diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml index 280a90bc835..0a053c21227 100644 --- a/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml +++ b/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml @@ -33,8 +33,7 @@ rationale: |- identifiers: cce@ocp4: CCE-84080-1 -platforms: - - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted +platform: not ocp4-on-hypershift-hosted severity: high diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/rule.yml deleted file mode 100644 index 13ef525a7bd..00000000000 --- a/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/rule.yml +++ /dev/null @@ -1,62 +0,0 @@ -documentation_complete: true - - -title: 'Configure the kubelet Certificate File for the API Server' - -description: |- - To enable certificate based kubelet authentication, - edit the config configmap in the openshift-kube-apiserver - namespace and set the below parameter in the config.yaml key if - it is not already configured: -
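Review bot: The new `platform: not ocp4-on-hypershift-hosted` drops the explicit 4.9–4.17 version list at the same time as the commit deletes the `_pre_4_9` variant that covered 4.6–4.8, so the rule is no longer bounded to the releases its check was written for; on a 4.6–4.8 cluster it would presumably now evaluate where previously only the pre_4_9 rule applied. If those releases are intentionally out of scope, record that next to the new key, e.g. `# 4.6-4.8 are no longer supported; the former _pre_4_9 variant was removed`, so the widening of applicability is deliberate rather than accidental. The same `platforms:` → `platform:` change appears in api_server_kubelet_client_key/rule.yml, kubelet_configure_tls_cert/rule.yml and kubelet_configure_tls_key/rule.yml and the note applies there too. It would also be worth confirming that the singular `platform` form matches what neighbouring rules in these directories use, since the build accepts both spellings and mixing them hurts grep-ability.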
- "apiServerArguments":{ - ... - "kubelet-client-certificate":"/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt", - ... - } --
- Note that this particular rule is only valid for OCP releases up to and - including 4.8 -- -rationale: |- - By default the API Server does not authenticate itself to the kubelet's - HTTPS endpoints. Requests from the API Server are treated anonymously. - Configuring certificate-based kubelet authentication ensures that the - API Server authenticates itself to kubelets when submitting requests. - -identifiers: - cce@ocp4: CCE-85890-2 - -platforms: - - (ocp4.6 or ocp4.7 or ocp4.8) and not ocp4-on-hypershift-hosted - -severity: high - -references: - cis@ocp4: 1.2.5 - nist: CM-6,CM-6(1),SC-8,SC-8(1) - -ocil_clause: 'kubelet-client-certificate is not set as appropriate in apiServerArguments:' - -ocil: |- - Run the following command: -
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'- The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt - -warnings: -- general: |- - {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-kube-apiserver/configmaps/config") | indent(4) }}} - -template: - name: yamlfile_value - vars: - ocp_data: "true" - entity_check: "all" - filepath: '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' - yamlpath: '.data["config.yaml"]' - values: - - value: '"kubelet-client-certificate":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"\]' - type: "string" - operation: "pattern match" diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.10.yml b/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.10.yml deleted file mode 100644 index 26875d6e9f6..00000000000 --- a/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.10.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: NOT-APPLICABLE - diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.6.yml b/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.6.yml deleted file mode 100644 index a700773455b..00000000000 --- a/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.6.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: PASS - diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.7.yml b/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.7.yml deleted file mode 100644 index a700773455b..00000000000 --- a/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.7.yml +++ /dev/null 
@@ -1,3 +0,0 @@ ---- -default_result: PASS - diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.8.yml b/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.8.yml deleted file mode 100644 index a700773455b..00000000000 --- a/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.8.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: PASS - diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.9.yml b/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.9.yml deleted file mode 100644 index 26875d6e9f6..00000000000 --- a/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/4.9.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: NOT-APPLICABLE - diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/e2e.yml b/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/e2e.yml deleted file mode 100644 index 8878bb5724a..00000000000 --- a/applications/openshift/api-server/api_server_kubelet_client_cert_pre_4_9/tests/ocp4/e2e.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -default_result: NOT-APPLICABLE diff --git a/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml index 1368e60be59..54421c207e3 100644 --- a/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml +++ b/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml @@ -33,8 +33,7 @@ rationale: |- identifiers: cce@ocp4: CCE-83591-8 -platforms: - - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted +platform: not ocp4-on-hypershift-hosted severity: high 
diff --git a/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/rule.yml deleted file mode 100644 index 8ebfe087b4a..00000000000 --- a/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/rule.yml +++ /dev/null @@ -1,62 +0,0 @@ -documentation_complete: true - - -title: 'Configure the kubelet Certificate Key for the API Server' - -description: |- - To enable certificate based kubelet authentication, - edit the config configmap in the openshift-kube-apiserver - namespace and set the below parameter in the config.yaml key if - it is not already configured: -
- "apiServerArguments":{ - ... - "kubelet-client-key":"/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key", - ... - } --
- Note that this particular rule is only valid for OCP releases up to and - including 4.8 -- -rationale: |- - By default the API Server does not authenticate itself to the kubelet's - HTTPS endpoints. Requests from the API Server are treated anonymously. - Configuring certificate-based kubelet authentication ensures that the - API Server authenticates itself to kubelets when submitting requests. - -identifiers: - cce@ocp4: CCE-90794-9 - -platforms: - - (ocp4.6 or ocp4.7 or ocp4.8) and not ocp4-on-hypershift-hosted - -severity: high - -references: - cis@ocp4: 1.2.5 - nist: CM-6,CM-6(1),SC-8,SC-8(1) - -ocil_clause: 'kubelet-client-key is not set as appropriate in apiServerArguments:' - -ocil: |- - Run the following command: -
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'- The output should return /etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key - -warnings: -- general: |- - {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-kube-apiserver/configmaps/config") | indent(4) }}} - -template: - name: yamlfile_value - vars: - ocp_data: "true" - entity_check: "all" - filepath: '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' - yamlpath: '.data["config.yaml"]' - values: - - value: '"kubelet-client-key":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"\]' - type: "string" - operation: "pattern match" diff --git a/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.10.yml b/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.10.yml deleted file mode 100644 index 26875d6e9f6..00000000000 --- a/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.10.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: NOT-APPLICABLE - diff --git a/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.6.yml b/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.6.yml deleted file mode 100644 index a700773455b..00000000000 --- a/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.6.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: PASS - diff --git a/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.7.yml b/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.7.yml deleted file mode 100644 index a700773455b..00000000000 --- a/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.7.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: PASS - 
diff --git a/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.8.yml b/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.8.yml deleted file mode 100644 index a700773455b..00000000000 --- a/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.8.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: PASS - diff --git a/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.9.yml b/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.9.yml deleted file mode 100644 index 26875d6e9f6..00000000000 --- a/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/4.9.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: NOT-APPLICABLE - diff --git a/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/e2e.yml b/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/e2e.yml deleted file mode 100644 index 8878bb5724a..00000000000 --- a/applications/openshift/api-server/api_server_kubelet_client_key_pre_4_9/tests/ocp4/e2e.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -default_result: NOT-APPLICABLE diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml index 60d1df2ef0f..98cc7255b14 100644 --- a/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml +++ b/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml @@ -26,8 +26,7 @@ severity: medium identifiers: cce@ocp4: CCE-83396-2 -platforms: - - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted +platform: not ocp4-on-hypershift-hosted references: cis@ocp4: 4.2.9 
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/rule.yml deleted file mode 100644 index 12204d7ab48..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/rule.yml +++ /dev/null @@ -1,51 +0,0 @@ -documentation_complete: true - - -title: 'Ensure That The kubelet Client Certificate Is Correctly Set' - -description: |- - To ensure the kubelet TLS client certificate is configured, edit the - kubelet configuration file /etc/kubernetes/kubelet.conf - and configure the kubelet certificate file. -
tlsCertFile: /path/to/TLS/cert.key-
- Note that this particular rule is only valid for OCP releases up to and - including 4.8 -- -rationale: |- - Without cryptographic integrity protections, information can be - altered by unauthorized users without detection. - -severity: medium - -identifiers: - cce@ocp4: CCE-90615-6 - -platforms: - - ocp4.6 or ocp4.7 or ocp4.8 - -references: - cis@ocp4: 4.2.10 - nist: SC-8,SC-8(1),SC-8(2) - -ocil_clause: 'the kubelet certificate is not configured' - -ocil: |- - Run the following command on the kubelet node(s): -
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'- Verify that a client certificate is configured. - -warnings: - - general: |- - {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-kube-apiserver/configmaps/config") | indent(8) }}} - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' - yamlpath: ".data['config.yaml']" - values: - - value: '"kubelet-client-certificate":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"\]' - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.10.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.10.yml deleted file mode 100644 index 26875d6e9f6..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.10.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: NOT-APPLICABLE - diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.6.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.6.yml deleted file mode 100644 index a700773455b..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.6.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: PASS - diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.7.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.7.yml deleted file mode 100644 index a700773455b..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.7.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: PASS - 
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.8.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.8.yml deleted file mode 100644 index a700773455b..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.8.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: PASS - diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.9.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.9.yml deleted file mode 100644 index 26875d6e9f6..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/4.9.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: NOT-APPLICABLE - diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/e2e.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/e2e.yml deleted file mode 100644 index 8878bb5724a..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_cert_pre_4_9/tests/ocp4/e2e.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -default_result: NOT-APPLICABLE diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml index 863d320117c..550b52d0428 100644 --- a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml +++ b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml @@ -26,8 +26,7 @@ severity: medium identifiers: cce@ocp4: CCE-90614-9 -platforms: - - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16 or ocp4.17) and not ocp4-on-hypershift-hosted +platform: not ocp4-on-hypershift-hosted references: cis@ocp4: 4.2.9 
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/rule.yml deleted file mode 100644 index c5d6ecee312..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/rule.yml +++ /dev/null @@ -1,51 +0,0 @@ -documentation_complete: true - - -title: 'Ensure That The kubelet Server Key Is Correctly Set' - -description: |- - To ensure the kubelet TLS private server key certificate is configured, edit the - kubelet configuration file /etc/kubernetes/kubelet.conf - and configure the kubelet private key file. -
tlsPrivateKeyFile: /path/to/TLS/private.key-
- Note that this particular rule is only valid for OCP releases up to and - including 4.8 -- -rationale: |- - Without cryptographic integrity protections, information can be - altered by unauthorized users without detection. - -severity: medium - -identifiers: - cce@ocp4: CCE-90542-2 - -platforms: - - ocp4.6 or ocp4.7 or ocp4.8 - -references: - cis@ocp4: 4.2.10 - nist: SC-8,SC-8(1),SC-8(2) - -ocil_clause: 'the kubelet server key certificate is not configured' - -ocil: |- - Run the following command on the kubelet node(s): -
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]'- Verify that a client certificate is configured. - -warnings: - - general: |- - {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-kube-apiserver/configmaps/config") | indent(8) }}} - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' - yamlpath: ".data['config.yaml']" - values: - - value: '"kubelet-client-key":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"\]' - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.10.yml b/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.10.yml deleted file mode 100644 index 26875d6e9f6..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.10.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: NOT-APPLICABLE - diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.6.yml b/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.6.yml deleted file mode 100644 index a700773455b..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.6.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: PASS - diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.7.yml b/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.7.yml deleted file mode 100644 index a700773455b..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.7.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: PASS - 
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.8.yml b/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.8.yml deleted file mode 100644 index a700773455b..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.8.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: PASS - diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.9.yml b/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.9.yml deleted file mode 100644 index 26875d6e9f6..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/4.9.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -default_result: NOT-APPLICABLE - diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/e2e.yml b/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/e2e.yml deleted file mode 100644 index 8878bb5724a..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_key_pre_4_9/tests/ocp4/e2e.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -default_result: NOT-APPLICABLE diff --git a/controls/cis_ocp_1_4_0/section-1.yml b/controls/cis_ocp_1_4_0/section-1.yml index fda6632b510..51e157e312b 100644 --- a/controls/cis_ocp_1_4_0/section-1.yml +++ b/controls/cis_ocp_1_4_0/section-1.yml @@ -222,9 +222,7 @@ controls: status: automated rules: - api_server_kubelet_client_cert - - api_server_kubelet_client_cert_pre_4_9 - api_server_kubelet_client_key - - api_server_kubelet_client_key_pre_4_9 levels: [ level_1, ] - id: 1.2.6 title: Verify that the kubelet certificate authority is set as appropriate diff --git a/controls/nist_ocp4.yml b/controls/nist_ocp4.yml index fc591a7867f..eb192889f6d 100644 --- a/controls/nist_ocp4.yml +++ b/controls/nist_ocp4.yml 
@@ -4943,7 +4943,6 @@ controls: - general_configure_imagepolicywebhook - file_permissions_etcd_data_files - api_server_kubelet_client_cert - - api_server_kubelet_client_cert_pre_4_9 - file_owner_etcd_data_files - file_permissions_etcd_member - file_groupowner_scheduler_kubeconfig @@ -4954,7 +4953,6 @@ controls: - scc_limit_container_allowed_capabilities - file_owner_multus_conf - api_server_kubelet_client_key - - api_server_kubelet_client_key_pre_4_9 - api_server_basic_auth - api_server_etcd_cert - file_permissions_scheduler @@ -5160,7 +5158,6 @@ controls: - general_configure_imagepolicywebhook - file_permissions_etcd_data_files - api_server_kubelet_client_cert - - api_server_kubelet_client_cert_pre_4_9 - file_owner_etcd_data_files - file_permissions_etcd_member - file_groupowner_scheduler_kubeconfig @@ -5170,7 +5167,6 @@ controls: - scc_limit_container_allowed_capabilities - file_owner_multus_conf - api_server_kubelet_client_key - - api_server_kubelet_client_key_pre_4_9 - api_server_basic_auth - api_server_etcd_cert - file_permissions_scheduler @@ -13878,7 +13874,6 @@ controls: - api_server_kubelet_certificate_authority - etcd_auto_tls - api_server_kubelet_client_cert - - api_server_kubelet_client_cert_pre_4_9 - kubelet_configure_tls_key - etcd_peer_client_cert_auth - controller_secure_port @@ -13887,9 +13882,7 @@ controls: - api_server_openshift_https_serving_cert - api_server_etcd_key - kubelet_configure_tls_cert - - kubelet_configure_tls_cert_pre_4_9 - api_server_kubelet_client_key - - api_server_kubelet_client_key_pre_4_9 - api_server_tls_security_profile - ingress_controller_tls_security_profile - kubelet_configure_tls_min_version @@ -13934,7 +13927,6 @@ controls: - api_server_kubelet_certificate_authority - etcd_auto_tls - api_server_kubelet_client_cert - - api_server_kubelet_client_cert_pre_4_9 - kubelet_configure_tls_key - etcd_peer_client_cert_auth - controller_secure_port 
@@ -13943,9 +13935,7 @@ controls: - api_server_openshift_https_serving_cert - api_server_etcd_key - kubelet_configure_tls_cert - - kubelet_configure_tls_cert_pre_4_9 - api_server_kubelet_client_key - - api_server_kubelet_client_key_pre_4_9 - api_server_tls_security_profile - ingress_controller_tls_security_profile - kubelet_configure_tls_min_version @@ -13986,7 +13976,6 @@ controls: - api_server_tls_cert - routes_protected_by_tls - kubelet_configure_tls_cert - - kubelet_configure_tls_cert_pre_4_9 - id: SC-8(3) status: pending notes: |- diff --git a/controls/pcidss_ocp4.yml b/controls/pcidss_ocp4.yml index 521ad6196bf..b8b9434bbfe 100644 --- a/controls/pcidss_ocp4.yml +++ b/controls/pcidss_ocp4.yml @@ -463,9 +463,7 @@ controls: - etcd_peer_client_cert_auth - etcd_peer_key_file - kubelet_configure_tls_cert - - kubelet_configure_tls_cert_pre_4_9 - kubelet_configure_tls_key - - kubelet_configure_tls_key_pre_4_9 - id: Req-2.2.4 title: 2.2.4 Configure system security parameters to prevent misuse. levels: @@ -534,9 +532,7 @@ controls: - etcd_peer_client_cert_auth - etcd_peer_key_file - kubelet_configure_tls_cert - - kubelet_configure_tls_cert_pre_4_9 - kubelet_configure_tls_key - - kubelet_configure_tls_key_pre_4_9 - ocp_no_ldap_insecure - id: Req-2.4 diff --git a/controls/srg_ctr/SRG-APP-000441-CTR-001090.yml b/controls/srg_ctr/SRG-APP-000441-CTR-001090.yml index 5447524f00d..e3e54813471 100644 --- a/controls/srg_ctr/SRG-APP-000441-CTR-001090.yml +++ b/controls/srg_ctr/SRG-APP-000441-CTR-001090.yml @@ -12,9 +12,7 @@ controls: - etcd_peer_cert_file - etcd_peer_key_file - kubelet_configure_tls_cert - - kubelet_configure_tls_cert_pre_4_9 - kubelet_configure_tls_key - - kubelet_configure_tls_key_pre_4_9 - routes_protected_by_tls status: inherently met status_justification: |- diff --git a/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml b/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml index 7b5d85ddd8f..11aaf7f602c 100644 --- a/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml 
+++ b/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml @@ -33,9 +33,7 @@ controls: - api_server_insecure_port - api_server_kubelet_certificate_authority - api_server_kubelet_client_cert - - api_server_kubelet_client_cert_pre_4_9 - api_server_kubelet_client_key - - api_server_kubelet_client_key_pre_4_9 - api_server_no_adm_ctrl_plugins_disabled - api_server_oauth_https_serving_cert - api_server_openshift_https_serving_cert diff --git a/products/ocp4/profiles/stig-v1r1.profile b/products/ocp4/profiles/stig-v1r1.profile index 37ef22e8e5c..39175d03be6 100644 --- a/products/ocp4/profiles/stig-v1r1.profile +++ b/products/ocp4/profiles/stig-v1r1.profile @@ -58,9 +58,7 @@ selections: - api_server_insecure_port - api_server_kubelet_certificate_authority - api_server_kubelet_client_cert - - api_server_kubelet_client_cert_pre_4_9 - api_server_kubelet_client_key - - api_server_kubelet_client_key_pre_4_9 - api_server_no_adm_ctrl_plugins_disabled - api_server_oauth_https_serving_cert - api_server_openshift_https_serving_cert diff --git a/tests/assertions/ocp4/ocp4-cis-4.18.yml b/tests/assertions/ocp4/ocp4-cis-4.18.yml index f58d1853a49..a7df9859282 100644 --- a/tests/assertions/ocp4/ocp4-cis-4.18.yml +++ b/tests/assertions/ocp4/ocp4-cis-4.18.yml @@ -111,7 +111,7 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-cis-api-server-tls-cipher-suites: - default_result: PASS + default_result: FAIL result_after_remediation: PASS e2e-cis-api-server-tls-private-key: default_result: PASS diff --git a/tests/assertions/ocp4/ocp4-high-4.18.yml b/tests/assertions/ocp4/ocp4-high-4.18.yml index b29cda0e4d3..15dd71060f3 100644 --- a/tests/assertions/ocp4/ocp4-high-4.18.yml +++ b/tests/assertions/ocp4/ocp4-high-4.18.yml @@ -126,7 +126,7 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-high-api-server-tls-cipher-suites: - default_result: PASS + default_result: FAIL result_after_remediation: PASS e2e-high-api-server-tls-private-key: default_result: PASS 
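Review bot: Flipping `default_result` for `e2e-cis-api-server-tls-cipher-suites` from `PASS` to `FAIL` is unrelated to the `_pre_4_9` rule removal that the rest of the commit performs, and nothing in the diff explains why a freshly installed 4.18 cluster is now expected to fail the API server cipher-suite check. The same flip is made in ocp4-high-4.18.yml, ocp4-moderate-4.18.yml, ocp4-pci-dss-4-0-4.18.yml, ocp4-pci-dss-4.18.yml and ocp4-stig-4.18.yml. Either split this into its own commit with the reason in the message, or annotate the entry, e.g. `# 4.18 default cipher suites do not satisfy the rule until remediation; tracked in <ISSUE-ID placeholder>`, so a later reader does not mistake the expected failure for a regression in the test data.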
diff --git a/tests/assertions/ocp4/ocp4-moderate-4.18.yml b/tests/assertions/ocp4/ocp4-moderate-4.18.yml index 39ee9bf1612..68db51154eb 100644 --- a/tests/assertions/ocp4/ocp4-moderate-4.18.yml +++ b/tests/assertions/ocp4/ocp4-moderate-4.18.yml @@ -123,7 +123,7 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-moderate-api-server-tls-cipher-suites: - default_result: PASS + default_result: FAIL result_after_remediation: PASS e2e-moderate-api-server-tls-private-key: default_result: PASS diff --git a/tests/assertions/ocp4/ocp4-pci-dss-4-0-4.18.yml b/tests/assertions/ocp4/ocp4-pci-dss-4-0-4.18.yml index 72fafc5298d..e1a9e3109e3 100644 --- a/tests/assertions/ocp4/ocp4-pci-dss-4-0-4.18.yml +++ b/tests/assertions/ocp4/ocp4-pci-dss-4-0-4.18.yml @@ -111,7 +111,7 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-pci-dss-4-0-api-server-tls-cipher-suites: - default_result: PASS + default_result: FAIL result_after_remediation: PASS e2e-pci-dss-4-0-api-server-tls-private-key: default_result: PASS diff --git a/tests/assertions/ocp4/ocp4-pci-dss-4.18.yml b/tests/assertions/ocp4/ocp4-pci-dss-4.18.yml index 0c640dc549b..bbe075c1e2e 100644 --- a/tests/assertions/ocp4/ocp4-pci-dss-4.18.yml +++ b/tests/assertions/ocp4/ocp4-pci-dss-4.18.yml @@ -111,7 +111,7 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-pci-dss-api-server-tls-cipher-suites: - default_result: PASS + default_result: FAIL result_after_remediation: PASS e2e-pci-dss-api-server-tls-private-key: default_result: PASS diff --git a/tests/assertions/ocp4/ocp4-stig-4.18.yml b/tests/assertions/ocp4/ocp4-stig-4.18.yml index 99b66a28e27..ffd4faa34d6 100644 --- a/tests/assertions/ocp4/ocp4-stig-4.18.yml +++ b/tests/assertions/ocp4/ocp4-stig-4.18.yml 
@@ -114,7 +114,7 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-stig-api-server-tls-cipher-suites: - default_result: PASS + default_result: FAIL result_after_remediation: PASS e2e-stig-api-server-tls-security-profile: default_result: PASS