From fafd758a9c4932430ee7c91e3eed35010f4f4644 Mon Sep 17 00:00:00 2001
From: Vincent Shen
Date: Mon, 17 Jun 2024 16:49:46 +0000
Subject: [PATCH] OCPBUGS-17828 Improve ocp4-cis-scc-limit-container-allowed-capabilities instructions

Update the ocil so the instruction for rule ocp4-cis-scc-limit-container-allowed-capabilities is correctly rendered
---
 .../scc/scc_limit_container_allowed_capabilities/rule.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml b/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml
index 2fd0ad6e779a..47a67f621b2c 100644
--- a/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml
+++ b/applications/openshift/scc/scc_limit_container_allowed_capabilities/rule.yml
@@ -25,10 +25,10 @@ description: |-
 spec:
 description: Allows an additional scc
 setValues:
- - name: upstream-ocp4-var-sccs-with-allowed-capabilities-regex
+ - name: ocp4-var-sccs-with-allowed-capabilities-regex
 rationale: Allow our own custom SCC
 value: ^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$|^additional$
- extends: upstream-ocp4-cis
+ extends: ocp4-cis
 title: Modified CIS allowing one more SCC

@@ -65,7 +65,7 @@ ocil: |-
 check the variable value, e.g:

$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex  -ojsonpath='{.value}' 
Then use following command to list the SCCs that would fail the test: -
$ oc get scc -o json | jq '{{{ jqfilter }}}'
+ {{{ ocil_oc_pipe_jq_filter('scc', networkpolicies_for_non_ctlplane_namespaces_filter) }}}
 Please replace the regular expression in the test command with the value read from the variable
ocp4-var-sccs-with-allowed-capabilities-regex
. You can read the variable value with:
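Review bot: The new macro call passes `networkpolicies_for_non_ctlplane_namespaces_filter` as the jq filter, but this rule is about SCC allowed capabilities and the removed line used `jqfilter`; the name reads like a copy from a NetworkPolicy rule, and if that variable is not defined in this file the Jinja expansion will render an undefined value, which is the kind of broken rendering the commit message says it fixes. Suggested line: `{{{ ocil_oc_pipe_jq_filter('scc', jqfilter) }}}`, assuming `jqfilter` is still defined earlier in this file (it is outside this hunk, as is the start of the `ocil:` block). The following context still tells the reader to replace the regular expression in the test command with the variable's value; now that the command is produced by a macro, it is worth confirming the rendered output still contains a literal regex for the reader to replace, or rewording that instruction.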