- Bug
- Resolution: Unresolved
- 4.17.0
- Low
Description of problem:
The instructions for rule ocp4-etcd-unique-ca are not accurate: on 4.17 and later versions the command they give does not work.

Instructions as reported by the rule object:

```
% oc get rule ocp4-etcd-unique-ca -o=jsonpath={.instructions}
Run the following command: oc debug node/$NODE -- diff /host/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-serving-ca/ca-bundle.crt /host/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/client-ca/ca-bundle.crt where $NODE is a master node. If you don't see diff output the differences, you might have a compromise and should isolate the cluster. OpenShift will use separate PKIs by default. Is it the case that The etcd CA certificate is not unique?%
```

Running that command against a 4.17 master node fails because the etcd-serving-ca bundle path does not exist:

```
% oc debug node/xiyuan-417-23a-ljr2n-master-0 -- diff /host/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-serving-ca/ca-bundle.crt /host/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/client-ca/ca-bundle.crt
Temporary namespace openshift-debug-4kr8v is created for debugging node...
Starting pod/xiyuan-417-23a-ljr2n-master-0-debug-jprt4 ...
To use host binaries, run `chroot /host`
diff: /host/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-serving-ca/ca-bundle.crt: No such file or directory
Removing debug pod ...
Temporary namespace openshift-debug-4kr8v was removed.
error: non-zero exit code from debug container
```
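The rule's intent is that the etcd serving CA and the kube-apiserver client CA are distinct signers. As an added illustration (not part of this bug report and not the compliance operator's own check), the script below compares two CA bundles by certificate fingerprint instead of a byte-for-byte diff, so a reordered or re-wrapped bundle is not reported as a difference, and it reports a missing or empty bundle as INCONCLUSIVE rather than letting a tooling error be read as either "no differences" or "differences found", which is exactly the ambiguity the failing command above produces. The PEM blocks and any file paths passed on the command line are constructed placeholders, not real OpenShift certificates or the 4.17 on-disk layout.

```python
"""Compare two CA bundles by certificate fingerprint (added example, not operator code)."""
import base64
import hashlib
import re
import sys
from pathlib import Path
from typing import Dict, Optional, Set

# Matches each PEM certificate block; the captured body is base64-encoded DER.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def bundle_fingerprints(pem_text: str) -> Set[str]:
    """SHA-256 fingerprints of every certificate in a PEM bundle.

    The hash is taken over the DER bytes, so whitespace, line wrapping and the
    order of certificates in the bundle do not change the result.
    """
    fingerprints = set()
    for body in PEM_CERT_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fingerprints.add(hashlib.sha256(der).hexdigest())
    return fingerprints


def compare_ca_bundles(etcd_ca: Optional[str], client_ca: Optional[str]) -> Dict[str, object]:
    """Decide whether the etcd CA bundle and the kube-apiserver client CA bundle are distinct.

    Verdicts: PASS (no certificate appears in both bundles), FAIL (at least one
    CA is shared) or INCONCLUSIVE (a bundle was missing or held no parseable
    certificate). INCONCLUSIVE is kept separate from PASS on purpose: a missing
    file must never be read as "no differences found".
    """
    if etcd_ca is None or client_ca is None:
        return {"verdict": "INCONCLUSIVE", "reason": "a CA bundle file was not found", "shared": set()}
    etcd_fps = bundle_fingerprints(etcd_ca)
    client_fps = bundle_fingerprints(client_ca)
    if not etcd_fps or not client_fps:
        return {"verdict": "INCONCLUSIVE", "reason": "a CA bundle contained no certificates", "shared": set()}
    shared = etcd_fps & client_fps
    if shared:
        return {"verdict": "FAIL", "reason": f"{len(shared)} CA certificate(s) shared between bundles", "shared": shared}
    return {"verdict": "PASS", "reason": "no CA certificate is shared between the bundles", "shared": set()}


def read_bundle(path: str) -> Optional[str]:
    """Return the bundle text, or None when the file is absent (the 4.17 situation above)."""
    p = Path(path)
    return p.read_text() if p.is_file() else None


def constructed_pem(label: bytes) -> str:
    """Build a placeholder PEM block whose 'DER' is just the label bytes.

    Constructed test data only; these are not real X.509 certificates.
    """
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundles standing in for the two files the rule compares.
SAMPLE_ETCD_CA = constructed_pem(b"constructed placeholder: etcd signer")
SAMPLE_CLIENT_CA = constructed_pem(b"constructed placeholder: kube-apiserver client signer")
# A client CA bundle that wrongly also carries the etcd signer (the condition the rule is meant to catch).
SAMPLE_CLIENT_CA_WITH_ETCD = SAMPLE_CLIENT_CA + SAMPLE_ETCD_CA


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python compare_ca_bundles.py <etcd-ca-bundle> <apiserver-client-ca-bundle>
        result = compare_ca_bundles(read_bundle(sys.argv[1]), read_bundle(sys.argv[2]))
    else:
        result = compare_ca_bundles(SAMPLE_ETCD_CA, SAMPLE_CLIENT_CA_WITH_ETCD)
    print(result["verdict"], "-", result["reason"])
    sys.exit(0 if result["verdict"] == "PASS" else 1)
```

Run with two file paths to compare real bundles copied off a node, or with no arguments to see the FAIL case on the constructed samples. The three-way verdict is the point: the rule text as shipped only distinguishes "diff output" from "no diff output", and the 4.17 error falls into neither bucket.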
Version-Release number of selected component (if applicable):
4.17.0-0.nightly-2024-09-22-162519 + compliance-operator.v1.6.0
How reproducible:
Always
Steps to Reproduce:
1. Install compliance-operator.v1.6.0.
2. Get the instructions for rule ocp4-etcd-unique-ca and check whether the command in the instructions works:

```
% oc get rule ocp4-etcd-unique-ca -o=jsonpath={.instructions}
```
Actual results:
The command in the instructions returns an error.
Expected results:
The command in the instructions should not return an error.
Additional info: