content icon indicating copy to clipboard operation
content copied to clipboard
verified publisher icon ComplianceAsCode

check for makeIPTablesUtilChains does not reflect benchmark and product description

Open tmishina opened this issue 3 years ago • 3 comments

Description of problem:

  • Rule kubelet_enable_iptables_util_chains of openshift (link) checks existence of .makeIPTablesUtilChains and its value should be true 
template:
    name: yamlfile_value
    vars:
        filepath: {{{ kubeletconf_path }}}
        yamlpath: ".makeIPTablesUtilChains"
        values:
         - value: "true"
           operation: "equals"
  • However, CIS Benchmark spec and kubelet documentation say that the default value of .makeIPTablesUtilChains is true
  • According to the spec and the doc, it is better to check non-existence of .makeIPTablesUtilChains is false 
template:
    name: yamlfile_value
    vars:
        filepath: {{{ kubeletconf_path }}}
        check_existence: "none_exist"
        yamlpath: ".makeIPTablesUtilChains"
        values:
         - value: "false"
           operation: "equals"

Steps to Reproduce:

Run cis-node profile check on an OpenShift cluster which configuration (/etc/kubernetes/kubelet.conf) does not contain .makeIPTablesUtilChains.

Actual Results:

FAIL

Expected Results:

PASS

tmishina avatar Mar 29 '22 04:03 tmishina

I think it makes sense, but if we need to check if makeIPTablesUtilChains doesn't exist in other config files?

Vincent056 avatar Mar 29 '22 04:03 Vincent056

Hello, Wouldn't make sense instead of performing verification through file kubelet.conf, to identify the values from apiserver?

for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do  oc get --raw "/api/v1/nodes/${node}/proxy/configz" | jq -r '.kubeletconfig| .makeIPTablesUtilChains'; done

etcshad0vv avatar May 13 '22 07:05 etcshad0vv