xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis

Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

with profile CIS Red Hat OpenShift Container Platform 4 Benchmark
This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, V0.3, currently unreleased. This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content. Note that this part of the profile is meant to run on the Platform that Red Hat OpenShift Container Platform 4 runs on top of. This profile is applicable to OpenShift versions 4.6 and greater.

The ComplianceAsCode Project
https://www.open-scap.org/security-policies/scap-security-guide

This guide presents a catalog of security-relevant configuration settings for Red Hat OpenShift Container Platform 4. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The NIST National Checklist Program (NCP), which provides required settings for the United States Government, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation target	ocp4-cis-api-checks-pod
Benchmark URL	/content/ssg-ocp4-ds.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_OCP-4
Benchmark version	0.1.57
Profile ID	xccdf_org.ssgproject.content_profile_cis
Started at	2021-07-20T05:20:59+00:00
Finished at	2021-07-20T05:21:00+00:00
Performed by
Test system	cpe:/a:redhat:openscap:1.3.4

CPE Platforms

cpe:/a:redhat:openshift_container_platform:4.1
cpe:/a:redhat:openshift_container_platform:4.7
cpe:/o:redhat:openshift_container_platform_node:4
cpe:/a:redhat:openshift_container_platform:4.6
cpe:/a:redhat:openshift_container_platform:4.8
cpe:/a:redhat:openshift_container_platform:4.9
cpe:/a:redhat:openshift_container_platform:4.10

Addresses

IPv4 127.0.0.1
IPv4 10.130.0.19
IPv6 0:0:0:0:0:0:0:1
IPv6 fe80:0:0:0:858:aff:fe82:13
MAC 00:00:00:00:00:00
MAC 0A:58:0A:82:00:13

Compliance and Scoring

The target system did not satisfy the conditions of 4 rules! Please review rule results and consider applying remediation.

Rule results

61 passed

4 failed

28 other

Severity of failed rules

0 other

0 low

4 medium

0 high

Score

Scoring system	Score	Maximum	Percent
urn:xccdf:scoring:default	89.285721	100.000000	89.29%

Rule Overview

Title	Severity	Result
Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4 4x fail 28x notchecked
OpenShift Settings 4x fail 28x notchecked
OpenShift - Account and Access Control 2x notchecked
Restrict Automounting of Service Account Tokens	medium	notchecked
Ensure Usage of Unique Service Accounts	medium	notchecked
OpenShift - Kubernetes - Scheduler Settings
Ensure that the bind-address parameter is not used	medium	pass
OpenShift Secrets Management 2x notchecked
Consider external secret storage	medium	notchecked
Do Not Use Environment Variables with Secrets	medium	notchecked
OpenShift Kube API Server 3x fail 2x notchecked
Configure the Client Certificate Authority for the API Server	medium	pass
Configure the API Server Minimum Request Timeout	medium	pass
Ensure that the Admission Control Plugin AlwaysPullImages is not set	high	pass
Ensure that the bindAddress is set to a relevant secure port	low	pass
Configure the Service Account Public Key for the API Server	medium	pass
Ensure all admission control plugins are enabled	medium	pass
Ensure that Audit Log Forwarding Is Enabled	medium	fail
Use Strong Cryptographic Ciphers on the API Server	medium	pass
Ensure authorization-mode RBAC is configured	medium	pass
Configure the Certificate for the API Server	medium	pass
Ensure that the --kubelet-https argument is set to true	medium	pass
Configure Kubernetes API Server Maximum Audit Log Size	medium	pass
Configure the kubelet Certificate File for the API Server	high	pass
Disable basic-auth-file for the API Server	medium	pass
Enable the NodeRestriction Admission Control Plugin	medium	pass
The authorization-mode cannot be AlwaysAllow	medium	pass
Ensure that the service-account-lookup argument is set to true	medium	pass
Ensure authorization-mode Node is configured	medium	pass
Disable Use of the Insecure Bind Address	medium	pass
Enable the APIPriorityAndFairness feature gate	medium	pass
Configure the kubelet Certificate Authority for the API Server	high	pass
Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used	medium	pass
Configure the Encryption Provider Cipher	medium	fail
Profiling is protected by RBAC	medium	pass
Ensure that anonymous requests to the API Server are authorized	medium	pass
Ensure the openshift-oauth-apiserver service uses TLS	medium	notchecked
Configure the Certificate Key for the API Server	medium	pass
Configure the Audit Log Path	high	pass
Ensure catch-all FlowSchema object for API Priority and Fairness Exists (v1alpha1)	medium	pass
Configure the Encryption Provider	medium	fail
Configure the Kubernetes API Server Maximum Retained Audit Logs	low	pass
Prevent Insecure Port Access	medium	pass
Configure the etcd Certificate for the API Server	medium	pass
Configure the kubelet Certificate Key for the API Server	high	pass
Disable Token-based Authentication	high	pass
Enable the ServiceAccount Admission Control Plugin	medium	pass
Configure OpenShift API Server Maximum Audit Log Size	medium	pass
Disable the AlwaysAdmit Admission Control Plugin	medium	pass
Enable the NamespaceLifecycle Admission Control Plugin	medium	pass
Configure the etcd Certificate Key for the API Server	medium	pass
Ensure the openshift-oauth-apiserver service uses TLS	medium	notchecked
Configure the OpenShift API Server Maximum Retained Audit Logs	low	pass
Configure the etcd Certificate Authority for the API Server	medium	pass
Enable the SecurityContextConstraint Admission Control Plugin	medium	pass
Ensure catch-all FlowSchema object for API Priority and Fairness Exists	medium	notapplicable
Security Context Constraints (SCC) 9x notchecked
Limit Access to the Host IPC Namespace	medium	notchecked
Limit Container Running As Root User	medium	notchecked
Drop Container Capabilities	medium	notchecked
Limit Access to the Host Process ID Namespace	medium	notchecked
Limit Access to the Host Network Namespace	medium	notchecked
Limit Containers Ability to Escalate Privileges	medium	notchecked
Limit Container Capabilities	medium	notchecked
Limit Privileged Container Use	medium	notchecked
Limit Use of the CAP_NET_RAW	medium	notchecked
Authentication
Configure An Identity Provider	medium	pass
OpenShift - Master Node Settings 1x fail 2x notchecked
Verify Group Who Owns The Worker Proxy Kubeconfig File	medium	notchecked
Verify Permissions on the Worker Proxy Kubeconfig File	medium	fail
Verify User Who Owns The Worker Proxy Kubeconfig File	medium	notchecked
OpenShift etcd Settings
Ensure That The etcd Key File Is Correctly Set	medium	pass
Ensure That The etcd Peer Client Certificate Is Correctly Set	medium	pass
Enable The Peer Client Certificate Authentication	medium	pass
Ensure That The etcd Peer Key File Is Correctly Set	medium	pass
Ensure That The etcd Client Certificate Is Correctly Set	medium	pass
Enable The Client Certificate Authentication	medium	pass
Disable etcd Peer Self-Signed Certificates	medium	pass
Disable etcd Self-Signed Certificates	medium	pass
OpenShift - General Security Practices 5x notchecked
Create administrative boundaries between resources using namespaces	medium	notchecked
Manage Image Provenance Using ImagePolicyWebhook	medium	notchecked
The default namespace should not be used	medium	notchecked
Apply Security Context to Your Pods and Containers	medium	notchecked
Ensure Seccomp Profile Pod Definitions	medium	notchecked
OpenShift API Server
Configure the Audit Log Path	high	pass
OpenShift Controller Settings
Ensure Controller secure-port argument is set	low	pass
Ensure that use-service-account-credentials is enabled	medium	pass
Ensure Controller insecure port argument is unset	low	pass
Configure the Service Account Certificate Authority Key for the Controller Manager	medium	pass
Configure the Service Account Private Key for the Controller Manager	medium	pass
Ensure that the RotateKubeletServerCertificate argument is set	medium	pass
Kubernetes Kubelet Settings
Ensure That The kubelet Client Certificate Is Correctly Set	medium	pass
kubelet - Disable the Read-Only Port	medium	pass
Ensure That The kubelet Server Key Is Correctly Set	medium	pass
OpenShift - Logging Settings
Ensure that the cluster's audit profile is properly set	medium	pass
Role-based Acess Control 4x notchecked
Minimize Wildcard Usage in Cluster and Local Roles	medium	notchecked
Limit Access to Kubernetes Secrets	medium	notchecked
Minimize Access to Pod Creation	medium	notchecked
Profiling is protected by RBAC	medium	pass
Ensure that the cluster-admin role is only used where required	medium	notchecked
Network Configuration and Firewalls 2x notchecked
Ensure that application Namespaces have Network Policies defined.	high	notchecked
Ensure that the CNI in use supports Network Policies	high	notchecked

Result Details

Restrict Automounting of Service Account Tokens

Rule ID	xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:20:59+00:00
Severity	medium
Identifiers and References	References: 5.1.6, CM-6, CM-6(1)
Description	Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server. To ensure pods do not automatically mount tokens, set `automountServiceAccountToken` to `false`.
Rationale	Mounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster.
Evaluation messages info No candidate or applicable check found.

Ensure Usage of Unique Service Accounts

Rule ID	xccdf_org.ssgproject.content_rule_accounts_unique_service_account
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:20:59+00:00
Severity	medium
Identifiers and References	References: 5.1.5, CM-6, CM-6(1)
Description	Using the `default` service account prevents accurate application rights review and audit tracing. Instead of `default`, create a new and unique service account with the following command: $ oc create sa service_account_name where service_account_name is the name of a service account that is needed in the project namespace.
Rationale	Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. This increases auditability of service account rights and access making it easier and more accurate to trace potential malicious behaviors to a specific service account and project.
Evaluation messages info No candidate or applicable check found.

Ensure that the bind-address parameter is not used

Rule ID	xccdf_org.ssgproject.content_rule_scheduler_no_bind_address
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-scheduler_no_bind_address:def:1
Time	2021-07-20T05:20:59+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83674-2 References: 1.4.2, CM-6, CM-6(1), SC-8, SC-8(1)
Description	The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface.
Rationale	In OpenShift 4, The Kubernetes Scheduler operator manages and updates the Kubernetes Scheduler deployed on top of OpenShift. By default, the operator exposes metrics via metrics service. The metrics are collected from the Kubernetes Scheduler operator. Profiling data is sent to healthzPort, the port of the localhost healthz endpoint. Changing this value may disrupt components that monitor the kubelet health.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod' find only one object at path '.data["pod.yaml"]'. oval:ssg-test_scheduler_no_bind_address:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-scheduler/configmaps	kube-scheduler-pod	.data["pod.yaml"]	{"kind":"Pod","apiVersion":"v1","metadata":{"name":"openshift-kube-scheduler","namespace":"openshift-kube-scheduler","creationTimestamp":null,"labels":{"app":"openshift-kube-scheduler","revision":"REVISION","scheduler":"true"},"annotations":{"kubectl.kubernetes.io/default-logs-container":"kube-scheduler"}},"spec":{"volumes":[{"name":"resource-dir","hostPath":{"path":"/etc/kubernetes/static-pod-resources/kube-scheduler-pod-REVISION"}},{"name":"cert-dir","hostPath":{"path":"/etc/kubernetes/static-pod-resources/kube-scheduler-certs"}}],"initContainers":[{"name":"wait-for-host-port","image":"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0286a17f0671310c1610508127f4730aab5c30048f5fd5af88c0e439eaf5ac30","command":["/usr/bin/timeout","30","/bin/bash","-c"],"args":["echo -n \"Waiting for port :10259 and :10251 to be released.\"\nwhile [ -n \"$(ss -Htan '( sport = 10251 or sport = 10259 )')\" ]; do\n echo -n \".\"\n sleep 1\ndone\n"],"resources":{"requests":{"cpu":"15m","memory":"50Mi"}},"terminationMessagePolicy":"FallbackToLogsOnError","imagePullPolicy":"IfNotPresent"}],"containers":[{"name":"kube-scheduler","image":"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0286a17f0671310c1610508127f4730aab5c30048f5fd5af88c0e439eaf5ac30","command":["hyperkube","kube-scheduler"],"args":["--config=/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml","--cert-dir=/var/run/kubernetes","--port=0","--authentication-kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/scheduler-kubeconfig/kubeconfig","--authorization-kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/scheduler-kubeconfig/kubeconfig","--feature-gates=APIPriorityAndFairness=true,LegacyNodeRoleBehavior=false,NodeDisruptionExclusion=true,RemoveSelfLink=false,RotateKubeletServerCertificate=true,SCTPSupport=true,ServiceNodeExclusion=true,SupportPodPidsLimit=true","-v=2","--tls-cert-file=/etc/kubernetes/static-pod-resources/secrets/serving-cert/tls.crt","--tls-private-key-file=/etc/kubernetes/static-pod-resources/secrets/serving-cert/tls.key"],"ports":[{"containerPort":10259}],"resources":{"requests":{"cpu":"15m","memory":"50Mi"}},"volumeMounts":[{"name":"resource-dir","mountPath":"/etc/kubernetes/static-pod-resources"},{"name":"cert-dir","mountPath":"/etc/kubernetes/static-pod-certs"}],"livenessProbe":{"httpGet":{"path":"healthz","port":10259,"scheme":"HTTPS"},"initialDelaySeconds":45},"readinessProbe":{"httpGet":{"path":"healthz","port":10259,"scheme":"HTTPS"},"initialDelaySeconds":45},"terminationMessagePolicy":"FallbackToLogsOnError","imagePullPolicy":"IfNotPresent"},{"name":"kube-scheduler-cert-syncer","image":"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:68ed6ae84719afd9c0d17f918a0c09212700f039b39e9b60d96a0624da7cc7ff","command":["cluster-kube-scheduler-operator","cert-syncer"],"args":["--kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/kube-scheduler-cert-syncer-kubeconfig/kubeconfig","--namespace=$(POD_NAMESPACE)","--destination-dir=/etc/kubernetes/static-pod-certs"],"env":[{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}],"resources":{"requests":{"cpu":"5m","memory":"50Mi"}},"volumeMounts":[{"name":"resource-dir","mountPath":"/etc/kubernetes/static-pod-resources"},{"name":"cert-dir","mountPath":"/etc/kubernetes/static-pod-certs"}],"terminationMessagePolicy":"FallbackToLogsOnError","imagePullPolicy":"IfNotPresent"},{"name":"kube-scheduler-recovery-controller","image":"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:68ed6ae84719afd9c0d17f918a0c09212700f039b39e9b60d96a0624da7cc7ff","command":["/bin/bash","-euxo","pipefail","-c"],"args":["timeout 3m /bin/bash -exuo pipefail -c 'while [ -n \"$(ss -Htanop \$ sport = 11443 \$)\" ]; do sleep 1; done'\n\nexec cluster-kube-scheduler-operator cert-recovery-controller --kubeconfig=/etc/kubernetes/static-pod-resources/configmaps/kube-scheduler-cert-syncer-kubeconfig/kubeconfig --namespace=${POD_NAMESPACE} --listen=0.0.0.0:11443 -v=2\n"],"env":[{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}],"resources":{"requests":{"cpu":"5m","memory":"50Mi"}},"volumeMounts":[{"name":"resource-dir","mountPath":"/etc/kubernetes/static-pod-resources"},{"name":"cert-dir","mountPath":"/etc/kubernetes/static-pod-certs"}],"terminationMessagePolicy":"FallbackToLogsOnError","imagePullPolicy":"IfNotPresent"}],"hostNetwork":true,"tolerations":[{"operator":"Exists"}],"priorityClassName":"system-node-critical"},"status":{}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod'). oval:ssg-test_file_for_scheduler_no_bind_address:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod	regular	1000650000	1000650000	5262	`rw-------`

Consider external secret storage

Rule ID	xccdf_org.ssgproject.content_rule_secrets_consider_external_storage
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:20:59+00:00
Severity	medium
Identifiers and References	References: 5.4.2, CM-6, CM-6(1)
Description	Consider the use of an external secrets storage and management system, instead of using Kubernetes Secrets directly, if you have more complex secret management needs. Ensure the solution requires authentication to access secrets, has auditing of access to and use of secrets, and encrypts secrets. Some solutions also make it easier to rotate secrets.
Rationale	Kubernetes supports secrets as first-class objects, but care needs to be taken to ensure that access to secrets is carefully limited. Using an external secrets provider can ease the management of access to secrets, especially where secrets are used across both Kubernetes and non-Kubernetes environments.
Evaluation messages info No candidate or applicable check found.

Do Not Use Environment Variables with Secrets

Rule ID	xccdf_org.ssgproject.content_rule_secrets_no_environment_variables
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:20:59+00:00
Severity	medium
Identifiers and References	References: 5.4.1, CM-6, CM-6(1)
Description	Secrets should be mounted as data volumes instead of environment variables.
Rationale	Environment variables are subject and very susceptible to malicious hijacking methods by an adversary, as such, environment variables should never be used for secrets.
Evaluation messages info No candidate or applicable check found.

Configure the Client Certificate Authority for the API Server

Rule ID	xccdf_org.ssgproject.content_rule_api_server_client_ca
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_client_ca:def:1
Time	2021-07-20T05:20:59+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84284-9 References: 1.2.31, SC-8, SC-8(1), SC-8(2)
Description	Certificates must be provided to fully setup TLS client certificate authentication. To ensure the API Server utilizes its own TLS certificates, the `clientCA` must be configured. Verify that `servingInfo` has the `clientCA` configured in the `openshift-kube-apiserver` `config` configmap to something similar to: "apiServerArguments": { ... "client-ca-file": [ "/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt" ], ...
Rationale	API Server communication contains sensitive parameters that should remain encrypted in transit. Configure the API Server to serve only HTTPS traffic. If `-clientCA` is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_client_ca:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_client_ca:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Configure the API Server Minimum Request Timeout

Rule ID	xccdf_org.ssgproject.content_rule_api_server_request_timeout
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_request_timeout:def:1
Time	2021-07-20T05:20:59+00:00
Severity	medium
Identifiers and References	References: 1.2.26, CM-6, CM-6(1)
Description	The API server minimum request timeout defines the minimum number of seconds a handler must keep a request open before timing it out. To set this, edit the `openshift-kube-apiserver` configmap and set `min-request-timeout` under the `apiServerArguments` field: "apiServerArguments":{ ... "min-request-timeout":[ 3600 ], ...
Rationale	Setting global request timout allows extending the API Server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 1800 seconds which might not be suitable for some environments. Setting the limit too low may result in excessive timeouts, and a limit that is too large may exhaust the API Server resources making it prone to Denial-of-Service attack. It is recommended to set this limit as appropriate and change the default limit of 1800 seconds only if needed.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-apiserver/configmaps/config` file.

OVAL test results details

Variable test to check XCCDF variable oval:ssg-test_api_server_request_timeout:tst:1 true

Following items have been found on the system:

Var ref	Value
oval:ssg-local_variable_api_server_request_timeout:var:1	3600

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_request_timeout:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Ensure that the Admission Control Plugin AlwaysPullImages is not set

Rule ID	xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_AlwaysPullImages
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_admission_control_plugin_AlwaysPullImages:def:1
Time	2021-07-20T05:20:59+00:00
Severity	high
Identifiers and References	References: 1.2.12, CM-6, CM-6(1)
Description	The `AlwaysPullImages` admission control plugin should be disabled, since it can introduce new failure modes for control plane components if an image registry is unreachable.
Rationale	Setting admission control policy to AlwaysPullImages forces every new pod to pull the required images every time. In a multi-tenant cluster users can be assured that their private images can only be used by those who have the credentials to pull them. Without this admission control policy, once an image has been pulled to a node, any pod from any user can use it simply by knowing the image’s name, without any authorization check against the image ownership. When this plug-in is enabled, images are always pulled prior to starting containers, which means valid credentials are required. However, turning on this admission plugin can introduce new kinds of cluster failure modes. OpenShift 4 master and infrastructure components are deployed as pods. Enabling this feature can result in cases where loss of contact to an image registry can cause a redeployed infrastructure pod (oauth-server for example) to fail on an image pull for an image that is currently present on the node. We use PullIfNotPresent so that a loss of image registry access does not prevent the pod from starting. If it becomes PullAlways, then an image registry access outage can cause key infrastructure components to fail. The pull policy can be managed per container, using `imagePullPolicy`.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_admission_control_plugin_AlwaysPullImages:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_admission_control_plugin_AlwaysPullImages:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Ensure that the bindAddress is set to a relevant secure port

Rule ID	xccdf_org.ssgproject.content_rule_api_server_bind_address
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_bind_address:def:1
Time	2021-07-20T05:20:59+00:00
Severity	low
Identifiers and References	Identifiers: CCE-83646-0 References: 1.2.20, CM-6, CM-6(1)
Description	The bindAddress is set by default to `0.0.0.0:6443`, and listening with TLS enabled.
Rationale	The OpenShift API server is served over HTTPS with authentication and authorization; the secure API endpoint is bound to `0.0.0.0:6443` by default. In OpenShift, the only supported way to access the API server pod is through the load balancer and then through the internal service. The value is set by the bindAddress argument under the servingInfo parameter.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_bind_address:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_bind_address:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Configure the Service Account Public Key for the API Server

Rule ID	xccdf_org.ssgproject.content_rule_api_server_service_account_public_key
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_service_account_public_key:def:1
Time	2021-07-20T05:20:59+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83350-9 References: 1.2.28, CM-6, CM-6(1)
Description	To ensure the API Server utilizes its own key pair, edit the `openshift-kube-apiserver` configmap and set the `serviceAccountPublicKeyFiles` parameter to the public key file for service accounts: ... "serviceAccountPublicKeyFiles":[ "/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs" ], ...
Rationale	By default if no `service-account-key-file` is specified to the apiserver, it uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens are rotated as needed, a separate public/private key pair should be used for signing service account tokens.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_service_account_public_key:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_service_account_public_key:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Ensure all admission control plugins are enabled

Rule ID	xccdf_org.ssgproject.content_rule_api_server_no_adm_ctrl_plugins_disabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_no_adm_ctrl_plugins_disabled:def:1
Time	2021-07-20T05:20:59+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83799-7 References: 1.2.13, 1.2.14, 1.2.14, 1.2.15, 1.2.16, 1.2.17, CM-6, CM-6(1)
Description	To make sure none of them is explicitly disabled, run the following command: $ oc -n openshift-kube-apiserver get configmap config -o json \| jq -r '.data."config.yaml"' \| jq '.apiServerArguments."disable-admission-plugins"' and make sure the output is empty.
Rationale	Several hardening controls depend on certain API server admission plugins being enabled. Checking that no admission control plugins are disabled helps assert that all the critical admission control plugins are indeed enabled and providing the security benefits required.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_no_adm_ctrl_plugins_disabled:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_no_adm_ctrl_plugins_disabled:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Ensure that Audit Log Forwarding Is Enabled

Rule ID	xccdf_org.ssgproject.content_rule_audit_log_forwarding_enabled
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_log_forwarding_enabled:def:1
Time	2021-07-20T05:20:59+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84076-9 References: 1.2.23, AC-2(12), AU-6, AU-6(1), AU-6(3), AU-9(2), SI-4(16), AU-4(1), AU-11, AU-7, AU-7(1)
Description	OpenShift audit works at the API server level, logging all requests coming to the server. Audit is on by default and the best practice is to ship audit logs off the cluster for retention. The cluster-logging-operator is able to do this with the ClusterLogForwarders resource. The forementioned resource can be configured to logs to different third party systems. For more information on this, please reference the official documentation: https://docs.openshift.com/container-platform/4.6/logging/cluster-logging-external.html
Rationale	Retaining logs ensures the ability to go back in time to investigate or correlate any events. Offloading audit logs from the cluster ensures that an attacker that has access to the cluster will not be able to tamper with the logs because of the logs being stored off-site.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance` API endpoint to the local `/kubernetes-api-resources/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance` file.

OVAL test results details

In the file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance' find only one object at path 'spec.pipelines[:].inputRefs[:]'. oval:ssg-test_audit_log_forwarding_enabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_audit_log_forwarding_enabled:obj:1 of type yamlfilecontent_object

Filepath

Yamlpath

/kubernetes-api-resources

/kubernetes-api-resources/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance

spec.pipelines[:].inputRefs[:]

Find the file to be checked ('/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance'). oval:ssg-test_file_for_audit_log_forwarding_enabled:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_file_for_audit_log_forwarding_enabled:obj:1 of type file_object

Filepath

/kubernetes-api-resources

/kubernetes-api-resources/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance

Use Strong Cryptographic Ciphers on the API Server

Rule ID	xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_tls_cipher_suites:def:1
Time	2021-07-20T05:20:59+00:00
Severity	medium
Identifiers and References	References: 1.2.35
Description	To ensure that the API Server is configured to only use strong cryptographic ciphers, verify the `openshift-kube-apiserver` configmap contains the following set of ciphers, with no additions: "servingInfo":{ ... "cipherSuites": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", ], ...
Rationale	TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided. By default, OpenShift supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file. warning Once configured, API Server clients that cannot support modern cryptographic ciphers will not be able to make connections to the API server.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_tls_cipher_suites:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_tls_cipher_suites:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Ensure authorization-mode RBAC is configured

Rule ID	xccdf_org.ssgproject.content_rule_api_server_auth_mode_rbac
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_auth_mode_rbac:def:1
Time	2021-07-20T05:20:59+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84102-3 References: 1.2.9, CM-6, CM-6(1)
Description	To ensure OpenShift restricts different identities to a defined set of operations they are allowed to perform, check that the API server's `authorization-mode` configuration option list containst RBAC.
Rationale	Role Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. Enabling RBAC is critical in regulating access to an OpenShift cluster as the RBAC rules specify, given a user, which operations can be executed over a set of namespaced or cluster-wide resources.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_auth_mode_rbac:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_auth_mode_rbac:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Configure the Certificate for the API Server

Rule ID	xccdf_org.ssgproject.content_rule_api_server_tls_cert
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_tls_cert:def:1
Time	2021-07-20T05:20:59+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83779-9 References: 1.2.30, SC-8, SC-8(1), SC-8(2)
Description	To ensure the API Server utilizes its own TLS certificates, the `tls-cert-file` must be configured. Verify that the `apiServerArguments` section has the `tls-cert-file` configured in the `config` configmap in the `openshift-kube-apiserver` namespace similar to: "apiServerArguments":{ ... "tls-cert-file": [ "/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt" ], ... }
Rationale	API Server communication contains sensitive parameters that should remain encrypted in transit. Configure the API Server to serve only HTTPS traffic.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_tls_cert:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_tls_cert:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Ensure that the --kubelet-https argument is set to true

Rule ID	xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_https_for_kubelet_conn:def:1
Time	2021-07-20T05:20:59+00:00
Severity	medium
Identifiers and References	References: 1.2.4, CM-6, CM-6(1), SC-8, SC-8(1)
Description	The kube-apiserver ensures https to the kubelet by default. The apiserver flag "--kubelet-https" is deprecated and should be either set to "true" or omitted from the argument list.
Rationale	Connections from the kube-apiserver to kubelets could potentially carry sensitive data such as secrets and keys. It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_https_for_kubelet_conn:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_https_for_kubelet_conn:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Configure Kubernetes API Server Maximum Audit Log Size

Rule ID	xccdf_org.ssgproject.content_rule_api_server_audit_log_maxsize
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_audit_log_maxsize:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83607-2 References: 1.2.25, CM-6, CM-6(1)
Description	To rotate audit logs upon reaching a maximum size, edit the `openshift-kube-apiserver` configmap and set the `audit-log-maxsize` parameter to an appropriate size in MB. For example, to set it to 100 MB: "apiServerArguments":{ ... "audit-log-maxsize": ["100"], ...
Rationale	OpenShift automatically rotates log files. Retaining old log files ensures that OpenShift Operators have sufficient log data available for carrying out any investigation or correlation. If you have set file size of 100 MB and the number of old log files to keep as 10, there would be approximately 1 GB of log data available for use in analysis.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_audit_log_maxsize:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_audit_log_maxsize:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Configure the kubelet Certificate File for the API Server

Rule ID	xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_kubelet_client_cert:def:1
Time	2021-07-20T05:21:00+00:00
Severity	high
Identifiers and References	Identifiers: CCE-84080-1 References: 1.2.5, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To enable certificate based kubelet authentication, edit the `config` configmap in the `openshift-kube-apiserver` namespace and set the below parameter in the `config.yaml` key if it is not already configured: "apiServerArguments":{ ... "kubelet-client-certificate":"/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt", ... }
Rationale	By default the API Server does not authenticate itself to the kublet's HTTPS endpoints. Requests from the API Server are treated anonymously. Configuring certificate-based kubelet authentication ensures that the API Server authenticates itself to kubelets when submitting requests.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_kubelet_client_cert:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_kubelet_client_cert:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Disable basic-auth-file for the API Server

Rule ID	xccdf_org.ssgproject.content_rule_api_server_basic_auth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_basic_auth:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83936-5 References: 1.2.2, CM-6, CM-6(1)
Description	Basic Authentication should not be used for any reason. If needed, edit API Edit the `openshift-kube-apiserver` configmap and remove the `basic-auth-file` parameter: "apiServerArguments":{ ... "basic-auth-file":[ "/path/to/any/file" ], ... Alternate authentication mechanisms such as tokens and certificates will need to be used. Username and password for basic authentication will be disabled.
Rationale	Basic authentication uses plaintext credentials for authentication. Currently the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API Server. The Basic Authentication is currently supported for convenience and is not intended for production workloads.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_basic_auth:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_basic_auth:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Enable the NodeRestriction Admission Control Plugin

Rule ID	xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_NodeRestriction
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_admission_control_plugin_NodeRestriction:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83753-4 References: 1.2.17, CM-6, CM-6(1)
Description	To limit the `Node` and `Pod` objects that a kubelet could modify, ensure that the `NodeRestriction` plugin on kubelets is enabled in the api-server configuration by running the following command: $ oc -n openshift-kube-apiserver get configmap config -o json \| jq -r '.data."config.yaml"' \| jq '.apiServerArguments."enable-admission-plugins"'
Rationale	Using the `NodeRestriction` plugin ensures that the kubelet is restricted to the `Node` and `Pod` objects that it could modify as defined. Such kubelets will only be allowed to modify their own `Node` API object, and only modify `Pod` API objects that are bound to their node.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_admission_control_plugin_NodeRestriction:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_admission_control_plugin_NodeRestriction:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

The authorization-mode cannot be AlwaysAllow

Rule ID	xccdf_org.ssgproject.content_rule_api_server_auth_mode_no_aa
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_auth_mode_no_aa:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84207-0 References: 1.2.7, CM-6, CM-6(1)
Description	Do not always authorize all requests.
Rationale	The API Server, can be configured to allow all requests. This mode should not be used on any production cluster.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_auth_mode_no_aa:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_auth_mode_no_aa:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Ensure that the service-account-lookup argument is set to true

Rule ID	xccdf_org.ssgproject.content_rule_api_server_service_account_lookup
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_service_account_lookup:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83370-7 References: 1.2.27, CM-6, CM-6(1)
Description	Validate service account before validating token.
Rationale	If `service-account-lookup` is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. This is an example of time of check to time of use security issue.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_service_account_lookup:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_service_account_lookup:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Ensure authorization-mode Node is configured

Rule ID	xccdf_org.ssgproject.content_rule_api_server_auth_mode_node
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_auth_mode_node:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83889-6 References: 1.2.8, CM-6, CM-6(1)
Description	Restrict kubelet nodes to reading only objects associated with them.
Rationale	The Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_auth_mode_node:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_auth_mode_node:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Disable Use of the Insecure Bind Address

Rule ID	xccdf_org.ssgproject.content_rule_api_server_insecure_bind_address
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_insecure_bind_address:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83955-5 References: 1.2.18, CM-6, CM-6(1)
Description	OpenShift should not bind to non-loopback insecure addresses. Edit the `openshift-kube-apiserver` configmap and remove the `insecure-bind-address` if it exists: "apiServerArguments":{ ... "insecure-bind-address":[ "127.0.0.1" ], ...
Rationale	If the API Server is bound to an insecure address the installation would be susceptible to unauthented and unencrypted access to the master node(s). The API Server does not perform authentication checking for insecure binds and the traffic is generally not encrypted.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_insecure_bind_address:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_insecure_bind_address:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Enable the APIPriorityAndFairness feature gate

Rule ID	xccdf_org.ssgproject.content_rule_api_server_api_priority_gate_enabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_api_priority_gate_enabled:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83656-9 References: 1.2.10, CM-6, CM-6(1)
Description	To limit the rate at which the API Server accepts requests, make sure that the API Priority and Fairness feature is enabled. Using `APIPriorityAndFairness` feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. To enable the `APIPriorityAndFairness` feature gate, make sure that the `feature-gates` API server argument, typically set in the `config` configMap in the `openshift-kube-apiserver` namespace contains `APIPriorityAndFairness=true`.
Rationale	The `APIPriorityAndFairness` feature gate enables the use of the `FlowSchema` API objects which enforce a limit on the number of events that the API Server will accept in a given time slice In a large multi-tenant cluster, there might be a small percentage of misbehaving tenants which could have a significant impact on the performance of the cluster overall. It is recommended to limit the rate of events that the API Server will accept.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/apis/operator.openshift.io/v1/kubeapiservers/cluster` API endpoint to the local `/kubernetes-api-resources/apis/operator.openshift.io/v1/kubeapiservers/cluster` file.

OVAL test results details

In the file '/apis/operator.openshift.io/v1/kubeapiservers/cluster' find only one object at path '.spec.observedConfig.apiServerArguments["feature-gates"][:]'. oval:ssg-test_api_server_api_priority_gate_enabled:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/apis/operator.openshift.io/v1/kubeapiservers/cluster	/kubernetes-api-resources/apis/operator.openshift.io/v1/kubeapiservers	cluster	.spec.observedConfig.apiServerArguments["feature-gates"][:]	APIPriorityAndFairness=true RotateKubeletServerCertificate=true SupportPodPidsLimit=true NodeDisruptionExclusion=true ServiceNodeExclusion=true SCTPSupport=true LegacyNodeRoleBehavior=false RemoveSelfLink=false

Find the file to be checked ('/apis/operator.openshift.io/v1/kubeapiservers/cluster'). oval:ssg-test_file_for_api_server_api_priority_gate_enabled:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/apis/operator.openshift.io/v1/kubeapiservers/cluster	regular	1000650000	1000650000	9727	`rw-------`

Configure the kubelet Certificate Authority for the API Server

Rule ID	xccdf_org.ssgproject.content_rule_api_server_kubelet_certificate_authority
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_kubelet_certificate_authority:def:1
Time	2021-07-20T05:21:00+00:00
Severity	high
Identifiers and References	Identifiers: CCE-84196-5 References: 1.2.6, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To ensure OpenShift verifies kubelet certificates before establishing connections, follow the OpenShift documentation and setup the TLS connection between the API Server and kubelets. Edit the `openshift-kube-apiserver` configmap and set the below parameter if it is not already configured: "apiServerArguments":{ ... "kubelet-certificate-authority":"/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt", ...
Rationale	Connections from the API Server to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet port-forwarding functionality. These connections terminate at the kubelet HTTPS endpoint. By default, the API Server does not verify the kubelet serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_kubelet_certificate_authority:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_kubelet_certificate_authority:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used

Rule ID	xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_SecurityContextDeny
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_admission_control_plugin_SecurityContextDeny:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83586-8 References: 1.2.13, CM-6, CM-6(1)
Description	Instead of using a customized SecurityContext for pods, a Pod Security Policy (PSP) or a SecurityContextConstraint should be used. These are cluster-level resources that control the actions that a pod can perform and what resource the pod may access. The `SecurityContextDeny` disallows folks from setting a pod's `securityContext` fields. Ensure that the list of admission controllers does not include SecurityContextDeny: $ oc -n openshift-kube-apiserver get configmap config -o json \| jq -r '.data."config.yaml"' \| jq '.apiServerArguments."enable-admission-plugins"'
Rationale	The `SecurityContextDeny` admission control plugin disallows setting any security options for your pods. `SecurityContextConstraints` allow you to enforce RBAC rules on who can set these options on the pods, and what they're allowed to set. Thus, using the `SecurityContextDeny` will deter you from enforcing granular permissions on your pods.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_admission_control_plugin_SecurityContextDeny:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_admission_control_plugin_SecurityContextDeny:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Configure the Encryption Provider Cipher

Rule ID	xccdf_org.ssgproject.content_rule_api_server_encryption_provider_cipher
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_encryption_provider_cipher:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 1.2.34, SC-28, SC-28(1)
Description	To ensure the correct cipher, set the encryption type `aescbc` in the `apiserver` object which configures the API server itself. spec: encryption: type: aescbc For more information, follow the relevant documentation.
Rationale	`aescbc` is currently the strongest encryption provider, it should be preferred over other providers.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/apis/config.openshift.io/v1/apiservers/cluster` API endpoint to the local `/kubernetes-api-resources/apis/config.openshift.io/v1/apiservers/cluster` file.
Remediation script ⇲ `--- apiVersion: config.openshift.io/v1 kind: APIServer metadata: name: cluster spec: encryption: type: aescbc`

OVAL test results details

In the file '/apis/config.openshift.io/v1/apiservers/cluster' find only one object at path '.spec.encryption.type'. oval:ssg-test_api_server_encryption_provider_cipher:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_api_server_encryption_provider_cipher:obj:1 of type yamlfilecontent_object

Filepath

Yamlpath

/kubernetes-api-resources

/kubernetes-api-resources/apis/config.openshift.io/v1/apiservers/cluster

.spec.encryption.type

Find the file to be checked ('/apis/config.openshift.io/v1/apiservers/cluster'). oval:ssg-test_file_for_api_server_encryption_provider_cipher:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/apis/config.openshift.io/v1/apiservers/cluster	regular	1000650000	1000650000	869	`rw-------`

Profiling is protected by RBAC

Rule ID	xccdf_org.ssgproject.content_rule_api_server_profiling_protected_by_rbac
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_profiling_protected_by_rbac:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84212-0 References: 1.2.21, CM-6, CM-6(1)
Description	Ensure that the cluster-debugger cluster role includes the /metrics resource URL. This demonstrates that profiling is protected by RBAC, with a specific cluster role to allow access.
Rationale	Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. To ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to cluster-admin or cluster-debugger role. Profiling can not be disabled.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger` API endpoint to the local `/kubernetes-api-resources/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger` file.

OVAL test results details

In the file '/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger' find only one object at path '.rules[0].nonResourceURLs[:]'. oval:ssg-test_api_server_profiling_protected_by_rbac:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger	/kubernetes-api-resources/apis/rbac.authorization.k8s.io/v1/clusterroles	cluster-debugger	.rules[0].nonResourceURLs[:]	/debug/pprof /debug/pprof/* /metrics

Find the file to be checked ('/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger'). oval:ssg-test_file_for_api_server_profiling_protected_by_rbac:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger	regular	1000650000	1000650000	773	`rw-------`

Ensure that anonymous requests to the API Server are authorized

Rule ID	xccdf_org.ssgproject.content_rule_api_server_anonymous_auth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_anonymous_auth:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 1.2.1, CM-6, CM-6(1)
Description	By default, anonymous access to the OpenShift API is enabled, but at the same time, all requests must be authorized. If no authentication mechanism is used, the request is assigned the `system:anonymous` virtual user and the `system:unauthenticated` virtual group. This allows the authorization layer to determin which requests, if any, is an anonymous user authorized to make. To verify the authorization rules for anonymous requests run the following: $ oc describe clusterrolebindings and inspect the bidnings of the `system:anonymous` virtual user and the `system:unauthenticated` virtual group. To test that an anonymous request is authorized to access the `readyz` endpoint, run: $ oc get --as="system:anonymous" --raw='/readyz?verbose' In contrast, a request to list all projects should not be authorized: $ oc get --as="system:anonymous" projects
Rationale	When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the API server. If you are using RBAC authorization, it is generally considered reasonable to allow anonymous access to the API Server for health checks and discovery purposes, and hence this recommendation is not scored. However, you should consider whether anonymous discovery is an acceptable risk for your purposes.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/apis/rbac.authorization.k8s.io/v1/clusterrolebindings` API endpoint to the local `/kubernetes-api-resources/apis/rbac.authorization.k8s.io/v1/clusterrolebindings` file.

OVAL test results details

In the file '/apis/rbac.authorization.k8s.io/v1/clusterrolebindings' find only one object at path '.items[:]['subjects'][:].name'. oval:ssg-test_api_server_anonymous_auth:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value	Value
/kubernetes-api-resources/apis/rbac.authorization.k8s.io/v1/clusterrolebindings	/kubernetes-api-resources/apis/rbac.authorization.k8s.io/v1	clusterrolebindings	.items[:]['subjects'][:].name	alertmanager-main	strimzi-cluster-operator	strimzi-cluster-operator	system:authenticated	cloud-credential-operator	system:masters	admin	system:cluster-admins system:admin	cluster-autoscaler	cluster-autoscaler-operator	cluster-baremetal-operator	cluster-monitoring-operator	cluster-node-tuning-operator	tuned	system:cluster-readers	cluster-samples-operator	cluster-samples-operator	system:authenticated	cluster-storage-operator	default	compliance-operator	api-resource-collector	console	system:authenticated	console-operator	console-operator	csi-snapshot-controller-operator	cluster-image-registry-operator	default	default	prometheus-k8s	grafana	system:authenticated	operator	operator	gather	gather	kube-apiserver system:kube-apiserver	kube-state-metrics	machine-api-controllers	machine-api-operator	machine-config-controller	machine-config-daemon	machine-config-server	marketplace-operator	metrics-daemon-sa	multus	multus	multus	network-diagnostics	node-exporter	olm-operator-serviceaccount	csi-snapshot-controller	dns	dns-operator	pruner	ingress-operator	router	ovn-kubernetes-controller	ovn-kubernetes-node	openshift-state-metrics	olm-operator-serviceaccount	postgres-operator	prometheus-adapter	prometheus-adapter	prometheus-k8s	prometheus-k8s	prometheus-operator	prometheus-k8s	registry	prometheus-adapter	prometheus-k8s	nfs-client-provisioner	system:authenticated system:unauthenticated	system:authenticated:oauth	apicurio-registry-operator	apicurio-registry-operator	kube-storage-version-migrator-sa	node-bootstrapper	system:nodes	system:authenticated	system:authenticated	system:authenticated	system:authenticated	attachdetach-controller	certificate-controller	clusterrole-aggregation-controller	cronjob-controller	daemon-set-controller	deployment-controller	disruption-controller	endpoint-controller	endpointslice-controller	endpointslicemirroring-controller	expand-controller	generic-garbage-collector	horizontal-pod-autoscaler horizontal-pod-autoscaler	job-controller	namespace-controller	node-controller	persistent-volume-binder	pod-garbage-collector	pv-protection-controller	pvc-protection-controller	replicaset-controller	replication-controller	resourcequota-controller	root-ca-cert-publisher	route-controller	service-account-controller	service-controller	statefulset-controller	ttl-controller	default-rolebindings-controller	system:authenticated	default-rolebindings-controller	default-rolebindings-controller	system:kube-controller-manager	kube-dns	system:kube-scheduler	system:masters	system:monitoring	system:master system:kube-apiserver system:node-admins	system:master system:node-admins	node-bootstrapper	system:kube-proxy	system:nodes	system:authenticated system:unauthenticated	build-config-change-controller	build-controller	cluster-quota-reconciliation-controller	default-rolebindings-controller	deployer-controller	deploymentconfig-controller	horizontal-pod-autoscaler	image-import-controller	image-trigger-controller	system:serviceaccount:openshift-kube-apiserver:check-endpoints	system:serviceaccount:openshift-kube-apiserver:check-endpoints	system:serviceaccount:openshift-kube-apiserver:check-endpoints	machine-approver-sa	namespace-security-allocation-controller	origin-namespace-controller	pv-recycler-controller	resourcequota-controller	service-ca	service-ingress-ip-controller	service-serving-cert-controller	serviceaccount-controller	serviceaccount-pull-secrets-controller	template-instance-controller	template-instance-controller	template-instance-finalizer-controller	template-instance-finalizer-controller	template-service-broker	unidling-controller	system:authenticated	cloud-provider	oauth-apiserver-sa	openshift-apiserver-sa	oauth-openshift	openshift-controller-manager-sa	ingress-to-route-controller	authentication-operator	openshift-kube-scheduler-operator	etcd-operator	kube-apiserver-operator	localhost-recovery-client	kube-controller-manager-operator	localhost-recovery-client	localhost-recovery-client	openshift-kube-scheduler-sa	kube-storage-version-migrator-operator	openshift-apiserver-operator	openshift-config-operator	openshift-controller-manager-operator	installer-sa	installer-sa	installer-sa	installer-sa	service-ca-operator	system:authenticated system:unauthenticated	openshift-controller-manager-sa	system:authenticated:oauth	system:authenticated system:unauthenticated	system:authenticated system:unauthenticated	system:nodes	system:serviceaccounts	system:kube-scheduler	system:authenticated system:unauthenticated	telemeter-client	telemeter-client	thanos-querier

Find the file to be checked ('/apis/rbac.authorization.k8s.io/v1/clusterrolebindings'). oval:ssg-test_file_for_api_server_anonymous_auth:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/apis/rbac.authorization.k8s.io/v1/clusterrolebindings	regular	1000650000	1000650000	214095	`rw-------`

Ensure the openshift-oauth-apiserver service uses TLS

Rule ID	xccdf_org.ssgproject.content_rule_api_server_openshift_https_serving_cert
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 1.2.4, CM-6, CM-6(1), SC-8, SC-8(1)
Description	By default, the OpenShift API Server uses TLS. HTTPS should be used for connections between openshift-apiserver and kube-apiserver. OpenShift API server enables TLS automatically if a TLS key and a certificate are provided via the `serving-cert` secret in the `openshift-apiserver` namespace.
Rationale	Connections between the kube-apiserver and the extension openshift-apiserver could potentially carry sensitive data such as secrets and keys. It is important to use in-transit encryption for any communication between the kube-apiserver and the extension openshift-apiserver.
Evaluation messages info No candidate or applicable check found.

Configure the Certificate Key for the API Server

Rule ID	xccdf_org.ssgproject.content_rule_api_server_tls_private_key
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_tls_private_key:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84282-3 References: 1.2.30, SC-8, SC-8(1), SC-8(2)
Description	To ensure the API Server utilizes its own TLS certificates, the `tls-private-key-file` must be configured. Verify that the `apiServerArguments` section has the `tls-private-key-file` configured in the `config` configmap in the `openshift-kube-apiserver` namespace similar to: "apiServerArguments":{ ... "tls-private-key-file": [ "/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key" ], ... }
Rationale	API Server communication contains sensitive parameters that should remain encrypted in transit. Configure the API Server to serve only HTTPS traffic.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_tls_private_key:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_tls_private_key:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Configure the Audit Log Path

Rule ID	xccdf_org.ssgproject.content_rule_api_server_audit_log_path
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_audit_log_path:def:1
Time	2021-07-20T05:21:00+00:00
Severity	high
Identifiers and References	Identifiers: CCE-84020-7 References: 1.2.22, CM-6, CM-6(1)
Description	To enable auditing on the Kubernetes API Server, the audit log path must be set. Edit the `openshift-kube-apiserver` configmap and set the `audit-log-path` to a suitable path and file where audit logs should be written. For example: "apiServerArguments":{ ... "audit-log-path":"/var/log/kube-apiserver/audit.log", ...
Rationale	Auditing of the Kubernetes API Server is not enabled by default. Auditing the API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by users, administrators, or other system components.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_audit_log_path:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_audit_log_path:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Ensure catch-all FlowSchema object for API Priority and Fairness Exists (v1alpha1)

Rule ID	xccdf_org.ssgproject.content_rule_api_server_api_priority_v1alpha1_flowschema_catch_all
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_api_priority_v1alpha1_flowschema_catch_all:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84002-5 References: 1.2.10, CM-6, CM-6(1)
Description	Using `APIPriorityAndFairness` feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known FlowSchema `catch-all` should be available to make sure that every request gets some kind of classification. By default, the `catch-all` priority level only allows one concurrency share and does not queue requests. To inspect all the `FlowSchema` objects, run: oc get flowschema To inspect the well-known `catch-all` object, run the following: oc describe flowschema catch-all
Rationale	The `FlowSchema` API objects enforce a limit on the number of events that the API Server will accept in a given time slice In a large multi-tenant cluster, there might be a small percentage of misbehaving tenants which could have a significant impact on the performance of the cluster overall. It is recommended to limit the rate of events that the API Server will accept.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all` API endpoint to the local `/kubernetes-api-resources/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all` file. warning Note that this rule is only applicable in OpenShift Container Platform versions 4.7 and below.

OVAL test results details

In the file '/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all' find only one object at path '.spec.rules[0].subjects[:].group["name"]'. oval:ssg-test_api_server_api_priority_v1alpha1_flowschema_catch_all:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all	/kubernetes-api-resources/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas	catch-all	.spec.rules[0].subjects[:].group["name"]	system:unauthenticated system:authenticated

Find the file to be checked ('/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all'). oval:ssg-test_file_for_api_server_api_priority_v1alpha1_flowschema_catch_all:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all	regular	1000650000	1000650000	1927	`rw-------`

Configure the Encryption Provider

Rule ID	xccdf_org.ssgproject.content_rule_api_server_encryption_provider_config
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_encryption_provider_config:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83585-0 References: 1.2.33, SC-28, SC-28(1)
Description	To encrypt the etcd key-value store, set the encryption type `aescbc` in the `apiserver` object which configures the API server itself. spec: encryption: type: aescbc For more information, follow the relevant documentation.
Rationale	etcd is a highly available key-value store used by OpenShift deployments for persistent storage of all REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/apis/config.openshift.io/v1/apiservers/cluster` API endpoint to the local `/kubernetes-api-resources/apis/config.openshift.io/v1/apiservers/cluster` file.
Remediation script ⇲ `--- apiVersion: config.openshift.io/v1 kind: APIServer metadata: name: cluster spec: encryption: type: aescbc`

OVAL test results details

In the file '/apis/config.openshift.io/v1/apiservers/cluster' find only one object at path '.spec.encryption.type'. oval:ssg-test_api_server_encryption_provider_config:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_api_server_encryption_provider_config:obj:1 of type yamlfilecontent_object

Filepath

Yamlpath

/kubernetes-api-resources

/kubernetes-api-resources/apis/config.openshift.io/v1/apiservers/cluster

.spec.encryption.type

Find the file to be checked ('/apis/config.openshift.io/v1/apiservers/cluster'). oval:ssg-test_file_for_api_server_encryption_provider_config:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/apis/config.openshift.io/v1/apiservers/cluster	regular	1000650000	1000650000	869	`rw-------`

Configure the Kubernetes API Server Maximum Retained Audit Logs

Rule ID	xccdf_org.ssgproject.content_rule_api_server_audit_log_maxbackup
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_audit_log_maxbackup:def:1
Time	2021-07-20T05:21:00+00:00
Severity	low
Identifiers and References	Identifiers: CCE-83739-3 References: 1.2.24, CM-6, CM-6(1)
Description	To configure how many rotations of audit logs are retained, edit the `openshift-kube-apiserver` configmap and set the `audit-log-maxbackup` parameter to `10` or to an organizationally appropriate value: "apiServerArguments":{ ... "audit-log-maxbackup": [10], ...
Rationale	OpenShift automatically rotates the log files. Retaining old log files ensures OpenShift Operators will have sufficient log data available for carrying out any investigation or correlation. For example, if the audit log size is set to 100 MB and the number of retained log files is set to 10, OpenShift Operators would have approximately 1 GB of log data to use during analysis.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_audit_log_maxbackup:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_audit_log_maxbackup:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Prevent Insecure Port Access

Rule ID	xccdf_org.ssgproject.content_rule_api_server_insecure_port
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_insecure_port:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83813-6 References: 1.2.19, CM-6, CM-6(1)
Description	By default, traffic for the OpenShift API server is served over HTTPS with authentication and authorization, and the secure API endpoint is bound to `0.0.0.0:8443`. To ensure that the insecure port configuration has not been enabled, the `insecure-port` parameter should be set to 0. Edit the `openshift-kube-apiserver` configmap and change the `insecure-port` value to 0: "apiServerArguments":{ ... "insecure-port":[ "1234" ], ...
Rationale	Configuring the API Server on an insecure port would allow unauthenticated and unencrypted access to your master node(s). It is assumed firewall rules will be configured to ensure this port is not reachable from outside the cluster, however as a defense in depth measure, OpenShift should not be configured to use insecure ports.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_insecure_port:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_insecure_port:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Configure the etcd Certificate for the API Server

Rule ID	xccdf_org.ssgproject.content_rule_api_server_etcd_cert
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_etcd_cert:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83876-3 References: 1.2.29, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To ensure etcd is configured to make use of TLS encryption for client communications, follow the OpenShift documentation and setup the TLS connection between the API Server and etcd. Then, verify that `apiServerArguments` has the `etcd-certfile` configured in the `openshift-kube-apiserver` configmap to something similar to: ... "etcd-certfile": [ "/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt" ], ...
Rationale	etcd is a highly-available key-value store used by OpenShift deployments for persistent storage of all REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API Server to identify itself to the etcd server using a client certificate and key.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_etcd_cert:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_etcd_cert:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Configure the kubelet Certificate Key for the API Server

Rule ID	xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_kubelet_client_key:def:1
Time	2021-07-20T05:21:00+00:00
Severity	high
Identifiers and References	Identifiers: CCE-83591-8 References: 1.2.5, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To enable certificate based kubelet authentication, edit the `config` configmap in the `openshift-kube-apiserver` namespace and set the below parameter in the `config.yaml` key if it is not already configured: "apiServerArguments":{ ... "kubelet-client-key":"/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key", ... }
Rationale	By default the API Server does not authenticate itself to the kubelet's HTTPS endpoints. Requests from the API Server are treated anonymously. Configuring certificate-based kubelet authentication ensures that the API Server authenticates itself to kubelets when submitting requests.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_kubelet_client_key:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_kubelet_client_key:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Disable Token-based Authentication

Rule ID	xccdf_org.ssgproject.content_rule_api_server_token_auth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_token_auth:def:1
Time	2021-07-20T05:21:00+00:00
Severity	high
Identifiers and References	Identifiers: CCE-83481-2 References: 1.2.3, CM-6, CM-6(1)
Description	To ensure OpenShift does not accept token-based authentication, follow the OpenShift documentation and configure alternate mechanisms for authentication. Then, edit the API Server pod specification file Edit the `openshift-kube-apiserver` configmap and remove the `token-auth-file` parameter: "apiServerArguments":{ ... "token-auth-file":[ "/path/to/any/file" ], ...
Rationale	The token-based authentication utilizes static tokens to authenticate requests to the API Server. The tokens are stored in clear-text in a file on the API Server, and cannot be revoked or rotated without restarting the API Server.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_token_auth:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_token_auth:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Enable the ServiceAccount Admission Control Plugin

Rule ID	xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_ServiceAccount
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_admission_control_plugin_ServiceAccount:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83791-4 References: 1.2.14, CM-6, CM-6(1)
Description	To ensure `ServiceAccount` objects must be created and granted before pod creation is allowed, follow the documentation and create `ServiceAccount` objects as per your environment. Ensure that the plugin is enabled in the api-server configuration: $ oc -n openshift-kube-apiserver get configmap config -o json \| jq -r '.data."config.yaml"' \| jq '.apiServerArguments."enable-admission-plugins"'
Rationale	When a pod is created, if a service account is not specified, the pod is automatically assigned the default service account in the same namespace. OpenShift operators should create unique service accounts and let the API Server manage its security tokens.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_admission_control_plugin_ServiceAccount:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_admission_control_plugin_ServiceAccount:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Configure OpenShift API Server Maximum Audit Log Size

Rule ID	xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxsize
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-ocp_api_server_audit_log_maxsize:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83687-4 References: 1.2.25, CM-6, CM-6(1)
Description	To rotate audit logs upon reaching a maximum size, edit the `openshift-apiserver` configmap and set the `audit-log-maxsize` parameter to an appropriate size in MB. For example, to set it to 100 MB: "apiServerArguments":{ ... "audit-log-maxsize": ["100"], ...
Rationale	OpenShift automatically rotates log files. Retaining old log files ensures that OpenShift Operators have sufficient log data available for carrying out any investigation or correlation. If you have set file size of 100 MB and the number of old log files to keep as 10, there would be approximately 1 GB of log data available for use in analysis.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_ocp_api_server_audit_log_maxsize:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-apiserver/configmaps	config	.data["config.yaml"]	{"apiServerArguments":{"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/openshift-apiserver/audit.log"],"audit-policy-file":["/var/run/configmaps/audit/secure-oauth-storage-default.yaml"],"shutdown-delay-duration":["3s"]},"apiVersion":"openshiftcontrolplane.config.openshift.io/v1","imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"OpenShiftAPIServerConfig","projectConfig":{"projectRequestMessage":""},"routingConfig":{"subdomain":"apps.ocp.ispworld.at"},"servingInfo":{"bindNetwork":"tcp","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12"},"storageConfig":{"urls":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379"]}}

Find the file to be checked ('/api/v1/namespaces/openshift-apiserver/configmaps/config'). oval:ssg-test_file_for_ocp_api_server_audit_log_maxsize:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-apiserver/configmaps/config	regular	1000650000	1000650000	1565	`rw-------`

Disable the AlwaysAdmit Admission Control Plugin

Rule ID	xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_AlwaysAdmit
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_admission_control_plugin_AlwaysAdmit:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84148-6 References: 1.2.11, CM-6, CM-6(1)
Description	To ensure OpenShift only responses to requests explicitly allowed by the admission control plugin. Check that the `config` ConfigMap object does not contain the AlwaysAdmit plugin.
Rationale	Enabling the admission control plugin `AlwaysAdmit` allows all requests and does not provide any filtering.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_admission_control_plugin_AlwaysAdmit:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_admission_control_plugin_AlwaysAdmit:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Enable the NamespaceLifecycle Admission Control Plugin

Rule ID	xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_NamespaceLifecycle
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_admission_control_plugin_NamespaceLifecycle:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83854-0 References: 1.2.15, CM-6, CM-6(1)
Description	OpenShift enables the `NamespaceLifecycle` plugin by default.
Rationale	Setting admission control policy to `NamespaceLifecycle` ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of new objects.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_admission_control_plugin_NamespaceLifecycle:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_admission_control_plugin_NamespaceLifecycle:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Configure the etcd Certificate Key for the API Server

Rule ID	xccdf_org.ssgproject.content_rule_api_server_etcd_key
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_etcd_key:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83546-2 References: 1.2.29, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To ensure etcd is configured to make use of TLS encryption for client communications, follow the OpenShift documentation and setup the TLS connection between the API Server and etcd. Then, verify that `apiServerArguments` has the `etcd-keyfile` configured in the `openshift-kube-apiserver` configmap to something similar to: ... "etcd-keyfile": [ "/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key" ], ...
Rationale	etcd is a highly-available key-value store used by OpenShift deployments for persistent storage of all REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API Server to identify itself to the etcd server using a client certificate and key.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_etcd_key:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_etcd_key:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Ensure the openshift-oauth-apiserver service uses TLS

Rule ID	xccdf_org.ssgproject.content_rule_api_server_oauth_https_serving_cert
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 1.2.4, CM-6, CM-6(1), SC-8, SC-8(1)
Description	By default, the OpenShift OAuth API Server uses TLS. HTTPS should be used for connections between openshift-oauth-apiserver and kube-apiserver. OpenShift OAuth API server enables TLS automatically if a TLS key and a certificate are provided via the `serving-cert` secret in the `openshift-oauth-apiserver` namespace.
Rationale	Connections between the kube-apiserver and the extension openshift-oauth-apiserver could potentially carry sensitive data such as secrets and keys. It is important to use in-transit encryption for any communication between the kube-apiserver and the extension openshift-apiserver.
Evaluation messages info No candidate or applicable check found.

Configure the OpenShift API Server Maximum Retained Audit Logs

Rule ID	xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxbackup
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-ocp_api_server_audit_log_maxbackup:def:1
Time	2021-07-20T05:21:00+00:00
Severity	low
Identifiers and References	Identifiers: CCE-83977-9 References: 1.2.24, CM-6, CM-6(1)
Description	To configure how many rotations of audit logs are retained, edit the `openshift-apiserver` configmap and set the `audit-log-maxbackup` parameter to `10` or to an organizationally appropriate value: "apiServerArguments":{ ... "audit-log-maxbackup": [10], ...
Rationale	OpenShift automatically rotates the log files. Retaining old log files ensures OpenShift Operators will have sufficient log data available for carrying out any investigation or correlation. For example, if the audit log size is set to 100 MB and the number of retained log files is set to 10, OpenShift Operators would have approximately 1 GB of log data to use during analysis.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_ocp_api_server_audit_log_maxbackup:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-apiserver/configmaps	config	.data["config.yaml"]	{"apiServerArguments":{"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/openshift-apiserver/audit.log"],"audit-policy-file":["/var/run/configmaps/audit/secure-oauth-storage-default.yaml"],"shutdown-delay-duration":["3s"]},"apiVersion":"openshiftcontrolplane.config.openshift.io/v1","imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"OpenShiftAPIServerConfig","projectConfig":{"projectRequestMessage":""},"routingConfig":{"subdomain":"apps.ocp.ispworld.at"},"servingInfo":{"bindNetwork":"tcp","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12"},"storageConfig":{"urls":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379"]}}

Find the file to be checked ('/api/v1/namespaces/openshift-apiserver/configmaps/config'). oval:ssg-test_file_for_ocp_api_server_audit_log_maxbackup:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-apiserver/configmaps/config	regular	1000650000	1000650000	1565	`rw-------`

Configure the etcd Certificate Authority for the API Server

Rule ID	xccdf_org.ssgproject.content_rule_api_server_etcd_ca
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_etcd_ca:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84216-1 References: 1.2.32, SC-8, SC-8(1), SC-8(2)
Description	To ensure etcd is configured to make use of TLS encryption for client connections, follow the OpenShift documentation and setup the TLS connection between the API Server and etcd. Then, verify that `apiServerArguments` has the `etcd-cafile` configured in the `openshift-kube-apiserver` `config` configmap to something similar to: "apiServerArguments": { ... "etcd-cafile": [ "/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt" ], ...
Rationale	etcd is a highly-available key-value store used by OpenShift deployments for persistent storage of all REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API Server to identify itself to the etcd server using a SSL Certificate Authority file.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_etcd_ca:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_etcd_ca:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Enable the SecurityContextConstraint Admission Control Plugin

Rule ID	xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_Scc
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-api_server_admission_control_plugin_Scc:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83602-3 References: 1.2.16, CM-6, CM-6(1)
Description	To ensure pod permissions are managed, make sure that the `SecurityContextConstraint` admission control plugin is used.
Rationale	A Security Context Constraint is a cluster-level resource that controls the actions which a pod can perform and what the pod may access. The `SecurityContextConstraint` objects define a set of conditions that a pod must run with in order to be accepted into the system. Security Context Constraints are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_api_server_admission_control_plugin_Scc:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data["config.yaml"]	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_api_server_admission_control_plugin_Scc:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Ensure catch-all FlowSchema object for API Priority and Fairness Exists

Rule ID	xccdf_org.ssgproject.content_rule_api_server_api_priority_flowschema_catch_all
Result	notapplicable
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83522-3 References: 1.2.10, CM-6, CM-6(1)
Description	Using `APIPriorityAndFairness` feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known FlowSchema `catch-all` should be available to make sure that every request gets some kind of classification. By default, the `catch-all` priority level only allows one concurrency share and does not queue requests. To inspect all the `FlowSchema` objects, run: oc get flowschema To inspect the well-known `catch-all` object, run the following: oc describe flowschema catch-all
Rationale	The `FlowSchema` API objects enforce a limit on the number of events that the API Server will accept in a given time slice In a large multi-tenant cluster, there might be a small percentage of misbehaving tenants which could have a significant impact on the performance of the cluster overall. It is recommended to limit the rate of events that the API Server will accept.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all` API endpoint to the local `/kubernetes-api-resources/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all` file. warning Note that this is only applicable in OpenShift Container Platform version 4.8 and higher

Limit Access to the Host IPC Namespace

Rule ID	xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84042-1 References: 5.2.3, CM-6, CM-6(1)
Description	Containers should not be allowed access to the host's Interprocess Commication (IPC) namespace. To prevent containers from getting access to a host's IPC namespace, the appropriate Security Context Constraints (SCCs) should set `allowHostIPC` to `false`.
Rationale	A container running in the host's IPC namespace can use IPC to interact with processes outside the container potentially allowing an attacker to exploit a host process thereby enabling an attacker to exploit other services.
Evaluation messages info No candidate or applicable check found.

Limit Container Running As Root User

Rule ID	xccdf_org.ssgproject.content_rule_scc_limit_root_containers
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.2.6, CM-6, CM-6(1)
Description	Containers should be limited to only the privileges required to run and should very rarely be run as root user. To prevent containers from running as root user, the appropriate Security Context Constraints (SCCs) should set `allowPrivilegedContainer` to `false`.
Rationale	Privileged containers have access to all Linux Kernel capabilities and devices. If a privileged container were compromised, an attacker would have full access to the container and host.
Evaluation messages info No candidate or applicable check found.

Drop Container Capabilities

Rule ID	xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.2.9, CM-6, CM-6(1)
Description	Containers should not enable more capabilites than needed as this opens the door for malicious use. To disable the capabilities, the appropriate Security Context Constraints (SCCs) should set all capabilities as `*` or a list of capabilities in `requiredDropCapabilities`.
Rationale	By default, containers run with a default set of capabilities as assigned by the Container Runtime which can include dangerous or highly privileged capabilities. Capabilities should be dropped unless absolutely critical for the container to run software as added capabilities that are not required allow for malicious containers or attackers.
Evaluation messages info No candidate or applicable check found.

Limit Access to the Host Process ID Namespace

Rule ID	xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.2.2, CM-6, CM-6(1)
Description	Containers should not be allowed access to the host's process ID namespace. To prevent containers from getting access to a host's process ID namespace, the appropriate Security Context Constraints (SCCs) should set `allowHostPID` to `false`.
Rationale	A container running in the host's PID namespace can inspect processes running outside the container which can be used to escalate privileges outside of the container.
Evaluation messages info No candidate or applicable check found.

Limit Access to the Host Network Namespace

Rule ID	xccdf_org.ssgproject.content_rule_scc_limit_network_namespace
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83492-9 References: 5.2.4, CM-6, CM-6(1)
Description	Containers should not be allowed access to the host's network namespace. To prevent containers from getting access to a host's network namespace, the appropriate Security Context Constraints (SCCs) should set `allowHostNetwork` to `false`.
Rationale	A container running in the host's network namespace could access the host network traffic to and from other pods potentially allowing an attacker to exploit pods and network traffic.
Evaluation messages info No candidate or applicable check found.

Limit Containers Ability to Escalate Privileges

Rule ID	xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83447-3 References: 5.2.5, CM-6, CM-6(1)
Description	Containers should be limited to only the privileges required to run and should not be allowed to escalate their privileges. To prevent containers from escalating privileges, the appropriate Security Context Constraints (SCCs) should set `allowPrivilegeEscalation` to `false`.
Rationale	Privileged containers have access to more of the Linux Kernel capabilities and devices. If a privileged container were compromised, an attacker would have full access to the container and host.
Evaluation messages info No candidate or applicable check found.

Limit Container Capabilities

Rule ID	xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.2.8, CM-6, CM-6(1)
Description	Containers should not enable more capabilites than needed as this opens the door for malicious use. To enable only the required capabilities, the appropriate Security Context Constraints (SCCs) should set capabilities as a list in `allowedCapabilities`.
Rationale	By default, containers run with a default set of capabilities as assigned by the Container Runtime which can include dangerous or highly privileged capabilities. Capabilities should be dropped unless absolutely critical for the container to run software as added capabilities that are not required allow for malicious containers or attackers.
Evaluation messages info No candidate or applicable check found.

Limit Privileged Container Use

Rule ID	xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.2.1, CM-6, CM-6(1)
Description	Containers should be limited to only the privileges required to run. To prevent containers from running as privileged containers, the appropriate Security Context Constraints (SCCs) should set `allowPrivilegedContainer` to `false`.
Rationale	Privileged containers have access to all Linux Kernel capabilities and devices. If a privileged container were compromised, an attacker would have full access to the container and host.
Evaluation messages info No candidate or applicable check found.

Limit Use of the CAP_NET_RAW

Rule ID	xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.2.7, CM-6, CM-6(1)
Description	Containers should not enable more capabilites than needed as this opens the door for malicious use. `CAP_NET_RAW` enables a container to launch a network attack on another container or cluster. To disable the `CAP_NET_RAW` capability, the appropriate Security Context Constraints (SCCs) should set `NET_RAW` in `requiredDropCapabilities`.
Rationale	By default, containers run with a default set of capabilities as assigned by the Container Runtime which can include dangerous or highly privileged capabilities. If the CAP_NET_RAW is enabled, it may be misused by malicious containers or attackers.
Evaluation messages info No candidate or applicable check found.

Configure An Identity Provider

Rule ID	xccdf_org.ssgproject.content_rule_idp_is_configured
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-idp_is_configured:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84088-4 References: 3.1.1, AC-2, AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-2(5), AC-2(6), AC-2(7), AC-2(8), AC-7
Description	For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user associated with requests to the OpenShift Container Platform API. The authorization layer then uses information about the requesting user to determine if the request is allowed. Understanding authentication \| Authentication \| OpenShift Container Platform The OpenShift Container Platform includes a built-in OAuth server for token-based authentication. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API. It is recommended for an administrator to configure OAuth to specify an identity provider after the cluster is installed. User access to the cluster is managed through the identity provider. Understanding identity provider configuration \| Authentication \| OpenShift Container Platform OpenShift includes built-in role based access control (RBAC) to determine whether a user is allowed to perform a given action within the cluster. Roles can have cluster scope or local (i.e. project) scope. Using RBAC to define and apply permissions \| Authentication \| OpenShift Container Platform
Rationale	With any authentication mechanism the ability to revoke credentials if they are compromised or no longer required, is a key control. Kubernetes client certificate authentication does not allow for this due to a lack of support for certificate revocation. OpenShift's built-in OAuth server allows credential revocation by relying on the Identity provider, as well as giving the administrators the ability to revoke any tokens given to a specific user.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/apis/config.openshift.io/v1/oauths/cluster` API endpoint to the local `/kubernetes-api-resources/apis/config.openshift.io/v1/oauths/cluster` file.

OVAL test results details

In the file '/apis/config.openshift.io/v1/oauths/cluster' find only one object at path '.spec.identityProviders[:].type'. oval:ssg-test_idp_is_configured:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/apis/config.openshift.io/v1/oauths/cluster	/kubernetes-api-resources/apis/config.openshift.io/v1/oauths	cluster	.spec.identityProviders[:].type	HTPasswd

Find the file to be checked ('/apis/config.openshift.io/v1/oauths/cluster'). oval:ssg-test_file_for_idp_is_configured:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/apis/config.openshift.io/v1/oauths/cluster	regular	1000650000	1000650000	981	`rw-------`

Verify Group Who Owns The Worker Proxy Kubeconfig File

Rule ID	xccdf_org.ssgproject.content_rule_file_groupowner_proxy_kubeconfig
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 4.1.4, CM-6, CM-6(1)
Description	To ensure the Kubernetes ConfigMap is mounted into the sdn daemonset pods with the correct ownership, make sure that the `sdn-config` ConfigMap is mounted using a ConfigMap at the `/config` mount point and that the `sdn` container points to that configuration using the `--proxy-config` command line option. Run: oc get -nopenshift-sdn ds sdn -ojson \| jq -r '.spec.template.spec.containers[] \| select(.name == "sdn")' and ensure the `--proxy-config` parameter points to `/config/kube-proxy-config.yaml` and that the `config` mount point is mounted from the `sdn-config` ConfigMap.
Rationale	The kubeconfig file for kube-proxy provides permissions to the kube-proxy service. The proxy kubeconfig file contains information about the administrative configuration of the OpenShift cluster that is configured on the system. Protection of this file is critical for OpenShift security. The file is provided via a ConfigMap mount, so the kubelet itself makes sure that the file permissions are appropriate for the container taking it into use.
Evaluation messages info No candidate or applicable check found.

Verify Permissions on the Worker Proxy Kubeconfig File

Rule ID	xccdf_org.ssgproject.content_rule_file_permissions_proxy_kubeconfig
Result	fail
Multi-check rule	no
OVAL Definition ID	oval:ssg-file_permissions_proxy_kubeconfig:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84047-0 References: 4.1.3, CM-6, CM-6(1)
Description	To ensure the Kubernetes ConfigMap is mounted into the sdn daemonset pods with the correct permissions, make sure that the `sdn-config` ConfigMap is mounted using restrictive permissions. Check that the `config` VolumeMount mounts the `sdn-config` configMap with permissions set to 420: { "configMap": { "defaultMode": 420, "name": "sdn-config" }, "name": "config" }
Rationale	The kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. If used, you should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. The kube-proxy runs with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file. But appropriate permissions still need to be set in the ConfigMap mount.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn` API endpoint to the local `/kubernetes-api-resources/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn` file.

OVAL test results details

In the file '/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn' find only one object at path 'spec.template.spec.volumes[:].configMap['defaultMode','name']'. oval:ssg-test_file_permissions_proxy_kubeconfig:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_file_permissions_proxy_kubeconfig:obj:1 of type yamlfilecontent_object

Filepath

Yamlpath

/kubernetes-api-resources

/kubernetes-api-resources/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn

spec.template.spec.volumes[:].configMap['defaultMode','name']

Find the file to be checked ('/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn'). oval:ssg-test_file_for_file_permissions_proxy_kubeconfig:tst:1 false

No items have been found conforming to the following objects:

Object oval:ssg-object_file_for_file_permissions_proxy_kubeconfig:obj:1 of type file_object

Filepath

/kubernetes-api-resources

/kubernetes-api-resources/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn

Verify User Who Owns The Worker Proxy Kubeconfig File

Rule ID	xccdf_org.ssgproject.content_rule_file_owner_proxy_kubeconfig
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 4.1.4, CM-6, CM-6(1)
Description	To ensure the Kubernetes ConfigMap is mounted into the sdn daemonset pods with the correct ownership, make sure that the `sdn-config` ConfigMap is mounted using a ConfigMap at the `/config` mount point and that the `sdn` container points to that configuration using the `--proxy-config` command line option. Run: oc get -nopenshift-sdn ds sdn -ojson \| jq -r '.spec.template.spec.containers[] \| select(.name == "sdn")' and ensure the `--proxy-config` parameter points to `/config/kube-proxy-config.yaml` and that the `config` mount point is mounted from the `sdn-config` ConfigMap.
Rationale	The kubeconfig file for kube-proxy provides permissions to the kube-proxy service. The proxy kubeconfig file contains information about the administrative configuration of the OpenShift cluster that is configured on the system. Protection of this file is critical for OpenShift security. The file is provided via a ConfigMap mount, so the kubelet itself makes sure that the file permissions are appropriate for the container taking it into use.
Evaluation messages info No candidate or applicable check found.

Ensure That The etcd Key File Is Correctly Set

Rule ID	xccdf_org.ssgproject.content_rule_etcd_key_file
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-etcd_key_file:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83745-0 References: 2.1, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To ensure the etcd service is serving TLS to clients, make sure the `etcd-pod*` ConfigMaps in the `openshift-etcd` namespace contain the following argument for the `etcd` binary in the `etcd` pod: oc get -nopenshift-etcd cm etcd-pod -oyaml \| grep "\-\-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-[a-z]+/etcd-serving-NODE_NAME.key" . Note that the [a-z]+ is being used since the directory might change between OpenShift versions.
Rationale	Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' find only one object at path '.data['pod.yaml']'. oval:ssg-test_etcd_key_file:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps	etcd-pod	.data['pod.yaml']	apiVersion: v1 kind: Pod metadata: name: etcd namespace: openshift-etcd labels: app: etcd k8s-app: etcd etcd: "true" revision: "REVISION" spec: initContainers: - name: etcd-ensure-env-vars image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail : "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}" : "${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}" : "${NODE_NODE_ENVVAR_NAME_IP?not set}" # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_IP}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_IP}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}" >&2 exit 1 fi # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" >&2 exit 1 fi resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: NODE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: etcd-resources-copy image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/) cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/.sh /usr/local/bin resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /usr/local/bin name: usr-local-bin containers: # The etcdctl container should always be first. It is intended to be used # to open a remote shell via `oc rsh` that is ready to run `etcdctl`. - name: etcdctl image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - "/bin/bash" - "-c" - "trap TERM INT; sleep infinity & wait" resources: requests: memory: 60Mi cpu: 10m volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: etcd image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail etcdctl member list \|\| true # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you # will succeed when you should fail. ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \ --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --endpoints=${ALL_ETCD_ENDPOINTS} \ --data-dir=/var/lib/etcd \ --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \ --target-name=NODE_NAME) export ETCD_INITIAL_CLUSTER # we cannot use the "normal" port conflict initcontainer because when we upgrade, the existing static pod will never yield, # so we do the detection in etcd container itsefl. echo -n "Waiting for ports 2379, 2380 and 9978 to be released." while [ -n "$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')" ]; do echo -n "." sleep 1 done export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} env \| grep ETCD \| grep -v NODE set -x # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice exec ionice -c2 -n0 etcd \ --log-level=info \ --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \ --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.crt \ --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.key \ --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --client-cert-auth=true \ --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --peer-client-cert-auth=true \ --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \ --listen-client-urls=https://0.0.0.0:2379 \ --listen-peer-urls=https://0.0.0.0:2380 \ --listen-metrics-urls=https://0.0.0.0:9978 \|\| mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 600Mi cpu: 300m readinessProbe: tcpSocket: port: 2380 failureThreshold: 3 initialDelaySeconds: 3 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir - name: etcd-metrics image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} exec etcd grpc-proxy start \ --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \ --metrics-addr https://0.0.0.0:9979 \ --listen-addr 127.0.0.1:9977 \ --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.key \ --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.crt \ --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 200Mi cpu: 40m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir hostNetwork: true priorityClassName: system-node-critical tolerations: - operator: "Exists" volumes: - hostPath: path: /etc/kubernetes/manifests name: static-pod-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION name: resource-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-certs name: cert-dir - hostPath: path: /var/lib/etcd type: "" name: data-dir - hostPath: path: /usr/local/bin name: usr-local-bin

Find the file to be checked ('/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod'). oval:ssg-test_file_for_etcd_key_file:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	regular	1000650000	1000650000	19673	`rw-------`

Ensure That The etcd Peer Client Certificate Is Correctly Set

Rule ID	xccdf_org.ssgproject.content_rule_etcd_peer_cert_file
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-etcd_peer_cert_file:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83847-4 References: 2.4, SC-8, SC-8(1), SC-8(2)
Description	To ensure the etcd service is serving TLS to peers, make sure the `etcd-pod*` ConfigMaps in the `openshift-etcd` namespace contain the following argument for the `etcd` binary in the `etcd` pod: --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-[a-z]+/etcd-peer-NODE_NAME.crt Note that the [a-z]+ is being used since the directory might change between OpenShift versions.
Rationale	Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' find only one object at path '.data['pod.yaml']'. oval:ssg-test_etcd_peer_cert_file:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps	etcd-pod	.data['pod.yaml']	apiVersion: v1 kind: Pod metadata: name: etcd namespace: openshift-etcd labels: app: etcd k8s-app: etcd etcd: "true" revision: "REVISION" spec: initContainers: - name: etcd-ensure-env-vars image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail : "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}" : "${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}" : "${NODE_NODE_ENVVAR_NAME_IP?not set}" # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_IP}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_IP}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}" >&2 exit 1 fi # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" >&2 exit 1 fi resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: NODE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: etcd-resources-copy image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/) cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/.sh /usr/local/bin resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /usr/local/bin name: usr-local-bin containers: # The etcdctl container should always be first. It is intended to be used # to open a remote shell via `oc rsh` that is ready to run `etcdctl`. - name: etcdctl image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - "/bin/bash" - "-c" - "trap TERM INT; sleep infinity & wait" resources: requests: memory: 60Mi cpu: 10m volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: etcd image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail etcdctl member list \|\| true # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you # will succeed when you should fail. ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \ --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --endpoints=${ALL_ETCD_ENDPOINTS} \ --data-dir=/var/lib/etcd \ --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \ --target-name=NODE_NAME) export ETCD_INITIAL_CLUSTER # we cannot use the "normal" port conflict initcontainer because when we upgrade, the existing static pod will never yield, # so we do the detection in etcd container itsefl. echo -n "Waiting for ports 2379, 2380 and 9978 to be released." while [ -n "$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')" ]; do echo -n "." sleep 1 done export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} env \| grep ETCD \| grep -v NODE set -x # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice exec ionice -c2 -n0 etcd \ --log-level=info \ --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \ --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.crt \ --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.key \ --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --client-cert-auth=true \ --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --peer-client-cert-auth=true \ --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \ --listen-client-urls=https://0.0.0.0:2379 \ --listen-peer-urls=https://0.0.0.0:2380 \ --listen-metrics-urls=https://0.0.0.0:9978 \|\| mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 600Mi cpu: 300m readinessProbe: tcpSocket: port: 2380 failureThreshold: 3 initialDelaySeconds: 3 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir - name: etcd-metrics image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} exec etcd grpc-proxy start \ --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \ --metrics-addr https://0.0.0.0:9979 \ --listen-addr 127.0.0.1:9977 \ --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.key \ --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.crt \ --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 200Mi cpu: 40m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir hostNetwork: true priorityClassName: system-node-critical tolerations: - operator: "Exists" volumes: - hostPath: path: /etc/kubernetes/manifests name: static-pod-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION name: resource-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-certs name: cert-dir - hostPath: path: /var/lib/etcd type: "" name: data-dir - hostPath: path: /usr/local/bin name: usr-local-bin

Find the file to be checked ('/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod'). oval:ssg-test_file_for_etcd_peer_cert_file:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	regular	1000650000	1000650000	19673	`rw-------`

Enable The Peer Client Certificate Authentication

Rule ID	xccdf_org.ssgproject.content_rule_etcd_peer_client_cert_auth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-etcd_peer_client_cert_auth:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83465-5 References: 2.5, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To ensure the `etcd` service is serving TLS to clients, make sure the `etcd-pod*` `ConfigMaps` in the `openshift-etcd` namespace contain the following argument for the `etcd` binary in the `etcd` pod: oc get -nopenshift-etcd cm etcd-pod -oyaml \| grep "\-\-peer-client-cert-auth=" the parameter should be set to `true`.
Rationale	Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' find only one object at path '.data['pod.yaml']'. oval:ssg-test_etcd_peer_client_cert_auth:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps	etcd-pod	.data['pod.yaml']	apiVersion: v1 kind: Pod metadata: name: etcd namespace: openshift-etcd labels: app: etcd k8s-app: etcd etcd: "true" revision: "REVISION" spec: initContainers: - name: etcd-ensure-env-vars image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail : "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}" : "${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}" : "${NODE_NODE_ENVVAR_NAME_IP?not set}" # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_IP}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_IP}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}" >&2 exit 1 fi # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" >&2 exit 1 fi resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: NODE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: etcd-resources-copy image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/) cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/.sh /usr/local/bin resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /usr/local/bin name: usr-local-bin containers: # The etcdctl container should always be first. It is intended to be used # to open a remote shell via `oc rsh` that is ready to run `etcdctl`. - name: etcdctl image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - "/bin/bash" - "-c" - "trap TERM INT; sleep infinity & wait" resources: requests: memory: 60Mi cpu: 10m volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: etcd image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail etcdctl member list \|\| true # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you # will succeed when you should fail. ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \ --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --endpoints=${ALL_ETCD_ENDPOINTS} \ --data-dir=/var/lib/etcd \ --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \ --target-name=NODE_NAME) export ETCD_INITIAL_CLUSTER # we cannot use the "normal" port conflict initcontainer because when we upgrade, the existing static pod will never yield, # so we do the detection in etcd container itsefl. echo -n "Waiting for ports 2379, 2380 and 9978 to be released." while [ -n "$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')" ]; do echo -n "." sleep 1 done export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} env \| grep ETCD \| grep -v NODE set -x # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice exec ionice -c2 -n0 etcd \ --log-level=info \ --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \ --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.crt \ --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.key \ --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --client-cert-auth=true \ --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --peer-client-cert-auth=true \ --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \ --listen-client-urls=https://0.0.0.0:2379 \ --listen-peer-urls=https://0.0.0.0:2380 \ --listen-metrics-urls=https://0.0.0.0:9978 \|\| mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 600Mi cpu: 300m readinessProbe: tcpSocket: port: 2380 failureThreshold: 3 initialDelaySeconds: 3 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir - name: etcd-metrics image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} exec etcd grpc-proxy start \ --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \ --metrics-addr https://0.0.0.0:9979 \ --listen-addr 127.0.0.1:9977 \ --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.key \ --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.crt \ --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 200Mi cpu: 40m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir hostNetwork: true priorityClassName: system-node-critical tolerations: - operator: "Exists" volumes: - hostPath: path: /etc/kubernetes/manifests name: static-pod-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION name: resource-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-certs name: cert-dir - hostPath: path: /var/lib/etcd type: "" name: data-dir - hostPath: path: /usr/local/bin name: usr-local-bin

Find the file to be checked ('/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod'). oval:ssg-test_file_for_etcd_peer_client_cert_auth:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	regular	1000650000	1000650000	19673	`rw-------`

Ensure That The etcd Peer Key File Is Correctly Set

Rule ID	xccdf_org.ssgproject.content_rule_etcd_peer_key_file
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-etcd_peer_key_file:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83711-2 References: 2.4, SC-8, SC-8(1), SC-8(2)
Description	To ensure the etcd service is serving TLS to peers, make sure the `etcd-pod*` ConfigMaps in the `openshift-etcd` namespace contain the following argument for the `etcd` binary in the `etcd` pod: oc get -nopenshift-etcd cm etcd-pod -oyaml \| grep "\-\-peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-[a-z]+/etcd-peer-NODE_NAME.key" Note that the [a-z]+ is being used since the directory might change between OpenShift versions.
Rationale	Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' find only one object at path '.data['pod.yaml']'. oval:ssg-test_etcd_peer_key_file:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps	etcd-pod	.data['pod.yaml']	apiVersion: v1 kind: Pod metadata: name: etcd namespace: openshift-etcd labels: app: etcd k8s-app: etcd etcd: "true" revision: "REVISION" spec: initContainers: - name: etcd-ensure-env-vars image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail : "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}" : "${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}" : "${NODE_NODE_ENVVAR_NAME_IP?not set}" # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_IP}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_IP}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}" >&2 exit 1 fi # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" >&2 exit 1 fi resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: NODE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: etcd-resources-copy image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/) cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/.sh /usr/local/bin resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /usr/local/bin name: usr-local-bin containers: # The etcdctl container should always be first. It is intended to be used # to open a remote shell via `oc rsh` that is ready to run `etcdctl`. - name: etcdctl image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - "/bin/bash" - "-c" - "trap TERM INT; sleep infinity & wait" resources: requests: memory: 60Mi cpu: 10m volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: etcd image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail etcdctl member list \|\| true # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you # will succeed when you should fail. ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \ --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --endpoints=${ALL_ETCD_ENDPOINTS} \ --data-dir=/var/lib/etcd \ --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \ --target-name=NODE_NAME) export ETCD_INITIAL_CLUSTER # we cannot use the "normal" port conflict initcontainer because when we upgrade, the existing static pod will never yield, # so we do the detection in etcd container itsefl. echo -n "Waiting for ports 2379, 2380 and 9978 to be released." while [ -n "$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')" ]; do echo -n "." sleep 1 done export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} env \| grep ETCD \| grep -v NODE set -x # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice exec ionice -c2 -n0 etcd \ --log-level=info \ --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \ --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.crt \ --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.key \ --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --client-cert-auth=true \ --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --peer-client-cert-auth=true \ --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \ --listen-client-urls=https://0.0.0.0:2379 \ --listen-peer-urls=https://0.0.0.0:2380 \ --listen-metrics-urls=https://0.0.0.0:9978 \|\| mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 600Mi cpu: 300m readinessProbe: tcpSocket: port: 2380 failureThreshold: 3 initialDelaySeconds: 3 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir - name: etcd-metrics image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} exec etcd grpc-proxy start \ --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \ --metrics-addr https://0.0.0.0:9979 \ --listen-addr 127.0.0.1:9977 \ --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.key \ --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.crt \ --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 200Mi cpu: 40m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir hostNetwork: true priorityClassName: system-node-critical tolerations: - operator: "Exists" volumes: - hostPath: path: /etc/kubernetes/manifests name: static-pod-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION name: resource-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-certs name: cert-dir - hostPath: path: /var/lib/etcd type: "" name: data-dir - hostPath: path: /usr/local/bin name: usr-local-bin

Find the file to be checked ('/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod'). oval:ssg-test_file_for_etcd_peer_key_file:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	regular	1000650000	1000650000	19673	`rw-------`

Ensure That The etcd Client Certificate Is Correctly Set

Rule ID	xccdf_org.ssgproject.content_rule_etcd_cert_file
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-etcd_cert_file:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83553-8 References: 2.1, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To ensure the etcd service is serving TLS to clients, make sure the `etcd-pod*` ConfigMaps in the `openshift-etcd` namespace contain the following argument for the `etcd` binary in the `etcd` pod: --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-[a-z]+/etcd-serving-NODE_NAME.crt . Note that the [a-z]+ is being used since the directory might change between OpenShift versions.
Rationale	Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' find only one object at path '.data['pod.yaml']'. oval:ssg-test_etcd_cert_file:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps	etcd-pod	.data['pod.yaml']	apiVersion: v1 kind: Pod metadata: name: etcd namespace: openshift-etcd labels: app: etcd k8s-app: etcd etcd: "true" revision: "REVISION" spec: initContainers: - name: etcd-ensure-env-vars image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail : "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}" : "${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}" : "${NODE_NODE_ENVVAR_NAME_IP?not set}" # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_IP}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_IP}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}" >&2 exit 1 fi # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" >&2 exit 1 fi resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: NODE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: etcd-resources-copy image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/) cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/.sh /usr/local/bin resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /usr/local/bin name: usr-local-bin containers: # The etcdctl container should always be first. It is intended to be used # to open a remote shell via `oc rsh` that is ready to run `etcdctl`. - name: etcdctl image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - "/bin/bash" - "-c" - "trap TERM INT; sleep infinity & wait" resources: requests: memory: 60Mi cpu: 10m volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: etcd image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail etcdctl member list \|\| true # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you # will succeed when you should fail. ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \ --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --endpoints=${ALL_ETCD_ENDPOINTS} \ --data-dir=/var/lib/etcd \ --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \ --target-name=NODE_NAME) export ETCD_INITIAL_CLUSTER # we cannot use the "normal" port conflict initcontainer because when we upgrade, the existing static pod will never yield, # so we do the detection in etcd container itsefl. echo -n "Waiting for ports 2379, 2380 and 9978 to be released." while [ -n "$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')" ]; do echo -n "." sleep 1 done export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} env \| grep ETCD \| grep -v NODE set -x # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice exec ionice -c2 -n0 etcd \ --log-level=info \ --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \ --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.crt \ --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.key \ --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --client-cert-auth=true \ --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --peer-client-cert-auth=true \ --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \ --listen-client-urls=https://0.0.0.0:2379 \ --listen-peer-urls=https://0.0.0.0:2380 \ --listen-metrics-urls=https://0.0.0.0:9978 \|\| mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 600Mi cpu: 300m readinessProbe: tcpSocket: port: 2380 failureThreshold: 3 initialDelaySeconds: 3 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir - name: etcd-metrics image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} exec etcd grpc-proxy start \ --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \ --metrics-addr https://0.0.0.0:9979 \ --listen-addr 127.0.0.1:9977 \ --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.key \ --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.crt \ --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 200Mi cpu: 40m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir hostNetwork: true priorityClassName: system-node-critical tolerations: - operator: "Exists" volumes: - hostPath: path: /etc/kubernetes/manifests name: static-pod-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION name: resource-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-certs name: cert-dir - hostPath: path: /var/lib/etcd type: "" name: data-dir - hostPath: path: /usr/local/bin name: usr-local-bin

Find the file to be checked ('/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod'). oval:ssg-test_file_for_etcd_cert_file:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	regular	1000650000	1000650000	19673	`rw-------`

Enable The Client Certificate Authentication

Rule ID	xccdf_org.ssgproject.content_rule_etcd_client_cert_auth
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-etcd_client_cert_auth:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84077-7 References: 2.2, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To ensure the `etcd` service is serving TLS to clients, make sure the `etcd-pod*` `ConfigMaps` in the `openshift-etcd` namespace contain the following argument for the `etcd` binary in the `etcd` pod: oc get -nopenshift-etcd cm etcd-pod -oyaml \| grep "\-\-client-cert-auth=" the parameter should be set to `true`.
Rationale	Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' find only one object at path '.data['pod.yaml']'. oval:ssg-test_etcd_client_cert_auth:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps	etcd-pod	.data['pod.yaml']	apiVersion: v1 kind: Pod metadata: name: etcd namespace: openshift-etcd labels: app: etcd k8s-app: etcd etcd: "true" revision: "REVISION" spec: initContainers: - name: etcd-ensure-env-vars image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail : "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}" : "${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}" : "${NODE_NODE_ENVVAR_NAME_IP?not set}" # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_IP}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_IP}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}" >&2 exit 1 fi # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" >&2 exit 1 fi resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: NODE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: etcd-resources-copy image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/) cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/.sh /usr/local/bin resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /usr/local/bin name: usr-local-bin containers: # The etcdctl container should always be first. It is intended to be used # to open a remote shell via `oc rsh` that is ready to run `etcdctl`. - name: etcdctl image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - "/bin/bash" - "-c" - "trap TERM INT; sleep infinity & wait" resources: requests: memory: 60Mi cpu: 10m volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: etcd image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail etcdctl member list \|\| true # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you # will succeed when you should fail. ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \ --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --endpoints=${ALL_ETCD_ENDPOINTS} \ --data-dir=/var/lib/etcd \ --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \ --target-name=NODE_NAME) export ETCD_INITIAL_CLUSTER # we cannot use the "normal" port conflict initcontainer because when we upgrade, the existing static pod will never yield, # so we do the detection in etcd container itsefl. echo -n "Waiting for ports 2379, 2380 and 9978 to be released." while [ -n "$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')" ]; do echo -n "." sleep 1 done export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} env \| grep ETCD \| grep -v NODE set -x # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice exec ionice -c2 -n0 etcd \ --log-level=info \ --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \ --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.crt \ --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.key \ --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --client-cert-auth=true \ --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --peer-client-cert-auth=true \ --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \ --listen-client-urls=https://0.0.0.0:2379 \ --listen-peer-urls=https://0.0.0.0:2380 \ --listen-metrics-urls=https://0.0.0.0:9978 \|\| mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 600Mi cpu: 300m readinessProbe: tcpSocket: port: 2380 failureThreshold: 3 initialDelaySeconds: 3 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir - name: etcd-metrics image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} exec etcd grpc-proxy start \ --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \ --metrics-addr https://0.0.0.0:9979 \ --listen-addr 127.0.0.1:9977 \ --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.key \ --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.crt \ --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 200Mi cpu: 40m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir hostNetwork: true priorityClassName: system-node-critical tolerations: - operator: "Exists" volumes: - hostPath: path: /etc/kubernetes/manifests name: static-pod-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION name: resource-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-certs name: cert-dir - hostPath: path: /var/lib/etcd type: "" name: data-dir - hostPath: path: /usr/local/bin name: usr-local-bin

Find the file to be checked ('/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod'). oval:ssg-test_file_for_etcd_client_cert_auth:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	regular	1000650000	1000650000	19673	`rw-------`

Disable etcd Peer Self-Signed Certificates

Rule ID	xccdf_org.ssgproject.content_rule_etcd_peer_auto_tls
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-etcd_peer_auto_tls:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84184-1 References: 2.6, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To ensure the `etcd` service is not using self-signed certificates, run the following command: $ oc get cm/etcd-pod -n openshift-etcd -o yaml The etcd pod configuration contained in the configmap should not contain the `--peer-auto-tls=true` flag.
Rationale	Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Using self-signed certificates ensures that the certificates are never validated against a certificate authority and could lead to compromised and invalidated data.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' find only one object at path '.data["pod.yaml"]'. oval:ssg-test_etcd_peer_auto_tls:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps	etcd-pod	.data["pod.yaml"]	apiVersion: v1 kind: Pod metadata: name: etcd namespace: openshift-etcd labels: app: etcd k8s-app: etcd etcd: "true" revision: "REVISION" spec: initContainers: - name: etcd-ensure-env-vars image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail : "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}" : "${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}" : "${NODE_NODE_ENVVAR_NAME_IP?not set}" # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_IP}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_IP}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}" >&2 exit 1 fi # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" >&2 exit 1 fi resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: NODE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: etcd-resources-copy image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/) cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/.sh /usr/local/bin resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /usr/local/bin name: usr-local-bin containers: # The etcdctl container should always be first. It is intended to be used # to open a remote shell via `oc rsh` that is ready to run `etcdctl`. - name: etcdctl image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - "/bin/bash" - "-c" - "trap TERM INT; sleep infinity & wait" resources: requests: memory: 60Mi cpu: 10m volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: etcd image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail etcdctl member list \|\| true # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you # will succeed when you should fail. ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \ --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --endpoints=${ALL_ETCD_ENDPOINTS} \ --data-dir=/var/lib/etcd \ --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \ --target-name=NODE_NAME) export ETCD_INITIAL_CLUSTER # we cannot use the "normal" port conflict initcontainer because when we upgrade, the existing static pod will never yield, # so we do the detection in etcd container itsefl. echo -n "Waiting for ports 2379, 2380 and 9978 to be released." while [ -n "$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')" ]; do echo -n "." sleep 1 done export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} env \| grep ETCD \| grep -v NODE set -x # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice exec ionice -c2 -n0 etcd \ --log-level=info \ --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \ --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.crt \ --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.key \ --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --client-cert-auth=true \ --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --peer-client-cert-auth=true \ --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \ --listen-client-urls=https://0.0.0.0:2379 \ --listen-peer-urls=https://0.0.0.0:2380 \ --listen-metrics-urls=https://0.0.0.0:9978 \|\| mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 600Mi cpu: 300m readinessProbe: tcpSocket: port: 2380 failureThreshold: 3 initialDelaySeconds: 3 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir - name: etcd-metrics image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} exec etcd grpc-proxy start \ --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \ --metrics-addr https://0.0.0.0:9979 \ --listen-addr 127.0.0.1:9977 \ --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.key \ --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.crt \ --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 200Mi cpu: 40m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir hostNetwork: true priorityClassName: system-node-critical tolerations: - operator: "Exists" volumes: - hostPath: path: /etc/kubernetes/manifests name: static-pod-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION name: resource-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-certs name: cert-dir - hostPath: path: /var/lib/etcd type: "" name: data-dir - hostPath: path: /usr/local/bin name: usr-local-bin

Find the file to be checked ('/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod'). oval:ssg-test_file_for_etcd_peer_auto_tls:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	regular	1000650000	1000650000	19673	`rw-------`

Disable etcd Self-Signed Certificates

Rule ID	xccdf_org.ssgproject.content_rule_etcd_auto_tls
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-etcd_auto_tls:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84199-9 References: 2.3, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To ensure the `etcd` service is not using self-signed certificates, run the following command: $ oc get cm/etcd-pod -n openshift-etcd -o yaml The etcd pod configuration contained in the configmap should not contain the `--auto-tls=true` flag.
Rationale	Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Using self-signed certificates ensures that the certificates are never validated against a certificate authority and could lead to compromised and invalidated data.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' find only one object at path '.data["pod.yaml"]'. oval:ssg-test_etcd_auto_tls:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps	etcd-pod	.data["pod.yaml"]	apiVersion: v1 kind: Pod metadata: name: etcd namespace: openshift-etcd labels: app: etcd k8s-app: etcd etcd: "true" revision: "REVISION" spec: initContainers: - name: etcd-ensure-env-vars image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail : "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}" : "${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}" : "${NODE_NODE_ENVVAR_NAME_IP?not set}" # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_IP}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_IP}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}" >&2 exit 1 fi # check for ipv4 addresses as well as ipv6 addresses with extra square brackets if [[ "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "${NODE_IP}" && "${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" != "[${NODE_IP}]" ]]; then # echo the error message to stderr echo "Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}" >&2 exit 1 fi resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: NODE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: etcd-resources-copy image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/) cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/.sh /usr/local/bin resources: requests: memory: 60Mi cpu: 10m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /usr/local/bin name: usr-local-bin containers: # The etcdctl container should always be first. It is intended to be used # to open a remote shell via `oc rsh` that is ready to run `etcdctl`. - name: etcdctl image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - "/bin/bash" - "-c" - "trap TERM INT; sleep infinity & wait" resources: requests: memory: 60Mi cpu: 10m volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" - name: etcd image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail etcdctl member list \|\| true # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you # will succeed when you should fail. ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \ --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --endpoints=${ALL_ETCD_ENDPOINTS} \ --data-dir=/var/lib/etcd \ --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \ --target-name=NODE_NAME) export ETCD_INITIAL_CLUSTER # we cannot use the "normal" port conflict initcontainer because when we upgrade, the existing static pod will never yield, # so we do the detection in etcd container itsefl. echo -n "Waiting for ports 2379, 2380 and 9978 to be released." while [ -n "$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')" ]; do echo -n "." sleep 1 done export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} env \| grep ETCD \| grep -v NODE set -x # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice exec ionice -c2 -n0 etcd \ --log-level=info \ --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \ --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.crt \ --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-NODE_NAME.key \ --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt \ --client-cert-auth=true \ --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --peer-client-cert-auth=true \ --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \ --listen-client-urls=https://0.0.0.0:2379 \ --listen-peer-urls=https://0.0.0.0:2380 \ --listen-metrics-urls=https://0.0.0.0:9978 \|\| mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 600Mi cpu: 300m readinessProbe: tcpSocket: port: 2380 failureThreshold: 3 initialDelaySeconds: 3 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/manifests name: static-pod-dir - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir - name: etcd-metrics image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615 imagePullPolicy: IfNotPresent terminationMessagePolicy: FallbackToLogsOnError command: - /bin/sh - -c - \| #!/bin/sh set -euo pipefail export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME} exec etcd grpc-proxy start \ --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \ --metrics-addr https://0.0.0.0:9979 \ --listen-addr 127.0.0.1:9977 \ --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \ --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.key \ --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \ --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-serving-metrics/etcd-serving-metrics-NODE_NAME.crt \ --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt \ --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt env: - name: "ALL_ETCD_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_API" value: "3" - name: "ETCDCTL_CACERT" value: "/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt" - name: "ETCDCTL_CERT" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt" - name: "ETCDCTL_ENDPOINTS" value: "https://192.168.50.10:2379,https://192.168.50.11:2379,https://192.168.50.12:2379" - name: "ETCDCTL_KEY" value: "/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key" - name: "ETCD_CIPHER_SUITES" value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" - name: "ETCD_DATA_DIR" value: "/var/lib/etcd" - name: "ETCD_ELECTION_TIMEOUT" value: "1000" - name: "ETCD_ENABLE_PPROF" value: "true" - name: "ETCD_HEARTBEAT_INTERVAL" value: "100" - name: "ETCD_IMAGE" value: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d33e906d435b7a195f5876b722e4b17da684d140fe65c1e5e7ab8771a597615" - name: "ETCD_INITIAL_CLUSTER_STATE" value: "existing" - name: "ETCD_QUOTA_BACKEND_BYTES" value: "7516192768" - name: "NODE_master_0_ETCD_NAME" value: "master-0" - name: "NODE_master_0_ETCD_URL_HOST" value: "192.168.50.10" - name: "NODE_master_0_IP" value: "192.168.50.10" - name: "NODE_master_1_ETCD_NAME" value: "master-1" - name: "NODE_master_1_ETCD_URL_HOST" value: "192.168.50.11" - name: "NODE_master_1_IP" value: "192.168.50.11" - name: "NODE_master_2_ETCD_NAME" value: "master-2" - name: "NODE_master_2_ETCD_URL_HOST" value: "192.168.50.12" - name: "NODE_master_2_IP" value: "192.168.50.12" resources: requests: memory: 200Mi cpu: 40m securityContext: privileged: true volumeMounts: - mountPath: /etc/kubernetes/static-pod-resources name: resource-dir - mountPath: /etc/kubernetes/static-pod-certs name: cert-dir - mountPath: /var/lib/etcd/ name: data-dir hostNetwork: true priorityClassName: system-node-critical tolerations: - operator: "Exists" volumes: - hostPath: path: /etc/kubernetes/manifests name: static-pod-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION name: resource-dir - hostPath: path: /etc/kubernetes/static-pod-resources/etcd-certs name: cert-dir - hostPath: path: /var/lib/etcd type: "" name: data-dir - hostPath: path: /usr/local/bin name: usr-local-bin

Find the file to be checked ('/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod'). oval:ssg-test_file_for_etcd_auto_tls:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod	regular	1000650000	1000650000	19673	`rw-------`

Create administrative boundaries between resources using namespaces

Rule ID	xccdf_org.ssgproject.content_rule_general_namespaces_in_use
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.6.1, CM-6, CM-6(1)
Description	Use namespaces to isolate your Kubernetes objects.
Rationale	Limiting the scope of user permissions can reduce the impact of mistakes or malicious activities. A Kubernetes namespace allows you to partition created resources into logically named groups. Resources created in one namespace can be hidden from other namespaces. By default, each resource created by a user in Kubernetes cluster runs in a default namespace, called default. You can create additional namespaces and attach resources and users to them. You can use Kubernetes Authorization plugins to create policies that segregate access to namespace resources between different users.
Evaluation messages info No candidate or applicable check found.

Manage Image Provenance Using ImagePolicyWebhook

Rule ID	xccdf_org.ssgproject.content_rule_general_configure_imagepolicywebhook
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.5.1, CM-6, CM-6(1)
Description	OpenShift administrators can control which images can be imported, tagged, and run in a cluster. There are two facilities for this purpose: (1) Allowed Registries, allowing administrators to restrict image origins to known external registries; and (2) ImagePolicy Admission plug-in which lets administrators specify specific images which are allowed to run on the OpenShift cluster. Configure an Image policy per the Image Policy chapter in the OpenShift documentation: https://docs.openshift.com/container-platform/4.4/openshift_images/image-configuration.html
Rationale	Image Policy ensures that only approved container images are allowed to be ran on the OpenShift platform.
Evaluation messages info No candidate or applicable check found.

The default namespace should not be used

Rule ID	xccdf_org.ssgproject.content_rule_general_default_namespace_use
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.6.4, CM-6, CM-6(1)
Description	Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult.
Rationale	Resources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.
Evaluation messages info No candidate or applicable check found.

Apply Security Context to Your Pods and Containers

Rule ID	xccdf_org.ssgproject.content_rule_general_apply_scc
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.6.3, CM-6, CM-6(1)
Description	Apply Security Context to your Pods and Containers
Rationale	A security context defines the operating system security settings (uid, gid, capabilities, SELinux role, etc..) applied to a container. When designing your containers and pods, make sure that you configure the security context for your pods, containers, and volumes. A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. There are two levels of security context: pod level security context, and container level security context.
Evaluation messages info No candidate or applicable check found.

Ensure Seccomp Profile Pod Definitions

Rule ID	xccdf_org.ssgproject.content_rule_general_default_seccomp_profile
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.6.2, CM-6, CM-6(1)
Description	Enable `default` seccomp profiles in your pod definitions.
Rationale	Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container.
Evaluation messages info No candidate or applicable check found.

Configure the Audit Log Path

Rule ID	xccdf_org.ssgproject.content_rule_openshift_api_server_audit_log_path
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-openshift_api_server_audit_log_path:def:1
Time	2021-07-20T05:21:00+00:00
Severity	high
Identifiers and References	Identifiers: CCE-83547-0 References: 1.2.22, CM-6, CM-6(1)
Description	To enable auditing on the OpenShift API Server, the audit log path must be set. Edit the `openshift-apiserver` configmap and set the `audit-log-path` to a suitable path and file where audit logs should be written. For example: "apiServerArguments":{ ... "audit-log-path":"/var/log/openshift-apiserver/audit.log", ...
Rationale	Auditing of the API Server is not enabled by default. Auditing the API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by users, administrators, or other system components.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-apiserver/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_openshift_api_server_audit_log_path:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-apiserver/configmaps	config	.data["config.yaml"]	{"apiServerArguments":{"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/openshift-apiserver/audit.log"],"audit-policy-file":["/var/run/configmaps/audit/secure-oauth-storage-default.yaml"],"shutdown-delay-duration":["3s"]},"apiVersion":"openshiftcontrolplane.config.openshift.io/v1","imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"OpenShiftAPIServerConfig","projectConfig":{"projectRequestMessage":""},"routingConfig":{"subdomain":"apps.ocp.ispworld.at"},"servingInfo":{"bindNetwork":"tcp","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12"},"storageConfig":{"urls":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379"]}}

Find the file to be checked ('/api/v1/namespaces/openshift-apiserver/configmaps/config'). oval:ssg-test_file_for_openshift_api_server_audit_log_path:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-apiserver/configmaps/config	regular	1000650000	1000650000	1565	`rw-------`

Ensure Controller secure-port argument is set

Rule ID	xccdf_org.ssgproject.content_rule_controller_secure_port
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-controller_secure_port:def:1
Time	2021-07-20T05:21:00+00:00
Severity	low
Identifiers and References	Identifiers: CCE-83861-5 References: 1.3.7, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To ensure the Controller Manager service is bound to secure loopback address using a secure port, set the `RotateKubeletServerCertificate` option to `true` in the `openshift-kube-controller-manager` configmap on the master node(s): "extendedArguments": { ... "secure-port": ["10257"], ...
Rationale	The Controller Manager API service is used for health and metrics information and is available without authentication or encryption. As such, it should only be bound to a localhost interface to minimize the cluster's attack surface.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_controller_secure_port:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps	config	.data["config.yaml"]	{"apiVersion":"kubecontrolplane.config.openshift.io/v1","extendedArguments":{"allocate-node-cidrs":["false"],"cert-dir":["/var/run/kubernetes"],"cluster-cidr":["10.128.0.0/14"],"cluster-name":["ocp-d8r5b"],"cluster-signing-cert-file":["/etc/kubernetes/static-pod-certs/secrets/csr-signer/tls.crt"],"cluster-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/csr-signer/tls.key"],"configure-cloud-routes":["false"],"controllers":["*","-ttl","-bootstrapsigner","-tokencleaner"],"enable-dynamic-provisioning":["true"],"experimental-cluster-signing-duration":["720h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"flex-volume-plugin-dir":["/etc/kubernetes/kubelet-plugins/volume/exec"],"kube-api-burst":["300"],"kube-api-qps":["150"],"leader-elect":["true"],"leader-elect-resource-lock":["configmaps"],"leader-elect-retry-period":["3s"],"port":["0"],"pv-recycler-pod-template-filepath-hostpath":["/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"],"pv-recycler-pod-template-filepath-nfs":["/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"],"root-ca-file":["/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt"],"secure-port":["10257"],"service-account-private-key-file":["/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key"],"service-cluster-ip-range":["172.30.0.0/16"],"use-service-account-credentials":["true"]},"kind":"KubeControllerManagerConfig","serviceServingCert":{"certFile":"/etc/kubernetes/static-pod-resources/configmaps/service-ca/ca-bundle.crt"}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config'). oval:ssg-test_file_for_controller_secure_port:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config	regular	1000650000	1000650000	2368	`rw-------`

Ensure that use-service-account-credentials is enabled

Rule ID	xccdf_org.ssgproject.content_rule_controller_use_service_account
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-controller_use_service_account:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84208-8 References: 1.3.3, CM-6, CM-6(1)
Description	To ensure individual service account credentials are used, set the `use-service-account-credentials` option to `true` in the `openshift-kube-controller-manager` configmap on the master node(s): "extendedArguments": { ... "use-service-account-credentials": [ "true" ], ...
Rationale	The controller manager creates a service account per controller in `kube-system` namespace, generates an API token and credentials for it, then builds a dedicated API client with that service account credential for each controller loop to use. Setting the `use-service-account-credentials` to `true` runs each control loop within the contoller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_controller_use_service_account:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps	config	.data["config.yaml"]	{"apiVersion":"kubecontrolplane.config.openshift.io/v1","extendedArguments":{"allocate-node-cidrs":["false"],"cert-dir":["/var/run/kubernetes"],"cluster-cidr":["10.128.0.0/14"],"cluster-name":["ocp-d8r5b"],"cluster-signing-cert-file":["/etc/kubernetes/static-pod-certs/secrets/csr-signer/tls.crt"],"cluster-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/csr-signer/tls.key"],"configure-cloud-routes":["false"],"controllers":["*","-ttl","-bootstrapsigner","-tokencleaner"],"enable-dynamic-provisioning":["true"],"experimental-cluster-signing-duration":["720h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"flex-volume-plugin-dir":["/etc/kubernetes/kubelet-plugins/volume/exec"],"kube-api-burst":["300"],"kube-api-qps":["150"],"leader-elect":["true"],"leader-elect-resource-lock":["configmaps"],"leader-elect-retry-period":["3s"],"port":["0"],"pv-recycler-pod-template-filepath-hostpath":["/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"],"pv-recycler-pod-template-filepath-nfs":["/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"],"root-ca-file":["/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt"],"secure-port":["10257"],"service-account-private-key-file":["/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key"],"service-cluster-ip-range":["172.30.0.0/16"],"use-service-account-credentials":["true"]},"kind":"KubeControllerManagerConfig","serviceServingCert":{"certFile":"/etc/kubernetes/static-pod-resources/configmaps/service-ca/ca-bundle.crt"}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config'). oval:ssg-test_file_for_controller_use_service_account:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config	regular	1000650000	1000650000	2368	`rw-------`

Ensure Controller insecure port argument is unset

Rule ID	xccdf_org.ssgproject.content_rule_controller_insecure_port_disabled
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-controller_insecure_port_disabled:def:1
Time	2021-07-20T05:21:00+00:00
Severity	low
Identifiers and References	Identifiers: CCE-83578-5 References: 1.3.7, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To ensure the Controller Manager service is bound to secure loopback address and a secure port, set the `RotateKubeletServerCertificate` option to `true` in the `openshift-kube-controller-manager` configmap on the master node(s): "extendedArguments": { ... "port": ["0"], ...
Rationale	The Controller Manager API service is used for health and metrics information and is available without authentication or encryption. As such, it should only be bound to a localhost interface to minimize the cluster's attack surface.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_controller_insecure_port_disabled:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps	config	.data["config.yaml"]	{"apiVersion":"kubecontrolplane.config.openshift.io/v1","extendedArguments":{"allocate-node-cidrs":["false"],"cert-dir":["/var/run/kubernetes"],"cluster-cidr":["10.128.0.0/14"],"cluster-name":["ocp-d8r5b"],"cluster-signing-cert-file":["/etc/kubernetes/static-pod-certs/secrets/csr-signer/tls.crt"],"cluster-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/csr-signer/tls.key"],"configure-cloud-routes":["false"],"controllers":["*","-ttl","-bootstrapsigner","-tokencleaner"],"enable-dynamic-provisioning":["true"],"experimental-cluster-signing-duration":["720h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"flex-volume-plugin-dir":["/etc/kubernetes/kubelet-plugins/volume/exec"],"kube-api-burst":["300"],"kube-api-qps":["150"],"leader-elect":["true"],"leader-elect-resource-lock":["configmaps"],"leader-elect-retry-period":["3s"],"port":["0"],"pv-recycler-pod-template-filepath-hostpath":["/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"],"pv-recycler-pod-template-filepath-nfs":["/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"],"root-ca-file":["/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt"],"secure-port":["10257"],"service-account-private-key-file":["/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key"],"service-cluster-ip-range":["172.30.0.0/16"],"use-service-account-credentials":["true"]},"kind":"KubeControllerManagerConfig","serviceServingCert":{"certFile":"/etc/kubernetes/static-pod-resources/configmaps/service-ca/ca-bundle.crt"}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config'). oval:ssg-test_file_for_controller_insecure_port_disabled:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config	regular	1000650000	1000650000	2368	`rw-------`

Configure the Service Account Certificate Authority Key for the Controller Manager

Rule ID	xccdf_org.ssgproject.content_rule_controller_service_account_ca
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-controller_service_account_ca:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84244-3 References: 1.3.5, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To ensure the API Server utilizes its own key pair, set the `masterCA` parameter to the public key file for service accounts in the `openshift-kube-controller-manager` configmap on the master node(s): "extendedArguments": { ... "root-ca-file": [ "/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt" ], ...
Rationale	Service accounts authenticate to the API using tokens signed by a private RSA key. The authentication layer verifies the signature using a matching public RSA key. Configuring the certificate authority file ensures that the API server's signing certificates are validated.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_controller_service_account_ca:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps	config	.data["config.yaml"]	{"apiVersion":"kubecontrolplane.config.openshift.io/v1","extendedArguments":{"allocate-node-cidrs":["false"],"cert-dir":["/var/run/kubernetes"],"cluster-cidr":["10.128.0.0/14"],"cluster-name":["ocp-d8r5b"],"cluster-signing-cert-file":["/etc/kubernetes/static-pod-certs/secrets/csr-signer/tls.crt"],"cluster-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/csr-signer/tls.key"],"configure-cloud-routes":["false"],"controllers":["*","-ttl","-bootstrapsigner","-tokencleaner"],"enable-dynamic-provisioning":["true"],"experimental-cluster-signing-duration":["720h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"flex-volume-plugin-dir":["/etc/kubernetes/kubelet-plugins/volume/exec"],"kube-api-burst":["300"],"kube-api-qps":["150"],"leader-elect":["true"],"leader-elect-resource-lock":["configmaps"],"leader-elect-retry-period":["3s"],"port":["0"],"pv-recycler-pod-template-filepath-hostpath":["/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"],"pv-recycler-pod-template-filepath-nfs":["/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"],"root-ca-file":["/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt"],"secure-port":["10257"],"service-account-private-key-file":["/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key"],"service-cluster-ip-range":["172.30.0.0/16"],"use-service-account-credentials":["true"]},"kind":"KubeControllerManagerConfig","serviceServingCert":{"certFile":"/etc/kubernetes/static-pod-resources/configmaps/service-ca/ca-bundle.crt"}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config'). oval:ssg-test_file_for_controller_service_account_ca:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config	regular	1000650000	1000650000	2368	`rw-------`

Configure the Service Account Private Key for the Controller Manager

Rule ID	xccdf_org.ssgproject.content_rule_controller_service_account_private_key
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-controller_service_account_private_key:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83526-4 References: 1.3.4, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To ensure the API Server utilizes its own key pair, set the `privateKeyFile` parameter to the public key file for service accounts in the `openshift-kube-controller-manager` configmap on the master node(s): "extendedArguments": { ... "service-account-private-key-file": [ "/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key" ], ...
Rationale	By default if no private key file is specified to the API Server, the API Server uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens could be rotated as needed, a separate public/private key pair should be used for signing service account tokens.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' find only one object at path '.data['config.yaml']'. oval:ssg-test_controller_service_account_private_key:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps	config	.data['config.yaml']	{"apiVersion":"kubecontrolplane.config.openshift.io/v1","extendedArguments":{"allocate-node-cidrs":["false"],"cert-dir":["/var/run/kubernetes"],"cluster-cidr":["10.128.0.0/14"],"cluster-name":["ocp-d8r5b"],"cluster-signing-cert-file":["/etc/kubernetes/static-pod-certs/secrets/csr-signer/tls.crt"],"cluster-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/csr-signer/tls.key"],"configure-cloud-routes":["false"],"controllers":["*","-ttl","-bootstrapsigner","-tokencleaner"],"enable-dynamic-provisioning":["true"],"experimental-cluster-signing-duration":["720h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"flex-volume-plugin-dir":["/etc/kubernetes/kubelet-plugins/volume/exec"],"kube-api-burst":["300"],"kube-api-qps":["150"],"leader-elect":["true"],"leader-elect-resource-lock":["configmaps"],"leader-elect-retry-period":["3s"],"port":["0"],"pv-recycler-pod-template-filepath-hostpath":["/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"],"pv-recycler-pod-template-filepath-nfs":["/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"],"root-ca-file":["/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt"],"secure-port":["10257"],"service-account-private-key-file":["/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key"],"service-cluster-ip-range":["172.30.0.0/16"],"use-service-account-credentials":["true"]},"kind":"KubeControllerManagerConfig","serviceServingCert":{"certFile":"/etc/kubernetes/static-pod-resources/configmaps/service-ca/ca-bundle.crt"}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config'). oval:ssg-test_file_for_controller_service_account_private_key:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config	regular	1000650000	1000650000	2368	`rw-------`

Ensure that the RotateKubeletServerCertificate argument is set

Rule ID	xccdf_org.ssgproject.content_rule_controller_rotate_kubelet_server_certs
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-controller_rotate_kubelet_server_certs:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83730-2 References: 1.3.6, CM-6, CM-6(1), SC-8, SC-8(1)
Description	To enforce kublet server certificate rotation on the Controller Manager, set the `RotateKubeletServerCertificate` option to `true` in the `openshift-kube-controller-manager` configmap on the master node(s): "extendedArguments": { ... "feature-gates": [ ... "RotateKubeletServerCertificate=true", ... ...
Rationale	Enabling kubelet certificate rotation causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that there are no downtimes due to expired certificates and thus addressing the availability in the C/I/A security triad.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config` file. warning This recommendation only applies if you let kubelets get their certificates from the API Server. In case your certificates come from an outside Certificate Authority/tool (e.g. Vault) then you need to take care of rotation yourself

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config' find only one object at path '.data["config.yaml"]'. oval:ssg-test_controller_rotate_kubelet_server_certs:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps	config	.data["config.yaml"]	{"apiVersion":"kubecontrolplane.config.openshift.io/v1","extendedArguments":{"allocate-node-cidrs":["false"],"cert-dir":["/var/run/kubernetes"],"cluster-cidr":["10.128.0.0/14"],"cluster-name":["ocp-d8r5b"],"cluster-signing-cert-file":["/etc/kubernetes/static-pod-certs/secrets/csr-signer/tls.crt"],"cluster-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/csr-signer/tls.key"],"configure-cloud-routes":["false"],"controllers":["*","-ttl","-bootstrapsigner","-tokencleaner"],"enable-dynamic-provisioning":["true"],"experimental-cluster-signing-duration":["720h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"flex-volume-plugin-dir":["/etc/kubernetes/kubelet-plugins/volume/exec"],"kube-api-burst":["300"],"kube-api-qps":["150"],"leader-elect":["true"],"leader-elect-resource-lock":["configmaps"],"leader-elect-retry-period":["3s"],"port":["0"],"pv-recycler-pod-template-filepath-hostpath":["/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"],"pv-recycler-pod-template-filepath-nfs":["/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"],"root-ca-file":["/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt"],"secure-port":["10257"],"service-account-private-key-file":["/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key"],"service-cluster-ip-range":["172.30.0.0/16"],"use-service-account-credentials":["true"]},"kind":"KubeControllerManagerConfig","serviceServingCert":{"certFile":"/etc/kubernetes/static-pod-resources/configmaps/service-ca/ca-bundle.crt"}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config'). oval:ssg-test_file_for_controller_rotate_kubelet_server_certs:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config	regular	1000650000	1000650000	2368	`rw-------`

Ensure That The kubelet Client Certificate Is Correctly Set

Rule ID	xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-kubelet_configure_tls_cert:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83396-2 References: 4.2.10, SC-8, SC-8(1), SC-8(2)
Description	To ensure the kubelet TLS client certificate is configured, edit the kubelet configuration file `/etc/kubernetes/kubelet.conf` and configure the kubelet certificate file. tlsCertFile: /path/to/TLS/cert.key
Rationale	Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data['config.yaml']'. oval:ssg-test_kubelet_configure_tls_cert:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data['config.yaml']	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_kubelet_configure_tls_cert:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

kubelet - Disable the Read-Only Port

Rule ID	xccdf_org.ssgproject.content_rule_kubelet_disable_readonly_port
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-kubelet_disable_readonly_port:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83427-5 References: 4.2.4, CM-6, CM-6(1)
Description	To disable the read-only port, edit the kubelet configuration Edit the `openshift-kube-apiserver` configmap and set the `kubelet-read-only-port` parameter to 0: "apiServerArguments":{ ... "kubelet-read-only-port":[ "0" ], ...
Rationale	OpenShift disables the read-only port (`10255`) on all nodes by setting the read-only port kubelet flag to `0`. This ensures only authenticated connections are able to receive information about the OpenShift system.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data['config.yaml']'. oval:ssg-test_kubelet_disable_readonly_port:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data['config.yaml']	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_kubelet_disable_readonly_port:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Ensure That The kubelet Server Key Is Correctly Set

Rule ID	xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-kubelet_configure_tls_key:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 4.2.10, SC-8, SC-8(1), SC-8(2)
Description	To ensure the kubelet TLS private server key certificate is configured, edit the kubelet configuration file `/etc/kubernetes/kubelet.conf` and configure the kubelet private key file. tlsPrivateKeyFile: /path/to/TLS/private.key
Rationale	Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` API endpoint to the local `/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config` file.

OVAL test results details

In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' find only one object at path '.data['config.yaml']'. oval:ssg-test_kubelet_configure_tls_key:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps	config	.data['config.yaml']	{"admission":{"pluginConfig":{"network.openshift.io/ExternalIPRanger":{"configuration":{"allowIngressIP":false,"apiVersion":"network.openshift.io/v1","externalIPNetworkCIDRs":null,"kind":"ExternalIPRangerAdmissionConfig"},"location":""},"network.openshift.io/RestrictedEndpointsAdmission":{"configuration":{"apiVersion":"network.openshift.io/v1","kind":"RestrictedEndpointsAdmissionConfig","restrictedCIDRs":["10.128.0.0/14","172.30.0.0/16"]}}}},"apiServerArguments":{"allow-privileged":["true"],"anonymous-auth":["true"],"api-audiences":["https://kubernetes.default.svc"],"audit-log-format":["json"],"audit-log-maxbackup":["10"],"audit-log-maxsize":["100"],"audit-log-path":["/var/log/kube-apiserver/audit.log"],"audit-policy-file":["/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/default.yaml"],"authorization-mode":["Scope","SystemMasters","RBAC","Node"],"client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"],"enable-admission-plugins":["CertificateApproval","CertificateSigning","CertificateSubjectRestriction","DefaultIngressClass","DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","NodeRestriction","OwnerReferencesPermissionEnforcement","PersistentVolumeClaimResize","PersistentVolumeLabel","PodNodeSelector","PodTolerationRestriction","Priority","ResourceQuota","RuntimeClass","ServiceAccount","StorageObjectInUseProtection","TaintNodesByCondition","ValidatingAdmissionWebhook","authorization.openshift.io/RestrictSubjectBindings","authorization.openshift.io/ValidateRoleBindingRestriction","config.openshift.io/DenyDeleteClusterConfiguration","config.openshift.io/ValidateAPIServer","config.openshift.io/ValidateAuthentication","config.openshift.io/ValidateConsole","config.openshift.io/ValidateFeatureGate","config.openshift.io/ValidateImage","config.openshift.io/ValidateOAuth","config.openshift.io/ValidateProject","config.openshift.io/ValidateScheduler","image.openshift.io/ImagePolicy","network.openshift.io/ExternalIPRanger","network.openshift.io/RestrictedEndpointsAdmission","quota.openshift.io/ClusterResourceQuota","quota.openshift.io/ValidateClusterResourceQuota","route.openshift.io/IngressAdmission","scheduling.openshift.io/OriginPodNodeEnvironment","security.openshift.io/DefaultSecurityContextConstraints","security.openshift.io/SCCExecRestrictions","security.openshift.io/SecurityContextConstraint","security.openshift.io/ValidateSecurityContextConstraints"],"enable-aggregator-routing":["true"],"enable-logs-handler":["false"],"enable-swagger-ui":["true"],"endpoint-reconciler-type":["lease"],"etcd-cafile":["/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"],"etcd-certfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"],"etcd-keyfile":["/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"],"etcd-prefix":["kubernetes.io"],"etcd-servers":["https://192.168.50.10:2379","https://192.168.50.11:2379","https://192.168.50.12:2379","https://localhost:2379"],"event-ttl":["3h"],"feature-gates":["APIPriorityAndFairness=true","RotateKubeletServerCertificate=true","SupportPodPidsLimit=true","NodeDisruptionExclusion=true","ServiceNodeExclusion=true","SCTPSupport=true","LegacyNodeRoleBehavior=false","RemoveSelfLink=false"],"goaway-chance":["0"],"http2-max-streams-per-connection":["2000"],"insecure-port":["0"],"kubelet-certificate-authority":["/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"],"kubelet-client-certificate":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"],"kubelet-client-key":["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"],"kubelet-https":["true"],"kubelet-preferred-address-types":["InternalIP"],"kubelet-read-only-port":["0"],"kubernetes-service-node-port":["0"],"max-mutating-requests-inflight":["1000"],"max-requests-inflight":["3000"],"min-request-timeout":["3600"],"proxy-client-cert-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"],"proxy-client-key-file":["/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"],"requestheader-allowed-names":["kube-apiserver-proxy","system:kube-apiserver-proxy","system:openshift-aggregator"],"requestheader-client-ca-file":["/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"],"requestheader-extra-headers-prefix":["X-Remote-Extra-"],"requestheader-group-headers":["X-Remote-Group"],"requestheader-username-headers":["X-Remote-User"],"runtime-config":["flowcontrol.apiserver.k8s.io/v1alpha1=true"],"service-account-issuer":["https://kubernetes.default.svc"],"service-account-jwks-uri":["https://api-int.ocp.ispworld.at:6443/openid/v1/jwks"],"service-account-lookup":["true"],"service-account-signing-key-file":["/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"],"service-node-port-range":["30000-32767"],"shutdown-delay-duration":["70s"],"storage-backend":["etcd3"],"storage-media-type":["application/vnd.kubernetes.protobuf"],"tls-cert-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"],"tls-private-key-file":["/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"]},"apiVersion":"kubecontrolplane.config.openshift.io/v1","authConfig":{"oauthMetadataFile":"/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"},"consolePublicURL":"","corsAllowedOrigins":["//127\\.0\\.0\\.1(:\|$)","//localhost(:\|$)"],"imagePolicyConfig":{"internalRegistryHostname":"image-registry.openshift-image-registry.svc:5000"},"kind":"KubeAPIServerConfig","projectConfig":{"defaultNodeSelector":""},"serviceAccountPublicKeyFiles":["/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs","/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"],"servicesSubnet":"172.30.0.0/16","servingInfo":{"bindAddress":"0.0.0.0:6443","bindNetwork":"tcp4","cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"minTLSVersion":"VersionTLS12","namedCertificates":[{"certFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"},{"certFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt","keyFile":"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"}]}}

Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config'). oval:ssg-test_file_for_kubelet_configure_tls_key:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config	regular	1000650000	1000650000	7872	`rw-------`

Ensure that the cluster's audit profile is properly set

Rule ID	xccdf_org.ssgproject.content_rule_audit_profile_set
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-audit_profile_set:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-83577-7 References: 3.2.1, 3.2.2, AU-2, AU-3, AU-3(1), AU-6, AU-6(1), AU-7, AU-7(1), AU-8, AU-8(1), AU-9, AU-12, CM-5(1), SI-11, SI-12
Description	OpenShift can audit the details of requests made to the API server through the standard Kubernetes audit capabilities. In OpenShift, auditing of the API Server is on by default. Audit provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators, or other components of the system. Audit works at the API server level, logging all requests coming to the server. Each audit log contains two entries: The request line containing: A Unique ID allowing to match the response line (see #2) The source IP of the request The HTTP method being invoked The original user invoking the operation The impersonated user for the operation (self meaning himself) The impersonated group for the operation (lookup meaning user's group) The namespace of the request or none The URI as requested The response line containing: The aforementioned unique ID The response code For more information on how to configure the audit profile, please visit the documentation
Rationale	Logging is an important detective control for all systems, to detect potential unauthorised access.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/apis/config.openshift.io/v1/apiservers/cluster` API endpoint to the local `/kubernetes-api-resources/apis/config.openshift.io/v1/apiservers/cluster` file.

OVAL test results details

In the file '/apis/config.openshift.io/v1/apiservers/cluster' find only one object at path 'spec.audit.profile'. oval:ssg-test_audit_profile_set:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/apis/config.openshift.io/v1/apiservers/cluster	/kubernetes-api-resources/apis/config.openshift.io/v1/apiservers	cluster	spec.audit.profile	Default

Find the file to be checked ('/apis/config.openshift.io/v1/apiservers/cluster'). oval:ssg-test_file_for_audit_profile_set:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/apis/config.openshift.io/v1/apiservers/cluster	regular	1000650000	1000650000	869	`rw-------`

Minimize Wildcard Usage in Cluster and Local Roles

Rule ID	xccdf_org.ssgproject.content_rule_rbac_wildcard_use
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.1.3, CM-6, CM-6(1)
Description	Kubernetes Cluster and Local Roles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these using a wildcard `*` which matches all items. This violates the principle of least privilege and leaves a cluster in a more vulnerable state to privilege abuse.
Rationale	The principle of least privilege recommends that users are provided only the access required for their role and nothing more. The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API.
Evaluation messages info No candidate or applicable check found.

Limit Access to Kubernetes Secrets

Rule ID	xccdf_org.ssgproject.content_rule_rbac_limit_secrets_access
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.1.2, CM-6, CM-6(1)
Description	The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation. To restrict users from secrets, remove `get`, `list`, and `watch` access to unauthorized users to secret objects in the cluster.
Rationale	Inappropriate access to secrets stored within the Kubernetes cluster can allow for an attacker to gain additional access to the Kubernetes cluster or external resources whose credentials are stored as secrets.
Evaluation messages info No candidate or applicable check found.

Minimize Access to Pod Creation

Rule ID	xccdf_org.ssgproject.content_rule_rbac_pod_creation_access
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.1.4, CM-6, CM-6(1)
Description	The ability to create pods in a namespace can provide a number of opportunities for privilege escalation. Where applicable, remove `create` access to `pod` objects in the cluster.
Rationale	The ability to create pods in a cluster opens up the cluster for privilege escalation.
Evaluation messages info No candidate or applicable check found.

Profiling is protected by RBAC

Rule ID	xccdf_org.ssgproject.content_rule_rbac_debug_role_protects_pprof
Result	pass
Multi-check rule	no
OVAL Definition ID	oval:ssg-rbac_debug_role_protects_pprof:def:1
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	Identifiers: CCE-84182-5 References: 1.3.2, 1.4.1, CM-6, CM-6(1)
Description	Ensure that the cluster-debugger cluster role includes the /debug/pprof resource URL. This demonstrates that profiling is protected by RBAC, with a specific cluster role to allow access.
Rationale	Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface. To ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to cluster-admin or cluster-debugger role. Profiling can not be disabled.
Warnings	warning This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the `/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger` API endpoint to the local `/kubernetes-api-resources/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger` file.

OVAL test results details

In the file '/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger' find only one object at path '.rules[0].nonResourceURLs[:]'. oval:ssg-test_rbac_debug_role_protects_pprof:tst:1 true

Following items have been found on the system:

Filepath	Path	Filename	Yamlpath	Value
/kubernetes-api-resources/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger	/kubernetes-api-resources/apis/rbac.authorization.k8s.io/v1/clusterroles	cluster-debugger	.rules[0].nonResourceURLs[:]	/debug/pprof /debug/pprof/* /metrics

Find the file to be checked ('/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger'). oval:ssg-test_file_for_rbac_debug_role_protects_pprof:tst:1 true

Following items have been found on the system:

Path	Type	UID	GID	Size (B)	Permissions
/kubernetes-api-resources/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger	regular	1000650000	1000650000	773	`rw-------`

Ensure that the cluster-admin role is only used where required

Rule ID	xccdf_org.ssgproject.content_rule_rbac_limit_cluster_admin
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	medium
Identifiers and References	References: 5.1.1, CM-6, CM-6(1)
Description	The RBAC role cluster-admin provides wide-ranging powers over the environment and should be used only where and when needed.
Rationale	Kubernetes provides a set of default roles where RBAC is used. Some of these roles such as cluster-admin provide wide-ranging privileges which should only be applied where absolutely necessary. Roles such as cluster-admin allow super-user access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the rolebinding's namespace, including the namespace itself.
Evaluation messages info No candidate or applicable check found.

Ensure that application Namespaces have Network Policies defined.

Rule ID	xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	high
Identifiers and References	References: 5.3.2, CM-6, CM-6(1)
Description	Use network policies to isolate traffic in your cluster network.
Rationale	Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. However, if there are no network policies in a namespace all traffic will be allowed into and out of the pods in that namespace.
Evaluation messages info No candidate or applicable check found.

Ensure that the CNI in use supports Network Policies

Rule ID	xccdf_org.ssgproject.content_rule_configure_network_policies
Result	notchecked
Multi-check rule	no
Time	2021-07-20T05:21:00+00:00
Severity	high
Identifiers and References	References: 5.3.1, CM-6, CM-6(1)
Description	There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster. OpenShift supports Kubernetes NetworkPolicy using a Kubernetes Container Network Interface (CNI) plug-in.
Rationale	Kubernetes network policies are enforced by the CNI plugin in use. As such it is important to ensure that the CNI plugin supports both Ingress and Egress network policies.
Evaluation messages info No candidate or applicable check found.

Scroll back to the first rule

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.