OCPBUGS-1792

The instructions for rule ocp4-machine-volume-encrypted need to be updated


Details

    • Bug
    • Resolution: Done
    • Normal
    • 4.12
    • Compliance Operator
    • Moderate

    Description

      Description of problem:

      The instructions for rule ocp4-machine-volume-encrypted are not correct.
      To retrieve if the FIPS flag is enabled, should use:
      $ oc get machineconfig -o json | jq '[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.fips == true)'
      [ true, true, true, true ]

      To retrieve if LUKS encryption is enabled, should use:
      $ oc get machineconfig -o json | jq '[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.config.storage.luks[0].clevis != null)'
      [ true, true, true, true ]

      Version-Release number of selected component (if applicable):

      4.12.0-0.nightly-2022-09-26-111919 + compliance-operator.v0.1.55

      How reproducible:

      always

      Steps to Reproduce:

      1. Install compliance-operator.v0.1.55.
      2. Check the instructions for rule ocp4-machine-volume-encrypted:
      $ oc get rule ocp4-machine-volume-encrypted -o=jsonpath={.instructions}

      Actual results:

      With the commands in the instructions, a user could not get the FIPS and LUKS encryption status correctly (on a FIPS-enabled and LUKS-encryption-enabled cluster):
      $ oc get machineconfig -o json | jq '. | [select(.items[].metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.fips == true)'
      [
        false,
        false,
        false,
        false
      ]
      $ oc get machineconfig -o json | jq '. | [select(.items[].metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.config.storage.luks[0].clevis != null)'
      [
        false,
        false,
        false,
        false
      ]
      

      Expected results:

      To retrieve if the FIPS flag is enabled, should use:
      $ oc get machineconfig -o json | jq '[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.fips == true)'
      [
        true,
        true,
        true,
        true
      ]
      
      To retrieve if LUKS encryption is enabled, should use:
      $ oc get machineconfig -o json | jq '[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.config.storage.luks[0].clevis != null)'
      [
        true,
        true,
        true,
        true
      ]
      

      Additional info:

      $ oc get rule ocp4-machine-volume-encrypted -o=jsonpath={.instructions}
      Run the following command to see if EBS encryption is enabled:
      $ oc get machineset --all-namespaces -o json | jq '[.items[] | .spec.template.spec.providerSpec.value.blockDevices[0].ebs.encrypted] | map(. == true)'
      Make sure that the result is an array of 'true' values.
      Run the following command to retrieve if the GCP disk encryption is enabled:
      $ oc get machineset --all-namespaces -o json | jq '[.items[] | select(.spec.template.spec.providerSpec.value.disks[0].encryptionKey.kmsKey.name != null) | .metadata.name]'
      Make sure that the result is an array MachineSet names. These MachineSets
      have references to the GCP's KMS key names, which can be inspected by going through them
      with $ oc get machineset --all-namespaces -o yaml
      Run the following command to retrieve if the Azure disk encryption is enabled:
      $ oc get machineset --all-namespaces -o json | jq '[.items[] | select(.spec.template.spec.providerSpec.value.osDisk.managedDisk.diskEncryptionSet.id != null) | .metadata.name]}'
      Make sure that the result is an array of machineset names where
      disk encryption is enabled.
      This can be inspected by going through them
      with $ oc get machineset --all-namespaces -o yaml
      If not, run the following command to retrieve if the FIPS flag is enabled:
      $ oc get machineconfig -o json | jq '. | [select(.items[].metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.fips == true)'
      Make sure that the result is an array of 'true' values.
      Then, run this next command to retrieve if LUKS encryption is enabled:
      $ oc get machineconfig -o json | jq '. | [select(.items[].metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.config.storage.luks[0].clevis != null)'
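The following Python script is added here as an illustration; it is not part of the bug report, the rule, or the Compliance Operator. It re-implements both the jq query as shipped in the instructions and the corrected one over a constructed stand-in for `oc get machineconfig -o json` output (the config names, Tang URL and thumbprint are made up). It shows why the shipped form `. | [select(.items[].metadata.name | test(...))] | map(.spec.fips == true)` returns only `false` values: `select` is evaluated against the root List object once per matching name, so the resulting array holds copies of the root, and `.spec.fips` on the root is null. The corrected form iterates `.items[]` first, so each element is a MachineConfig.

```python
import json
import re

# Constructed stand-in for `oc get machineconfig -o json` output (not captured from a cluster):
# two rendered pool configs with FIPS on and a clevis-bound LUKS root volume, plus one
# non-rendered fragment that the name filter must skip. Names, URL and thumbprint are made up.
SAMPLE_MACHINECONFIG_LIST = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"metadata": {"name": "rendered-master-0123abcd"},
     "spec": {"fips": true,
              "config": {"storage": {"luks": [
                {"name": "root", "device": "/dev/disk/by-partlabel/root",
                 "clevis": {"tpm2": true}}]}}}},
    {"metadata": {"name": "rendered-worker-89efabcd"},
     "spec": {"fips": true,
              "config": {"storage": {"luks": [
                {"name": "root", "device": "/dev/disk/by-partlabel/root",
                 "clevis": {"tang": [{"url": "http://tang.example:7500",
                                      "thumbprint": "CONSTRUCTED"}]}}]}}}},
    {"metadata": {"name": "99-worker-ssh"},
     "spec": {"config": {"ignition": {"version": "3.2.0"}}}}
  ]
}
""")

# Same pattern the rule instructions use to pick the rendered master/worker configs.
RENDERED_NAME = re.compile(r"^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$")


def rendered_items(doc):
    """`.items[] | select(.metadata.name | test(...))` from the corrected query."""
    return [it for it in doc.get("items", [])
            if RENDERED_NAME.search(it.get("metadata", {}).get("name", ""))]


def fips_flags(doc):
    """Corrected query: `map(.spec.fips == true)` over the rendered configs."""
    return [it.get("spec", {}).get("fips") is True for it in rendered_items(doc)]


def luks_clevis_flags(doc):
    """Corrected query: `map(.spec.config.storage.luks[0].clevis != null)`.
    Missing keys are treated like jq's null, so an unencrypted config yields False."""
    flags = []
    for it in rendered_items(doc):
        luks = it.get("spec", {}).get("config", {}).get("storage", {}).get("luks") or []
        flags.append(bool(luks) and luks[0].get("clevis") is not None)
    return flags


def shipped_fips_query(doc):
    """Emulates the jq as shipped in the rule instructions:
    `. | [select(.items[].metadata.name | test(...))] | map(.spec.fips == true)`.
    select() runs against the root object and emits it once per matching name, so the
    array holds copies of the whole List; `.spec.fips` on the List is null, hence false."""
    names = [it.get("metadata", {}).get("name", "") for it in doc.get("items", [])]
    selected_roots = [doc for name in names if RENDERED_NAME.search(name)]
    return [root.get("spec", {}).get("fips") is True for root in selected_roots]


def volumes_encrypted(doc):
    """Pass only if every rendered pool config has FIPS on and a clevis-bound LUKS volume."""
    fips, luks = fips_flags(doc), luks_clevis_flags(doc)
    return bool(fips) and all(fips) and all(luks)


def strip_luks(doc):
    """Deep copy of the sample with the LUKS section removed, to exercise the negative case."""
    copy = json.loads(json.dumps(doc))
    for it in copy["items"]:
        it.get("spec", {}).get("config", {}).get("storage", {}).pop("luks", None)
    return copy


if __name__ == "__main__":
    print("shipped fips query  :", shipped_fips_query(SAMPLE_MACHINECONFIG_LIST))
    print("corrected fips query:", fips_flags(SAMPLE_MACHINECONFIG_LIST))
    print("corrected luks query:", luks_clevis_flags(SAMPLE_MACHINECONFIG_LIST))
    print("volumes encrypted   :", volumes_encrypted(SAMPLE_MACHINECONFIG_LIST))
    print("without luks        :", volumes_encrypted(strip_luks(SAMPLE_MACHINECONFIG_LIST)))
```

Running it against the constructed sample prints two `False` values for the shipped query and two `True` values for the corrected FIPS and LUKS queries, mirroring the "Actual results" and "Expected results" sections above; with the LUKS section stripped, `volumes_encrypted` correctly reports `False`, which is the case a compliance check must not miss.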
      

      People

            jhrozek@redhat.com Jakub Hrozek
            xiyuan@redhat.com Xiaojie Yuan
            Xiaojie Yuan Xiaojie Yuan