
Commit 325aaa5

OCPBUGS-17216: Update rotate certificates check for OCP 4.14
By default, the rotate certificates rules for CIS 1.4.0 (section 4.2) fail on OpenShift 4.14. This commit updates the rule to check for the proper configuration so that it passes by default, since certificate rotation is enabled by default. This patch also updates the instructions to use a valid command for users looking to verify the configuration manually. The old command didn't return anything because it was looking in the wrong configuration section. This is documented upstream in the following doc: https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#certificate-rotation
1 parent 0e7439a commit 325aaa5

3 files changed

Lines changed: 8 additions & 17 deletions

File tree

  • applications/openshift/kubelet
    • kubelet_enable_server_cert_rotation_master
    • kubelet_enable_server_cert_rotation_worker
    • kubelet_enable_server_cert_rotation

applications/openshift/kubelet/kubelet_enable_server_cert_rotation/rule.yml

Lines changed: 2 additions & 5 deletions
@@ -17,10 +17,7 @@ description: |-
1717
file <tt>{{{ kubeletconf_path }}}</tt>
1818
on the kubelet node(s) and set the below parameter:
1919
<pre>
20-
featureGates:
21-
...
22-
RotateKubeletServerCertificate: true
23-
...
20+
serverTLSBootstrap: true
2421
</pre>
2522
2623
rationale: |-
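Review bot: This rule's hunks change only the description and the ocil text, yet the companion `_master` and `_worker` rules in the same commit also move `yamlpath` from `.featureGates.RotateKubeletServerCertificate` to `.serverTLSBootstrap`. If this rule carries its own template or check, it needs the same update, otherwise the text tells users to set `serverTLSBootstrap: true` while the check still looks for the feature gate. It would also help to say in the description that `serverTLSBootstrap` is a top-level `KubeletConfiguration` field, since dropping the `featureGates:` nesting is the substance of the change.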
@@ -33,7 +30,7 @@ ocil_clause: 'the kubelet cannot rotate server certificate'
3330

3431
ocil: |-
3532
Run the following command on the kubelet node(s):
36-
<pre>$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletServerCertificate; done</pre>
33+
<pre>$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done</pre>
3734
The output should return <tt>true</tt>.
3835
3936
identifiers:
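Review bot: The new command prints one bare value per node with no node name, so on a multi-node cluster the reader cannot tell which node returned something other than `true`; consider `echo "$node: $(oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap')"`. Note too that `jq '.kubeletconfig.serverTLSBootstrap'` prints `null` rather than nothing when the field is absent, so the sentence "The output should return true" could add that `null` or `false` means the setting is missing or disabled on that node.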

applications/openshift/kubelet/kubelet_enable_server_cert_rotation_master/rule.yml

Lines changed: 3 additions & 6 deletions
@@ -17,10 +17,7 @@ description: |-
1717
file <tt>{{{ kubeletconf_path }}}</tt>
1818
on the kubelet node(s) and set the below parameter:
1919
<pre>
20-
featureGates:
21-
...
22-
RotateKubeletServerCertificate: true
23-
...
20+
serverTLSBootstrap: true
2421
</pre>
2522
2623
rationale: |-
@@ -33,7 +30,7 @@ ocil_clause: 'the kubelet cannot rotate server certificate'
3330

3431
ocil: |-
3532
Run the following command on the kubelet node(s):
36-
<pre>$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletServerCertificate; done</pre>
33+
<pre>$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap' done</pre>
3734
The output should return <tt>true</tt>.
3835
3936
references:
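Review bot: The added ocil command is missing the `;` before `done`: `jq '.kubeletconfig.serverTLSBootstrap' done</pre>` is a shell syntax error when pasted (`done` becomes an argument to `jq` and the `for` loop is never closed). The base rule and the worker variant read `... | jq '.kubeletconfig.serverTLSBootstrap'; done`; this copy should match them.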
@@ -49,7 +46,7 @@ template:
4946
ocp_data: "true"
5047
filepath: '/kubeletconfig/role'
5148
filepath_suffix: var_role_master
52-
yamlpath: ".featureGates.RotateKubeletServerCertificate"
49+
yamlpath: ".serverTLSBootstrap"
5350
values:
5451
- value: "true"
5552
operation: "equals"
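Review bot: The check now requires `.serverTLSBootstrap` to equal the string `"true"` in the `/kubeletconfig/role` data for `var_role_master`. The commit message relies on rotation being enabled by default in 4.14, so confirm that the rendered kubelet configuration actually contains `serverTLSBootstrap: true` explicitly; if the value is only defaulted in-process and absent from the file, the yamlpath lookup finds nothing and the rule fails for the same reason the old feature-gate path did. A test data file for this rule with `serverTLSBootstrap: true` and one with `false` would pin that down.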

applications/openshift/kubelet/kubelet_enable_server_cert_rotation_worker/rule.yml

Lines changed: 3 additions & 6 deletions
@@ -17,10 +17,7 @@ description: |-
1717
file <tt>{{{ kubeletconf_path }}}</tt>
1818
on the kubelet node(s) and set the below parameter:
1919
<pre>
20-
featureGates:
21-
...
22-
RotateKubeletServerCertificate: true
23-
...
20+
serverTLSBootstrap: true
2421
</pre>
2522
2623
rationale: |-
@@ -33,7 +30,7 @@ ocil_clause: 'the kubelet cannot rotate server certificate'
3330

3431
ocil: |-
3532
Run the following command on the kubelet node(s):
36-
<pre>$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletServerCertificate; done</pre>
33+
<pre>$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done</pre>
3734
The output should return <tt>true</tt>.
3835
3936
references:
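Review bot: This ocil block is a verbatim copy of the one in the base rule and the master rule, and the three copies already differ (the master copy lacks the `;` before `done`). Consider moving the command into a shared macro or variable so the rules cannot drift; the `for node in $(oc get nodes ...)` loop and the `jq '.kubeletconfig.serverTLSBootstrap'` filter are identical in every copy.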
@@ -49,7 +46,7 @@ template:
4946
ocp_data: "true"
5047
filepath: '/kubeletconfig/role'
5148
filepath_suffix: var_role_worker
52-
yamlpath: ".featureGates.RotateKubeletServerCertificate"
49+
yamlpath: ".serverTLSBootstrap"
5350
values:
5451
- value: "true"
5552
operation: "equals"
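Review bot: Same template shape as the master rule with only `filepath_suffix: var_role_worker` differing; the `.serverTLSBootstrap` equals `"true"` check presumes the field is written explicitly into the worker role's kubelet configuration. If the default is applied in-process and not rendered into the file, this lookup comes back empty and the rule fails on 4.14 even though rotation is on; a worker-role test fixture covering both the present and the absent field would verify it.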
