Add kubelet tls ingresscontroller rule to CIS benchmarks

This rule was originally written for CIS benchmarks, but somewhere along the way it was refactored out. This could have been due to a re-indexing of the controls from the benchmark. This commit adds the rule back into the CIS profiles so that it's run with all supports CIS benchmarks. We should be able to prevent against regressions by including it to the e2e rule assertion files.
ComplianceAsCode · Aug 14, 2024 · 3c24d28 · 3c24d28
1 parent cd81b94
commit 3c24d28
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 0 deletions.
diff --git a/controls/cis_ocp_1_4_0/section-4.yml b/controls/cis_ocp_1_4_0/section-4.yml
@@ -157,5 +157,6 @@ controls:
       status: automated
       rules:
         - kubelet_configure_tls_cipher_suites
+        - kubelet_configure_tls_cipher_suites_ingresscontroller
       levels: [ level_1, ]
 
diff --git a/tests/assertions/ocp4/ocp4-cis-4.12.yml b/tests/assertions/ocp4/ocp4-cis-4.12.yml
@@ -89,6 +89,9 @@ rule_results:
   e2e-cis-api-server-kubelet-client-key-pre-4-9:
     default_result: NOT-APPLICABLE
     result_after_remediation: NOT-APPLICABLE
+  e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+    default_result: FAIL
+    result_after_remediation: PASS
   e2e-cis-api-server-oauth-https-serving-cert:
     default_result: PASS
     result_after_remediation: PASS

diff --git a/tests/assertions/ocp4/ocp4-cis-4.13.yml b/tests/assertions/ocp4/ocp4-cis-4.13.yml
@@ -87,6 +87,9 @@ rule_results:
   e2e-cis-api-server-kubelet-client-key-pre-4-9:
     default_result: NOT-APPLICABLE
     result_after_remediation: NOT-APPLICABLE
+  e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+    default_result: FAIL
+    result_after_remediation: PASS
   e2e-cis-api-server-oauth-https-serving-cert:
     default_result: PASS
     result_after_remediation: PASS

diff --git a/tests/assertions/ocp4/ocp4-cis-4.14.yml b/tests/assertions/ocp4/ocp4-cis-4.14.yml
@@ -87,6 +87,9 @@ rule_results:
   e2e-cis-api-server-kubelet-client-key-pre-4-9:
     default_result: NOT-APPLICABLE
     result_after_remediation: NOT-APPLICABLE
+  e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+    default_result: FAIL
+    result_after_remediation: PASS
   e2e-cis-api-server-oauth-https-serving-cert:
     default_result: PASS
     result_after_remediation: PASS

diff --git a/tests/assertions/ocp4/ocp4-cis-4.15.yml b/tests/assertions/ocp4/ocp4-cis-4.15.yml
@@ -89,6 +89,9 @@ rule_results:
   e2e-cis-api-server-kubelet-client-key-pre-4-9:
     default_result: NOT-APPLICABLE
     result_after_remediation: NOT-APPLICABLE
+  e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+    default_result: FAIL
+    result_after_remediation: PASS
   e2e-cis-api-server-oauth-https-serving-cert:
     default_result: PASS
     result_after_remediation: PASS

diff --git a/tests/assertions/ocp4/ocp4-cis-4.16.yml b/tests/assertions/ocp4/ocp4-cis-4.16.yml
@@ -207,6 +207,9 @@ rule_results:
   e2e-cis-kubelet-disable-readonly-port:
     default_result: PASS
     result_after_remediation: PASS
+  e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+    default_result: FAIL
+    result_after_remediation: PASS
   e2e-cis-ocp-allowed-registries:
     default_result: FAIL
   e2e-cis-ocp-allowed-registries-for-import: