OpenShift Bugs: OCPBUGS-18573

Compliance rule ocp4-scheduler-port-is-zero does not exist in any profile to perform the scan


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Major
    • Affects Version: 4.12
    • Component: Compliance Operator
    • Quality / Stability / Reliability

      Issue:

      Compliance rule `ocp4-scheduler-port-is-zero` does not exist in any profile to perform the scan

      Description:

      ~~~
      $ oc get rules -n openshift-compliance ocp4-scheduler-port-is-zero -o yaml
      apiVersion: compliance.openshift.io/v1alpha1
      checkType: Platform
      description: The Scheduler API service which runs on port 10251/TCP by default is used
        for health and metrics information and is available without authentication or
        encryption. As such it should only be bound to a localhost interface, to minimize
        the cluster's attack surface.
      id: xccdf_org.ssgproject.content_rule_scheduler_port_is_zero
      instructions: |-
        Run the following command:
        oc get -nopenshift-kube-scheduler cm kube-scheduler-pod -ojson | jq -r '.data["pod.yaml"]' | jq -r '.spec.containers[] | select(.name == "kube-scheduler")' | jq -r '.args' | grep \\--port
        The output should return --port=0.
      kind: Rule
      metadata:
        labels:
          compliance.openshift.io/profile-bundle: ocp4
        name: ocp4-scheduler-port-is-zero
        namespace: openshift-compliance
        ownerReferences:
        - apiVersion: compliance.openshift.io/v1alpha1
          blockOwnerDeletion: true
          controller: true
          kind: ProfileBundle
          name: ocp4
          uid: 42a7a6e3-9aa3-465e-aff9-5fa13bdbd19f
        resourceVersion: "19475822"
        uid: e060a6f2-8d04-4d42-b834-fa517011f5ef
      rationale: In OpenShift 4, The Kubernetes Scheduler operator manages and updates the
        Kubernetes Scheduler deployed on top of OpenShift. By default, the operator exposes
        metrics via metrics service. The metrics are collected from the Kubernetes Scheduler
        operator. Profiling data is sent to healthzPort, the port of the localhost healthz
        endpoint. Changing this value may disrupt components that monitor the kubelet health.
      severity: medium
      title: Ensure that the port parameter is zero
      ~~~

      ~~~
      $ oc describe -n openshift-compliance profiles.compliance | grep -i "ocp4-scheduler-port-is-zero"
      (no output: no profile references the rule)
      ~~~

      Actions Required:

      • Why doesn't the rule exist in any compliance profile?
      • In the customer's environment, this rule is failing. The customer wants to know what the impact of adding this is. "Changing this value may disrupt components that monitor the kubelet health." Can you please specify which components will be affected by changing to --port=0, and what actions restore those monitoring components after changing the port number?
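Added example, not code from this report or from the Compliance Operator: a Python stand-in for the two checks above that runs offline on constructed input. It assumes the JSON shapes of `oc get profiles.compliance -o json` (Profile objects carry a top-level `rules` list of rule names) and of the `kube-scheduler-pod` ConfigMap (the static pod manifest is stored as a JSON string under `data["pod.yaml"]`, which is what the rule's double jq pipeline implies); the profile names, rule lists and scheduler arguments in it are constructed. `profiles_containing` answers the first question (which Profiles would ever run the rule), and `scheduler_port_is_zero` reimplements the rule's manual check, separating a non-zero `--port` from a scheduler whose args carry no `--port` at all, a case the rule text does not address.

```python
import json

# Constructed stand-in for `oc get profiles.compliance -n openshift-compliance -o json`.
# Profile names and rule lists are illustrative only.
PROFILES_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"apiVersion": "compliance.openshift.io/v1alpha1", "kind": "Profile",
         "metadata": {"name": "ocp4-cis", "namespace": "openshift-compliance"},
         "rules": ["ocp4-api-server-anonymous-auth", "ocp4-scheduler-no-bind-address"]},
        {"apiVersion": "compliance.openshift.io/v1alpha1", "kind": "Profile",
         "metadata": {"name": "ocp4-moderate", "namespace": "openshift-compliance"},
         "rules": ["ocp4-api-server-anonymous-auth"]},
    ],
})


def make_configmap(scheduler_args):
    """Build a constructed kube-scheduler-pod ConfigMap (as JSON text) whose
    kube-scheduler container runs with the given args. The static pod manifest
    is kept as a JSON string under data["pod.yaml"], mirroring why the rule's
    instructions pipe the ConfigMap through jq twice."""
    pod = {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "openshift-kube-scheduler", "namespace": "openshift-kube-scheduler"},
        "spec": {"containers": [
            {"name": "kube-scheduler", "args": list(scheduler_args)},
            # A sidecar with its own --port must not influence the verdict.
            {"name": "kube-scheduler-cert-syncer", "args": ["--port=10251"]},
        ]},
    }
    return json.dumps({
        "apiVersion": "v1", "kind": "ConfigMap",
        "metadata": {"name": "kube-scheduler-pod", "namespace": "openshift-kube-scheduler"},
        "data": {"pod.yaml": json.dumps(pod)},
    })


# Constructed manifest in the compliant state the rule expects.
CONFIGMAP_JSON = make_configmap([
    "--config=/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml",
    "--cert-dir=/var/run/kubernetes",
    "--port=0",
])


def profiles_containing(profiles_json, rule_name):
    """Names of the Profiles whose top-level `rules` list includes rule_name.
    Accepts a List (as `oc get ... -o json` returns) or a single Profile."""
    doc = json.loads(profiles_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return sorted(p["metadata"]["name"] for p in items if rule_name in p.get("rules", []))


def scheduler_port_values(configmap_json, container="kube-scheduler"):
    """Every value passed to --port in the named container's args, in order.
    Recognises both --port=0 and the two-token "--port 0" form; the rule's
    own grep only matches the first."""
    cm = json.loads(configmap_json)
    pod = json.loads(cm["data"]["pod.yaml"])
    for c in pod["spec"]["containers"]:
        if c["name"] == container:
            args = c.get("args", [])
            break
    else:
        raise KeyError(f"no container named {container!r} in pod.yaml")
    values, i = [], 0
    while i < len(args):
        if args[i].startswith("--port="):
            values.append(args[i][len("--port="):])
        elif args[i] == "--port" and i + 1 < len(args):
            values.append(args[i + 1])
            i += 1
        i += 1
    return values


def scheduler_port_is_zero(configmap_json):
    """PASS/FAIL by the rule's own criterion ("the output should return --port=0").
    A missing flag is reported as its own FAIL reason, since the rule text only
    defines the --port=0 outcome. If the flag repeats, the last value wins."""
    values = scheduler_port_values(configmap_json)
    if not values:
        return ("FAIL", "no --port flag on kube-scheduler")
    return ("PASS" if values[-1] == "0" else "FAIL", "--port=" + values[-1])


if __name__ == "__main__":
    print("profiles listing the rule:",
          profiles_containing(PROFILES_JSON, "ocp4-scheduler-port-is-zero"))
    print("scheduler check:", scheduler_port_is_zero(CONFIGMAP_JSON))
```

To repeat the check against a live cluster, pass the output of `oc get profiles.compliance -n openshift-compliance -o json` and `oc get cm kube-scheduler-pod -n openshift-kube-scheduler -o json` to the same two functions.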

              People: Lance Bragstad (lbragsta@redhat.com), Sakshi (sasakshi@redhat.com), Xiaojie Yuan