Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Minor
Fix Version/s: None
Affects Version/s: 4.12.0
Component/s: Compliance Operator
Labels:
None

Severity:
Low
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
Cause: The instructions for ocp4-kubelet-configure-tls-cipher-suites provided an query to help audit the rule in question, but the instructions were incomplete.

Consequence: The user would get an incomplete set of information, and needed to refine the query manaully.

Fix: Upgrade the compliance operator, which includes updated content with a correct query.

Results: The query provided in ocp4-kubelet-configure-tls-cipher-suites will return the actual results to perform the audit steps.

Show
Cause: The instructions for ocp4-kubelet-configure-tls-cipher-suites provided an query to help audit the rule in question, but the instructions were incomplete. Consequence: The user would get an incomplete set of information, and needed to refine the query manaully. Fix: Upgrade the compliance operator, which includes updated content with a correct query. Results: The query provided in ocp4-kubelet-configure-tls-cipher-suites will return the actual results to perform the audit steps.
Release Note Type:
Bug Fix
Target Version:

4.13.0

SFDC Cases Counter:
SFDC Cases Links:

Description

Description of problem:

The instructions for rule ocp4-kubelet-configure-tls-cipher-suites needs to be updated.
With the command in the instructions, a user could not get tlsCipherSuites as expected.

$ oc get rule ocp4-kubelet-configure-tls-cipher-suites -o=jsonpath={.instructions}
Run the following command on the kubelet node(s):
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep tlsCipherSuites; done
Verify that the set of ciphers contains only the following:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

$  for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep tlsCipherSuites; done
  "tlsCipherSuites": [
  "tlsCipherSuites": [
  "tlsCipherSuites": [
  "tlsCipherSuites": [
  "tlsCipherSuites": [

Version-Release number of selected component (if applicable):

4.12.0-0.nightly-2022-10-25-210451 + compliance-operator.v0.1.57

How reproducible:

Always

Steps to Reproduce:

Install Compliance Operator
Try to get tlsCipherSuite following the instructions for rule ocp4-kubelet-configure-tls-cipher-suites

Actual results:

With the commands in the instructions, a user could NOT get tlsCipherSuites:

$  for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep tlsCipherSuites; done
  "tlsCipherSuites": [
  "tlsCipherSuites": [
  "tlsCipherSuites": [
  "tlsCipherSuites": [
  "tlsCipherSuites": [

Expected results:

The command to get tlsCipherSuites should be

for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsCipherSuites';done

$  for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsCipherSuites';done
[
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
]
[
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
]
[
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
]
[
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
]
[
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
]

Additional info:

Attachments

Issue Links

links to

pull request

mentioned on

Merge request - Updated 2 upstream sources

Merge request - Updated US source to: 812f14d Add sanity tests for controleval.py

Activity

People

Assignee:: Lance Bragstad

Reporter:: Xiaojie Yuan

QA Contact:: Xiaojie Yuan

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2022/11/01 12:12 PM

Updated:: 2023/03/30 5:05 PM

Resolved:: 2023/02/22 8:42 AM