To fix CMP-2548

[rutvik23]

Description:

This rule controller_rotate_kubelet_server_certs is no longer valid as it still checking for feature-gate parameter which does not exist in any supported versions of OpenShift 4.

$ ./oc get ccr | grep cert | grep -i fail

ocp4-high-controller-rotate-kubelet-server-certs FAIL medium

Reproducible in Compliance Operator v1.4.0 & OpenShift v4.14.z

Rationale:

• Fixes #CMP-2548
• The existing rules like kubelet_enable_cert_rotation, kubelet_enable_server_cert_rotation already satisfy this check.

Review Hints:

• Another rule that rely on feature-gate parameter which does not exist, was disabled recently through CMP-2331

[openshift-ci]

Hi @rutvik23. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12008
This image was built from commit: 3beb2f6

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12008

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12008 make deploy-local

[yuumasato]

/ok-to-test

[yuumasato]

/test 4.13-e2e-aws-ocp4-moderate
/test 4.14-e2e-aws-ocp4-moderate
/test 4.15-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-moderate

[xiaojiey]

/hold for test

[BhargaviGudi]

Verification passed with 4.16.0-0.nightly-2024-05-23-173505 + https://github.com/ComplianceAsCode/compliance-operator code + PR #12008 code

$ oc get pb
NAME              CONTENTIMAGE                                 CONTENTFILE         STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml     VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml   VALID
upstream-ocp4     ghcr.io/complianceascode/k8scontent:12008    ssg-ocp4-ds.xml     VALID
upstream-rhcos4   ghcr.io/complianceascode/k8scontent:12008    ssg-rhcos4-ds.xml   VALID

$ oc get rule upstream-ocp4-controller-rotate-kubelet-server-certs -ojsonpath={.instructions}
RotateKubeletServerCertificate is no longer a valid check, instead an user should run below commands and confirm the rotation settings are enabled as default.
$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
The output should return true
      Is it the case that <tt>serverTLSBootstrap</tt> argument is set to <tt>false</tt> in the 

$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
true
true
true
true
true
true
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
  "rotateCertificates": true,
  "rotateCertificates": true,
  "rotateCertificates": true,
  "rotateCertificates": true,
  "rotateCertificates": true,
  "rotateCertificates": true,

[BhargaviGudi]

/unhold

[xiaojiey]

/hold for test

[yuumasato]

Let's unselect the rule so that no profile uses this rule anymore.

grep -r controller_rotate_kubelet_server_certs controls/ products/
controls/srg_ctr/SRG-APP-000516-CTR-001325.yml:  - controller_rotate_kubelet_server_certs
controls/nist_ocp4.yml:  - controller_rotate_kubelet_server_certs
controls/nist_ocp4.yml:  - controller_rotate_kubelet_server_certs
controls/nist_ocp4.yml:  - controller_rotate_kubelet_server_certs
controls/nist_ocp4.yml:  - controller_rotate_kubelet_server_certs
products/ocp4/profiles/stig-v1r1.profile:    - controller_rotate_kubelet_server_certs

And let's add a general warning noting that this rule is deprecated.
Example warning in the rule:https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/auditing/auditd_configure_rules/audit_rules_etc_passwd_openat/rule.yml#L37
Inspiration for warning text: https://github.com/ComplianceAsCode/content/blob/master/shared/macros/10-warning.jinja#L30

[BhargaviGudi]

Verification passed with 4.16.0-0.nightly-2024-06-14-130320 + https://github.com/ComplianceAsCode/compliance-operator code + PR #12008 code

1. Install CO

$ oc get pb
NAME              CONTENTIMAGE                                 CONTENTFILE         STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml     VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml   VALID
upstream-ocp4     ghcr.io/complianceascode/k8scontent:12008    ssg-ocp4-ds.xml     VALID
upstream-rhcos4   ghcr.io/complianceascode/k8scontent:12008    ssg-rhcos4-ds.xml   VALID

2. Verify rule controller-rotate-kubelet-server-certs does not exists

$ oc get rule | grep controller-rotate-kubelet-server-certs | grep upstream
$ 
$ oc compliance bind -N test -S default-auto-apply profile/upstream-ocp4-high
Creating ScanSettingBinding test
$ oc get scan
NAME                 PHASE   RESULT
upstream-ocp4-high   DONE    NON-COMPLIANT
$ oc get ccr | grep controller-rotate-kubelet-server-certs
$

[BhargaviGudi]

/unhold

[yuumasato]

From what I understand, what makes this rule fails is that feature-gates doesn't list RotateKubeletServerCertificate=true any more. At some point OCP stopped listing it and this rule became not applicable.

And for the rule to result in NOT APPLICABLE the platform needs to be updated.
For example:
platform: not ocp4-on-hypershift-hosted and (ocp4.10 or ocp4.11)

I tried checking which versions have RotateKubeletServerCertificate listed in feature-gates but my clusters installs are failing... I can try getting the list of versions tomorrow.

[yuumasato]

Hi, @rutvik23 sorry for the back and forth.

The RotateKubeletServerCertificate=true featture gate is available on 4.12, 4.13:

$ oc version
Client Version: 4.14.1
Kustomize Version: v5.0.1
Server Version: 4.12.0-0.nightly-2024-06-20-082732
Kubernetes Version: v1.25.16+306a47e

$ oc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data["config.yaml"]' | jq -r '.extendedArguments["feature-gates"]'                                                                                                                                        
[
  "APIPriorityAndFairness=true",
  "RotateKubeletServerCertificate=true",
  "DownwardAPIHugePages=true",
  "CSIMigrationAzureFile=false",
  "CSIMigrationvSphere=false"
]

So I think the rule should be available and working for these versions.
keep the rule selected in the profiles. The following changes should be undone:

• controls/nist_ocp4.yml
• controls/srg_ctr/SRG-APP-000516-CTR-001325.yml
• products/ocp4/profiles/stig-v1r1.profile

To make the rules not applicable on 4.13 and 4.14:
platform: not ocp4-on-hypershift-hosted and (ocp4.12 or ocp4.13)

Then override the e2e test results for 4.12 and 4.13. Copy the e2e.yml and name it 4.12.yml and 4.13.yml.
For inspiration: https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/worker/file_permissions_proxy_kubeconfig/tests/ocp4/4.12.yml

[xiaojiey]

/hold for test

[yuumasato]

/test 4.12-e2e-aws-ocp4-high
/test 4.13-e2e-aws-ocp4-high
/test 4.14-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high
/test e2e-aws-ocp4-high

[yuumasato]

@rutvik23 Sorry, looks like the e2e assertions need to be changed here too:

https://github.com/ComplianceAsCode/content/blob/master/tests/assertions/ocp4/ocp4-stig-4.16.yml
https://github.com/ComplianceAsCode/content/blob/master/tests/assertions/ocp4/ocp4-stig-4.15.yml
https://github.com/ComplianceAsCode/content/blob/master/tests/assertions/ocp4/ocp4-stig-4.14.yml
https://github.com/ComplianceAsCode/content/blob/master/tests/assertions/ocp4/ocp4-moderate-4.16.yml
https://github.com/ComplianceAsCode/content/blob/master/tests/assertions/ocp4/ocp4-moderate-4.15.yml
https://github.com/ComplianceAsCode/content/blob/master/tests/assertions/ocp4/ocp4-moderate-4.14.yml
https://github.com/ComplianceAsCode/content/blob/master/tests/assertions/ocp4/ocp4-high-4.16.yml
https://github.com/ComplianceAsCode/content/blob/master/tests/assertions/ocp4/ocp4-high-4.15.yml
https://github.com/ComplianceAsCode/content/blob/master/tests/assertions/ocp4/ocp4-high-4.14.yml

default_result: NOT-APPLICABLE

[codeclimate]

Code Climate has analyzed commit 3beb2f6 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

[yuumasato]

/retest

[yuumasato]

/test 4.12-e2e-aws-ocp4-high
/test 4.13-e2e-aws-ocp4-high
/test 4.14-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high
/test e2e-aws-ocp4-high

[yuumasato]

Thank you @rutvik23

[yuumasato]

Skipping the ansible hardening tests.

[yuumasato]

@xiaojiey Apologies. I just noticed the hold for merge label.
Let me know if you run into any issues with this PR..