Bug 2088752 - Rules kubelet tls client certificate reported as FAIL result for Compliance Operator 1.49
Keywords:
Status: CLOSED DUPLICATE of bug 2079813
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.8
Hardware: All
OS: All
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Jakub Hrozek
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-20 12:14 UTC by Pamela Escorza
Modified: 2022-05-20 12:37 UTC (History)
CC List: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-20 12:37:30 UTC
Target Upstream Version:
Embargoed:

Description Pamela Escorza 2022-05-20 12:14:15 UTC
Description of problem:
The following rules:
 - ocp4-cis-api-server-kubelet-client-cert
 - ocp4-cis-api-server-kubelet-client-key
 - ocp4-cis-kubelet-configure-tls-cert
 - ocp4-cis-kubelet-configure-tls-key

are being reported as FAIL for Compliance Operator 1.49 (in the version before, the result was PASS), while the verification output is the expected one:

**** api-server-kubelet-client-cert
Configure the kubelet Certificate File for the API Server
By default the API Server does not authenticate itself to the kubelet's
HTTPS endpoints. Requests from the API Server are treated anonymously.
Configuring certificate-based kubelet authentication ensures that the
API Server authenticates itself to kubelets when submitting requests.
Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt
or /etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt

... 
Checking in a fresh cluster:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
[
  "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
]



**** api-server-kubelet-client-key
Configure the kubelet Certificate Key for the API Server
By default the API Server does not authenticate itself to the kubelet's
HTTPS endpoints. Requests from the API Server are treated anonymously.
Configuring certificate-based kubelet authentication ensures that the
API Server authenticates itself to kubelets when submitting requests.
Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key
or /etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key

...
Checking in a fresh cluster:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
[
  "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
]



**** kubelet-configure-tls-cert
Ensure That The kubelet Client Certificate Is Correctly Set
Without cryptographic integrity protections, information can be
altered by unauthorized users without detection.
Run the following command on the kubelet node(s):
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'
Verify that a client certificate is configured.
...
Checking in a fresh cluster:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'
[
  "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
]



**** kubelet-configure-tls-key
Ensure That The kubelet Server Key Is Correctly Set
Without cryptographic integrity protections, information can be
altered by unauthorized users without detection.
Run the following command on the kubelet node(s):
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]'
Verify that a client certificate is configured.
...
Checking in a fresh cluster:

$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]'
[
  "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
]




Version-Release number of selected component (if applicable):
Compliance Operator 1.49

How reproducible:
Configure a scan setting to run the CIS Benchmark profiles in a fresh cluster and verify the rule results.


Actual results:
$ oc get compliancecheckresults | grep -i fail | grep -E "api-server-kubelet|kubelet-configure-tls"
ocp4-cis-modified-api-server-kubelet-client-cert                               FAIL     high
ocp4-cis-modified-api-server-kubelet-client-key                                FAIL     high
ocp4-cis-modified-kubelet-configure-tls-cert                                   FAIL     medium
ocp4-cis-modified-kubelet-configure-tls-key                                    FAIL     medium


Expected results:
As in the previous version, the rules should be reported as PASS.
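Added example, not code from the bug report or from the Compliance Operator: the manual verification quoted in the four rule descriptions, re-implemented in Python over a constructed copy of the `config` ConfigMap JSON so it runs offline. It mirrors the `jq` pipeline (read `data["config.yaml"]`, which is JSON-encoded, then look up `apiServerArguments[<flag>]`) and compares the value against the two paths the rule text accepts. The ConfigMap samples, the helper names and the PASS/FAIL reasons are assumptions made for this example; the operator's own rule implementation is not reproduced here.

```python
import json
from typing import Dict, List, Tuple

# Expected paths, as quoted in the rule descriptions of the bug report.
EXPECTED_VALUES: Dict[str, Tuple[str, ...]] = {
    "kubelet-client-certificate": (
        "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt",
        "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt",
    ),
    "kubelet-client-key": (
        "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key",
        "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key",
    ),
}


def api_server_argument(configmap: dict, name: str) -> List[str]:
    """Extract one apiServerArguments entry from the `config` ConfigMap.

    Mirrors the jq pipeline on the page: read data["config.yaml"] (the
    kube-apiserver config is JSON-encoded, which is why jq can parse it),
    then look up .apiServerArguments[name]. The value is normally a list
    of strings, as in the fresh-cluster output quoted above; a bare string
    is accepted too so the check does not depend on that shape.
    """
    raw = configmap.get("data", {}).get("config.yaml")
    if not raw:
        return []
    cfg = json.loads(raw)
    value = cfg.get("apiServerArguments", {}).get(name)
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [v for v in value if isinstance(v, str)]


def check_kubelet_client_argument(configmap: dict, name: str) -> Tuple[str, str]:
    """Return ("PASS" | "FAIL", reason) for one of the two kube-apiserver flags."""
    values = api_server_argument(configmap, name)
    if not values:
        return "FAIL", f"{name} is not set in apiServerArguments"
    unexpected = [v for v in values if v not in EXPECTED_VALUES[name]]
    if unexpected:
        return "FAIL", f"{name} points at unexpected path(s): {unexpected}"
    return "PASS", f"{name} = {values}"


def _configmap_with_args(args: dict) -> dict:
    """Constructed ConfigMap shaped like `oc get configmap config -n openshift-kube-apiserver -ojson`."""
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": "config", "namespace": "openshift-kube-apiserver"},
        "data": {"config.yaml": json.dumps({"apiServerArguments": args})},
    }


# Constructed sample 1: the values the bug report shows on a fresh cluster.
FRESH_CLUSTER = _configmap_with_args({
    "kubelet-client-certificate": ["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],
    "kubelet-client-key": ["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],
})

# Constructed sample 2: the key flag missing entirely (a genuine FAIL).
MISSING_KEY = _configmap_with_args({
    "kubelet-client-certificate": ["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],
})

# Constructed sample 3: flag set, but to a path outside the expected secret mounts.
WRONG_PATH = _configmap_with_args({
    "kubelet-client-certificate": ["/tmp/kubelet-client.crt"],
    "kubelet-client-key": ["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],
})


def run_all(configmap: dict) -> Dict[str, str]:
    """Evaluate both flags and return {flag: "PASS" | "FAIL"}."""
    return {name: check_kubelet_client_argument(configmap, name)[0] for name in EXPECTED_VALUES}


if __name__ == "__main__":
    samples = (("fresh cluster", FRESH_CLUSTER), ("missing key", MISSING_KEY), ("wrong path", WRONG_PATH))
    for label, cm in samples:
        for flag in EXPECTED_VALUES:
            status, reason = check_kubelet_client_argument(cm, flag)
            print(f"{label:13s} {flag:27s} {status:4s} {reason}")
```

Against the fresh-cluster sample both flags evaluate to PASS, which is the outcome the manual verification in the report supports; the two other samples show what a real FAIL looks like (flag absent, or pointing outside the kubelet-client secret mounts), so a FAIL from the operator can be compared with the raw ConfigMap before the result is trusted.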

Comment 1 Jakub Hrozek 2022-05-20 12:37:30 UTC

*** This bug has been marked as a duplicate of bug 2079813 ***
