diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml index a9926333490..e81c48aefcb 100644 --- a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml +++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml @@ -39,7 +39,7 @@ rationale: |- severity: medium -platform: not ocp4-on-hypershift-hosted +platform: not ocp4-on-hypershift-hosted and (ocp4.12 or ocp4.13) ocil_clause: |- RotateKubeletServerCertificate argument is set to false in the @@ -49,7 +49,7 @@ ocil: |- To verify that RotateKubeletServerCertificate is configured correctly, run the following command:
$ oc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data["config.yaml"]' | jq -r '.extendedArguments["feature-gates"]'
- The output should return RotateKubeletServerCertificate=true. + The output should return RotateKubeletServerCertificate=true identifiers: cce@ocp4: CCE-83730-2 @@ -58,11 +58,12 @@ warnings: - general: |- {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}} - functionality: |- - This recommendation only applies if you let kubelets get their - certificates from the API Server. In case your certificates come from an - outside Certificate Authority/tool (e.g. Vault) then you need to take care - of rotation yourself - + In OpenShift 4, the kubelet certification rotation is enabled by default. + Openshift v4 automatically generates a new kube-apiserver-to-kubelet-signer CA certificates at 292 + days, removes old CA certificate after 365 days, and the kubelet-client, kubelet-server + certs are auto-rotated once every month. Hence, this rule is deprecated and not-applicable. + ref: https://docs.redhat.com/en/documentation/openshift_container_platform/4.15/html/security_and_compliance/certificate-types-and-descriptions#purpose-5 + references: nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1 nist: CM-6,CM-6(1),SC-8,SC-8(1) diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/4.12.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/4.12.yml new file mode 100644 index 00000000000..b49fd368b98 --- /dev/null +++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/4.12.yml @@ -0,0 +1,2 @@ +--- +default_result: PASS diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/4.13.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/4.13.yml new file mode 100644 index 00000000000..b49fd368b98 --- /dev/null +++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/4.13.yml 
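Review bot: The new functionality warning in the last hunk says the rule "is deprecated and not-applicable", but the platform line in the first hunk (`platform: not ocp4-on-hypershift-hosted and (ocp4.12 or ocp4.13)`) appears to keep it evaluating on OpenShift 4.12 and 4.13, so on those versions the check runs while its own warning tells the reader it does not apply. Scope the sentence to the versions it describes, e.g. `Hence, on OpenShift 4.14 and later this rule is not applicable.`, and consider retaining the removed caveat about kubelets whose certificates come from an outside Certificate Authority/tool, since that limitation still holds wherever the check remains active. A few wording slips are worth fixing in the same pass: `certification rotation` should be `certificate rotation`, `a new kube-apiserver-to-kubelet-signer CA certificates` mixes singular and plural, and `Openshift v4` should match the `OpenShift 4` spelling used one line above. The `ref:` line is plain text inside the `|-` block, which is fine, but its URL is pinned to the 4.15 documentation while the warning is presented as applying to OpenShift 4 in general.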
@@ -0,0 +1,2 @@
+---
+default_result: PASS
diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/e2e.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/e2e.yml
index b49fd368b98..8878bb5724a 100644
--- a/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/e2e.yml
+++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/e2e.yml
@@ -1,2 +1,2 @@
 ---
-default_result: PASS
+default_result: NOT-APPLICABLE
diff --git a/tests/assertions/ocp4/ocp4-high-4.14.yml b/tests/assertions/ocp4/ocp4-high-4.14.yml
index dc9407ed83d..79f27d693d9 100644
--- a/tests/assertions/ocp4/ocp4-high-4.14.yml
+++ b/tests/assertions/ocp4/ocp4-high-4.14.yml
@@ -181,8 +181,8 @@ rule_results:
 default_result: PASS
 result_after_remediation: PASS
 e2e-high-controller-rotate-kubelet-server-certs:
- default_result: PASS
- result_after_remediation: PASS
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
 e2e-high-controller-secure-port:
 default_result: PASS
 result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-high-4.15.yml b/tests/assertions/ocp4/ocp4-high-4.15.yml
index be7f4b640da..23e7ef5e310 100644
--- a/tests/assertions/ocp4/ocp4-high-4.15.yml
+++ b/tests/assertions/ocp4/ocp4-high-4.15.yml
@@ -185,8 +185,8 @@ rule_results:
 default_result: PASS
 result_after_remediation: PASS
 e2e-high-controller-rotate-kubelet-server-certs:
- default_result: PASS
- result_after_remediation: PASS
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
 e2e-high-controller-secure-port:
 default_result: PASS
 result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-high-4.16.yml b/tests/assertions/ocp4/ocp4-high-4.16.yml
index be7f4b640da..23e7ef5e310 100644
--- a/tests/assertions/ocp4/ocp4-high-4.16.yml
+++ b/tests/assertions/ocp4/ocp4-high-4.16.yml
@@ -185,8 +185,8 @@ rule_results:
 default_result: PASS
 result_after_remediation: PASS
 e2e-high-controller-rotate-kubelet-server-certs:
- default_result: PASS
- result_after_remediation: PASS
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
 e2e-high-controller-secure-port:
 default_result: PASS
 result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-moderate-4.14.yml b/tests/assertions/ocp4/ocp4-moderate-4.14.yml
index c23d2e5e8ba..12bff0d98da 100644
--- a/tests/assertions/ocp4/ocp4-moderate-4.14.yml
+++ b/tests/assertions/ocp4/ocp4-moderate-4.14.yml
@@ -179,8 +179,8 @@ rule_results:
 default_result: PASS
 result_after_remediation: PASS
 e2e-moderate-controller-rotate-kubelet-server-certs:
- default_result: PASS
- result_after_remediation: PASS
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
 e2e-moderate-controller-secure-port:
 default_result: PASS
 result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-moderate-4.15.yml b/tests/assertions/ocp4/ocp4-moderate-4.15.yml
index 098fbffcc6c..aa440cbb0c1 100644
--- a/tests/assertions/ocp4/ocp4-moderate-4.15.yml
+++ b/tests/assertions/ocp4/ocp4-moderate-4.15.yml
@@ -176,8 +176,8 @@ rule_results:
 default_result: PASS
 result_after_remediation: PASS
 e2e-moderate-controller-rotate-kubelet-server-certs:
- default_result: PASS
- result_after_remediation: PASS
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
 e2e-moderate-controller-secure-port:
 default_result: PASS
 result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-moderate-4.16.yml b/tests/assertions/ocp4/ocp4-moderate-4.16.yml
index c23d2e5e8ba..12bff0d98da 100644
--- a/tests/assertions/ocp4/ocp4-moderate-4.16.yml
+++ b/tests/assertions/ocp4/ocp4-moderate-4.16.yml
@@ -179,8 +179,8 @@ rule_results:
 default_result: PASS
 result_after_remediation: PASS
 e2e-moderate-controller-rotate-kubelet-server-certs:
- default_result: PASS
- result_after_remediation: PASS
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
 e2e-moderate-controller-secure-port:
 default_result: PASS
 result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-stig-4.14.yml b/tests/assertions/ocp4/ocp4-stig-4.14.yml
index 5fb0b1d2850..6d2362eaef2 100644
--- a/tests/assertions/ocp4/ocp4-stig-4.14.yml
+++ b/tests/assertions/ocp4/ocp4-stig-4.14.yml
@@ -158,8 +158,8 @@ rule_results:
 default_result: PASS
 result_after_remediation: PASS
 e2e-stig-controller-rotate-kubelet-server-certs:
- default_result: PASS
- result_after_remediation: PASS
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
 e2e-stig-controller-secure-port:
 default_result: PASS
 result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-stig-4.15.yml b/tests/assertions/ocp4/ocp4-stig-4.15.yml
index 5fb0b1d2850..6d2362eaef2 100644
--- a/tests/assertions/ocp4/ocp4-stig-4.15.yml
+++ b/tests/assertions/ocp4/ocp4-stig-4.15.yml
@@ -158,8 +158,8 @@ rule_results:
 default_result: PASS
 result_after_remediation: PASS
 e2e-stig-controller-rotate-kubelet-server-certs:
- default_result: PASS
- result_after_remediation: PASS
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
 e2e-stig-controller-secure-port:
 default_result: PASS
 result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-stig-4.16.yml b/tests/assertions/ocp4/ocp4-stig-4.16.yml
index 5fb0b1d2850..6d2362eaef2 100644
--- a/tests/assertions/ocp4/ocp4-stig-4.16.yml
+++ b/tests/assertions/ocp4/ocp4-stig-4.16.yml
@@ -158,8 +158,8 @@ rule_results:
 default_result: PASS
 result_after_remediation: PASS
 e2e-stig-controller-rotate-kubelet-server-certs:
- default_result: PASS
- result_after_remediation: PASS
+ default_result: NOT-APPLICABLE
+ result_after_remediation: NOT-APPLICABLE
 e2e-stig-controller-secure-port:
 default_result: PASS
 result_after_remediation: PASS