Description of problem:

The following rules:

 - ocp4-cis-api-server-kubelet-client-cert
 - ocp4-cis-api-server-kubelet-client-key
 - ocp4-cis-kubelet-configure-tls-cert
 - ocp4-cis-kubelet-configure-tls-key

are being reported as FAIL for Compliance Operator 1.49 (in the previous version the result was PASS), even though the verification output is the expected one:

**** api-server-kubelet-client-cert

Configure the kubelet Certificate File for the API Server

By default the API Server does not authenticate itself to the kubelet's HTTPS endpoints. Requests from the API Server are treated anonymously. Configuring certificate-based kubelet authentication ensures that the API Server authenticates itself to kubelets when submitting requests.

Run the following command:

  $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'

The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt or /etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt
...

Checking in a fresh cluster:

  $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
  [
    "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
  ]

**** api-server-kubelet-client-key

Configure the kubelet Certificate Key for the API Server

By default the API Server does not authenticate itself to the kubelet's HTTPS endpoints. Requests from the API Server are treated anonymously. Configuring certificate-based kubelet authentication ensures that the API Server authenticates itself to kubelets when submitting requests.

Run the following command:

  $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'

The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key or /etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key
...

Checking in a fresh cluster:

  $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
  [
    "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
  ]

**** kubelet-configure-tls-cert

Ensure That The kubelet Client Certificate Is Correctly Set

Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

Run the following command on the kubelet node(s):

  $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'

Verify that a client certificate is configured.
...

Checking in a fresh cluster:

  $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'
  [
    "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
  ]

**** kubelet-configure-tls-key

Ensure That The kubelet Server Key Is Correctly Set

Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

Run the following command on the kubelet node(s):

  $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]'

Verify that a client certificate is configured.
...

Checking in a fresh cluster:

  $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]'
  [
    "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
  ]

Version-Release number of selected component (if applicable):

Compliance Operator 1.49

How reproducible:

Configure a ScanSetting to review the CIS Benchmark profiles in a fresh cluster and verify the rule results.

Actual results:

  $ oc get compliancecheckresults | grep -i fail | grep -E "api-server-kubelet|kubelet-configure-tls"
  ocp4-cis-modified-api-server-kubelet-client-cert   FAIL   high
  ocp4-cis-modified-api-server-kubelet-client-key    FAIL   high
  ocp4-cis-modified-kubelet-configure-tls-cert       FAIL   medium
  ocp4-cis-modified-kubelet-configure-tls-key        FAIL   medium

Expected results:

As in the previous version, the rules should be reported as PASS.
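For comparison with the operator's verdict, the following is an added, stand-alone re-implementation of the manual check quoted above (it is not Compliance Operator code and does not claim to be its actual rule logic). It evaluates the `config.yaml` document of the `config` ConfigMap in openshift-kube-apiserver, as obtained with `oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]'`, against the two accepted paths for each argument, and accepts both the JSON-array form shown in the report's output and a bare string. The embedded config is a constructed sample reduced to the fields the check reads.

```python
import json

# Constructed sample of the config.yaml payload (only the fields the
# check needs; a real cluster carries many more apiServerArguments).
SAMPLE_CONFIG_YAML = json.dumps({
    "apiServerArguments": {
        "kubelet-client-certificate": [
            "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
        ],
        "kubelet-client-key": [
            "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
        ],
    }
})

# Accepted values, taken from the rule descriptions quoted in the report.
EXPECTED = {
    "kubelet-client-certificate": {
        "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt",
        "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt",
    },
    "kubelet-client-key": {
        "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key",
        "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key",
    },
}


def argument_values(config_yaml, name):
    """Return the values of one apiServerArguments entry as a list.

    kube-apiserver arguments are stored as JSON arrays (one element per
    repeated flag), which is why the report's jq output is bracketed.
    A bare string is tolerated so a hand-edited config is still
    evaluated instead of being reported as missing."""
    args = json.loads(config_yaml).get("apiServerArguments", {})
    value = args.get(name)
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [v for v in value if isinstance(v, str)]


def check_rule(config_yaml, name):
    """PASS when the argument is present and every value is an accepted path."""
    values = argument_values(config_yaml, name)
    return "PASS" if values and all(v in EXPECTED[name] for v in values) else "FAIL"


def run_checks(config_yaml):
    """Evaluate both arguments; the cert rule and key rule share each one."""
    return {name: check_rule(config_yaml, name) for name in EXPECTED}
```

Feeding a real cluster's `config.yaml` into `run_checks` gives the verdict the manual procedure describes, which can then be compared with the ComplianceCheckResult objects.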
*** This bug has been marked as a duplicate of bug 2079813 ***