAME            PHASE   RESULT
ocp4-moderate   DONE    NON-COMPLIANT


$ oc get checkresult ocp4-moderate-routes-protected-by-tls
NAME                                    STATUS   SEVERITY
ocp4-moderate-routes-protected-by-tls   FAIL     medium


$ oc edit route.route.openshift.io/edge-route -ntest1
route.route.openshift.io/edge-route edited


$ oc get route.route.openshift.io/edge-route -oyaml -ntest1 |grep insecureEdgeTerminationPolicy
    insecureEdgeTerminationPolicy: None


$ oc get routes --all-namespaces
NAMESPACE                  NAME                HOST/PORT                                                                                PATH   SERVICES            PORT    TERMINATION            WILDCARD
openshift-authentication   oauth-openshift     oauth-openshift.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                                 oauth-openshift     6443    passthrough/Redirect   None
openshift-console          console             console-openshift-console.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                       console             https   reencrypt/Redirect     None
openshift-console          downloads           downloads-openshift-console.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                     downloads           http    edge/Redirect          None
openshift-ingress-canary   canary              canary-openshift-ingress-canary.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                 ingress-canary      8080    edge/Redirect          None
openshift-monitoring       alertmanager-main   alertmanager-main-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com   /api   alertmanager-main   web     reencrypt/Redirect     None
openshift-monitoring       grafana             grafana-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                    grafana             https   reencrypt/Redirect     None
openshift-monitoring       prometheus-k8s      prometheus-k8s-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com             prometheus-k8s      web     reencrypt/Redirect     None
openshift-monitoring       thanos-querier      thanos-querier-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com      /api   thanos-querier      web     reencrypt/Redirect     None
test1                      edge-route          edge-route-test1.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                                service-unsecure    <all>   edge/None              None

$ oc-compliance rerun-now compliancesuite/my-ssb-moderate -nopenshift-compliance
Rerunning scans from 'my-ssb-moderate': ocp4-moderate
Re-running scan 'openshift-compliance/ocp4-moderate'

$ oc get suite -w
NAME              PHASE     RESULT
my-ssb-moderate   RUNNING   NOT-AVAILABLE
my-ssb-moderate   AGGREGATING   NOT-AVAILABLE
my-ssb-moderate   DONE          NON-COMPLIANT
my-ssb-moderate   DONE          NON-COMPLIANT

$ oc get checkresult ocp4-moderate-routes-protected-by-tls
NAME                                    STATUS   SEVERITY
ocp4-moderate-routes-protected-by-tls   PASS     medium

$ oc get pods
NAME                                              READY   STATUS      RESTARTS      AGE
aggregator-pod-ocp4-moderate                      0/1     Completed   0             18m
compliance-operator-9bf58698f-g7w9d               1/1     Running     1 (77m ago)   78m
ocp4-moderate-api-checks-pod                      0/2     Completed   0             18m
ocp4-openshift-compliance-pp-59cd7665d6-w5czh     1/1     Running     0             77m
rhcos4-openshift-compliance-pp-5c85d4d5c8-8xtk6   1/1     Running     0             77m


$ oc edit route.route.openshift.io/edge-route -ntest1 
route.route.openshift.io/edge-route edited

$ oc get route.route.openshift.io/edge-route -oyaml -ntest1 |grep insecureEdgeTerminationPolicy
    insecureEdgeTerminationPolicy: Allow

$ oc-compliance rerun-now compliancesuite/my-ssb-moderate -nopenshift-compliance
Rerunning scans from 'my-ssb-moderate': ocp4-moderate
Re-running scan 'openshift-compliance/ocp4-moderate'

$ oc get suite -w
NAME              PHASE     RESULT
my-ssb-moderate   RUNNING   NOT-AVAILABLE
my-ssb-moderate   AGGREGATING   NOT-AVAILABLE
my-ssb-moderate   DONE          NON-COMPLIANT
my-ssb-moderate   DONE          NON-COMPLIANT

$ oc get scan
NAME            PHASE   RESULT
ocp4-moderate   DONE    NON-COMPLIANT


$ oc get routes --all-namespaces
NAMESPACE                  NAME                HOST/PORT                                                                                PATH   SERVICES            PORT    TERMINATION            WILDCARD
openshift-authentication   oauth-openshift     oauth-openshift.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                                 oauth-openshift     6443    passthrough/Redirect   None
openshift-console          console             console-openshift-console.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                       console             https   reencrypt/Redirect     None
openshift-console          downloads           downloads-openshift-console.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                     downloads           http    edge/Redirect          None
openshift-ingress-canary   canary              canary-openshift-ingress-canary.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                 ingress-canary      8080    edge/Redirect          None
openshift-monitoring       alertmanager-main   alertmanager-main-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com   /api   alertmanager-main   web     reencrypt/Redirect     None
openshift-monitoring       grafana             grafana-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                    grafana             https   reencrypt/Redirect     None
openshift-monitoring       prometheus-k8s      prometheus-k8s-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com             prometheus-k8s      web     reencrypt/Redirect     None
openshift-monitoring       thanos-querier      thanos-querier-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com      /api   thanos-querier      web     reencrypt/Redirect     None
test1                      edge-route          edge-route-test1.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                                service-unsecure    <all>   edge/Allow             None


$ oc get checkresult ocp4-moderate-routes-protected-by-tls
NAME                                    STATUS   SEVERITY
ocp4-moderate-routes-protected-by-tls   FAIL     medium


$ oc get pods
NAME                                              READY   STATUS      RESTARTS      AGE
aggregator-pod-ocp4-moderate                      0/1     Completed   0             3m5s
compliance-operator-9bf58698f-g7w9d               1/1     Running     1 (98m ago)   99m
ocp4-moderate-api-checks-pod                      0/2     Completed   0             3m35s
ocp4-openshift-compliance-pp-59cd7665d6-w5czh     1/1     Running     0             97m
rhcos4-openshift-compliance-pp-5c85d4d5c8-8xtk6   1/1     Running     0             97m


$ oc edit route.route.openshift.io/edge-route -ntest1 
route.route.openshift.io/edge-route edited


$ oc get route.route.openshift.io/edge-route -oyaml -ntest1 |grep insecureEdgeTerminationPolicy
    insecureEdgeTerminationPolicy: Redirect


$ oc-compliance rerun-now compliancesuite/my-ssb-moderate -nopenshift-compliance
Rerunning scans from 'my-ssb-moderate': ocp4-moderate
Re-running scan 'openshift-compliance/ocp4-moderate'

$ oc get suite -w
NAME              PHASE       RESULT
my-ssb-moderate   LAUNCHING   NOT-AVAILABLE
my-ssb-moderate   RUNNING     NOT-AVAILABLE
my-ssb-moderate   AGGREGATING   NOT-AVAILABLE
my-ssb-moderate   DONE          NON-COMPLIANT
my-ssb-moderate   DONE          NON-COMPLIANT


$ oc get checkresult ocp4-moderate-routes-protected-by-tls
NAME                                    STATUS   SEVERITY
ocp4-moderate-routes-protected-by-tls   PASS     medium


$ oc get routes --all-namespaces
NAMESPACE                  NAME                HOST/PORT                                                                                PATH   SERVICES            PORT    TERMINATION            WILDCARD
openshift-authentication   oauth-openshift     oauth-openshift.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                                 oauth-openshift     6443    passthrough/Redirect   None
openshift-console          console             console-openshift-console.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                       console             https   reencrypt/Redirect     None
openshift-console          downloads           downloads-openshift-console.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                     downloads           http    edge/Redirect          None
openshift-ingress-canary   canary              canary-openshift-ingress-canary.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                 ingress-canary      8080    edge/Redirect          None
openshift-monitoring       alertmanager-main   alertmanager-main-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com   /api   alertmanager-main   web     reencrypt/Redirect     None
openshift-monitoring       grafana             grafana-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                    grafana             https   reencrypt/Redirect     None
openshift-monitoring       prometheus-k8s      prometheus-k8s-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com             prometheus-k8s      web     reencrypt/Redirect     None
openshift-monitoring       thanos-querier      thanos-querier-openshift-monitoring.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com      /api   thanos-querier      web     reencrypt/Redirect     None
test1                      edge-route          edge-route-test1.apps.sdn-pdhamdhe31.qe.devcluster.openshift.com                                service-unsecure    <all>   edge/Redirect          None


$ oc get pods
NAME                                              READY   STATUS      RESTARTS       AGE
aggregator-pod-ocp4-moderate                      0/1     Completed   0              10m
compliance-operator-9bf58698f-g7w9d               1/1     Running     1 (114m ago)   115m
ocp4-moderate-api-checks-pod                      0/2     Completed   0              10m
ocp4-openshift-compliance-pp-59cd7665d6-w5czh     1/1     Running     0              113m
rhcos4-openshift-compliance-pp-5c85d4d5c8-8xtk6   1/1     Running     0              113m

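The states walked through in the verification above (Redirect and None pass, empty and Allow fail) and the termination types named in the description can be checked offline against `oc get routes -A -o json` output. The following is an added example written for this page, not the ComplianceAsCode rule's own check; the accepted API values are taken from the validation error quoted in the bug, and the sample routes are constructed.

```python
"""Evaluate Route objects against the corrected
ocp4-moderate-routes-protected-by-tls semantics (None or Redirect pass)."""
import json

# Values the Route API accepts for .spec.tls.insecureEdgeTerminationPolicy,
# as quoted in the validation error in the bug: None, Allow, Redirect, or empty.
API_ACCEPTED_POLICIES = {"None", "Allow", "Redirect", ""}
# Values the fixed rule instruction accepts.
COMPLIANT_POLICIES = {"None", "Redirect"}
# TLS termination types a secured route can use (.spec.tls.termination).
TLS_TERMINATIONS = {"edge", "passthrough", "reencrypt"}


def api_accepts_policy(value):
    """Mirror the API server's validation of insecureEdgeTerminationPolicy
    ("Disable" is rejected, which is why the old instruction was wrong)."""
    return value in API_ACCEPTED_POLICIES


def evaluate_route(route):
    """Return (status, reason) for one Route object."""
    tls = (route.get("spec") or {}).get("tls") or {}
    termination = tls.get("termination", "")
    policy = tls.get("insecureEdgeTerminationPolicy", "")
    if termination not in TLS_TERMINATIONS:
        return "FAIL", "no TLS termination configured"
    if policy in COMPLIANT_POLICIES:
        return "PASS", f"{termination}/{policy}"
    if policy == "":
        return "FAIL", f"{termination} with empty insecureEdgeTerminationPolicy"
    # Allow keeps a plaintext HTTP listener next to the TLS one.
    return "FAIL", f"{termination}/{policy} permits plaintext HTTP"


def check_routes(route_list):
    """Evaluate every item of a List/RouteList and return per-route results."""
    results = []
    for route in route_list.get("items", []):
        md = route.get("metadata", {})
        status, reason = evaluate_route(route)
        results.append({"namespace": md.get("namespace", ""),
                        "name": md.get("name", ""),
                        "status": status, "reason": reason})
    return results


def check_routes_json(text):
    """Same as check_routes, but for the raw text of `oc get routes -A -o json`."""
    return check_routes(json.loads(text))


def rule_status(results):
    """The rule passes only if every route passes."""
    return "PASS" if all(r["status"] == "PASS" for r in results) else "FAIL"


def make_route(namespace, name, termination=None, policy=None):
    """Build a minimal constructed Route object (hypothetical sample data)."""
    route = {"apiVersion": "route.openshift.io/v1", "kind": "Route",
             "metadata": {"namespace": namespace, "name": name},
             "spec": {"to": {"kind": "Service", "name": "svc"}}}
    if termination is not None:
        tls = {"termination": termination}
        if policy is not None:
            tls["insecureEdgeTerminationPolicy"] = policy
        route["spec"]["tls"] = tls
    return route


# Constructed sample mirroring the states the verification walked through.
SAMPLE_ROUTE_LIST = {"apiVersion": "v1", "kind": "List", "items": [
    make_route("openshift-console", "downloads", "edge", "Redirect"),
    make_route("openshift-authentication", "oauth-openshift", "passthrough", "Redirect"),
    make_route("test1", "edge-route", "edge"),             # policy left empty -> FAIL
    make_route("test1", "edge-route-none", "edge", "None"),
    make_route("test1", "edge-route-allow", "edge", "Allow"),
    make_route("test1", "plain-route"),                    # no tls stanza -> FAIL
]}

if __name__ == "__main__":
    res = check_routes_json(json.dumps(SAMPLE_ROUTE_LIST))
    for r in res:
        print(f"{r['status']:4} {r['namespace']}/{r['name']}: {r['reason']}")
    print("rule:", rule_status(res))
```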
Comment 23 errata-xmlrpc 2022-04-18 07:54:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1148

