Bug 2079813 - False positive in rules: ocp4-cis-api-server-kubelet-client-{cert|key} and ocp4-cis-kubelet-configure-tls-{cert|key}
Summary: False positive in rules: ocp4-cis-api-server-kubelet-client-{cert|key} and oc...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Jakub Hrozek
QA Contact:
URL:
Whiteboard:
: 2083839 2088752 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-04-28 10:03 UTC by German Parente
Modified: 2022-07-14 12:41 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The compliance content for rule ocp4-cis-api-server-kubelet-client-cert, ocp4-cis-api-server-kubelet-client-key, ocp4-cis-kubelet-configure-tls-cert, ocp4-cis-kubelet-configure-tls-key failed to account for additional configuration file paths for API server TLS certs and keys. Consequence: The rules would report failure, even though the certificates and keys were set properly. Fix: Consume and use new compliance content shipped with 0.1.53. Result: The rules now report accurately regardless of the certificate and key locations specified in the kubelet configuration file.
Clone Of:
Environment:
Last Closed: 2022-07-14 12:40:58 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github ComplianceAsCode content pull 8890 0 None open OCP4: Add compat rules for checking API server and kubelet TLS certs and keys on OCP releases <= 4.8 2022-06-03 14:25:21 UTC
Red Hat Product Errata RHBA-2022:5537 0 None None None 2022-07-14 12:41:05 UTC

Description German Parente 2022-04-28 10:03:20 UTC 
Description of problem:

it seems that after introduction of: 

https://github.com/ComplianceAsCode/content/pull/7152

the rules:

ocp4-cis-api-server-kubelet-client-cert
ocp4-cis-api-server-kubelet-client-key
ocp4-cis-kubelet-configure-tls-cert
ocp4-cis-kubelet-configure-tls-key

are failing in clusters where we have the old path:

static-pod-resources instead of static-pod-certs
Comment 1 German Parente 2022-04-28 10:05:37 UTC 
More precisely,

ocp4-cis-api-server-kubelet-client-cert FAIL high
ocp4-cis-api-server-kubelet-client-key FAIL high
ocp4-cis-kubelet-configure-tls-cert FAIL medium
ocp4-cis-kubelet-configure-tls-key FAIL medium

oc get compliancecheckresults.compliance.openshift.io ocp4-cis-api-server-kubelet-client-cert -o json | jq -r '.instructions'

Running command:
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'

Result:
[
"/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
]



oc get compliancecheckresults.compliance.openshift.io ocp4-cis-api-server-kubelet-client-key -o json | jq -r '.instructions'

Running Command:
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]

Result:
[
"/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
]


oc get compliancecheckresults.compliance.openshift.io ocp4-cis-kubelet-configure-tls-cert -o json | jq -r '.instructions'

Running Command:
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'

Result:
[
"/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
]


oc get compliancecheckresults.compliance.openshift.io ocp4-cis-kubelet-configure-tls-key -o json | jq -r '.instructions'

Running Command:
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]'

Result:
[
"/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
]
Comment 2 Jakub Hrozek 2022-04-29 12:46:34 UTC 
It seems that the check was completely reworked recently and now doesn't use a check with a regex, but a variable instead. The variable has a single default value which is `/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt`.
So I guess one quick workaround might be to set the variable through a tailoredProfile, see an example e.g. here: https://docs.openshift.com/container-platform/4.10/security/compliance_operator/compliance-operator-tailor.html

The variables that are interesting are `ocp4-var-apiserver-kubelet-client-cert` and `ocp4-var-apiserver-tls-cert`. 

apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: cis-modified
spec:
  extends: ocp4-cis
  description: CIS with customizations for 4.8
  title: CIS modified
  setValues:
  - name: ocp4-var-apiserver-kubelet-client-cert
    rationale: Working around content issue on 4.8
    value: /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt
  - name: ocp4-var-apiserver-tls-cert
    rationale: Working around content issue on 4.8
    value: /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key

(Sorry, running out of time today, so I didn't test this myself AT ALL, feel free to ask here on ping on Slack if this doesn't work for you)


But more systematically, I wonder what can be done.

Vincent, do you know if we have a way to set different default values for different OCP releases based on the CPE?
Comment 3 Vincent Shen 2022-05-10 15:44:55 UTC 
Sorry for the late reply; I don't think we can set different default values for different OCP releases based on the CPE. It seems like they should use a tailored profile for this at the moment.
Comment 4 Jakub Hrozek 2022-05-20 12:36:11 UTC 
*** Bug 2083839 has been marked as a duplicate of this bug. ***
Comment 5 Jakub Hrozek 2022-05-20 12:37:30 UTC 
*** Bug 2088752 has been marked as a duplicate of this bug. ***
Comment 6 Jakub Hrozek 2022-05-20 12:47:44 UTC 
I think the best way would be to create separate rules for the old releases.
Comment 7 Jakub Hrozek 2022-05-23 20:43:10 UTC 
Quick update: I have the rules written, but there appears to be an issue with the per-release selector in CaC. Trying to find a fix..
Comment 8 Jakub Hrozek 2022-05-25 10:45:02 UTC 
(In reply to Jakub Hrozek from comment #7)
> Quick update: I have the rules written, but there appears to be an issue
> with the per-release selector in CaC. Trying to find a fix..

Filed an issue to have the profile selector fixed, as I don't understand that part of CaC: https://github.com/ComplianceAsCode/content/issues/8833
Comment 9 Jakub Hrozek 2022-05-31 18:47:02 UTC 
(In reply to Jakub Hrozek from comment #8)
> (In reply to Jakub Hrozek from comment #7)
> > Quick update: I have the rules written, but there appears to be an issue
> > with the per-release selector in CaC. Trying to find a fix..
> 
> Filed an issue to have the profile selector fixed, as I don't understand
> that part of CaC: https://github.com/ComplianceAsCode/content/issues/8833

Just an update because there are many cases..the CaC team said they'd take a look at the issue this week. There was a workaround suggested but it appears to help only somewhat.
Comment 10 Juerg Ritter 2022-06-01 14:08:25 UTC 
I got the workaround for the kubelet client cert configuration running by setting the following values in the TailoredProfile:

spec: 
  setValues:
    - name: ocp4-var-apiserver-kubelet-client-cert
      rationale: Working around content issue on 4.8
      value: /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt
    - name: ocp4-var-apiserver-kubelet-client-key
      rationale: Working around content issue on 4.8
      value: /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key


This is the configuration of Jakub, but on my configuration (compliance operator v0.1.49 on OCP 4.8.36) the key for the client key is ocp4-var-apiserver-kubelet-client-key rather than ocp4-var-apiserver-tls-cert.
Comment 11 Jakub Hrozek 2022-06-03 14:24:53 UTC 
PR: https://github.com/ComplianceAsCode/content/pull/8890
Comment 12 Jakub Hrozek 2022-06-07 07:57:51 UTC 
Merged upstream in https://github.com/ComplianceAsCode/content/commit/79fcb5b2f1fbfeee0e9fcf6678fb4081e55612b9 will be fixed in the next CO/content release.
Comment 14 xiyuan 2022-07-01 10:54:52 UTC 
Verification pass with 4.11.0-0.nightly-2022-06-30-005428 + latest CO code:
# oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: ocp4-cis
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created
# oc get suite -w
NAME       PHASE         RESULT
my-ssb-r   AGGREGATING   NOT-AVAILABLE
my-ssb-r   DONE          NON-COMPLIANT
my-ssb-r   DONE          NON-COMPLIANT
# oc get ccr| grep api-server-kubelet-client
ocp4-cis-api-server-kubelet-client-cert                            PASS     high
ocp4-cis-api-server-kubelet-client-key                             PASS     high
# oc get ccr| grep kubelet-configure-tls
ocp4-cis-kubelet-configure-tls-cert                                PASS     medium
ocp4-cis-kubelet-configure-tls-key                                 PASS     medium

# oc get ccr ocp4-cis-api-server-kubelet-client-cert -o=jsonpath={.instructions}
Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt
or /etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt
#  oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
[
  "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt"
]


# oc get ccr ocp4-cis-api-server-kubelet-client-key  -o=jsonpath={.instructions}
Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key
or /etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key
# oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
[
  "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key"
]

# oc get ccr ocp4-cis-kubelet-configure-tls-cert  -o=jsonpath={.instructions}
Run the following command on the kubelet node(s):
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'
Verify that a client certificate is configured.[

# oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'
[
  "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt"
]


# oc get ccr ocp4-cis-kubelet-configure-tls-key  -o=jsonpath={.instructions}
Run the following command on the kubelet node(s):
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]'
Verify that a client certificate is configured.

# oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]'
[
  "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key"
]
Comment 17 xiyuan 2022-07-08 08:41:24 UTC 
Verification pass with compliance-operator.v0.1.53 + OCP payload 4.11.0-rc.1 and compliance-operator.v0.1.53 + OCP payload 4.8.46
1. with 4.11.0-rc.1:
$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: test
> profiles:
>   - apiGroup: compliance.openshift.io/v1alpha1
>     kind: TailoredProfile
>     name: test
> settingsRef:
>   apiGroup: compliance.openshift.io/v1alpha1
>   kind: ScanSetting
>   name: default
> EOF
scansettingbinding.compliance.openshift.io/test created
]$ oc get suite -w
NAME   PHASE       RESULT
test   LAUNCHING   NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          COMPLIANT
test   DONE          COMPLIANT
^C$ oc get ccr
NAME                                  STATUS   SEVERITY
test-api-server-kubelet-client-cert   PASS     high
test-api-server-kubelet-client-key    PASS     high
$ oc get ccr test-api-server-kubelet-client-cert -o=jsonpath={.instructions}
Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt
or /etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt[xiyuan@MiWiFi-RA69-srv func]$ 

$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
[
  "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt"
]

$ oc get ccr test-api-server-kubelet-client-key -o=jsonpath={.instructions}
Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key
or /etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key[xiyuan@MiWiFi-RA69-srv func]$ 

$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
[
  "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key"
]

2. With 4.8.46 + compliance-operator.v0.1.53:
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-qd4mq   compliance-operator.v0.1.53   Automatic   true
$ oc get csv
NAME                            DISPLAY                            VERSION   REPLACES   PHASE
compliance-operator.v0.1.53     Compliance Operator                0.1.53               Succeeded
elasticsearch-operator.5.2.12   OpenShift Elasticsearch Operator   5.2.12               Succeeded
$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.46    True        False         6h3m    Cluster version is 4.8.46
$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: TailoredProfile
> metadata:
>   name: test
>   namespace: openshift-compliance
> spec:                                         
>   description: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout
>   title: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout
>   enableRules:
>     - name: ocp4-api-server-kubelet-client-cert
>       rationale: platform
>     - name: ocp4-api-server-kubelet-client-cert-pre-4-9
>       rationale: platform
>     - name: ocp4-api-server-kubelet-client-key
>       rationale: platform
>     - name: ocp4-api-server-kubelet-client-key-pre-4-9
>       rationale: platform
> EOF

tailoredprofile.compliance.openshift.io/test created
$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: test
> profiles:
>   - apiGroup: compliance.openshift.io/v1alpha1
>     kind: TailoredProfile
>     name: test
> settingsRef:
>   apiGroup: compliance.openshift.io/v1alpha1
>   kind: ScanSetting
>   name: default
> EOF

scansettingbinding.compliance.openshift.io/test created
$ oc get suite -w
NAME   PHASE     RESULT
test   RUNNING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          COMPLIANT
test   DONE          COMPLIANT
^C$ oc get ccr
NAME                                          STATUS   SEVERITY
test-api-server-kubelet-client-cert-pre-4-9   PASS     high
test-api-server-kubelet-client-key-pre-4-9    PASS     high

$ oc get ccr test-api-server-kubelet-client-cert-pre-4-9 -o=jsonpath={.instructions}
Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt

$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
[
  "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
]

$oc get ccr test-api-server-kubelet-client-key-pre-4-9 -o=jsonpath={.instructions}
Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key[xiyuan@MiWiFi-RA69-srv upg]$ 

$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
[
  "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
]
Comment 18 xiyuan 2022-07-08 08:44:39 UTC 
Sorry, wrong operation, should be VERIFIED status.
Comment 20 errata-xmlrpc 2022-07-14 12:40:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5537
Note You need to log in before you can comment on or make changes to this bug.