
OCP4 Optimize KubeletConfig rules #10464

Merged (1 commit, Aug 29, 2023)

Conversation

Vincent056
Contributor

We made some optimizations in CO to scan the runtime KubeletConfig in a different way; this PR adapts those changes.


@marcusburghardt marcusburghardt added the OpenShift label (OpenShift product related) on Apr 17, 2023
@Vincent056 Vincent056 changed the title from "OCP4 Optimize HyperShift rule" to "OCP4 Optimize KubeletConfig rules" on Apr 17, 2023
@openshift-merge-robot openshift-merge-robot added the needs-rebase label (used by openshift-ci bot) on Apr 21, 2023
@Vincent056 Vincent056 force-pushed the kubelet_new_w branch 3 times, most recently from 4aec368 to cb14b31 on April 25, 2023 09:11
@openshift-merge-robot openshift-merge-robot removed the needs-rebase label on Apr 25, 2023
@openshift-merge-robot openshift-merge-robot added the needs-rebase label on May 17, 2023
@openshift-merge-robot openshift-merge-robot removed the needs-rebase label on May 23, 2023
@github-actions

github-actions bot commented May 23, 2023

This datastream diff is auto-generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth'.
--- xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth
+++ xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth
@@ -14,10 +14,6 @@
   anonymous:
     enabled: false
   ...
-
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
 
 [reference]:
 CIP-003-8 R6
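Review bot: removing the [warning] block here also removes the only sentence that told users where this check's data comes from (the kubelet configuration fetched via "/api/v1/nodes/NODE_NAME/proxy/configz" and stored under "/kubeletconfig/..."); nothing in the hunk replaces it. Consider keeping a one-line note in the description stating that the check evaluates the running kubelet's effective configuration rather than a file on disk, so consumers of the datastream outside the Compliance Operator know what has to be collected for the rule to produce a result.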

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth' differs.
--- oval:ssg-kubelet_anonymous_auth:def:1
+++ oval:ssg-kubelet_anonymous_auth:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_anonymous_auth_worker:def:1
-extend_definition oval:ssg-kubelet_anonymous_auth_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_anonymous_auth:tst:1
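Review bot: "criteria None" in the new definition means the criteria element now carries no operator attribute; OVAL defaults the operator to AND, so a single criterion still evaluates correctly, but setting operator="AND" explicitly would keep it consistent with the other definitions and make this diff tool's output easier to read. Also confirm that the single test oval:ssg-test_kubelet_anonymous_auth:tst:1 covers every node the scan runs on, since the per-role extend_definitions for worker and master are gone and the check no longer distinguishes roles.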

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth'
--- xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth
+++ xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth
@@ -1 +1 @@
-oval:ssg-installed_app_is_ocp4:def:1
+oval:ssg-installed_app_is_ocp4_node:def:1
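Review bot: changing the platform from installed_app_is_ocp4 to installed_app_is_ocp4_node changes which scans evaluate this rule at all: a platform-level scan that previously reported a result for kubelet_anonymous_auth will now report it as not applicable. Make sure every profile that selects this rule is run as a node scan, and call the platform change out in the PR description, since it is a behavioral change beyond the optimization described there.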

xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth_worker is missing in new datastream.
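Review bot: dropping the _deprecated, _master and _worker variants from the datastream breaks any profile, tailoring file or ComplianceSuite that still selects them by id, and nothing in this diff carries those ids forward. Check that no profile in the repository still selects the _master or _worker ids, and either keep the _deprecated rule (it was presumably retained to give users a migration path) or document the removal in the PR so that the break is deliberate.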
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_authorization_mode'.
--- xccdf_org.ssgproject.content_rule_kubelet_authorization_mode
+++ xccdf_org.ssgproject.content_rule_kubelet_authorization_mode
@@ -12,10 +12,6 @@
 authorization:
   mode: Webhook
   ...
-
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
 
 [reference]:
 CIP-003-8 R6

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_authorization_mode' differs.
--- oval:ssg-kubelet_authorization_mode:def:1
+++ oval:ssg-kubelet_authorization_mode:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_authorization_mode_worker:def:1
-extend_definition oval:ssg-kubelet_authorization_mode_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_authorization_mode:tst:1

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_authorization_mode'
--- xccdf_org.ssgproject.content_rule_kubelet_authorization_mode
+++ xccdf_org.ssgproject.content_rule_kubelet_authorization_mode
@@ -1 +1 @@
-oval:ssg-installed_app_is_ocp4:def:1
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_authorization_mode_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_authorization_mode_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_authorization_mode_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca
@@ -15,10 +15,6 @@
   x509:
     clientCAFile: /etc/kubernetes/kubelet-ca.crt
 ...
-
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
 
 [reference]:
 CIP-003-8 R6

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca' differs.
--- oval:ssg-kubelet_configure_client_ca:def:1
+++ oval:ssg-kubelet_configure_client_ca:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_configure_client_ca_worker:def:1
-extend_definition oval:ssg-kubelet_configure_client_ca_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_configure_client_ca:tst:1

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca'
--- xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca
@@ -1 +1 @@
-oval:ssg-installed_app_is_ocp4:def:1
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation
@@ -23,8 +23,10 @@
         eventRecordQPS: 'xccdf_org.ssgproject.content_value_var_event_record_qps'
 
 [warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
+The MachineConfig Operator does not merge KubeletConfig
+objects, the last object is used instead. In case you need to
+set multiple options for kubelet, consider putting all the custom
+options into a single KubeletConfig object.
 
 [reference]:
 CIP-003-8 R6
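Review bot: the new [warning] about the MachineConfig Operator not merging KubeletConfig objects is added only for kubelet_configure_event_creation, while the other rules in this diff have the old warning removed with no replacement; since every kubelet remediation in this PR now ships a single KubeletConfig object, the same caveat applies to all of them, so either add the warning in the shared template or explain why only this rule needs it. Minor wording: "the last object is used instead" would read more clearly as "only the last object applied takes effect".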

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation' differs.
--- oval:ssg-kubelet_configure_event_creation:def:1
+++ oval:ssg-kubelet_configure_event_creation:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_configure_event_creation_worker:def:1
-extend_definition oval:ssg-kubelet_configure_event_creation_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_configure_event_creation:tst:1

kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation
@@ -1,18 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     eventRecordQPS: {{.var_event_record_qps}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    eventRecordQPS: {{.var_event_record_qps}}
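Review bot: with the metadata block removed, the remaining KubeletConfig object has no metadata.name and no machineConfigPoolSelector, so it is not a valid standalone object (oc apply rejects an object without a name) and the Compliance Operator must be injecting both before applying it. Document that dependency in the remediation, for example as a YAML comment, so that a user who copies this YAML out of the guide understands it cannot be applied by hand as shown.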

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation'
--- xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation
@@ -1 +1 @@
-
+oval:ssg-installed_app_is_ocp4_node:def:1
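Review bot: good, this rule previously had no platform at all (the removed line is empty), so it was evaluated on every scan type; it is now restricted to node scans. Check the other rules in this diff whose old platform line is empty (kubelet_eviction_thresholds_set_hard_imagefs_available is one) get the same treatment so no kubelet rule is left evaluated against the wrong scan.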

xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites'.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites
@@ -28,10 +28,6 @@
 In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex
 and var_kubelet_tls_cipher_suites have to be set
 
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
-
 [reference]:
 CIP-003-8 R6
 

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites' differs.
--- oval:ssg-kubelet_configure_tls_cipher_suites:def:1
+++ oval:ssg-kubelet_configure_tls_cipher_suites:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_configure_tls_cipher_suites_worker:def:1
-extend_definition oval:ssg-kubelet_configure_tls_cipher_suites_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_configure_tls_cipher_suites:tst:1

kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites
@@ -1,18 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     tlsCipherSuites: [{{.var_kubelet_tls_cipher_suites}}]
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    tlsCipherSuites: [{{.var_kubelet_tls_cipher_suites}}]

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites'
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites
@@ -1 +1 @@
-oval:ssg-installed_app_is_ocp4:def:1
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites_worker is missing in new datastream.
OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version' differs.
--- oval:ssg-kubelet_configure_tls_min_version:def:1
+++ oval:ssg-kubelet_configure_tls_min_version:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_configure_tls_min_version_worker:def:1
-extend_definition oval:ssg-kubelet_configure_tls_min_version_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_configure_tls_min_version:tst:1

kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version
@@ -1,18 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     tlsMinVersion: "{{.var_kubelet_tls_min_version}}"
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    tlsMinVersion: "{{.var_kubelet_tls_min_version}}"

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version'
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version
@@ -1 +1 @@
-oval:ssg-installed_app_is_ocp4:def:1
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version_worker is missing in new datastream.
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override'
--- xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override
+++ xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override
@@ -1 +1 @@
-oval:ssg-installed_app_is_ocp4:def:1
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation
@@ -10,10 +10,6 @@
 ...
 rotateCertificates: true
 ...
-
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
 
 [reference]:
 CIP-003-8 R6

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation' differs.
--- oval:ssg-kubelet_enable_cert_rotation:def:1
+++ oval:ssg-kubelet_enable_cert_rotation:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_enable_cert_rotation_worker:def:1
-extend_definition oval:ssg-kubelet_enable_cert_rotation_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_enable_cert_rotation:tst:1

OCIL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation' differs.
--- ocil:ssg-kubelet_enable_cert_rotation_ocil:questionnaire:1
+++ ocil:ssg-kubelet_enable_cert_rotation_ocil:questionnaire:1
@@ -1,5 +1,5 @@
 Run the following command on the kubelet node(s):
-$ sudo grep rotateCertificates /etc/kubernetes/kubelet.conf
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
 The output should return nothing or true.
       Is it the case that the kubelet cannot rotate client certificate?
       
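Review bot: the unchanged instruction "Run the following command on the kubelet node(s):" is now stale, because the replacement command uses oc get --raw against the API server and loops over every node from wherever oc is run, not on the nodes themselves; reword it to something like "Run the following command from a host with access to the cluster API:". The jq filter that sets .kind and .apiVersion also has no effect on the grep that follows; if it is kept for consistency with the other OCIL checks that is fine, but it could be reduced to '.kubeletconfig' here.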
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation'
--- xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation
@@ -1 +1 @@
-oval:ssg-installed_app_is_ocp4:def:1
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation
@@ -11,10 +11,6 @@
 ...
   RotateKubeletClientCertificate: true
 ...
-
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
 
 [reference]:
 CIP-003-8 R6

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation' differs.
--- oval:ssg-kubelet_enable_client_cert_rotation:def:1
+++ oval:ssg-kubelet_enable_client_cert_rotation:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_enable_client_cert_rotation_worker:def:1
-extend_definition oval:ssg-kubelet_enable_client_cert_rotation_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_enable_client_cert_rotation:tst:1

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation'
--- xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation
@@ -1 +1 @@
-oval:ssg-installed_app_is_ocp4:def:1
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains
@@ -10,10 +10,6 @@
 file /etc/kubernetes/kubelet.conf
 on the kubelet node(s) and set the below parameter:
 makeIPTablesUtilChains: true
-
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
 
 [reference]:
 CIP-003-8 R6

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains' differs.
--- oval:ssg-kubelet_enable_iptables_util_chains:def:1
+++ oval:ssg-kubelet_enable_iptables_util_chains:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_enable_iptables_util_chains_worker:def:1
-extend_definition oval:ssg-kubelet_enable_iptables_util_chains_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_enable_iptables_util_chains:tst:1

OCIL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains' differs.
--- ocil:ssg-kubelet_enable_iptables_util_chains_ocil:questionnaire:1
+++ ocil:ssg-kubelet_enable_iptables_util_chains_ocil:questionnaire:1
@@ -1,5 +1,5 @@
 Run the following command on the kubelet node(s):
-$ sudo grep makeIPTablesUtilChains /etc/kubernetes/kubelet.conf
+$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains 
 The output should return true.
       Is it the case that the kubelet cannot modify the firewall settings?
       
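Review bot: this OCIL uses ${NODE_NAME} without defining it, unlike the cert rotation OCIL in the same diff, which wraps the same command in a for loop over oc get nodes; either add the same loop or state that NODE_NAME must be set first, otherwise the command as written requests /api/v1/nodes//proxy/configz and fails. There is also trailing whitespace at the end of the added line.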
kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains
@@ -1,18 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     makeIPTablesUtilChains: true
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    makeIPTablesUtilChains: true

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains'
--- xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains
@@ -1 +1 @@
-oval:ssg-installed_app_is_ocp4:def:1
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation
@@ -8,10 +8,6 @@
 on the kubelet node(s) and set the below parameter:
 
 serverTLSBootstrap: true
-
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
 
 [reference]:
 CIP-003-8 R6

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation' differs.
--- oval:ssg-kubelet_enable_server_cert_rotation:def:1
+++ oval:ssg-kubelet_enable_server_cert_rotation:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_enable_server_cert_rotation_worker:def:1
-extend_definition oval:ssg-kubelet_enable_server_cert_rotation_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_enable_server_cert_rotation:tst:1

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation'
--- xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation
@@ -1 +1 @@
-oval:ssg-installed_app_is_ocp4:def:1
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections'.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections
@@ -19,10 +19,6 @@
             pools.operator.machineconfiguration.openshift.io/$pool_name: ""
     kubeletConfig:
         streamingConnectionIdleTimeout: 'xccdf_org.ssgproject.content_value_var_streaming_connection_timeouts'
-
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
 
 [reference]:
 CIP-003-8 R6

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections' differs.
--- oval:ssg-kubelet_enable_streaming_connections:def:1
+++ oval:ssg-kubelet_enable_streaming_connections:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_enable_streaming_connections_worker:def:1
-extend_definition oval:ssg-kubelet_enable_streaming_connections_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_enable_streaming_connections:tst:1

OCIL for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections' differs.
--- ocil:ssg-kubelet_enable_streaming_connections_ocil:questionnaire:1
+++ ocil:ssg-kubelet_enable_streaming_connections_ocil:questionnaire:1
@@ -1,5 +1,5 @@
 Run the following command on the kubelet node(s):
 $ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
-The output should return .
+The output should not return 0.
       Is it the case that the streaming connection timeouts are not disabled?
       
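Review bot: "The output should not return 0." is imprecise, because grep prints the whole key/value line (streamingConnectionIdleTimeout followed by a duration value), never a bare 0; reword it to say that the value of streamingConnectionIdleTimeout must not be 0, which is the setting that disables the idle timeout, so that it matches the question below about the timeouts not being disabled.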
kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections
@@ -1,18 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     streamingConnectionIdleTimeout: {{.var_streaming_connection_timeouts}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    streamingConnectionIdleTimeout: {{.var_streaming_connection_timeouts}}

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections'
--- xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections
+++ xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections
@@ -1 +1 @@
-oval:ssg-installed_app_is_ocp4:def:1
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available'.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available
@@ -30,10 +30,6 @@
               
 This rule pertains to the imagefs.available setting of the evictionHard
 section.
-
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
 
 [reference]:
 CIP-003-8 R6

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available' differs.
--- oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available:def:1
+++ oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker:def:1
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_available:tst:1

kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available
@@ -1,9 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionHard:
@@ -11,28 +8,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionPressureTransitionPeriod: 0s
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionHard:
-      imagefs.available: {{.var_kubelet_evictionhard_imagefs_available}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s
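Review bot: after this hunk the remediation still emits two separate KubeletConfig objects, one setting evictionHard and a second setting evictionPressureTransitionPeriod: 0s, which is exactly the pattern the warning added elsewhere in this PR says does not work, since the MachineConfig Operator does not merge KubeletConfig objects and only the last one is used. Fold evictionPressureTransitionPeriod into the same object as evictionHard so the remediation applies both settings.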

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available'
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available
@@ -1 +1 @@
-
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree'.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree
@@ -31,10 +31,6 @@
 This rule pertains to the imagefs.inodesFree setting of the evictionHard
 section.
 
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
-
 [reference]:
 CIP-003-8 R6
 
@@ -43,6 +39,12 @@
 
 [reference]:
 CIP-007-3 R6.1
+
+[reference]:
+CM-6
+
+[reference]:
+CM-6(1)
 
 [reference]:
 SRG-APP-000516-CTR-001325
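
Review bot: the `CM-6` and `CM-6(1)` references are added only in this rule's text; the other eviction-threshold rules in this diff just lose their warning block. If the NIST mapping is meant to apply to the whole family, the sibling rules need the same references, and if it is specific to `imagefs.inodesFree` a note on why would help reviewers.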

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree' differs.
--- oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree:def:1
+++ oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:def:1
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree:tst:1
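
Review bot: the AND of two role-scoped `extend_definition`s collapses into one `criterion` on `oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree:tst:1`, and `criteria None` shows the operator attribute is now unset (the default is AND, so this is fine, but an explicit operator would make the intent clear). Since the worker and master definitions are removed, the test must read the node-local kubelet configuration rather than either role file; please confirm the object it points at does that, as this diff only shows the definition level.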

kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree
@@ -1,9 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionHard:
@@ -11,28 +8,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionPressureTransitionPeriod: 0s
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionHard:
-      imagefs.inodesFree: {{.var_kubelet_evictionhard_imagefs_inodesfree}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree'
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree
@@ -1 +1 @@
-
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available'.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available
@@ -30,10 +30,6 @@
               
 This rule pertains to the memory.available setting of the evictionHard
 section.
-
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
 
 [reference]:
 CIP-003-8 R6

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available' differs.
--- oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available:def:1
+++ oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker:def:1
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_eviction_thresholds_set_hard_memory_available:tst:1

kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available
@@ -1,9 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionHard:
@@ -11,28 +8,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionPressureTransitionPeriod: 0s
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionHard:
-      memory.available: {{.var_kubelet_evictionhard_memory_available}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available'
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available
@@ -1 +1 @@
-
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available'.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available
@@ -30,10 +30,6 @@
               
 This rule pertains to the nodefs.available setting of the evictionHard
 section.
-
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
 
 [reference]:
 CIP-003-8 R6

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available' differs.
--- oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available:def:1
+++ oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker:def:1
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_available:tst:1

kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available
@@ -1,9 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionHard:
@@ -11,28 +8,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionPressureTransitionPeriod: 0s
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionHard:
-      nodefs.available: {{.var_kubelet_evictionhard_nodefs_available}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available'
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available
@@ -1 +1 @@
-
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree'.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree
@@ -30,10 +30,6 @@
               
 This rule pertains to the nodefs.inodesFree setting of the evictionHard
 section.
-
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
 
 [reference]:
 CIP-003-8 R6

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree' differs.
--- oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree:def:1
+++ oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:def:1
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree:tst:1

kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree
@@ -1,9 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionHard:
@@ -11,28 +8,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionPressureTransitionPeriod: 0s
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionHard:
-      nodefs.inodesFree: {{.var_kubelet_evictionhard_nodefs_inodesfree}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree'
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree
@@ -1 +1 @@
-
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available'.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available
@@ -31,10 +31,6 @@
 This rule pertains to the imagefs.available setting of the evictionSoft
 section.
 
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
-
 [reference]:
 CIP-003-8 R6
 

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available' differs.
--- oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available:def:1
+++ oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker:def:1
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_available:tst:1

kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available
@@ -1,9 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionSoft:
@@ -11,9 +8,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionSoftGracePeriod:
@@ -21,38 +15,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionPressureTransitionPeriod: 0s
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionSoft:
-      imagefs.available: {{.var_kubelet_evictionsoft_imagefs_available}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionSoftGracePeriod:
-      imagefs.available: "1m30s"
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available'
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available
@@ -1 +1 @@
-
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree'.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree
@@ -31,10 +31,6 @@
 This rule pertains to the imagefs.inodesFree setting of the evictionSoft
 section.
 
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
-
 [reference]:
 CIP-003-8 R6
 

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree' differs.
--- oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree:def:1
+++ oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:def:1
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree:tst:1

kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree
@@ -1,9 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionSoft:
@@ -11,9 +8,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionSoftGracePeriod:
@@ -21,38 +15,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionPressureTransitionPeriod: 0s
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionSoft:
-      imagefs.inodesFree: {{.var_kubelet_evictionsoft_imagefs_inodesfree}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionSoftGracePeriod:
-      imagefs.inodesFree: "1m30s"
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree'
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree
@@ -1 +1 @@
-
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available'.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available
@@ -31,10 +31,6 @@
 This rule pertains to the memory.available setting of the evictionSoft
 section.
 
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
-
 [reference]:
 CIP-003-8 R6
 

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available' differs.
--- oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available:def:1
+++ oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker:def:1
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_eviction_thresholds_set_soft_memory_available:tst:1

kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available
@@ -1,9 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionSoft:
@@ -11,9 +8,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionSoftGracePeriod:
@@ -21,38 +15,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionPressureTransitionPeriod: 0s
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionSoft:
-      memory.available: {{.var_kubelet_evictionsoft_memory_available}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionSoftGracePeriod:
-      memory.available: "1m30s"
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available'
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available
@@ -1 +1 @@
-
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available'.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available
@@ -31,10 +31,6 @@
 This rule pertains to the nodefs.available setting of the evictionSoft
 section.
 
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
-
 [reference]:
 CIP-003-8 R6
 

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available' differs.
--- oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available:def:1
+++ oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker:def:1
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_available:tst:1

kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available
@@ -1,9 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionSoft:
@@ -11,9 +8,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionSoftGracePeriod:
@@ -21,38 +15,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionPressureTransitionPeriod: 0s
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionSoft:
-      nodefs.available: {{.var_kubelet_evictionsoft_nodefs_available}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionSoftGracePeriod:
-      nodefs.available: "1m30s"
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available'
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available
@@ -1 +1 @@
-
+oval:ssg-installed_app_is_ocp4_node:def:1

xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree'.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree
@@ -31,10 +31,6 @@
 This rule pertains to the nodefs.inodesFree setting of the evictionSoft
 section.
 
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
-
 [reference]:
 CIP-003-8 R6
 

OVAL for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree' differs.
--- oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree:def:1
+++ oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree:def:1
@@ -1,3 +1,2 @@
-criteria AND
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:def:1
-extend_definition oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master:def:1
+criteria None
+criterion oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree:tst:1

kubernetes remediation for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree' differs.
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree
@@ -1,9 +1,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
 spec:
   kubeletConfig:
     evictionSoft:
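Review bot: dropping the whole metadata block leaves this KubeletConfig with no name and no indication of which MachineConfigPool it targets; the complianceascode.io/node-role annotation was the only thing that scoped it. Document, in the rule or in the macro that emits this, how the operator now derives the name and the pool selector for the node that produced the failing result, because without both the object cannot be applied.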
@@ -11,9 +8,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
 spec:
   kubeletConfig:
     evictionSoftGracePeriod:
@@ -21,38 +15,6 @@
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_master}}"
 spec:
   kubeletConfig:
     evictionPressureTransitionPeriod: 0s
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
-spec:
-  kubeletConfig:
-    evictionSoft:
-      nodefs.inodesFree: {{.var_kubelet_evictionsoft_nodefs_inodesfree}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
-spec:
-  kubeletConfig:
-    evictionSoftGracePeriod:
-      nodefs.inodesFree: "1m30s"
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-metadata:
-  annotations:
-    complianceascode.io/node-role: "{{.var_role_worker}}"
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s
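Review bot: the three worker-role documents removed here carried exactly the same settings as the master ones, so reducing to a single set is only correct if the operator applies the remaining documents to whichever pool the failing node belongs to; if it falls back to one default pool, worker nodes silently lose the nodefs.inodesFree soft-eviction remediation. Independently of that, evictionSoft, evictionSoftGracePeriod and evictionPressureTransitionPeriod are still emitted as three separate KubeletConfig objects split by ---; since the kubelet expects a grace period for every soft eviction signal, a single object carrying all three keys in one spec would be applied atomically and avoids a window where the threshold exists without its grace period.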

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree'
--- xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree
+++ xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree
@@ -1 +1 @@
-
+oval:ssg-installed_app_is_ocp4_node:def:1
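Review bot: tying the platform to oval:ssg-installed_app_is_ocp4_node:def:1 makes the rule notapplicable wherever that definition is false, including a Platform-type scan run against the API; that is the intended Node move, but the rule text diff above removes the only sentence that explained the scope, and any profile that relied on this rule in a platform scan needs its node-scan counterpart enabled to keep the coverage.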

xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master is missing in new datastream.
xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker is missing in new datastream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kubelet_read_only_port_secured'.
--- xccdf_org.ssgproject.content_rule_kubelet_read_only_port_secured
+++ xccdf_org.ssgproject.content_rule_kubelet_read_only_port_secured
@@ -4,10 +4,6 @@
 
 [description]:
 Disable the read-only port.
-
-[warning]:
-This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
-Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through "/api/v1/nodes/NODE_NAME/proxy/configz" true API endpoint to the local "/kubeletconfig/role/role" file.
 
 [reference]:
 CIP-003-
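Review bot: same warning removal as for the eviction rule, but this hunk is cut at "CIP-003-" by the diff trimming, so the remaining kubelet rules in this change cannot be reviewed from this output. Generate the full datastream diff locally and grep the kubelet rules for a leftover warnings key before merging; the follow-up commit referenced at the bottom of this page shows that at least one rule was missed.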

... The diff is trimmed here ...

@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Jun 12, 2023
@jan-cerny
Collaborator

@yuumasato @Vincent056 What is your plan?

@yuumasato
Member

@yuumasato @Vincent056 What is your plan?

This PR is tied to ComplianceAsCode/compliance-operator#292.
I think Vincent plans to update the operator's PR, and then this will get updated and unblocked too.

@xiaojiey
Collaborator

xiaojiey commented Aug 22, 2023

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Aug 22, 2023
@yuumasato
Member

/test help

@openshift-ci

openshift-ci bot commented Aug 24, 2023

@yuumasato: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test e2e-aws-ocp4-cis
  • /test e2e-aws-ocp4-cis-node
  • /test e2e-aws-ocp4-e8
  • /test e2e-aws-ocp4-high
  • /test e2e-aws-ocp4-high-node
  • /test e2e-aws-ocp4-moderate
  • /test e2e-aws-ocp4-moderate-node
  • /test e2e-aws-ocp4-pci-dss
  • /test e2e-aws-ocp4-pci-dss-node
  • /test e2e-aws-ocp4-stig
  • /test e2e-aws-ocp4-stig-node
  • /test e2e-aws-rhcos4-e8
  • /test e2e-aws-rhcos4-high
  • /test e2e-aws-rhcos4-moderate
  • /test e2e-aws-rhcos4-stig
  • /test images

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@yuumasato
Member

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node

shared/macros/10-kubernetes.jinja (resolved review thread)
check_existence: "all_exist"
values:
- value: "0"
operation: "not equal"
Member

Actually, item 4.2.8 from CIS v1.4.0 allows 0 or any appropriate value for the deployment.

But I think we should still use the variable var_event_record_qps to check, like it was done in rule kubelet_configure_event_creation_master. Because this will give more control over the actual event creation limit.

Member

Additionally, the limit is being bumped to 50 in OCP 4.14.
#10950

Contributor Author
@Vincent056 Vincent056 Aug 25, 2023

I will have this fixed to check the variable value instead

Contributor Author

fixed now

Member

@Vincent056 The rule was not updated to use the variable.

But following the discussion from kubelet_enable_streaming_connections, I think we can keep the rule as is now.
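The two checks argued over in this thread, as an added example that is not part of the PR or of the ComplianceAsCode content: a small Python script that evaluates the merged rule's "exists and not equal 0" test beside the variable-driven comparison proposed above, over constructed kubelet configuration documents. It assumes the JSON shape served by a node's /configz endpoint (KubeletConfiguration under a "kubeletconfig" key), and the equality comparison against var_event_record_qps is an assumption about how kubelet_configure_event_creation_master compares, not something taken from this page.

```python
"""Added example (not ComplianceAsCode or Compliance Operator code).

Compares two ways of checking the kubelet eventRecordQPS setting:
  1. the reviewed rule: the key must exist and must not be 0
  2. the variant suggested in review: the key must match an
     administrator-chosen variable (var_event_record_qps)

The sample documents below are constructed for this example and follow the
shape of a kubelet /configz dump, where the KubeletConfiguration sits under
the "kubeletconfig" key (assumption, not taken from the PR).
"""
import json

# Constructed sample kubelet config dumps, trimmed to the keys that matter.
# In the kubelet, eventRecordQPS of 0 means no limit on event creation.
SAMPLE_CONFIGZ = {
    "ok_default": json.dumps({"kubeletconfig": {"eventRecordQPS": 5}}),
    "unlimited": json.dumps({"kubeletconfig": {"eventRecordQPS": 0}}),
    "missing": json.dumps({"kubeletconfig": {"readOnlyPort": 0}}),
    "raised": json.dumps({"kubeletconfig": {"eventRecordQPS": 50}}),
}


def event_record_qps(configz_json: str):
    """Return the eventRecordQPS value, or None when the key is absent."""
    doc = json.loads(configz_json)
    return doc.get("kubeletconfig", {}).get("eventRecordQPS")


def check_not_zero(configz_json: str) -> bool:
    """Mirror of the reviewed rule snippet: check_existence all_exist plus
    value "0" with operation "not equal". A missing key fails, because the
    'all_exist' part demands that the key be present."""
    qps = event_record_qps(configz_json)
    return qps is not None and qps != 0


def check_against_variable(configz_json: str, var_event_record_qps: int) -> bool:
    """Variant suggested in the thread: compare against a variable so the
    profile author controls the exact limit. Equality is an assumed
    comparison; a site could equally choose 'at most'."""
    qps = event_record_qps(configz_json)
    return qps is not None and qps == var_event_record_qps


def evaluate_all(var_event_record_qps: int = 5) -> dict:
    """Run both checks over every constructed sample; returns a mapping of
    sample name to (not_zero_result, variable_result)."""
    return {
        name: (check_not_zero(doc), check_against_variable(doc, var_event_record_qps))
        for name, doc in SAMPLE_CONFIGZ.items()
    }


if __name__ == "__main__":
    for name, (not_zero, by_var) in evaluate_all().items():
        print(f"{name:12s} not_zero={not_zero!s:5s} matches_var={by_var}")
```

Note the "raised" sample: with the limit moved to 50 in newer releases, the "not equal 0" rule passes for both 5 and 50, while the variable-driven check only passes when the profile's variable has been updated to the new value, which is the extra control the thread is asking for.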


@Vincent056 Vincent056 force-pushed the kubelet_new_w branch 2 times, most recently from 1fe26c8 to a59bce5 Compare August 25, 2023 06:43
Contributor Author
@Vincent056 Vincent056 left a comment

Thanks for the review, I have all the issues addressed.

@Vincent056 Vincent056 force-pushed the kubelet_new_w branch 2 times, most recently from 6fafb36 to f5e29b2 Compare August 25, 2023 06:59
@Vincent056
Contributor Author

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-node

@Vincent056
Contributor Author

@yuumasato we need the latest CO image to run the e2e tests ComplianceAsCode/compliance-operator#390

@yuumasato
Member

/retest

@Vincent056
Contributor Author

/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-node

We made some optimizations in CO to scan the runtime KubeletConfig in a different way; this PR adapts those changes.

Resolve merge conflicts with the CIS 1.4.0 updates; also updated the kubelet_enable_server_cert_rotation rule for it.
@codeclimate

codeclimate bot commented Aug 28, 2023

Code Climate has analyzed commit e3586bd and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.3% (0.0% change).

View more on Code Climate.

Member
@yuumasato yuumasato left a comment

LGTM, thanks @Vincent056

@yuumasato yuumasato merged commit ceb9f9e into ComplianceAsCode:master Aug 29, 2023
30 of 34 checks passed
@Mab879 Mab879 added the Update Rule Issues or pull requests related to Rules updates. label Oct 12, 2023
montaguethomas added a commit to montaguethomas/content that referenced this pull request Nov 2, 2023
ComplianceAsCode#10464 did a major refactor of the kubelet rules to move them from running as the "Platform" checkType to "Node". This rule was missed when removing the `warnings` flag, which causes CO to consider the rule a Platform checkType.
BenoitGui pushed a commit to BenoitGui/content that referenced this pull request Jan 16, 2024
vojtapolasek pushed a commit to vojtapolasek/content that referenced this pull request Jan 16, 2024
sluetze pushed a commit to sig-bsi-grundschutz/content that referenced this pull request Jan 22, 2024