Bug
Resolution: Done-Errata
4.14
Low
Description of problem:
accessTokenInactivityTimeoutSeconds used in oauthclient-inactivity-timeout is immutable. The rule depends on all timeouts being set; however, the defaults (console, openshift-browser-client, openshift-challenging-client, openshift-cli-client) rely on OAuth/cluster spec.tokenConfig.accessTokenInactivityTimeout being set instead.
Version-Release number of selected component (if applicable):
4.14, 4.15
How reproducible:
Each time
Steps to Reproduce:
1. Install the Compliance Operator
2. Set up OCP4 DISA STIG
3. Run the scan
4. Check ocp4-disa-stig-oauthclient-inactivity-timeout
It won't pass, and the remediation steps won't fix it, as the oauthclient field it depends on is immutable.
Actual results:
FAIL
Expected results:
PASS with remediation steps in OAuth Cluster
Additional info:
oc explain OAuthClient.accessTokenInactivityTimeoutSeconds
GROUP: oauth.openshift.io
KIND: OAuthClient
VERSION: v1

FIELD: accessTokenInactivityTimeoutSeconds <integer>

DESCRIPTION:
AccessTokenInactivityTimeoutSeconds overrides the default token inactivity ....
WARNING: existing tokens' timeout will not be affected (lowered) by changing this value
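The evaluation the report asks for, sketched as an added example (not the Compliance Operator's rule code and not part of the original ticket): each client's effective timeout is its own accessTokenInactivityTimeoutSeconds if present, otherwise the OAuth/cluster default. The sample objects are constructed, and the 600-second threshold and the reading of 0 as "never time out" are assumptions.

```python
import re

# Constructed sample objects (trimmed `oc get ... -o json` shapes); not from the ticket.
OAUTH_CLUSTER = {"spec": {"tokenConfig": {"accessTokenInactivityTimeout": "10m0s"}}}
OAUTH_CLIENTS = [
    {"metadata": {"name": "console"}},
    {"metadata": {"name": "openshift-browser-client"}},
    {"metadata": {"name": "openshift-challenging-client"}},
    {"metadata": {"name": "openshift-cli-client"}},
    # Hypothetical client with an explicit per-client override.
    {"metadata": {"name": "custom-app"}, "accessTokenInactivityTimeoutSeconds": 0},
]

_UNITS = {"h": 3600, "m": 60, "s": 1}

def duration_seconds(text):
    """Parse a Go-style duration such as "10m0s" or "1.5h"; None if unset."""
    if not text:
        return None
    parts = re.findall(r"(\d+(?:\.\d+)?)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(sum(float(n) * _UNITS[u] for n, u in parts))

def effective_timeout(client, oauth_cluster):
    """Per-client value wins when present; otherwise the cluster default applies."""
    if "accessTokenInactivityTimeoutSeconds" in client:
        return client["accessTokenInactivityTimeoutSeconds"]
    token_cfg = oauth_cluster.get("spec", {}).get("tokenConfig", {})
    return duration_seconds(token_cfg.get("accessTokenInactivityTimeout"))

def evaluate(clients, oauth_cluster, max_seconds):
    """Return {client name: (effective seconds, compliant?)}."""
    results = {}
    for client in clients:
        secs = effective_timeout(client, oauth_cluster)
        # None (nothing set anywhere) and 0 (assumed: never time out) both fail.
        ok = secs is not None and 0 < secs <= max_seconds
        results[client["metadata"]["name"]] = (secs, ok)
    return results

if __name__ == "__main__":
    # 600 is an assumed threshold, passed in as a parameter.
    for name, (secs, ok) in evaluate(OAUTH_CLIENTS, OAUTH_CLUSTER, 600).items():
        print(f"{name}: effective={secs} {'PASS' if ok else 'FAIL'}")
```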
Links to: RHBA-2024:138712 OpenShift Compliance Operator 1.6.0