From a582345e800973e031de033eff96ee313aec4f08 Mon Sep 17 00:00:00 2001 From: Rutvik Date: Mon, 20 May 2024 16:49:17 +0530 Subject: [PATCH 1/6] To fix CMP-2548 --- .../rule.yml | 14 ++++++++------ .../tests/ocp4/e2e.yml | 2 +- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml index a9926333490..1c58010ff2b 100644 --- a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml +++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml @@ -37,19 +37,21 @@ rationale: |- ensures that there are no downtimes due to expired certificates and thus addressing the availability in the C/I/A security triad. + In OpenShift 4, the kubelete certification rotation is enabled by default, hence this check is not-applicable. + severity: medium platform: not ocp4-on-hypershift-hosted ocil_clause: |- - RotateKubeletServerCertificate argument is set to false in the - controllerArguments options + serverTLSBootstrap argument is set to false in the + kubeletconfig options ocil: |- - To verify that RotateKubeletServerCertificate is configured correctly, - run the following command: -
$ oc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data["config.yaml"]' | jq -r '.extendedArguments["feature-gates"]'
- The output should return RotateKubeletServerCertificate=true. + RotateKubeletServerCertificate is no longer a valid check, instead an user should run below commands and confirm the rotation settings are enabled as default. +
$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
+
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
+ The output should return true identifiers: cce@ocp4: CCE-83730-2 diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/e2e.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/e2e.yml index b49fd368b98..8878bb5724a 100644 --- a/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/e2e.yml +++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/e2e.yml @@ -1,2 +1,2 @@ --- -default_result: PASS +default_result: NOT-APPLICABLE From 651cfa9fc7d57bbefae882b8c4a4602a62ebfa3a Mon Sep 17 00:00:00 2001 From: Rutvik Date: Fri, 14 Jun 2024 20:32:20 +0530 Subject: [PATCH 2/6] modifying rule content and selection criteria --- .../controller_rotate_kubelet_server_certs/rule.yml | 13 +++++++------ controls/nist_ocp4.yml | 4 ---- controls/srg_ctr/SRG-APP-000516-CTR-001325.yml | 1 - products/ocp4/profiles/stig-v1r1.profile | 1 - 4 files changed, 7 insertions(+), 12 deletions(-) diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml index 1c58010ff2b..f0492802674 100644 --- a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml +++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml 
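Review bot: The second added command greps `rotateCertificates`, which is the kubelet's client-certificate rotation setting, so it gives no evidence of the server-certificate rotation this rule covers; only the first command (`.kubeletconfig.serverTLSBootstrap`) concerns serving certificates. The `grep` form also prints nothing when the field is absent, and an empty result is easy to misread against "The output should return true". A form that fails closed, for example `jq -e '.kubeletconfig.serverTLSBootstrap == true'` with the node name quoted in the request path, would make a missing or false value visible per node. The added rationale sentence calls the check not-applicable while the OCIL still asks for a result, and "kubelete certification rotation" should read "kubelet certificate rotation". Patch 2/6 later in this series reverts the OCIL text, so this matters only if the kubelet-side check is reintroduced.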
@@ -37,21 +37,22 @@ rationale: |- ensures that there are no downtimes due to expired certificates and thus addressing the availability in the C/I/A security triad. - In OpenShift 4, the kubelete certification rotation is enabled by default, hence this check is not-applicable. + Note: In OpenShift 4, the kubelete certification rotation is enabled by default. Openshift v4 automatically generates a new kube-apiserver-to-kubelet-signer CA certificates at 292 days and removes old CA certificate after 365 days, and the kubelet-client, kubelet-server certs are auto-rotated once every month. Hence, this rule is deprecated and not-applicable. + ref: https://access.redhat.com/articles/5651701 severity: medium platform: not ocp4-on-hypershift-hosted ocil_clause: |- - serverTLSBootstrap argument is set to false in the + RotateKubeletServerCertificate argument is set to false in the kubeletconfig options ocil: |- - RotateKubeletServerCertificate is no longer a valid check, instead an user should run below commands and confirm the rotation settings are enabled as default. -
$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
-
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
- The output should return true + To verify that RotateKubeletServerCertificate is configured correctly, + run the following command: +
$ oc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data["config.yaml"]' | jq -r '.extendedArguments["feature-gates"]'
+ The output should return RotateKubeletServerCertificate=true identifiers: cce@ocp4: CCE-83730-2 diff --git a/controls/nist_ocp4.yml b/controls/nist_ocp4.yml index ccf5d5bab7e..d220538cb63 100644 --- a/controls/nist_ocp4.yml +++ b/controls/nist_ocp4.yml @@ -4898,7 +4898,6 @@ controls: - file_owner_proxy_kubeconfig - file_groupowner_etcd_data_files - api_server_auth_mode_node - - controller_rotate_kubelet_server_certs - api_server_openshift_https_serving_cert - api_server_service_account_lookup - file_groupowner_openshift_pki_cert_files @@ -5121,7 +5120,6 @@ controls: - file_owner_proxy_kubeconfig - file_groupowner_etcd_data_files - api_server_auth_mode_node - - controller_rotate_kubelet_server_certs - api_server_openshift_https_serving_cert - api_server_service_account_lookup - file_groupowner_openshift_pki_cert_files @@ -13887,7 +13885,6 @@ controls: - etcd_peer_client_cert_auth - controller_secure_port - etcd_peer_cert_file - - controller_rotate_kubelet_server_certs - api_server_openshift_https_serving_cert - api_server_etcd_key - kubelet_configure_tls_cert @@ -13943,7 +13940,6 @@ controls: - etcd_peer_client_cert_auth - controller_secure_port - etcd_peer_cert_file - - controller_rotate_kubelet_server_certs - api_server_openshift_https_serving_cert - api_server_etcd_key - kubelet_configure_tls_cert diff --git a/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml b/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml index 7b5d85ddd8f..2c2a2b88fdf 100644 --- a/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml +++ b/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml @@ -48,7 +48,6 @@ controls: - ocp_api_server_audit_log_maxbackup - ocp_api_server_audit_log_maxsize - controller_insecure_port_disabled - - controller_rotate_kubelet_server_certs - controller_secure_port - controller_service_account_ca - controller_service_account_private_key diff --git a/products/ocp4/profiles/stig-v1r1.profile b/products/ocp4/profiles/stig-v1r1.profile index 37ef22e8e5c..7c1d113ac74 100644 
--- a/products/ocp4/profiles/stig-v1r1.profile +++ b/products/ocp4/profiles/stig-v1r1.profile @@ -71,7 +71,6 @@ selections: - api_server_tls_cipher_suites - api_server_token_auth - controller_insecure_port_disabled - - controller_rotate_kubelet_server_certs - controller_secure_port - controller_service_account_ca - controller_service_account_private_key From 35f5869cb1fdcad286a99146caf7c6b62f36a647 Mon Sep 17 00:00:00 2001 From: Rutvik Date: Mon, 17 Jun 2024 17:25:12 +0530 Subject: [PATCH 3/6] adding warning section --- .../rule.yml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml index f0492802674..85ac80b7ed6 100644 --- a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml +++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml @@ -37,9 +37,6 @@ rationale: |- ensures that there are no downtimes due to expired certificates and thus addressing the availability in the C/I/A security triad. - Note: In OpenShift 4, the kubelete certification rotation is enabled by default. Openshift v4 automatically generates a new kube-apiserver-to-kubelet-signer CA certificates at 292 days and removes old CA certificate after 365 days, and the kubelet-client, kubelet-server certs are auto-rotated once every month. Hence, this rule is deprecated and not-applicable. - ref: https://access.redhat.com/articles/5651701 - severity: medium platform: not ocp4-on-hypershift-hosted 
@@ -59,13 +56,10 @@ identifiers: warnings: - general: |- - {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}} -- functionality: |- - This recommendation only applies if you let kubelets get their - certificates from the API Server. In case your certificates come from an - outside Certificate Authority/tool (e.g. Vault) then you need to take care - of rotation yourself - + In OpenShift 4, the kubelete certification rotation is enabled by default. Openshift v4 automatically generates a new kube-apiserver-to-kubelet-signer CA certificates at 292 days and removes old CA + certificate after 365 days, and the kubelet-client, kubelet-server certs are auto-rotated once every month. Hence, this rule is deprecated and not-applicable. + ref: https://access.redhat.com/articles/5651701 + references: nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1 nist: CM-6,CM-6(1),SC-8,SC-8(1) From 028049f1aa039fca14ef62f195a98088c641239d Mon Sep 17 00:00:00 2001 From: Rutvik Date: Mon, 17 Jun 2024 17:31:52 +0530 Subject: [PATCH 4/6] fixing whitespaces in warning section --- .../controller_rotate_kubelet_server_certs/rule.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml index 85ac80b7ed6..abe9be8527e 100644 --- a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml +++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml 
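Review bot: The removed `functionality` warning carried the only caveat that kubelet certificates issued by an outside CA or tool (the text names Vault) must be rotated by the operator, and the new `general` text states that rotation is automatic without that exception. An auditor reading the rule would conclude that the platform always handles rotation. Keep one sentence of the caveat after the new text, e.g. `This applies only when kubelets obtain their certificates from the API server; certificates issued by an external CA must be rotated by the operator.` The same hunk also drops the `openshift_filtered_cluster_setting` warning, which patch 5/6 restores, but the external-CA caveat is not restored anywhere in this series.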
@@ -56,8 +56,10 @@ identifiers: warnings: - general: |- - In OpenShift 4, the kubelete certification rotation is enabled by default. Openshift v4 automatically generates a new kube-apiserver-to-kubelet-signer CA certificates at 292 days and removes old CA - certificate after 365 days, and the kubelet-client, kubelet-server certs are auto-rotated once every month. Hence, this rule is deprecated and not-applicable. + In OpenShift 4, the kubelete certification rotation is enabled by default. + Openshift v4 automatically generates a new kube-apiserver-to-kubelet-signer CA certificates at 292 + days, removes old CA certificate after 365 days, and the kubelet-client, kubelet-server + certs are auto-rotated once every month. Hence, this rule is deprecated and not-applicable. ref: https://access.redhat.com/articles/5651701 references: From c378c0848d156fad256ef4f3a924eebc608d6e8e Mon Sep 17 00:00:00 2001 From: Rutvik Date: Mon, 24 Jun 2024 15:38:48 +0530 Subject: [PATCH 5/6] updating platform check and tests --- .../controller_rotate_kubelet_server_certs/rule.yml | 10 ++++++---- .../tests/ocp4/4.12.yml | 2 ++ .../tests/ocp4/4.13.yml | 2 ++ controls/nist_ocp4.yml | 4 ++++ controls/srg_ctr/SRG-APP-000516-CTR-001325.yml | 1 + products/ocp4/profiles/stig-v1r1.profile | 1 + 6 files changed, 16 insertions(+), 4 deletions(-) create mode 100644 applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/4.12.yml create mode 100644 applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/4.13.yml diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml index abe9be8527e..e81c48aefcb 100644 --- a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml +++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml 
@@ -39,11 +39,11 @@ rationale: |- severity: medium -platform: not ocp4-on-hypershift-hosted +platform: not ocp4-on-hypershift-hosted and (ocp4.12 or ocp4.13) ocil_clause: |- RotateKubeletServerCertificate argument is set to false in the - kubeletconfig options + controllerArguments options ocil: |- To verify that RotateKubeletServerCertificate is configured correctly, @@ -56,11 +56,13 @@ identifiers: warnings: - general: |- - In OpenShift 4, the kubelete certification rotation is enabled by default. + {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}} +- functionality: |- + In OpenShift 4, the kubelet certification rotation is enabled by default. Openshift v4 automatically generates a new kube-apiserver-to-kubelet-signer CA certificates at 292 days, removes old CA certificate after 365 days, and the kubelet-client, kubelet-server certs are auto-rotated once every month. Hence, this rule is deprecated and not-applicable. - ref: https://access.redhat.com/articles/5651701 + ref: https://docs.redhat.com/en/documentation/openshift_container_platform/4.15/html/security_and_compliance/certificate-types-and-descriptions#purpose-5 references: nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1 diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/4.12.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/4.12.yml new file mode 100644 index 00000000000..b49fd368b98 --- /dev/null +++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/4.12.yml @@ -0,0 +1,2 @@ +--- +default_result: PASS diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/4.13.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/4.13.yml new file mode 100644 index 00000000000..b49fd368b98 --- /dev/null 
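Review bot: The new `platform: not ocp4-on-hypershift-hosted and (ocp4.12 or ocp4.13)` line makes the rule inapplicable on every other release, including those before 4.12, and nothing in the rule says why these two versions are the cut-off. Because this commit also puts the rule back into `controls/nist_ocp4.yml`, `SRG-APP-000516-CTR-001325.yml` and `stig-v1r1.profile`, clusters on 4.14 and later will report NOT-APPLICABLE for those controls with no automated evidence that rotation is in effect. A comment above the line would record the intent, e.g. `# Checked only on 4.12/4.13; on later releases rotation is on by default and the rule reports NOT-APPLICABLE.` If releases earlier than 4.12 are still supported by this content, confirm they are meant to be excluded as well.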
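Review bot: The `functionality` warning in the `@@ -56,11 +56,13 @@` hunk ends with "Hence, this rule is deprecated and not-applicable" without naming a version, yet the platform line in this commit keeps the rule applicable on 4.12 and 4.13, and the new `tests/ocp4/4.12.yml` and `4.13.yml` expect PASS. Scope the sentence, e.g. `On OpenShift 4.14 and later this rule is not applicable.`, so a scan report does not contradict its own warning. "kubelet certification rotation" should read "kubelet certificate rotation" and "Openshift" should be "OpenShift". The `ref:` URL is pinned to the 4.15 documentation; consider whether that is the right anchor for a rule evaluated only on 4.12 and 4.13.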
+++ b/applications/openshift/controller/controller_rotate_kubelet_server_certs/tests/ocp4/4.13.yml @@ -0,0 +1,2 @@ +--- +default_result: PASS diff --git a/controls/nist_ocp4.yml b/controls/nist_ocp4.yml index d220538cb63..ccf5d5bab7e 100644 --- a/controls/nist_ocp4.yml +++ b/controls/nist_ocp4.yml @@ -4898,6 +4898,7 @@ controls: - file_owner_proxy_kubeconfig - file_groupowner_etcd_data_files - api_server_auth_mode_node + - controller_rotate_kubelet_server_certs - api_server_openshift_https_serving_cert - api_server_service_account_lookup - file_groupowner_openshift_pki_cert_files @@ -5120,6 +5121,7 @@ controls: - file_owner_proxy_kubeconfig - file_groupowner_etcd_data_files - api_server_auth_mode_node + - controller_rotate_kubelet_server_certs - api_server_openshift_https_serving_cert - api_server_service_account_lookup - file_groupowner_openshift_pki_cert_files @@ -13885,6 +13887,7 @@ controls: - etcd_peer_client_cert_auth - controller_secure_port - etcd_peer_cert_file + - controller_rotate_kubelet_server_certs - api_server_openshift_https_serving_cert - api_server_etcd_key - kubelet_configure_tls_cert @@ -13940,6 +13943,7 @@ controls: - etcd_peer_client_cert_auth - controller_secure_port - etcd_peer_cert_file + - controller_rotate_kubelet_server_certs - api_server_openshift_https_serving_cert - api_server_etcd_key - kubelet_configure_tls_cert diff --git a/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml b/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml index 2c2a2b88fdf..7b5d85ddd8f 100644 --- a/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml +++ b/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml @@ -48,6 +48,7 @@ controls: - ocp_api_server_audit_log_maxbackup - ocp_api_server_audit_log_maxsize - controller_insecure_port_disabled + - controller_rotate_kubelet_server_certs - controller_secure_port - controller_service_account_ca - controller_service_account_private_key 
diff --git a/products/ocp4/profiles/stig-v1r1.profile b/products/ocp4/profiles/stig-v1r1.profile index 7c1d113ac74..37ef22e8e5c 100644 --- a/products/ocp4/profiles/stig-v1r1.profile +++ b/products/ocp4/profiles/stig-v1r1.profile @@ -71,6 +71,7 @@ selections: - api_server_tls_cipher_suites - api_server_token_auth - controller_insecure_port_disabled + - controller_rotate_kubelet_server_certs - controller_secure_port - controller_service_account_ca - controller_service_account_private_key From 3beb2f63b482b4f02930512ccdbef7d707ed4076 Mon Sep 17 00:00:00 2001 From: Rutvik Date: Mon, 24 Jun 2024 21:37:02 +0530 Subject: [PATCH 6/6] fixing e2e assertions --- tests/assertions/ocp4/ocp4-high-4.14.yml | 4 ++-- tests/assertions/ocp4/ocp4-high-4.15.yml | 4 ++-- tests/assertions/ocp4/ocp4-high-4.16.yml | 4 ++-- tests/assertions/ocp4/ocp4-moderate-4.14.yml | 4 ++-- tests/assertions/ocp4/ocp4-moderate-4.15.yml | 4 ++-- tests/assertions/ocp4/ocp4-moderate-4.16.yml | 4 ++-- tests/assertions/ocp4/ocp4-stig-4.14.yml | 4 ++-- tests/assertions/ocp4/ocp4-stig-4.15.yml | 4 ++-- tests/assertions/ocp4/ocp4-stig-4.16.yml | 4 ++-- 9 files changed, 18 insertions(+), 18 deletions(-) diff --git a/tests/assertions/ocp4/ocp4-high-4.14.yml b/tests/assertions/ocp4/ocp4-high-4.14.yml index dc9407ed83d..79f27d693d9 100644 --- a/tests/assertions/ocp4/ocp4-high-4.14.yml +++ b/tests/assertions/ocp4/ocp4-high-4.14.yml @@ -181,8 +181,8 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-high-controller-rotate-kubelet-server-certs: - default_result: PASS - result_after_remediation: PASS + default_result: NOT-APPLICABLE + result_after_remediation: NOT-APPLICABLE e2e-high-controller-secure-port: default_result: PASS result_after_remediation: PASS diff --git a/tests/assertions/ocp4/ocp4-high-4.15.yml b/tests/assertions/ocp4/ocp4-high-4.15.yml index be7f4b640da..23e7ef5e310 100644 --- a/tests/assertions/ocp4/ocp4-high-4.15.yml +++ b/tests/assertions/ocp4/ocp4-high-4.15.yml 
@@ -185,8 +185,8 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-high-controller-rotate-kubelet-server-certs: - default_result: PASS - result_after_remediation: PASS + default_result: NOT-APPLICABLE + result_after_remediation: NOT-APPLICABLE e2e-high-controller-secure-port: default_result: PASS result_after_remediation: PASS diff --git a/tests/assertions/ocp4/ocp4-high-4.16.yml b/tests/assertions/ocp4/ocp4-high-4.16.yml index be7f4b640da..23e7ef5e310 100644 --- a/tests/assertions/ocp4/ocp4-high-4.16.yml +++ b/tests/assertions/ocp4/ocp4-high-4.16.yml @@ -185,8 +185,8 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-high-controller-rotate-kubelet-server-certs: - default_result: PASS - result_after_remediation: PASS + default_result: NOT-APPLICABLE + result_after_remediation: NOT-APPLICABLE e2e-high-controller-secure-port: default_result: PASS result_after_remediation: PASS diff --git a/tests/assertions/ocp4/ocp4-moderate-4.14.yml b/tests/assertions/ocp4/ocp4-moderate-4.14.yml index c23d2e5e8ba..12bff0d98da 100644 --- a/tests/assertions/ocp4/ocp4-moderate-4.14.yml +++ b/tests/assertions/ocp4/ocp4-moderate-4.14.yml @@ -179,8 +179,8 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-moderate-controller-rotate-kubelet-server-certs: - default_result: PASS - result_after_remediation: PASS + default_result: NOT-APPLICABLE + result_after_remediation: NOT-APPLICABLE e2e-moderate-controller-secure-port: default_result: PASS result_after_remediation: PASS diff --git a/tests/assertions/ocp4/ocp4-moderate-4.15.yml b/tests/assertions/ocp4/ocp4-moderate-4.15.yml index 098fbffcc6c..aa440cbb0c1 100644 --- a/tests/assertions/ocp4/ocp4-moderate-4.15.yml +++ b/tests/assertions/ocp4/ocp4-moderate-4.15.yml 
@@ -176,8 +176,8 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-moderate-controller-rotate-kubelet-server-certs: - default_result: PASS - result_after_remediation: PASS + default_result: NOT-APPLICABLE + result_after_remediation: NOT-APPLICABLE e2e-moderate-controller-secure-port: default_result: PASS result_after_remediation: PASS diff --git a/tests/assertions/ocp4/ocp4-moderate-4.16.yml b/tests/assertions/ocp4/ocp4-moderate-4.16.yml index c23d2e5e8ba..12bff0d98da 100644 --- a/tests/assertions/ocp4/ocp4-moderate-4.16.yml +++ b/tests/assertions/ocp4/ocp4-moderate-4.16.yml @@ -179,8 +179,8 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-moderate-controller-rotate-kubelet-server-certs: - default_result: PASS - result_after_remediation: PASS + default_result: NOT-APPLICABLE + result_after_remediation: NOT-APPLICABLE e2e-moderate-controller-secure-port: default_result: PASS result_after_remediation: PASS diff --git a/tests/assertions/ocp4/ocp4-stig-4.14.yml b/tests/assertions/ocp4/ocp4-stig-4.14.yml index 5fb0b1d2850..6d2362eaef2 100644 --- a/tests/assertions/ocp4/ocp4-stig-4.14.yml +++ b/tests/assertions/ocp4/ocp4-stig-4.14.yml @@ -158,8 +158,8 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-stig-controller-rotate-kubelet-server-certs: - default_result: PASS - result_after_remediation: PASS + default_result: NOT-APPLICABLE + result_after_remediation: NOT-APPLICABLE e2e-stig-controller-secure-port: default_result: PASS result_after_remediation: PASS diff --git a/tests/assertions/ocp4/ocp4-stig-4.15.yml b/tests/assertions/ocp4/ocp4-stig-4.15.yml index 5fb0b1d2850..6d2362eaef2 100644 --- a/tests/assertions/ocp4/ocp4-stig-4.15.yml +++ b/tests/assertions/ocp4/ocp4-stig-4.15.yml 
@@ -158,8 +158,8 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-stig-controller-rotate-kubelet-server-certs: - default_result: PASS - result_after_remediation: PASS + default_result: NOT-APPLICABLE + result_after_remediation: NOT-APPLICABLE e2e-stig-controller-secure-port: default_result: PASS result_after_remediation: PASS diff --git a/tests/assertions/ocp4/ocp4-stig-4.16.yml b/tests/assertions/ocp4/ocp4-stig-4.16.yml index 5fb0b1d2850..6d2362eaef2 100644 --- a/tests/assertions/ocp4/ocp4-stig-4.16.yml +++ b/tests/assertions/ocp4/ocp4-stig-4.16.yml @@ -158,8 +158,8 @@ rule_results: default_result: PASS result_after_remediation: PASS e2e-stig-controller-rotate-kubelet-server-certs: - default_result: PASS - result_after_remediation: PASS + default_result: NOT-APPLICABLE + result_after_remediation: NOT-APPLICABLE e2e-stig-controller-secure-port: default_result: PASS result_after_remediation: PASS