Type: Bug
Resolution: Done-Errata
Priority: Major
4.13.0
Quality / Stability / Reliability
Sprint: CMP Sprint 68, CMP Sprint 69
Description of problem:
The api-server-encryption related rules should not fail when the aesgcm encryption type has been applied.

Version-Release number of selected component (if applicable):
4.13.0-rc.2 + compliance-operator.v1.0.0-10

How reproducible:
Always

Steps to Reproduce:
1. Enable aesgcm encryption for the apiserver:
   $ oc patch apiserver/cluster -p '{"spec":{"encryption": {"type":"aesgcm"}}}' --type merge
   apiserver.config.openshift.io/cluster patched
2. Install the Compliance Operator (CO).
3. Create a ScanSettingBinding (ssb):
   $ oc compliance bind -N test -S default-auto-apply profile/ocp4-cis

Actual results:
The api-server-encryption related rules fail when the aesgcm encryption type has been applied, and the auto remediations are applied, changing the encryption type to aescbc.

Expected results:
The api-server-encryption related rules should not fail when the aesgcm encryption type has been applied, and no auto remediations should be applied.
$ oc get apiserver cluster -o=jsonpath={.spec.encryption}
{"type":"aesgcm"}

$ oc get ccr | grep encryption
ocp4-cis-api-server-encryption-provider-cipher   FAIL   medium
ocp4-cis-api-server-encryption-provider-config   FAIL   medium

$ oc get cr
NAME                                             STATE
ocp4-cis-api-server-encryption-provider-cipher   Applied
ocp4-cis-api-server-encryption-provider-config   Applied

$ oc get cr -o yaml
apiVersion: v1
items:
- apiVersion: compliance.openshift.io/v1alpha1
  kind: ComplianceRemediation
  metadata:
    creationTimestamp: "2023-04-12T09:28:19Z"
    generation: 2
    labels:
      compliance.openshift.io/scan-name: ocp4-cis
      compliance.openshift.io/suite: test
    name: ocp4-cis-api-server-encryption-provider-cipher
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ComplianceCheckResult
      name: ocp4-cis-api-server-encryption-provider-cipher
      uid: d067df4d-1531-4554-9ce3-dddbcd3144b0
    resourceVersion: "339798"
    uid: 3018429b-489b-44fc-8a09-bf8c1650891d
  spec:
    apply: true
    current:
      object:
        apiVersion: config.openshift.io/v1
        kind: APIServer
        metadata:
          name: cluster
        spec:
          encryption:
            type: aescbc
    outdated: {}
    type: Configuration
  status:
    applicationState: Applied
- apiVersion: compliance.openshift.io/v1alpha1
  kind: ComplianceRemediation
  metadata:
    creationTimestamp: "2023-04-12T09:28:28Z"
    generation: 2
    labels:
      compliance.openshift.io/scan-name: ocp4-cis
      compliance.openshift.io/suite: test
    name: ocp4-cis-api-server-encryption-provider-config
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ComplianceCheckResult
      name: ocp4-cis-api-server-encryption-provider-config
      uid: 31efc95a-0a83-4aed-997e-6404ad8a08c4
    resourceVersion: "339805"
    uid: 52d90525-fda4-47a8-bb53-8d1296999301
  spec:
    apply: true
    current:
      object:
        apiVersion: config.openshift.io/v1
        kind: APIServer
        metadata:
          name: cluster
        spec:
          encryption:
            type: aescbc
    outdated: {}
    type: Configuration
  status:
    applicationState: Applied
kind: List
metadata:
  resourceVersion: ""
Additional info:
This only applies to OCP 4.13 and later.
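The evaluation the two rules ought to perform, as an added Python example (not Compliance Operator code): it scores an APIServer object against a cipher allow-list that includes aesgcm on OCP 4.13 and later, reproduces the aescbc-only behaviour reported above, and gates the aescbc remediation so it is never applied over an already-compliant aesgcm setting. The 4.13 threshold, the function names and the sample object are assumptions for illustration.

```python
# Added example (not Compliance Operator code): version-aware evaluation of the
# ocp4-cis api-server-encryption-provider-{config,cipher} checks.
import json

# Assumption for illustration: aesgcm is an accepted etcd encryption type from OCP 4.13 on.
AESGCM_MIN_VERSION = (4, 13)

def parse_version(version: str) -> tuple:
    """'4.13.0-rc.2' -> (4, 13); pre-release suffixes are ignored."""
    major, minor = version.split("-")[0].split(".")[:2]
    return int(major), int(minor)

def allowed_ciphers(version: str) -> frozenset:
    """Cipher types the rule should accept on this cluster version."""
    allowed = {"aescbc"}
    if parse_version(version) >= AESGCM_MIN_VERSION:
        allowed.add("aesgcm")
    return frozenset(allowed)

def evaluate(apiserver: dict, version: str, legacy_rule: bool = False) -> dict:
    """Return PASS/FAIL for the provider-config and provider-cipher checks.

    legacy_rule=True models the behaviour reported in the bug: both checks
    accept aescbc only, so an aesgcm cluster fails and gets 'remediated'.
    """
    enc_type = apiserver.get("spec", {}).get("encryption", {}).get("type")
    if legacy_rule:
        ok = enc_type == "aescbc"
        config_ok, cipher_ok = ok, ok
    else:
        config_ok = enc_type not in (None, "", "identity")  # encryption is configured
        cipher_ok = enc_type in allowed_ciphers(version)     # with an approved cipher
    return {
        "api-server-encryption-provider-config": "PASS" if config_ok else "FAIL",
        "api-server-encryption-provider-cipher": "PASS" if cipher_ok else "FAIL",
    }

def remediation_needed(apiserver: dict, version: str) -> bool:
    """True only when setting type=aescbc would improve compliance; this is the
    guard that prevents rewriting aesgcm to aescbc as seen in the report."""
    return evaluate(apiserver, version)["api-server-encryption-provider-cipher"] == "FAIL"

# Constructed sample mirroring `oc get apiserver cluster -o=jsonpath={.spec.encryption}`.
APISERVER_AESGCM = {"apiVersion": "config.openshift.io/v1", "kind": "APIServer",
                    "metadata": {"name": "cluster"},
                    "spec": {"encryption": json.loads('{"type":"aesgcm"}')}}

if __name__ == "__main__":
    print("legacy:", evaluate(APISERVER_AESGCM, "4.13.0-rc.2", legacy_rule=True))
    print("fixed: ", evaluate(APISERVER_AESGCM, "4.13.0-rc.2"))
    print("apply aescbc remediation?", remediation_needed(APISERVER_AESGCM, "4.13.0-rc.2"))
```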
Links to:
RHBA-2023:4245 (OpenShift Compliance Operator enhancement update)