
Commit c082183

authored
Merge pull request #14606 from Vincent056/CMP-4112-move-kubeletconfig-symlink
CMP-4112: Update kubeletconfig OVAL path to /var/run/compliance-operator
2 parents 271500f + 601bfdd commit c082183

40 files changed

Lines changed: 56 additions & 56 deletions


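--- a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
+++ b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
@@ -54,7 +54,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
-filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.authentication.anonymous.enabled"
 check_existence: "all_exist"
 values: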
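Review bot: The new `filepath` literal in this hunk is the same string hard-coded again in the kubelet_authorization_mode, kubelet_configure_client_ca, kubelet_configure_event_creation, kubelet_configure_tls_cipher_suites and kubelet_configure_tls_min_version sections on this page (and, per the diffstat, across 40 files), so the next relocation is another sweep of identical one-line edits; sourcing the path from one shared place, e.g. a product property rendered as `filepath: '{{{ kubeletconfig_path }}}'` (macro name constructed), would make it a single-line change. Keeping `check_existence: "all_exist"` means a path that is not materialized at scan time fails the rule rather than silently passing, which is the right default for a rule that reads collected configuration. On many hosts `/var/run` is a symlink to `/run`; it is worth confirming that the scanner's file collection resolves that component the same way the operator does when it writes the file, otherwise every one of these rules would report a uniform failure. The template's `values:` list continues outside the hunk.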

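--- a/applications/openshift/kubelet/kubelet_authorization_mode/rule.yml
+++ b/applications/openshift/kubelet/kubelet_authorization_mode/rule.yml
@@ -50,7 +50,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
-filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.authorization.mode"
 check_existence: "all_exist"
 values: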

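--- a/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml
@@ -55,7 +55,7 @@ references:
 template:
 name: yamlfile_value
 vars:
-filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.authentication.x509.clientCAFile"
 check_existence: "all_exist"
 values: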

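--- a/applications/openshift/kubelet/kubelet_configure_event_creation/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_event_creation/rule.yml
@@ -63,7 +63,7 @@ references:
 template:
 name: yamlfile_value
 vars:
-filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.eventRecordQPS"
 check_existence: "all_exist"
 values: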
Lines changed: 2 additions & 2 deletions
@@ -1,8 +1,8 @@
11
#!/bin/bash
22
# remediation = none
33

4-
mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig"
4+
mkdir -p "/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig"
55

6-
cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig
6+
cat << EOF > /var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig
77
{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":5,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionHard":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","no
defs.available":"10%","nodefs.inodesFree":"5%"},"evictionSoft":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","nodefs.available":"10%","nodefs.inodesFree":"5%"},"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChains":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}}
88
EOF
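Review bot: The heredoc on the changed `cat << EOF >` line uses an unquoted delimiter, so the shell would expand any `$`, backtick or backslash sequence inside the kubelet JSON it writes; the present payload contains none, but quoting it as `cat << 'EOF' > /var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig` keeps a future edit to the fixture from being silently altered. The file's path is not shown on this page; given the `# remediation = none` header it is presumably a rule test scenario. The same applies to the three other test-script sections on this page that carry the identical `mkdir -p` and heredoc pair.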
Lines changed: 2 additions & 2 deletions
@@ -1,8 +1,8 @@
11
#!/bin/bash
22
# remediation = none
33

4-
mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig"
4+
mkdir -p "/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig"
55

6-
cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig
6+
cat << EOF > /var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig
77
{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":0,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChai
ns":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}}
88
EOF

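--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml
@@ -71,7 +71,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
-filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.tlsCipherSuites[:]"
 xccdf_variable: var_kubelet_tls_cipher_suites_regex
 regex_data: true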
Lines changed: 2 additions & 2 deletions
@@ -1,8 +1,8 @@
11
#!/bin/bash
22
# remediation = none
33

4-
mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig"
4+
mkdir -p "/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig"
55

6-
cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig
6+
cat << EOF > /var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig
77
{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":5,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionHard":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","no
defs.available":"10%","nodefs.inodesFree":"5%"},"evictionSoft":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","nodefs.available":"10%","nodefs.inodesFree":"5%"},"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChains":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}}
88
EOF
Lines changed: 2 additions & 2 deletions
@@ -1,8 +1,8 @@
11
#!/bin/bash
22
# remediation = none
33

4-
mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig"
4+
mkdir -p "/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig"
55

6-
cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig
6+
cat << EOF > /var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig
77
{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":0,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChains":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPrior
ityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}}
88
EOF

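--- a/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml
@@ -87,7 +87,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
-filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.tlsMinVersion"
 xccdf_variable: var_kubelet_tls_min_version_regex
 regex_data: true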
