- Bug
- Resolution: Done-Errata
- Normal
- None
- 4.17.0
- None
- Moderate
- No
- 1
- CMP Sprint 86, CMP Sprint 87, CMP Sprint 88
- 3
- False
Description of problem:
Per https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/etcd/etcd_unique_ca/rule.yml#L40C36-L40C115, the rule checks the path /host/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-serving-ca/ca-bundle.crt on the node. However, that path doesn't exist on the node:

% oc debug node/ip-10-0-28-255.us-east-2.compute.internal
Starting pod/ip-10-0-28-255us-east-2computeinternal-debug-mkvp8 ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.28.255
If you don't see a command prompt, try pressing enter.
sh-5.1# ls /host/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-serving-ca/ca-bundle.crt
ls: cannot access '/host/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-serving-ca/ca-bundle.crt': No such file or directory
sh-5.1# ls /host/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/
etcd-all-bundles  etcd-scripts  restore-etcd-pod
sh-5.1# exit
exit
Removing debug pod ...
Version-Release number of selected component (if applicable):
4.17.0-0.nightly-2024-06-13-010514 + cov1.5.0
How reproducible:
Always
Steps to Reproduce:
1. Install CO
2. Create a ScanSettingBinding (ssb):
$ oc compliance bind -N test profile/ocp4-cis-node
Actual results:
The rule ocp4-etcd-unique-ca gets FAIL by default for the 4.17 payload. Details are in the description above.

% oc get ccr | grep etcd-unique-ca
ocp4-cis-node-master-etcd-unique-ca FAIL medium
Expected results:
The rule ocp4-etcd-unique-ca gets PASS by default
Additional info:
The issue is for 4.17 only. It doesn't exist for other releases.
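As an added example (not code from the rule, the ComplianceAsCode content, or the Compliance Operator), the following Python check expresses what the rule is meant to establish, that etcd's serving CA is distinct from the Kubernetes CA, and reports a missing bundle file (the 4.17 situation above) as ERROR rather than FAIL, so the two causes can be told apart in results. The etcd path is the one from the report; the kube CA path and the PEM bodies are assumptions constructed for illustration.

```python
import base64
import hashlib
import re
from pathlib import Path

# Path the rule probes on the node (from the bug report); the kube CA path is an assumption.
ETCD_CA_PATH = "/host/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-serving-ca/ca-bundle.crt"
KUBE_CA_PATH = "/host/etc/kubernetes/kubelet-ca.crt"  # assumed, for illustration only

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text: str) -> set:
    """SHA-256 fingerprint of every certificate body in a PEM bundle."""
    fps = set()
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def read_bundle(path: str):
    """Return the bundle text, or None when the file is absent (the 4.17 case)."""
    p = Path(path)
    return p.read_text() if p.is_file() else None


def check_unique_ca(etcd_bundle, kube_bundle):
    """Return (status, reason). A missing or empty bundle is ERROR, not FAIL."""
    if etcd_bundle is None:
        return "ERROR", f"etcd CA bundle not found at {ETCD_CA_PATH}"
    if kube_bundle is None:
        return "ERROR", f"kube CA bundle not found at {KUBE_CA_PATH}"
    etcd_fps = cert_fingerprints(etcd_bundle)
    if not etcd_fps:
        return "ERROR", "etcd CA bundle contains no certificates"
    shared = etcd_fps & cert_fingerprints(kube_bundle)
    if shared:
        return "FAIL", f"{len(shared)} CA certificate(s) shared between etcd and kube bundles"
    return "PASS", "etcd uses a CA distinct from the Kubernetes CA"


# Constructed sample bundles: the bodies are placeholder bytes, not real X.509 certs.
def _pem(body: bytes) -> str:
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

ETCD_SAMPLE = _pem(b"constructed-etcd-ca-0001")
KUBE_SAMPLE = _pem(b"constructed-kube-ca-0001")
```

On a node, `check_unique_ca(read_bundle(ETCD_CA_PATH), read_bundle(KUBE_CA_PATH))` yields ERROR with the missing path in the reason when the file is absent, which is the condition this report describes.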
Links to: RHBA-2024:138712 OpenShift Compliance Operator 1.6.0