Bug
Resolution: Done-Errata
Normal
None
4.15.z, 4.17.0, 4.16.z
Low
No
False
Description of problem:
The PR https://github.com/ComplianceAsCode/content/pull/11758 removes some rules from the cis-1-4, nist and pci-dss profiles, which works as expected. However, the annotations of those rules are not updated: they still show the old control standards. Details below.

1. rule upstream-ocp4-api-server-api-priority-gate-enabled

% oc get rule upstream-ocp4-api-server-api-priority-gate-enabled -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4582qs",
  "compliance.openshift.io/profiles": "upstream-ocp4-stig,upstream-ocp4-stig-v1r1",
  "compliance.openshift.io/rule": "api-server-api-priority-gate-enabled",
  "control.compliance.openshift.io/CIS-OCP": "1.2.9",
  "control.compliance.openshift.io/NERC-CIP": "CIP-003-8 R6;CIP-004-6 R3;CIP-007-3 R6.1",
  "control.compliance.openshift.io/NIST-800-53": "CM-6;CM-6(1)",
  "control.compliance.openshift.io/PCI-DSS": "Req-2.2",
  "policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,1.2.9",
  "policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,CIS-OCP"
}
% oc get profile ocp4-cis -o yaml | grep api-server-api-priority-gate-enabled
  - ocp4-api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-cis -o yaml | grep api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-stig -o yaml | grep api-server-api-priority-gate-enabled
  - upstream-ocp4-api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-pci-dss -o yaml | grep api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-nerc-cip -o yaml | grep api-server-api-priority-gate-enabled

2. rule upstream-ocp4-api-server-insecure-port

% oc get rule upstream-ocp4-api-server-insecure-port -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4582qs",
  "compliance.openshift.io/profiles": "upstream-ocp4-stig,upstream-ocp4-stig-v1r1",
  "compliance.openshift.io/rule": "api-server-insecure-port",
  "control.compliance.openshift.io/CIS-OCP": "1.2.17",
  "control.compliance.openshift.io/NERC-CIP": "CIP-003-8 R6;CIP-004-6 R3;CIP-007-3 R6.1",
  "control.compliance.openshift.io/NIST-800-53": "CM-6;CM-6(1)",
  "control.compliance.openshift.io/PCI-DSS": "Req-2.2;Req-2.3",
  "policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,Req-2.3,1.2.17",
  "policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,CIS-OCP"
}
% oc get profile ocp4-cis -o yaml | grep api-server-insecure-port
  - ocp4-api-server-insecure-port
% oc get profile upstream-ocp4-cis -o yaml | grep api-server-insecure-port
% oc get profile upstream-ocp4-stig -o yaml | grep api-server-insecure-port
  - upstream-ocp4-api-server-insecure-port
% oc get profile upstream-ocp4-nerc-cip -o yaml | grep pi-server-insecure-port
% oc get profile upstream-ocp4-pci-dss -o yaml | grep api-server-insecure-port
Version-Release number of selected component (if applicable):
https://github.com/ComplianceAsCode/content/pull/11758
How reproducible:
Always
Steps to Reproduce:
1. Install CO (Compliance Operator)
2. Deploy ghcr.io/complianceascode/k8scontent:11758
Actual results:
The annotations of the removed rules are not updated: they still show the old control standards.
Expected results:
The rules' annotations should no longer carry the control info for PCI DSS and NIST.
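The mismatch above can be checked mechanically. The following is an added example, not code from the bug report or from the Compliance Operator; it flags every control.compliance.openshift.io/<STANDARD> annotation on a Rule whose profiles no longer list that rule, and cross-checks the OCM "standards" summary annotation. The STANDARD_PROFILES mapping (which upstream profiles implement which standard, including the assumed NIST profile names) and the embedded profile contents are assumptions constructed from the `oc` output in the description.

```python
# Added example, not code from the bug report or the Compliance Operator:
# flag control.compliance.openshift.io/<STANDARD> annotations on a Rule when
# none of the profiles implementing that standard still list the rule.
# STANDARD_PROFILES is an assumption about which upstream profiles map to
# which standard; profiles not queried count as not containing the rule.
CONTROL_PREFIX = "control.compliance.openshift.io/"
STANDARDS_KEY = "policies.open-cluster-management.io/standards"
STANDARD_PROFILES = {
    "CIS-OCP": {"upstream-ocp4-cis"},
    "NIST-800-53": {"upstream-ocp4-moderate", "upstream-ocp4-high"},  # assumed names
    "PCI-DSS": {"upstream-ocp4-pci-dss"},
    "NERC-CIP": {"upstream-ocp4-nerc-cip"},
}

def stale_standards(rule_name, annotations, profile_rules):
    """Standards annotated on the rule although no profile for that standard
    lists it. profile_rules maps profile name -> set of rule names."""
    stale = []
    for key in annotations:
        if not key.startswith(CONTROL_PREFIX):
            continue
        standard = key[len(CONTROL_PREFIX):]
        members = STANDARD_PROFILES.get(standard, set())
        if not any(rule_name in profile_rules.get(p, set()) for p in members):
            stale.append(standard)
    return sorted(stale)

def summary_mismatch(annotations):
    """Standards named in the OCM 'standards' summary that lack a matching
    control.compliance.openshift.io/<STANDARD> annotation, or vice versa."""
    listed = {s for s in annotations.get(STANDARDS_KEY, "").split(",") if s}
    present = {k[len(CONTROL_PREFIX):] for k in annotations if k.startswith(CONTROL_PREFIX)}
    return sorted(listed ^ present)

# Constructed from the report: annotations of the first rule, and which of the
# queried profiles listed it (only upstream-ocp4-stig did).
RULE = "upstream-ocp4-api-server-api-priority-gate-enabled"
ANNOTATIONS = {
    "compliance.openshift.io/profiles": "upstream-ocp4-stig,upstream-ocp4-stig-v1r1",
    "control.compliance.openshift.io/CIS-OCP": "1.2.9",
    "control.compliance.openshift.io/NERC-CIP": "CIP-003-8 R6;CIP-004-6 R3;CIP-007-3 R6.1",
    "control.compliance.openshift.io/NIST-800-53": "CM-6;CM-6(1)",
    "control.compliance.openshift.io/PCI-DSS": "Req-2.2",
    STANDARDS_KEY: "NERC-CIP,NIST-800-53,PCI-DSS,CIS-OCP",
}
PROFILE_RULES = {"upstream-ocp4-cis": set(), "upstream-ocp4-stig": {RULE},
                 "upstream-ocp4-pci-dss": set(), "upstream-ocp4-nerc-cip": set()}
```

Feeding live data is a matter of replacing the constructed dicts with the parsed output of `oc get rule ... -o=jsonpath={.metadata.annotations}` and the rule lists of each profile.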
Additional info:
links to: RHBA-2024:138712 OpenShift Compliance Operator 1.6.0