File: rule.yml

documentation_complete: true


title: 'Configure the etcd Certificate Authority for the API Server'

# Filter for a self-managed cluster: parse the configmap's config.yaml payload as
# JSON and keep every etcd-cafile entry that matches var_apiserver_etcd_ca.
# NOTE(review): jq's test() is a regex match, so the variable acts as a pattern
# rather than a literal path (e.g. "." matches any character) — confirm intended.
{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["etcd-cafile"]) | .apiServerArguments["etcd-cafile"][] | select(test("{{.var_apiserver_etcd_ca}}"))]' %}}
# API path of the kube-apiserver config configmap on a self-managed cluster.
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
# HyperShift variants: the hosted control plane's kas-config configmap, and a
# filter that hard-codes the CA path instead of honouring var_apiserver_etcd_ca.
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["etcd-cafile"]) | .apiServerArguments["etcd-cafile"][] | select(test("/etc/kubernetes/certs/etcd-ca/ca.crt"))]' %}}
# The if/else wrapper is Go-template syntax, not Jinja: it is left in the string
# for a later rendering stage (presumably the operator consuming this content —
# verify) and picks the HyperShift variant when hypershift_cluster is not "None".
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
# Comma-joined default path, default filter and custom filter; consumed only by
# the warnings dump below, where it is keyed by custom_api_path.
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

description: |-
    To ensure etcd is configured to make use of TLS encryption for client
    connections, follow the OpenShift documentation and set up the TLS
    connection between the API Server and etcd. Then, verify
    that <tt>apiServerArguments</tt> has the <tt>etcd-cafile</tt> configured in
    the <tt>openshift-kube-apiserver</tt> <tt>config</tt> configmap to something
    similar to:
    <pre>
    "apiServerArguments": {
      ...
        "etcd-cafile": [
            "/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"
        ],
      ...
    </pre>

# NOTE(review): etcd-cafile is the CA bundle the API server uses to verify the
# etcd server's certificate; "identify itself" below describes the client
# certificate/key (etcd-certfile/etcd-keyfile) instead — consider rewording.
rationale: |-
    etcd is a highly-available key-value store used by OpenShift deployments
    for persistent storage of all REST API objects. These objects are
    sensitive in nature and should be protected by client authentication. This
    requires the API Server to identify itself to the etcd server using
    a SSL Certificate Authority file.

identifiers:
  cce@ocp4: CCE-84216-1


severity: medium

references:
    cis@ocp4: 1.2.30
    nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
    nist: SC-8,SC-8(1),SC-8(2)
    pcidss: Req-2.2,Req-2.2.3,Req-2.3
    srg: SRG-APP-000441-CTR-001090,SRG-APP-000442-CTR-001095

# Not applied on HyperShift hosted clusters; the hypershift_* values defined
# above are only reached through the warnings dump below, not by the check.
platform: not ocp4-on-hypershift-hosted

ocil_clause: '<tt>etcd-cafile</tt> is not set as appropriate for <tt>apiServerArguments</tt>'

# Manual verification: print the etcd-cafile list from the kube-apiserver config.
ocil: |-
    Run the following command:
    <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["etcd-cafile"]'</pre>
    The output should return a configured CA certificate for ETCD.

# Shows the reader which cluster object (custom_api_path) and filters (dump_path)
# the check relies on.
warnings:
    - general: |-
        {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(8) }}}

# Automated check. The value pattern "(.*?)" accepts any string, so the effective
# assertion is that default_jqfilter (etcd-cafile entries matching
# var_apiserver_etcd_ca) leaves at least one element; an empty list fails.
template:
  name: yamlfile_value
  vars:
    # presumably marks the file as fetched from the cluster API rather than from
    # disk — verify against the yamlfile_value template
    ocp_data: "true"
    # Only the self-managed path and filter are used here (no HyperShift variant).
    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
    # Every element of the array the jq filter produces.
    yamlpath: "[:]"
    # Fail when the filtered array is empty; presumably every element must then
    # match the value pattern below — confirm against the template semantics.
    check_existence: "at_least_one_exists"
    entity_check: "all"
    values:
      - value: "(.*?)"
        operation: "pattern match"