OpenShift Bugs / OCPBUGS-3017

The instructions for rule ocp4-kubelet-configure-tls-cipher-suites need to be updated


    • Type: Bug
    • Resolution: Done
    • Priority: Minor
    • None
    • 4.12.0
    • Compliance Operator
    • None
    • Low
    • None
    • False
    • Release Note Text:

      Cause: The instructions for ocp4-kubelet-configure-tls-cipher-suites provided a query to help audit the rule in question, but the query was incomplete.

      Consequence: The user would get an incomplete set of information and needed to refine the query manually.

      Fix: Upgrade the Compliance Operator, which includes updated content with a correct query.

      Results: The query provided in ocp4-kubelet-configure-tls-cipher-suites returns the actual cipher suite list needed to perform the audit steps.
    • Release Note Type: Bug Fix

      Description of problem:

      The instructions for rule ocp4-kubelet-configure-tls-cipher-suites need to be updated.
      With the command in the instructions, a user could not get tlsCipherSuites as expected.

      $ oc get rule ocp4-kubelet-configure-tls-cipher-suites -o=jsonpath={.instructions}
      Run the following command on the kubelet node(s):
      $ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep tlsCipherSuites; done
      Verify that the set of ciphers contains only the following:
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      
      for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep tlsCipherSuites; done
        "tlsCipherSuites": [
        "tlsCipherSuites": [
        "tlsCipherSuites": [
        "tlsCipherSuites": [
        "tlsCipherSuites": [
      

      Version-Release number of selected component (if applicable):

      4.12.0-0.nightly-2022-10-25-210451 + compliance-operator.v0.1.57

      How reproducible:

      Always

      Steps to Reproduce:

      1. Install Compliance Operator
      2. Try to get tlsCipherSuite following the instructions for rule ocp4-kubelet-configure-tls-cipher-suites


      Actual results:

      With the commands in the instructions, a user could NOT get tlsCipherSuites:

      for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep tlsCipherSuites; done
        "tlsCipherSuites": [
        "tlsCipherSuites": [
        "tlsCipherSuites": [
        "tlsCipherSuites": [
        "tlsCipherSuites": [
      


      Expected results:

      The command to get tlsCipherSuites should be:

      for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsCipherSuites';done

      for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsCipherSuites';done
      [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
      ]
      (identical output for the remaining four nodes)
      
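      The corrected jq filter prints the array, but still leaves the comparison with the six required suites to the reader. The script below is an added example, not code from this bug report or from the Compliance Operator, that turns the audit into a pass/fail check. It also shows why the original instruction failed: `grep tlsCipherSuites` matches only the line that holds the key, while jq pretty-prints the array elements on the following lines, which is why every node printed just `"tlsCipherSuites": [`. The function names (`audit_configz`, `audit_cluster`) and the `/configz` payloads embedded here are constructed for the demonstration and were not captured from a real cluster; only `audit_cluster` talks to a cluster and it assumes `oc` is logged in with permission to GET `nodes/proxy`, and that `jq` is installed.

```shell
#!/bin/sh
# Added example: audit kubelet tlsCipherSuites from /configz as a pass/fail check.
set -eu

# The six suites the rule instructions require, as a JSON array for jq.
ALLOWED_CIPHERS='[
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
]'

# audit_configz NODE_NAME   (one node's /configz JSON on stdin)
# Extracts .kubeletconfig.tlsCipherSuites with jq instead of grep, so the whole
# array is read rather than only the line holding the key, then compares it as
# a set with ALLOWED_CIPHERS. Prints "NODE: PASS" or "NODE: FAIL: ..." and
# returns 0 on PASS, 1 otherwise.
audit_configz() {
  node="$1"
  verdict="$(jq -r --argjson allowed "$ALLOWED_CIPHERS" '
    (.kubeletconfig.tlsCipherSuites // []) as $got
    | ($got - $allowed) as $extra
    | ($allowed - $got) as $missing
    | if ($got | length) == 0 then
        "FAIL: tlsCipherSuites not set, kubelet will use its built-in default list"
      elif ($extra | length) == 0 and ($missing | length) == 0 then
        "PASS"
      else
        "FAIL: extra=\($extra | join(",")) missing=\($missing | join(","))"
      end')"
  printf '%s: %s\n' "$node" "$verdict"
  [ "$verdict" = "PASS" ]
}

# audit_cluster: run audit_configz for every node through the API server proxy
# (the same endpoint the rule instructions use). Returns 1 if any node fails.
audit_cluster() {
  rc=0
  for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do
    oc get --raw "/api/v1/nodes/${node}/proxy/configz" | audit_configz "$node" || rc=1
  done
  return "$rc"
}

# Constructed /configz payloads for an offline demonstration (not captured
# from a real cluster). Only the fields the check reads are included.
GOOD_CONFIGZ='{"kubeletconfig":{"kind":"KubeletConfiguration","tlsCipherSuites":[
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]}}'
# A CBC suite slipped in and most of the required ECDHE suites are missing.
WEAK_CONFIGZ='{"kubeletconfig":{"tlsCipherSuites":[
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA"]}}'
# tlsCipherSuites absent: grep would print nothing and the audit would look clean.
UNSET_CONFIGZ='{"kubeletconfig":{"kind":"KubeletConfiguration"}}'

printf '%s' "$GOOD_CONFIGZ"  | audit_configz sample-good
printf '%s' "$WEAK_CONFIGZ"  | audit_configz sample-weak  || true
printf '%s' "$UNSET_CONFIGZ" | audit_configz sample-unset || true
```

      Against a live cluster, replace the three demonstration lines with a call to `audit_cluster`; its exit status is non-zero as soon as one node deviates, which is what a scheduled audit job should key on. The comparison is a set comparison on purpose: ordering differences are harmless, but any suite outside the six (for example a CBC suite) or any of the six missing is reported by name.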

      Additional info:

              Lance Bragstad (lbragsta@redhat.com)
              Xiaojie Yuan (xiyuan@redhat.com)