diff --git a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml index 41efcde4892..e55c2454e5e 100644 --- a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml +++ b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml @@ -2,14 +2,14 @@ documentation_complete: true prodtype: eks,ocp4 -platform: {{{ product }}} - {{%- if product == "eks" %}} {{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} {{%- else %}} {{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} {{%- endif %}} +platform: {{{ product }}}-node + title: 'Disable Anonymous Authentication to the Kubelet' description: |- @@ -52,10 +52,12 @@ ocil: |-
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done
The output should return
enabled: false
. -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - template: - name: kubelet_combine - + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.authentication.anonymous.enabled" + check_existence: "all_exist" + values: + - value: "false" + operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_anonymous_auth_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_anonymous_auth_deprecated/rule.yml deleted file mode 100644 index 06cb2873bf9..00000000000 --- a/applications/openshift/kubelet/kubelet_anonymous_auth_deprecated/rule.yml +++ /dev/null @@ -1,59 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}}-node - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'Disable Anonymous Authentication to the Kubelet' - -description: |- - By default, anonymous access to the Kubelet server is enabled. This - configuration check ensures that anonymous requests to the Kubelet - server are disabled. Edit the Kubelet server configuration file - {{{ kubeletconf_path }}} on the kubelet node(s) - and set the below parameter: -
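Review bot: The new `filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'` with `check_existence: "all_exist"` is combined with the unchanged `prodtype: eks,ocp4` and the new `platform: {{{ product }}}-node`, so the eks rendering of this rule now reads a path that looks specific to the OpenShift Compliance Operator; if that file is not present on EKS nodes the check fails by construction instead of evaluating the kubelet setting. Either drop eks from `prodtype` or keep a product-conditional `filepath: {{{ kubeletconf_path }}}` for that branch (the `kubeletconf_path` variable the hunk keeps is now only used in the description text). The same pattern appears in the template hunks of kubelet_authorization_mode/rule.yml and kubelet_configure_client_ca/rule.yml. The ocil in the context lines still audits through `oc get --raw .../proxy/configz` while the check reads a node-local file; a sentence in the description naming which component writes that file and when it is refreshed would let a reader reconcile the two.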
-    authentication:
-      ...
-      anonymous:
-        enabled: false
-      ...
-    
- -rationale: |- - When enabled, requests that are not rejected by other configured - authentication methods are treated as anonymous requests. These - requests are then served by the Kubelet server. OpenShift Operators should - rely on authentication to authorize access and disallow anonymous - requests. - -severity: medium - -references: - cis@eks: 3.2.1 - cis@ocp4: 4.2.1 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: 'anonymous authentication is not set to false' - -ocil: |- - Run the following command on the kubelet node(s): -
$ sudo grep -A1 anonymous {{{ kubeletconf_path }}}
- The output should return
enabled: false
. - -template: - name: yamlfile_value - vars: - filepath: {{{ kubeletconf_path }}} - yamlpath: ".authentication.anonymous.enabled" - values: - - value: "false" - operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_anonymous_auth_master/rule.yml b/applications/openshift/kubelet/kubelet_anonymous_auth_master/rule.yml deleted file mode 100644 index 27d6802dd9f..00000000000 --- a/applications/openshift/kubelet/kubelet_anonymous_auth_master/rule.yml +++ /dev/null @@ -1,62 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'Disable Anonymous Authentication to the Kubelet' - -description: |- - By default, anonymous access to the Kubelet server is enabled. This - configuration check ensures that anonymous requests to the Kubelet - server are disabled. Edit the Kubelet server configuration file - {{{ kubeletconf_path }}} on the kubelet node(s) - and set the below parameter: -
-    authentication:
-      ...
-      anonymous:
-        enabled: false
-      ...
-    
- -rationale: |- - When enabled, requests that are not rejected by other configured - authentication methods are treated as anonymous requests. These - requests are then served by the Kubelet server. OpenShift Operators should - rely on authentication to authorize access and disallow anonymous - requests. - -severity: medium - -references: - cis@eks: 3.2.1 - cis@ocp4: 4.2.1 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: 'anonymous authentication is not set to false' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done
- The output should return
enabled: false
. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".authentication.anonymous.enabled" - check_existence: "all_exist" - values: - - value: "false" - operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_anonymous_auth_worker/rule.yml b/applications/openshift/kubelet/kubelet_anonymous_auth_worker/rule.yml deleted file mode 100644 index 8ad93574ebc..00000000000 --- a/applications/openshift/kubelet/kubelet_anonymous_auth_worker/rule.yml +++ /dev/null @@ -1,62 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'Disable Anonymous Authentication to the Kubelet' - -description: |- - By default, anonymous access to the Kubelet server is enabled. This - configuration check ensures that anonymous requests to the Kubelet - server are disabled. Edit the Kubelet server configuration file - {{{ kubeletconf_path }}} on the kubelet node(s) - and set the below parameter: -
-    authentication:
-      ...
-      anonymous:
-        enabled: false
-      ...
-    
- -rationale: |- - When enabled, requests that are not rejected by other configured - authentication methods are treated as anonymous requests. These - requests are then served by the Kubelet server. OpenShift Operators should - rely on authentication to authorize access and disallow anonymous - requests. - -severity: medium - -references: - cis@eks: 3.2.1 - cis@ocp4: 4.2.1 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: 'anonymous authentication is not set to false' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done
- The output should return
enabled: false
. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".authentication.anonymous.enabled" - check_existence: "all_exist" - values: - - value: "false" - operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_authorization_mode/rule.yml b/applications/openshift/kubelet/kubelet_authorization_mode/rule.yml index f9af77deb7f..e1a1a32e519 100644 --- a/applications/openshift/kubelet/kubelet_authorization_mode/rule.yml +++ b/applications/openshift/kubelet/kubelet_authorization_mode/rule.yml @@ -2,14 +2,14 @@ documentation_complete: true prodtype: eks,ocp4 -platform: {{{ product }}} - {{%- if product == "eks" %}} {{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} {{%- else %}} {{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} {{%- endif %}} +platform: {{{ product }}}-node + title: 'Ensure authorization is set to Webhook' description: |- @@ -31,7 +31,6 @@ rationale: |- identifiers: cce@ocp4: CCE-83593-4 - severity: medium references: @@ -49,10 +48,12 @@ ocil: |- Verify that the output is not set to mode: AlwaysAllow, or missing (defaults to mode: Webhook). -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - - template: - name: kubelet_combine + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.authorization.mode" + check_existence: "all_exist" + values: + - value: "AlwaysAllow" + operation: "not equal" diff --git a/applications/openshift/kubelet/kubelet_authorization_mode_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_authorization_mode_deprecated/rule.yml deleted file mode 100644 index f9feca53cc4..00000000000 --- a/applications/openshift/kubelet/kubelet_authorization_mode_deprecated/rule.yml +++ /dev/null 
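Review bot: `check_existence: "all_exist"` together with `operation: "not equal"` against `"AlwaysAllow"` makes an absent `.kubeletconfig.authorization.mode` key a failure, yet the ocil context just above states that a missing value is acceptable because it defaults to `mode: Webhook`; the deleted kubelet_authorization_mode_deprecated rule used `check_existence: "any_exist"` for exactly that case. If the dumped openscap-kubeletconfig always carries the effective value, `all_exist` is correct and the ocil should drop "or missing (defaults to mode: Webhook)"; otherwise change the line to `check_existence: "any_exist"`. Either way the rule text and the OVAL existence condition should agree, since a reader of the ocil would otherwise expect a pass that the check does not give.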
@@ -1,56 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}}-node - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'Ensure authorization is set to Webhook' - -description: |- - Unauthenticated/unauthorized users should have no access to OpenShift nodes. - The Kubelet should be set to only allow Webhook authorization. - To ensure that the Kubelet requires authorization, - validate that authorization is configured to Webhook - in {{{ kubeletconf_path }}}: -
-    authorization:
-      mode: Webhook
-      ...
-    
- -rationale: |- - Ensuring that the authorization is configured correctly helps enforce that - unauthenticated/unauthorized users have no access to OpenShift nodes. - -severity: medium - -references: - cis@eks: 3.2.2 - cis@ocp4: 4.2.2 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: 'authorization-mode is not configured to Webhook' - -ocil: |- - Run the following command on the kubelet node(s): -
$ sudo grep -A1 authorization {{{ kubeletconf_path }}}
- Verify that the output is not set to mode: AlwaysAllow, or missing - (defaults to mode: Webhook). - -template: - name: yamlfile_value - vars: - filepath: {{{ kubeletconf_path }}} - yamlpath: ".authorization.mode" - check_existence: "any_exist" - values: - - value: "AlwaysAllow" - operation: "not equal" diff --git a/applications/openshift/kubelet/kubelet_authorization_mode_master/rule.yml b/applications/openshift/kubelet/kubelet_authorization_mode_master/rule.yml deleted file mode 100644 index 70ea53eb6d0..00000000000 --- a/applications/openshift/kubelet/kubelet_authorization_mode_master/rule.yml +++ /dev/null @@ -1,59 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'Ensure authorization is set to Webhook' - -description: |- - Unauthenticated/unauthorized users should have no access to OpenShift nodes. - The Kubelet should be set to only allow Webhook authorization. - To ensure that the Kubelet requires authorization, - validate that authorization is configured to Webhook - in {{{ kubeletconf_path }}}: -
-    authorization:
-      mode: Webhook
-      ...
-    
- -rationale: |- - Ensuring that the authorization is configured correctly helps enforce that - unauthenticated/unauthorized users have no access to OpenShift nodes. - -severity: medium - -references: - cis@eks: 3.2.2 - cis@ocp4: 4.2.2 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: 'authorization-mode is not configured to Webhook' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done
- Verify that the output is not set to mode: AlwaysAllow, or missing - (defaults to mode: Webhook). - - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".authorization.mode" - check_existence: "all_exist" - values: - - value: "AlwaysAllow" - operation: "not equal" diff --git a/applications/openshift/kubelet/kubelet_authorization_mode_worker/rule.yml b/applications/openshift/kubelet/kubelet_authorization_mode_worker/rule.yml deleted file mode 100644 index 298aa954326..00000000000 --- a/applications/openshift/kubelet/kubelet_authorization_mode_worker/rule.yml +++ /dev/null @@ -1,59 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'Ensure authorization is set to Webhook' - -description: |- - Unauthenticated/unauthorized users should have no access to OpenShift nodes. - The Kubelet should be set to only allow Webhook authorization. - To ensure that the Kubelet requires authorization, - validate that authorization is configured to Webhook - in {{{ kubeletconf_path }}}: -
-    authorization:
-      mode: Webhook
-      ...
-    
- -rationale: |- - Ensuring that the authorization is configured correctly helps enforce that - unauthenticated/unauthorized users have no access to OpenShift nodes. - -severity: medium - -references: - cis@eks: 3.2.2 - cis@ocp4: 4.2.2 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: 'authorization-mode is not configured to Webhook' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done
- Verify that the output is not set to mode: AlwaysAllow, or missing - (defaults to mode: Webhook). - - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".authorization.mode" - check_existence: "all_exist" - values: - - value: "AlwaysAllow" - operation: "not equal" diff --git a/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml b/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml index 29f7f4035af..a505a8debf7 100644 --- a/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml +++ b/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml @@ -2,12 +2,11 @@ documentation_complete: true prodtype: eks,ocp4 -platform: {{{ product }}} - {{%- if product == "eks" %}} {{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} {{%- set ca_path = "/etc/kubernetes/pki/ca.crt" %}} {{%- else %}} +platform: ocp4-node {{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} {{%- set ca_path = "/etc/kubernetes/kubelet-ca.crt" %}} {{%- endif %}} @@ -54,10 +53,12 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - - template: - name: kubelet_combine + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.authentication.x509.clientCAFile" + check_existence: "all_exist" + values: + - value: "{{{ ca_path}}}" + operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_configure_client_ca_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_configure_client_ca_deprecated/rule.yml deleted file mode 100644 index 8ccecf1aa88..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_client_ca_deprecated/rule.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}}-node - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- set ca_path = "/etc/kubernetes/pki/ca.crt" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- set ca_path = "/etc/kubernetes/kubelet-ca.crt" %}} -{{%- endif %}} - -title: 'kubelet - Configure the Client CA Certificate' - -description: |- - By default, the kubelet is not configured with a CA certificate which - can subject the kubelet to man-in-the-middle attacks. - - To configure a client CA certificate, edit the kubelet configuration - file {{{ kubeletconf_path }}} - on the kubelet node(s) and set the below parameter: -
-    authentication:
-    ...
-      x509:
-        clientCAFile: {{{ ca_path}}}
-    ...
-    
- -rationale: |- - Not having a CA certificate for the kubelet will subject the kubelet to possible - man-in-the-middle attacks especially on unsafe or untrusted networks. - Certificate validation for the kubelet allows the API server to validate - the kubelet's identity. - -severity: medium - -ocil_clause: 'no client CA certificate has been configured' - -ocil: |- - Run the following command on the kubelet node(s): -
$ sudo grep -A1 x509 {{{ kubeletconf_path }}}
- The output should contain a configured certificate like {{{ ca_path}}}. - -references: - cis@eks: 3.2.3 - cis@ocp4: 4.2.3 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - filepath: {{{ kubeletconf_path }}} - yamlpath: ".authentication.x509.clientCAFile" - values: - - value: "{{{ ca_path}}}" - operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_configure_client_ca_master/rule.yml b/applications/openshift/kubelet/kubelet_configure_client_ca_master/rule.yml deleted file mode 100644 index 6626a63bd53..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_client_ca_master/rule.yml +++ /dev/null @@ -1,64 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- set ca_path = "/etc/kubernetes/pki/ca.crt" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- set ca_path = "/etc/kubernetes/kubelet-ca.crt" %}} -{{%- endif %}} - -title: 'kubelet - Configure the Client CA Certificate' - -description: |- - By default, the kubelet is not configured with a CA certificate which - can subject the kubelet to man-in-the-middle attacks. - - To configure a client CA certificate, edit the kubelet configuration - file {{{ kubeletconf_path }}} - on the kubelet node(s) and set the below parameter: -
-    authentication:
-    ...
-      x509:
-        clientCAFile: {{{ ca_path}}}
-    ...
-    
- -rationale: |- - Not having a CA certificate for the kubelet will subject the kubelet to possible - man-in-the-middle attacks especially on unsafe or untrusted networks. - Certificate validation for the kubelet allows the API server to validate - the kubelet's identity. - -severity: medium - -ocil_clause: 'no client CA certificate has been configured' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done
- The output should contain a configured certificate like {{{ ca_path}}}. - -references: - cis@eks: 3.2.3 - cis@ocp4: 4.2.3 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".authentication.x509.clientCAFile" - check_existence: "all_exist" - values: - - value: "{{{ ca_path}}}" - operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_configure_client_ca_worker/rule.yml b/applications/openshift/kubelet/kubelet_configure_client_ca_worker/rule.yml deleted file mode 100644 index 2f444fe1291..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_client_ca_worker/rule.yml +++ /dev/null @@ -1,64 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- set ca_path = "/etc/kubernetes/pki/ca.crt" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- set ca_path = "/etc/kubernetes/kubelet-ca.crt" %}} -{{%- endif %}} - -title: 'kubelet - Configure the Client CA Certificate' - -description: |- - By default, the kubelet is not configured with a CA certificate which - can subject the kubelet to man-in-the-middle attacks. - - To configure a client CA certificate, edit the kubelet configuration - file {{{ kubeletconf_path }}} - on the kubelet node(s) and set the below parameter: -
-    authentication:
-    ...
-      x509:
-        clientCAFile: {{{ ca_path}}}
-    ...
-    
- -rationale: |- - Not having a CA certificate for the kubelet will subject the kubelet to possible - man-in-the-middle attacks especially on unsafe or untrusted networks. - Certificate validation for the kubelet allows the API server to validate - the kubelet's identity. - -severity: medium - -ocil_clause: 'no client CA certificate has been configured' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done
- The output should contain a configured certificate like {{{ ca_path}}}. - -references: - cis@eks: 3.2.3 - cis@ocp4: 4.2.3 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".authentication.x509.clientCAFile" - check_existence: "all_exist" - values: - - value: "{{{ ca_path}}}" - operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_configure_event_creation/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_configure_event_creation/kubernetes/shared.yml index b87851525b2..ce7b35f0d04 100644 --- a/applications/openshift/kubelet/kubelet_configure_event_creation/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_configure_event_creation/kubernetes/shared.yml @@ -1,5 +1,3 @@ --- # platform = multi_platform_ocp -{{{ kubelet_config_fixed(path='kubeletConfig',parameter='eventRecordQPS', value='{{.var_event_record_qps}}', role='var_role_worker') }}} ---- -{{{ kubelet_config_fixed(path='kubeletConfig',parameter='eventRecordQPS', value='{{.var_event_record_qps}}', role='var_role_master') }}} +{{{ kubelet_config_fixed(path='kubeletConfig',parameter='eventRecordQPS', value='{{.var_event_record_qps}}') }}} diff --git a/applications/openshift/kubelet/kubelet_configure_event_creation/rule.yml b/applications/openshift/kubelet/kubelet_configure_event_creation/rule.yml index 0852c9a1535..59d45638f0c 100644 --- a/applications/openshift/kubelet/kubelet_configure_event_creation/rule.yml +++ b/applications/openshift/kubelet/kubelet_configure_event_creation/rule.yml @@ -2,6 +2,8 @@ documentation_complete: true prodtype: ocp4 +platform: ocp4-node + title: 'Kubelet - Ensure Event Creation Is Configured' description: |- 
@@ -56,9 +58,15 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - +# This check ensures that the option is not left defaulted in the config. The +# default of 5 might be sufficient for a deployment; here the point is to check +# that at least _some_ value has been considered. template: - name: kubelet_combine + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.eventRecordQPS" + check_existence: "all_exist" + values: + - value: "0" + operation: "not equal" diff --git a/applications/openshift/kubelet/kubelet_configure_event_creation/tests/match.pass.sh b/applications/openshift/kubelet/kubelet_configure_event_creation/tests/match.pass.sh index 5fb002427f7..b84b1d4335e 100644 --- a/applications/openshift/kubelet/kubelet_configure_event_creation/tests/match.pass.sh +++ b/applications/openshift/kubelet/kubelet_configure_event_creation/tests/match.pass.sh 
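Review bot: The added comment says the check "ensures that the option is not left defaulted", but the template asserts only `value: "0"` with `operation: "not equal"`; a configuration that leaves `eventRecordQPS` unset and is dumped with the kubelet default of 5 passes, so the comment describes a stronger check than the one written. Either reword it, e.g. `# This check only ensures eventRecordQPS is not 0 (no rate limit); the kubelet default of 5 passes.`, or, if the intent really is "explicitly set", that needs a different condition than `check_existence: "all_exist"` on the dumped file. Whether the dumped openscap-kubeletconfig includes defaults for unset options is not visible in this hunk, so the comment should not promise behaviour that depends on it.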
@@ -1,459 +1,8 @@ #!/bin/bash # remediation = none -kube_apipath="/kubernetes-api-resources" -ocp_apipath="/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver" -api_path_worker="/kubeletconfig/role/worker" -api_path_master="/kubeletconfig/role/master" +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" -mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusteroperators/" -mkdir -p "$kube_apipath/kubeletconfig/role" - -cat << EOF > $kube_apipath$ocp_apipath -{ - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterOperator", - "metadata":{ - "annotations":{ - "exclude.release.openshift.io/internal-openshift-hosted":"true", - "include.release.openshift.io/self-managed-high-availability":"true", - "include.release.openshift.io/single-node-developer":"true" - }, - "creationTimestamp":"2022-08-10T00:56:27Z", - "generation":1, - "name":"openshift-apiserver", - "ownerReferences":[ - { - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterVersion", - "name":"version", - "uid":"c28a5c07-152f-4fec-b51e-c53f64585841" - } - ], - "resourceVersion":"26181", - "uid":"f8b3e53e-fe06-466e-9842-2cad5ef1659f" - }, - "spec":{ - - }, - "status":{ - "conditions":[ - { - "lastTransitionTime":"2022-08-10T01:03:54Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Degraded" - }, - { - "lastTransitionTime":"2022-08-10T01:11:26Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Progressing" - }, - { - "lastTransitionTime":"2022-08-10T01:14:55Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Available" - }, - { - "lastTransitionTime":"2022-08-10T01:01:44Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Upgradeable" - } - ], - "extension":null, - "relatedObjects":[ - { - "group":"operator.openshift.io", - "name":"cluster", - "resource":"openshiftapiservers" - }, - { - "group":"", - 
"name":"openshift-config", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-config-managed", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-etcd-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"host-etcd-2", - "namespace":"openshift-etcd", - "resource":"endpoints" - }, - { - "group":"controlplane.operator.openshift.io", - "name":"", - "namespace":"openshift-apiserver", - "resource":"podnetworkconnectivitychecks" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.apps.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.authorization.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.build.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.image.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.project.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.quota.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.route.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.security.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.template.openshift.io", - "resource":"apiservices" - } - ], - "versions":[ - { - "name":"operator", - "version":"4.11.0-0.ci-2022-08-08-193848" - }, - { - "name":"openshift-apiserver", - "version":"4.11.0-0.ci-2022-08-08-193848" - } - ] - } -} -EOF - -cat << EOF > $kube_apipath$api_path_worker -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - 
"httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - 
"kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "15%", - "memory.available": "100Mi", - "nodefs.available": "15%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} -EOF - - -cat << EOF > $kube_apipath$api_path_master -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - "httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - 
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "15%", - "memory.available": "100Mi", - "nodefs.available": "15%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - 
"enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig 
+{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":5,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionHard":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","n
odefs.available":"10%","nodefs.inodesFree":"5%"},"evictionSoft":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","nodefs.available":"10%","nodefs.inodesFree":"5%"},"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChains":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} EOF diff --git a/applications/openshift/kubelet/kubelet_configure_event_creation/tests/nomatch.fail.sh b/applications/openshift/kubelet/kubelet_configure_event_creation/tests/nomatch.fail.sh index f4a044b8a59..ce3c83159be 100644 --- a/applications/openshift/kubelet/kubelet_configure_event_creation/tests/nomatch.fail.sh +++ b/applications/openshift/kubelet/kubelet_configure_event_creation/tests/nomatch.fail.sh 
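Review bot: The fixture is written to `.../openscap-kubeletconfig/openscap-kubeletconfig`, one directory level deeper than the `filepath` the rewritten rule.yml reads (`/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig`); if the template resolves the path that way on purpose, a comment above the `mkdir -p` saying so would stop the next reader from flagging it as a typo, and if not, one of the two paths is wrong and the pass test may not be exercising the rule at all. The one field this script exercises is buried in a single-line JSON document of several hundred keys, so a comment before the heredoc such as `# eventRecordQPS is 5 (the kubelet default), so the "not equal 0" check must pass` would make the intent reviewable; nomatch.fail.sh (next hunk) needs the matching `# eventRecordQPS is 0 (unlimited), so the check must fail`. The nomatch.fail.sh fixture also omits the evictionHard/evictionSoft block that this one carries, so the pair differs in more than the field under test; keeping the two fixtures identical apart from eventRecordQPS would make the fail result attributable to that field alone.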
@@ -1,459 +1,8 @@ #!/bin/bash # remediation = none -kube_apipath="/kubernetes-api-resources" -ocp_apipath="/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver" -api_path_worker="/kubeletconfig/role/worker" -api_path_master="/kubeletconfig/role/master" +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" -mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusteroperators/" -mkdir -p "$kube_apipath/kubeletconfig/role" - -cat << EOF > $kube_apipath$ocp_apipath -{ - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterOperator", - "metadata":{ - "annotations":{ - "exclude.release.openshift.io/internal-openshift-hosted":"true", - "include.release.openshift.io/self-managed-high-availability":"true", - "include.release.openshift.io/single-node-developer":"true" - }, - "creationTimestamp":"2022-08-10T00:56:27Z", - "generation":1, - "name":"openshift-apiserver", - "ownerReferences":[ - { - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterVersion", - "name":"version", - "uid":"c28a5c07-152f-4fec-b51e-c53f64585841" - } - ], - "resourceVersion":"26181", - "uid":"f8b3e53e-fe06-466e-9842-2cad5ef1659f" - }, - "spec":{ - - }, - "status":{ - "conditions":[ - { - "lastTransitionTime":"2022-08-10T01:03:54Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Degraded" - }, - { - "lastTransitionTime":"2022-08-10T01:11:26Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Progressing" - }, - { - "lastTransitionTime":"2022-08-10T01:14:55Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Available" - }, - { - "lastTransitionTime":"2022-08-10T01:01:44Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Upgradeable" - } - ], - "extension":null, - "relatedObjects":[ - { - "group":"operator.openshift.io", - "name":"cluster", - "resource":"openshiftapiservers" - }, - { - "group":"", - 
"name":"openshift-config", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-config-managed", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-etcd-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"host-etcd-2", - "namespace":"openshift-etcd", - "resource":"endpoints" - }, - { - "group":"controlplane.operator.openshift.io", - "name":"", - "namespace":"openshift-apiserver", - "resource":"podnetworkconnectivitychecks" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.apps.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.authorization.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.build.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.image.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.project.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.quota.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.route.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.security.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.template.openshift.io", - "resource":"apiservices" - } - ], - "versions":[ - { - "name":"operator", - "version":"4.11.0-0.ci-2022-08-08-193848" - }, - { - "name":"openshift-apiserver", - "version":"4.11.0-0.ci-2022-08-08-193848" - } - ] - } -} -EOF - -cat << EOF > $kube_apipath$api_path_worker -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - 
"httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 10, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "6m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - 
"kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "15%", - "memory.available": "100Mi", - "nodefs.available": "15%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} -EOF - - -cat << EOF > $kube_apipath$api_path_master -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - "httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - 
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "15%", - "memory.available": "100Mi", - "nodefs.available": "15%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - 
"enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig 
+{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":0,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilCha
ins":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} EOF diff --git a/applications/openshift/kubelet/kubelet_configure_event_creation/tests/ocp4/e2e.yml b/applications/openshift/kubelet/kubelet_configure_event_creation/tests/ocp4/e2e.yml index 4c241e3f580..b49fd368b98 100644 --- a/applications/openshift/kubelet/kubelet_configure_event_creation/tests/ocp4/e2e.yml +++ b/applications/openshift/kubelet/kubelet_configure_event_creation/tests/ocp4/e2e.yml @@ -1,4 +1,2 @@ --- -# This rule fails by default on 4.13, and passes by default on 4.14 -default_result: FAIL -result_after_remediation: PASS +default_result: PASS diff --git a/applications/openshift/kubelet/kubelet_configure_event_creation_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_configure_event_creation_deprecated/rule.yml deleted file mode 100644 index 5a00c3e36bf..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_event_creation_deprecated/rule.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -platform: ocp4-node - -title: 'Kubelet - Ensure Event Creation Is Configured' - -description: |- - Security relevant information should be captured. The eventRecordQPS - Kubelet option can be used to limit the rate at which events are gathered. - Setting this too low could result in relevant events not being logged, - however the unlimited setting of 0 could result in a denial of service on - the kubelet. Processing and storage systems should be scaled to handle the - expected event load. To set the eventRecordQPS option for the kubelet, - create a KubeletConfig option along these lines: -
-    apiVersion: machineconfiguration.openshift.io/v1
-    kind: KubeletConfig
-    metadata:
-       name: kubelet-config-$pool
-    spec:
-        machineConfigPoolSelector:
-            matchLabels:
-                pools.operator.machineconfiguration.openshift.io/$pool_name: ""
-        kubeletConfig:
-            eventRecordQPS: {{{ xccdf_value("var_event_record_qps") }}}
-    
- - -warnings: - - functionality: |- - The MachineConfig Operator does not merge KubeletConfig - objects, the last object is used instead. In case you need to - set multiple options for kubelet, consider putting all the custom - options into a single KubeletConfig object. - -rationale: |- - It is important to capture all events and not restrict event creation. - Events are an important source of security information and analytics that - ensure that your environment is consistently monitored using the event - data. - -severity: medium - - -ocil_clause: 'event creation limits are not configured' - -ocil: |- - Run the following command on the kubelet node(s): -
$ sudo grep eventRecordQPS /etc/kubernetes/kubelet.conf
- The output should return {{{ xccdf_value("var_event_record_qps") }}}. - -references: - cis@ocp4: 4.2.9 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -# This check ensures that the option is not left defaulted in the config. The -# default of 5 might be sufficient for a deployment; here the point is to check -# that at least _some_ value has been considered. -template: - name: yamlfile_value - vars: - filepath: /etc/kubernetes/kubelet.conf - yamlpath: ".eventRecordQPS" - values: - - value: 0 - type: int - operation: "greater than or equal" diff --git a/applications/openshift/kubelet/kubelet_configure_event_creation_master/rule.yml b/applications/openshift/kubelet/kubelet_configure_event_creation_master/rule.yml deleted file mode 100644 index 807e99bd4d3..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_event_creation_master/rule.yml +++ /dev/null @@ -1,69 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -title: 'Kubelet - Ensure Event Creation Is Configured' - -description: |- - Security relevant information should be captured. The eventRecordQPS - Kubelet option can be used to limit the rate at which events are gathered. - Setting this too low could result in relevant events not being logged, - however the unlimited setting of 0 could result in a denial of service on - the kubelet. Processing and storage systems should be scaled to handle the - expected event load. To set the eventRecordQPS option for the kubelet, - create a KubeletConfig option along these lines: -
-    apiVersion: machineconfiguration.openshift.io/v1
-    kind: KubeletConfig
-    metadata:
-       name: kubelet-config-$pool
-    spec:
-        machineConfigPoolSelector:
-            matchLabels:
-                pools.operator.machineconfiguration.openshift.io/$pool_name: ""
-        kubeletConfig:
-            eventRecordQPS: {{{ xccdf_value("var_event_record_qps") }}}
-    
- - -warnings: - - functionality: |- - The MachineConfig Operator does not merge KubeletConfig - objects, the last object is used instead. In case you need to - set multiple options for kubelet, consider putting all the custom - options into a single KubeletConfig object. - -rationale: |- - It is important to capture all events and not restrict event creation. - Events are an important source of security information and analytics that - ensure that your environment is consistently monitored using the event - data. - -severity: medium - -ocil_clause: 'event creation limits are not configured' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep eventRecordQPS; done
- The output should return {{{ xccdf_value("var_event_record_qps") }}}. - -references: - cis@ocp4: 4.2.9 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -# This check ensures that the option is not left defaulted in the config. The -# default of 5 might be sufficient for a deployment; here the point is to check -# that at least _some_ value has been considered. -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".eventRecordQPS" - check_existence: "all_exist" - xccdf_variable: var_event_record_qps - diff --git a/applications/openshift/kubelet/kubelet_configure_event_creation_worker/rule.yml b/applications/openshift/kubelet/kubelet_configure_event_creation_worker/rule.yml deleted file mode 100644 index 105a8e51185..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_event_creation_worker/rule.yml +++ /dev/null @@ -1,69 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -title: 'Kubelet - Ensure Event Creation Is Configured' - -description: |- - Security relevant information should be captured. The eventRecordQPS - Kubelet option can be used to limit the rate at which events are gathered. - Setting this too low could result in relevant events not being logged, - however the unlimited setting of 0 could result in a denial of service on - the kubelet. Processing and storage systems should be scaled to handle the - expected event load. To set the eventRecordQPS option for the kubelet, - create a KubeletConfig option along these lines: -
-    apiVersion: machineconfiguration.openshift.io/v1
-    kind: KubeletConfig
-    metadata:
-       name: kubelet-config-$pool
-    spec:
-        machineConfigPoolSelector:
-            matchLabels:
-                pools.operator.machineconfiguration.openshift.io/$pool_name: ""
-        kubeletConfig:
-            eventRecordQPS: {{{ xccdf_value("var_event_record_qps") }}}
-    
- - -warnings: - - functionality: |- - The MachineConfig Operator does not merge KubeletConfig - objects, the last object is used instead. In case you need to - set multiple options for kubelet, consider putting all the custom - options into a single KubeletConfig object. - -rationale: |- - It is important to capture all events and not restrict event creation. - Events are an important source of security information and analytics that - ensure that your environment is consistently monitored using the event - data. - -severity: medium - -ocil_clause: 'event creation limits are not configured' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep eventRecordQPS; done
- The output should return {{{ xccdf_value("var_event_record_qps") }}}. - -references: - cis@ocp4: 4.2.9 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -# This check ensures that the option is not left defaulted in the config. The -# default of 5 might be sufficient for a deployment; here the point is to check -# that at least _some_ value has been considered. -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".eventRecordQPS" - check_existence: "all_exist" - xccdf_variable: var_event_record_qps - diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/kubernetes/shared.yml index b3d37411d7d..9b487f16d07 100644 --- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/kubernetes/shared.yml @@ -2,18 +2,6 @@ # platform = multi_platform_ocp apiVersion: machineconfiguration.openshift.io/v1 kind: KubeletConfig -metadata: - annotations: - complianceascode.io/node-role: "{{.var_role_worker}}" -spec: - kubeletConfig: - tlsCipherSuites: [{{.var_kubelet_tls_cipher_suites}}] ---- -apiVersion: machineconfiguration.openshift.io/v1 -kind: KubeletConfig -metadata: - annotations: - complianceascode.io/node-role: "{{.var_role_master}}" spec: kubeletConfig: tlsCipherSuites: [{{.var_kubelet_tls_cipher_suites}}] diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml index 9baa86b472c..f19a85d69f6 100644 --- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml +++ b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml 
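Review bot: The surviving KubeletConfig has no `metadata` at all — no `name` and, unlike the two objects removed here, no `complianceascode.io/node-role` annotation — so which MachineConfigPools receive the cipher list is now decided entirely by whatever renders this remediation, and that contract is not visible in the file. A comment stating it would help, e.g. `# no node-role annotation: the operator is expected to apply this single object to every pool it scans`. The rule descriptions deleted in this diff warn that the MachineConfig Operator does not merge KubeletConfig objects and uses the last one applied, so it is worth confirming that this object and the equivalent `tlsMinVersion` remediation are combined before they reach a pool rather than overwriting each other.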
@@ -2,8 +2,6 @@ documentation_complete: true
prodtype: ocp4
-platform: ocp4
-
title: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers"
description: |-
@@ -48,6 +46,8 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node
+
ocil_clause: "TLS cipher suite configuration is not configured or contains insecure ciphers"
ocil: |-
@@ -63,10 +63,10 @@ ocil: |-
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-warnings:
-- general: |-
- {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}}
-
-
template:
- name: kubelet_combine
+ name: yamlfile_value
+ vars:
+ filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ yamlpath: ".kubeletconfig.tlsCipherSuites[:]"
+ xccdf_variable: var_kubelet_tls_cipher_suites_regex
+ regex_data: true
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/tests/match.pass.sh b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/tests/match.pass.sh
new file mode 100644
index 00000000000..b84b1d4335e
--- /dev/null
+++ b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/tests/match.pass.sh
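Review bot: The new `yamlfile_value` template sets no `check_existence`, so whether a node whose collected kubelet config has no `tlsCipherSuites` key at all is reported as a failure depends on the template's default; an absent key is the weakest state (the kubelet then falls back to its built-in suite selection instead of the hardened list) and should fail explicitly, so add `check_existence: "all_exist"` under `vars:`. The `warnings` block carrying `openshift_cluster_setting_kubeletconfig()` is also dropped here while the `kubelet_configure_tls_min_version` rule later in this diff keeps it; the two node rules should agree, and the caveat from the deleted `_master`/`_worker` descriptions that `var_kubelet_tls_cipher_suites_regex` and `var_kubelet_tls_cipher_suites` have to be changed together should survive in this rule's description or warnings. Whether the regex is applied to each element of `.tlsCipherSuites[:]` or to the list as a whole cannot be seen from here, and that decides whether a list holding only a subset of the accepted suites passes.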
@@ -0,0 +1,8 @@ +#!/bin/bash +# remediation = none + +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" + +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig +{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":5,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatus
MaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionHard":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","nodefs.available":"10%","nodefs.inodesFree":"5%"},"evictionSoft":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","nodefs.available":"10%","nodefs.inodesFree":"5%"},"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChains":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} +EOF diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/tests/nomatch.fail.sh b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/tests/nomatch.fail.sh new file mode 100644 index 00000000000..9a842a0ba4b --- /dev/null +++ b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/tests/nomatch.fail.sh 
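Review bot: The fixture creates `/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig` as a directory and writes the JSON to `openscap-kubeletconfig/openscap-kubeletconfig` beneath it, but the rule's new template reads `filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'`, which in this layout is the directory rather than the file. Unless `yamlfile_value` resolves `filepath` as a directory, the check never opens the fixture and any PASS here is not coming from the intended content; either write to the path the rule reads (`mkdir -p /etc/kubernetes/compliance-operator/kubeletconfig` and `cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig`) or point the rule's `filepath` at the nested file. Quoting the heredoc delimiter (`<< 'EOF'`) would also make the fixture immune to accidental shell expansion if it is ever edited to contain `$` or backticks.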
@@ -0,0 +1,8 @@ +#!/bin/bash +# remediation = none + +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" + +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig +{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":0,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.pro
tobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChains":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} +EOF diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_deprecated/rule.yml deleted file mode 100644 index ede8cd6d721..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_deprecated/rule.yml +++ /dev/null 
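Review bot: This negative fixture only omits the two AES-128-GCM suites from the hardened list; every suite it does contain is one the rule accepts, so it does not exercise the property the rule exists for, which is rejecting a weak suite. If `var_kubelet_tls_cipher_suites_regex` is applied per element of `.tlsCipherSuites[:]`, a list made only of accepted suites may well match and this test would pass rather than fail; if it is matched against the exact full list, the test is really checking list completeness, which should be stated in a comment at the top of the script. Either way, add a fixture whose list contains a suite that must be rejected, e.g. `"tlsCipherSuites":["TLS_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]`, so the expected failure is unambiguous.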
@@ -1,69 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -platform: ocp4-node - -title: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers" - -description: |- - Ensure that the Kubelet is configured to only use strong cryptographic ciphers. - To set the cipher suites for the kubelet, create new or modify existing - KubeletConfig object along these lines, one for every - MachineConfigPool: -
-    apiVersion: machineconfiguration.openshift.io/v1
-    kind: KubeletConfig
-    metadata:
-       name: kubelet-config-$pool
-    spec:
-        machineConfigPoolSelector:
-            matchLabels:
-                pools.operator.machineconfiguration.openshift.io/$pool_name: ""
-        kubeletConfig:
-          tlsCipherSuites:
-          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-          - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-          - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-    
- In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex - and var_kubelet_tls_cipher_suites have to be set -rationale: |- - TLS ciphers have had a number of known vulnerabilities and weaknesses, - which can reduce the protection provided by them. By default Kubernetes - supports a number of TLS ciphersuites including some that have security - concerns, weakening the protection provided. - -severity: medium - -#identifiers: -# cce@ocp4: - -references: - cis@ocp4: 4.2.13 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: "TLS cipher suite configuration is not configured or contains insecure ciphers" - -ocil: |- - Run the following command on the kubelet node(s): -
$ sudo grep tlsCipherSuites /etc/kubernetes/kubelet.conf
- Verify that the set of ciphers contains only the following: -
-    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-    
- - -template: - name: yamlfile_value - vars: - filepath: /etc/kubernetes/kubelet.conf - yamlpath: ".tlsCipherSuites[:]" - xccdf_variable: var_kubelet_tls_cipher_suites_regex - regex_data: true diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_master/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_master/rule.yml deleted file mode 100644 index 331d1f986ed..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_master/rule.yml +++ /dev/null @@ -1,74 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -platform: ocp4 - -title: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers" - -description: |- - Ensure that the Kubelet is configured to only use strong cryptographic ciphers. - To set the cipher suites for the kubelet, create new or modify existing - KubeletConfig object along these lines, one for every - MachineConfigPool: -
-    apiVersion: machineconfiguration.openshift.io/v1
-    kind: KubeletConfig
-    metadata:
-       name: kubelet-config-$pool
-    spec:
-        machineConfigPoolSelector:
-            matchLabels:
-                pools.operator.machineconfiguration.openshift.io/$pool_name: ""
-        kubeletConfig:
-          tlsCipherSuites:
-          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-          - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-          - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-          - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-          - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-    
- In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex - and var_kubelet_tls_cipher_suites have to be set -rationale: |- - TLS ciphers have had a number of known vulnerabilities and weaknesses, - which can reduce the protection provided by them. By default Kubernetes - supports a number of TLS ciphersuites including some that have security - concerns, weakening the protection provided. - -severity: medium - -#identifiers: -# cce@ocp4: - -references: - cis@ocp4: 4.2.13 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: "TLS cipher suite configuration is not configured or contains insecure ciphers" - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep tlsCipherSuites; done
- Verify that the set of ciphers contains only the following: -
-    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-    
- -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".tlsCipherSuites[:]" - xccdf_variable: var_kubelet_tls_cipher_suites_regex - regex_data: true diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_worker/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_worker/rule.yml deleted file mode 100644 index 881d32fce6e..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_worker/rule.yml +++ /dev/null @@ -1,74 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -platform: ocp4 - -title: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers" - -description: |- - Ensure that the Kubelet is configured to only use strong cryptographic ciphers. - To set the cipher suites for the kubelet, create new or modify existing - KubeletConfig object along these lines, one for every - MachineConfigPool: -
-    apiVersion: machineconfiguration.openshift.io/v1
-    kind: KubeletConfig
-    metadata:
-       name: kubelet-config-$pool
-    spec:
-        machineConfigPoolSelector:
-            matchLabels:
-                pools.operator.machineconfiguration.openshift.io/$pool_name: ""
-        kubeletConfig:
-          tlsCipherSuites:
-          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-          - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-          - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-          - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-          - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-    
- In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex - and var_kubelet_tls_cipher_suites have to be set -rationale: |- - TLS ciphers have had a number of known vulnerabilities and weaknesses, - which can reduce the protection provided by them. By default Kubernetes - supports a number of TLS ciphersuites including some that have security - concerns, weakening the protection provided. - -severity: medium - -#identifiers: -# cce@ocp4: - -references: - cis@ocp4: 4.2.13 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: "TLS cipher suite configuration is not configured or contains insecure ciphers" - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep tlsCipherSuites; done
- Verify that the set of ciphers contains only the following: -
-    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-    
- -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".tlsCipherSuites[:]" - xccdf_variable: var_kubelet_tls_cipher_suites_regex - regex_data: true diff --git a/applications/openshift/kubelet/kubelet_configure_tls_min_version/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_configure_tls_min_version/kubernetes/shared.yml index 977816ac6fd..d82f51c3451 100644 --- a/applications/openshift/kubelet/kubelet_configure_tls_min_version/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_configure_tls_min_version/kubernetes/shared.yml @@ -2,18 +2,6 @@ # platform = multi_platform_ocp apiVersion: machineconfiguration.openshift.io/v1 kind: KubeletConfig -metadata: - annotations: - complianceascode.io/node-role: "{{.var_role_worker}}" -spec: - kubeletConfig: - tlsMinVersion: "{{.var_kubelet_tls_min_version}}" ---- -apiVersion: machineconfiguration.openshift.io/v1 -kind: KubeletConfig -metadata: - annotations: - complianceascode.io/node-role: "{{.var_role_master}}" spec: kubeletConfig: tlsMinVersion: "{{.var_kubelet_tls_min_version}}" diff --git a/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml index a3e4e7988e4..f62be01d23d 100644 --- a/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml +++ b/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: ocp4 -platform: ocp4 - title: "Ensure Kubelet is configured with allowed TLS versions" description: |- @@ -77,6 +75,8 @@ references: nist: SC-8,SC-8(1) srg: SRG-APP-000014-CTR-000040,SRG-APP-000560-CTR-001340 +platform: ocp4-node + ocil_clause: 'Minimum TLS version configured for Kubelet uses insecure version' ocil: |- 
@@ -90,4 +90,9 @@ warnings:
{{{ openshift_cluster_setting_kubeletconfig() | indent(8) }}}
template:
- name: kubelet_combine
+ name: yamlfile_value
+ vars:
+ filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ yamlpath: ".kubeletconfig.tlsMinVersion"
+ xccdf_variable: var_kubelet_tls_min_version_regex
+ regex_data: true
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_min_version/tests/match.pass.sh b/applications/openshift/kubelet/kubelet_configure_tls_min_version/tests/match.pass.sh
new file mode 100644
index 00000000000..b84b1d4335e
--- /dev/null
+++ b/applications/openshift/kubelet/kubelet_configure_tls_min_version/tests/match.pass.sh
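Review bot: The check now compares `.kubeletconfig.tlsMinVersion` against `var_kubelet_tls_min_version_regex`, while the remediation in this same diff writes `tlsMinVersion: "{{.var_kubelet_tls_min_version}}"`; the two variables are independent, so a tailoring that changes one without the other yields a remediation that is immediately re-flagged, or a check that accepts a value the remediation never sets. The retained `warnings` block is the natural place to say so, e.g. `var_kubelet_tls_min_version and var_kubelet_tls_min_version_regex must be changed together`. As with the cipher-suite rule earlier in this diff, no `check_existence` is set; an unset `tlsMinVersion` leaves the kubelet on its built-in minimum and should be a failure, so add `check_existence: "all_exist"` under `vars:` unless the template already defaults to that.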
@@ -0,0 +1,8 @@ +#!/bin/bash +# remediation = none + +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" + +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig +{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":5,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatus
MaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionHard":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","nodefs.available":"10%","nodefs.inodesFree":"5%"},"evictionSoft":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","nodefs.available":"10%","nodefs.inodesFree":"5%"},"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChains":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} +EOF diff --git a/applications/openshift/kubelet/kubelet_configure_tls_min_version/tests/nomatch.fail.sh b/applications/openshift/kubelet/kubelet_configure_tls_min_version/tests/nomatch.fail.sh new file mode 100644 index 00000000000..c741d5e2088 --- /dev/null +++ b/applications/openshift/kubelet/kubelet_configure_tls_min_version/tests/nomatch.fail.sh 
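Review bot: The fixture appears to be a verbatim `configz` dump from a live cluster — it carries a real-looking `providerID` (`aws:///us-west-1b/i-0b15fe350572ea633`) plus cluster DNS and taint details that have nothing to do with the TLS minimum version under test. Trim it to the `kubeletconfig` wrapper and the fields the rule reads, or at least replace the instance id with a placeholder, so the test documents what it checks and does not ship identifiers scraped from someone's environment. The same blob is reused byte-for-byte by the cipher-suite test (both are `index 00000000000..b84b1d4335e`); a shared minimal fixture would keep the two from drifting apart.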
@@ -0,0 +1,8 @@ +#!/bin/bash +# remediation = none + +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" + +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig +{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS09","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":0,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.proto
buf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChains":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} +EOF diff --git a/applications/openshift/kubelet/kubelet_configure_tls_min_version_master/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_min_version_master/rule.yml deleted file mode 100644 index a8b900b72f5..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_min_version_master/rule.yml +++ /dev/null @@ -1,97 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -platform: ocp4 - -title: "Ensure Kubelet is configured with allowed TLS versions" - -description: |- -

- The configuration tlsSecurityProfile specifies TLS configurations - to be used while establishing connections with the externally exposed - servers. Though secure transport mode is used for establishing connections, - the protocols used may not always be strong enough to avoid interception and - manipulation of the data in transport. TLS Security profile configured should - not make use of any protocols, ciphers, and algorithms with known security - vulnerabilities. -

- -

- tlsSecurityProfile can be configured to use one of custom, intermediate, - modern, or old profile. Profile Old should be avoided at all times and when using - custom profile one should be extremely careful as invalid configurations can be - catastrophic. It is always advised to configure minimum TLS version to TLSv1.2 or - latest when using Custom profile or to use predefined profiles Intermediate or - modern. If a TLS security profile is not configured, the default TLS security - profile is Intermediate. -

- -

- To configure Custom tlsSecurityProfile for the Kubelet with TLSv1.2 as minimum - TLS version, create a new or modify existing KubeletConfig object along - these lines, one for every MachineConfigPool: -

-      apiVersion: machineconfiguration.openshift.io/v1
-      kind: KubeletConfig
-      metadata:
-          name: kubelet-tls-config-$pool
-      spec:
-          tlsSecurityProfile:
-              type: Custom
-              custom:
-                  ciphers:
-                  - ECDHE-ECDSA-CHACHA20-POLY1305
-                  - ECDHE-RSA-CHACHA20-POLY1305
-                  - ECDHE-RSA-AES128-GCM-SHA256
-                  - ECDHE-ECDSA-AES128-GCM-SHA256
-                  minTLSVersion: {{{ xccdf_value("var_kubelet_tls_min_version") }}}
-          machineConfigPoolSelector:
-              matchLabels:
-                  pools.operator.machineconfiguration.openshift.io/$pool_name: ""
-      
- In order to configure this rule to check for an alternate TLS version, both var_kubelet_tls_min_version_regex - and var_kubelet_tls_min_version should be updated. -

- -

- For more information, follow - OpenShift documentation: - {{{ weblink(link="https://docs.openshift.com/container-platform/4.11/nodes/nodes/nodes-nodes-tls.html", - text="the relevant documentation") }}}. -

- -rationale: |- - The authenticity and integrity of the container platform and communication - between nodes and components must be secure. If an insecure protocol, - cipher, or algorithms is used, during transmission of data, the data can be - intercepted and manipulated. To thwart the manipulation of the data during - transmission secure protocol, cipher and algorithms must be used. - -severity: medium - -references: - nist: SC-8,SC-8(1) - srg: SRG-APP-000014-CTR-000040 - -ocil_clause: 'Minimum TLS version configured for Kubelet uses insecure version' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsMinVersion'; done
- The output shows the configured TLS minimum version which should be - TLSv1.2 or newer. - -warnings: - - general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(8) }}} - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".tlsMinVersion" - xccdf_variable: var_kubelet_tls_min_version_regex - regex_data: true diff --git a/applications/openshift/kubelet/kubelet_configure_tls_min_version_worker/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_min_version_worker/rule.yml deleted file mode 100644 index eb66206c72d..00000000000 --- a/applications/openshift/kubelet/kubelet_configure_tls_min_version_worker/rule.yml +++ /dev/null @@ -1,97 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -platform: ocp4 - -title: "Ensure Kubelet is configured with allowed TLS versions" - -description: |- -

- The configuration tlsSecurityProfile specifies TLS configurations - to be used while establishing connections with the externally exposed - servers. Though secure transport mode is used for establishing connections, - the protocols used may not always be strong enough to avoid interception and - manipulation of the data in transport. TLS Security profile configured should - not make use of any protocols, ciphers, and algorithms with known security - vulnerabilities. -

- -

- tlsSecurityProfile can be configured to use one of custom, intermediate, - modern, or old profile. Profile Old should be avoided at all times and when using - custom profile one should be extremely careful as invalid configurations can be - catastrophic. It is always advised to configure minimum TLS version to TLSv1.2 or - latest when using Custom profile or to use predefined profiles Intermediate or - modern. If a TLS security profile is not configured, the default TLS security - profile is Intermediate. -

- -

- To configure Custom tlsSecurityProfile for the Kubelet with TLSv1.2 as minimum - TLS version, create a new or modify existing KubeletConfig object along - these lines, one for every MachineConfigPool: -

-      apiVersion: machineconfiguration.openshift.io/v1
-      kind: KubeletConfig
-      metadata:
-          name: kubelet-tls-config-$pool
-      spec:
-          tlsSecurityProfile:
-              type: Custom
-              custom:
-                  ciphers:
-                  - ECDHE-ECDSA-CHACHA20-POLY1305
-                  - ECDHE-RSA-CHACHA20-POLY1305
-                  - ECDHE-RSA-AES128-GCM-SHA256
-                  - ECDHE-ECDSA-AES128-GCM-SHA256
-                  minTLSVersion: {{{ xccdf_value("var_kubelet_tls_min_version") }}}
-          machineConfigPoolSelector:
-              matchLabels:
-                  pools.operator.machineconfiguration.openshift.io/$pool_name: ""
-      
- In order to configure this rule to check for an alternate TLS version, both var_kubelet_tls_min_version_regex - and var_kubelet_tls_min_version should be updated. -

- -

- For more information, follow - OpenShift documentation: - {{{ weblink(link="https://docs.openshift.com/container-platform/4.11/nodes/nodes/nodes-nodes-tls.html", - text="the relevant documentation") }}}. -

- -rationale: |- - The authenticity and integrity of the container platform and communication - between nodes and components must be secure. If an insecure protocol, - cipher, or algorithms is used, during transmission of data, the data can be - intercepted and manipulated. To thwart the manipulation of the data during - transmission secure protocol, cipher and algorithms must be used. - -severity: medium - -references: - nist: SC-8,SC-8(1) - srg: SRG-APP-000014-CTR-000040 - -ocil_clause: 'Minimum TLS version configured for Kubelet uses insecure version' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsMinVersion'; done
- The output shows the configured TLS minimum version which should be - TLSv1.2 or newer. - -warnings: - - general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(8) }}} - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".tlsMinVersion" - xccdf_variable: var_kubelet_tls_min_version_regex - regex_data: true diff --git a/applications/openshift/kubelet/kubelet_disable_hostname_override/rule.yml b/applications/openshift/kubelet/kubelet_disable_hostname_override/rule.yml index 4ddb3a162b0..3e87c1db88c 100644 --- a/applications/openshift/kubelet/kubelet_disable_hostname_override/rule.yml +++ b/applications/openshift/kubelet/kubelet_disable_hostname_override/rule.yml @@ -2,14 +2,14 @@ documentation_complete: true prodtype: eks,ocp4 -platform: {{{ product }}} - -{{%- if product == "eks" %}} +{{%- if product == "eks" %}} {{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} {{%- else %}} {{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} {{%- endif %}} +platform: {{{ product }}}-node + title: 'kubelet - Hostname Override handling' description: |- @@ -39,12 +39,13 @@ references: nist: CM-6,CM-6(1) {{%- if product == "eks" %}} - -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - - template: - name: kubelet_combine + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.hostname-override" + check_existence: "none_exist" + values: + - value: ".*" + operation: "pattern match" {{%- endif %}} diff --git a/applications/openshift/kubelet/kubelet_disable_hostname_override_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_disable_hostname_override_deprecated/rule.yml deleted file mode 100644 index 0ae793a8998..00000000000 
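Review bot: In the second hunk of kubelet_disable_hostname_override/rule.yml the new template stays inside `{{%- if product == "eks" %}}`, yet its `filepath` is the compliance-operator dump (`/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig`) rather than the `{{{ kubeletconf_path }}}` the deleted variant used for EKS, which leaves the `kubeletconf_path` set a few lines above unused by the check on that product. `hostname-override` is a kubelet command-line flag rather than a KubeletConfiguration field, so `.kubeletconfig.hostname-override` is unlikely to appear in a configz-derived dump at all, and with `check_existence: "none_exist"` the rule would then pass unconditionally. Confirm what the compliance operator actually writes to that path, or add a `warnings:` entry stating that a flag-based override is not observable from this file.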
--- a/applications/openshift/kubelet/kubelet_disable_hostname_override_deprecated/rule.yml +++ /dev/null @@ -1,51 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}}-node - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'kubelet - Hostname Override handling' - -description: |- - Normally, OpenShift lets the kubelet get the hostname from either the - cloud provider itself, or from the node's hostname. This ensures that - the PKI allocated by the deployment uses the appropriate values, is valid - and keeps working throughout the lifecycle of the cluster. IP addresses - are not used, and hence this makes it easier for security analysts to - associate kubelet logs with the appropriate node. -rationale: |- - Allowing hostnames to be overridden creates issues around resolving nodes - in addition to TLS configuration, certificate validation, and log correlation - and validation. -{{%- if product == "ocp4" %}} - However, in some cases explicit overriding this parameter is - necessary to ensure that the appropriate node name stays as it is in case of - certain upgrade conditions. e.g. as is the case in AWS and OpenStack when migrating - to external cloud providers. -{{%- endif %}} - -severity: low - -references: - cis@eks: 3.2.8 - cis@ocp4: 4.2.8 - nerc-cip: CIP-003-3 R6,CIP-004-3 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - -{{%- if product == "eks" %}} -template: - name: yamlfile_value - vars: - filepath: {{{ kubeletconf_path }}} - yamlpath: ".hostname-override" - check_existence: "none_exist" - values: - - value: ".*" - operation: "pattern match" -{{%- endif %}} 
diff --git a/applications/openshift/kubelet/kubelet_disable_hostname_override_master/rule.yml b/applications/openshift/kubelet/kubelet_disable_hostname_override_master/rule.yml deleted file mode 100644 index b716b815861..00000000000 --- a/applications/openshift/kubelet/kubelet_disable_hostname_override_master/rule.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'kubelet - Hostname Override handling' - -description: |- - Normally, OpenShift lets the kubelet get the hostname from either the - cloud provider itself, or from the node's hostname. This ensures that - the PKI allocated by the deployment uses the appropriate values, is valid - and keeps working throughout the lifecycle of the cluster. IP addresses - are not used, and hence this makes it easier for security analysts to - associate kubelet logs with the appropriate node. -rationale: |- - Allowing hostnames to be overridden creates issues around resolving nodes - in addition to TLS configuration, certificate validation, and log correlation - and validation. -{{%- if product == "ocp4" %}} - However, in some cases explicit overriding this parameter is - necessary to ensure that the appropriate node name stays as it is in case of - certain upgrade conditions. e.g. as is the case in AWS and OpenStack when migrating - to external cloud providers. -{{%- endif %}} - -severity: low - -references: - cis@eks: 3.2.8 - cis@ocp4: 4.2.8 - nerc-cip: CIP-003-3 R6,CIP-004-3 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - -{{%- if product == "eks" %}} -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".hostname-override" - check_existence: "none_exist" - values: - - value: ".*" - operation: "pattern match" -{{%- endif %}} diff --git a/applications/openshift/kubelet/kubelet_disable_hostname_override_worker/rule.yml b/applications/openshift/kubelet/kubelet_disable_hostname_override_worker/rule.yml deleted file mode 100644 index 28a8677c39b..00000000000 
--- a/applications/openshift/kubelet/kubelet_disable_hostname_override_worker/rule.yml +++ /dev/null @@ -1,53 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'kubelet - Hostname Override handling' - -description: |- - Normally, OpenShift lets the kubelet get the hostname from either the - cloud provider itself, or from the node's hostname. This ensures that - the PKI allocated by the deployment uses the appropriate values, is valid - and keeps working throughout the lifecycle of the cluster. IP addresses - are not used, and hence this makes it easier for security analysts to - associate kubelet logs with the appropriate node. -rationale: |- - Allowing hostnames to be overridden creates issues around resolving nodes - in addition to TLS configuration, certificate validation, and log correlation - and validation. -{{%- if product == "ocp4" %}} - However, in some cases explicit overriding this parameter is - necessary to ensure that the appropriate node name stays as it is in case of - certain upgrade conditions. e.g. as is the case in AWS and OpenStack when migrating - to external cloud providers. -{{%- endif %}} - -severity: low - -references: - cis@eks: 3.2.8 - cis@ocp4: 4.2.8 - nerc-cip: CIP-003-3 R6,CIP-004-3 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - -{{%- if product == "eks" %}} -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".hostname-override" - check_existence: "none_exist" - values: - - value: ".*" - operation: "pattern match" -{{%- endif %}} 
diff --git a/applications/openshift/kubelet/kubelet_enable_cert_rotation/rule.yml b/applications/openshift/kubelet/kubelet_enable_cert_rotation/rule.yml index 464348716dc..5f528d412d2 100644 --- a/applications/openshift/kubelet/kubelet_enable_cert_rotation/rule.yml +++ b/applications/openshift/kubelet/kubelet_enable_cert_rotation/rule.yml @@ -2,14 +2,14 @@ documentation_complete: true prodtype: eks,ocp4 -platform: {{{ product }}} - {{%- if product == "eks" %}} {{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} {{%- else %}} {{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} {{%- endif %}} +platform: {{{ product }}}-node + title: 'kubelet - Enable Certificate Rotation' description: |- @@ -32,7 +32,7 @@ ocil_clause: 'the kubelet cannot rotate client certificate' ocil: |- Run the following command on the kubelet node(s): -
$ sudo grep rotateCertificates {{{ kubeletconf_path }}}
+
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
The output should return nothing or true. identifiers: @@ -45,10 +45,12 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - - template: - name: kubelet_combine + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.rotateCertificates" + check_existence: "all_exist" + values: + - value: "true" + operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_enable_cert_rotation_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_enable_cert_rotation_deprecated/rule.yml deleted file mode 100644 index 98783570468..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_cert_rotation_deprecated/rule.yml +++ /dev/null @@ -1,52 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}}-node - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'kubelet - Enable Certificate Rotation' - -description: |- - To enable the kubelet to rotate client certificates, edit the kubelet configuration - file {{{ kubeletconf_path }}} - on the kubelet node(s) and set the below parameter: -
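Review bot: The third hunk checks `.kubeletconfig.rotateCertificates` with `check_existence: "all_exist"`, so an absent key fails the rule, while the OCIL text kept in the second hunk, `The output should return nothing or true.`, still tells the auditor that an empty result is acceptable. Either the OCIL sentence should become `The output should return true.` or the check should use `any_exist` if the kubelet default is meant to count as compliant. The fixtures in this diff serialize the field explicitly, so they will not expose the discrepancy.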
-    ...
-    rotateCertificates: true
-    ...
-    
- -rationale: |- - Allowing the kubelet to auto-update the certificates ensure that there is no downtime - in certificate renewal as well as ensures confidentiality and integrity. - -severity: medium - -ocil_clause: 'the kubelet cannot rotate client certificate' - -ocil: |- - Run the following command on the kubelet node(s): -
$ sudo grep rotateCertificates {{{ kubeletconf_path }}}
- The output should return nothing or true. - -references: - cis@eks: 3.2.10 - cis@ocp4: 4.2.11 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - filepath: {{{ kubeletconf_path }}} - yamlpath: ".rotateCertificates" - values: - - value: "true" - operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_enable_cert_rotation_master/rule.yml b/applications/openshift/kubelet/kubelet_enable_cert_rotation_master/rule.yml deleted file mode 100644 index 6020b95b738..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_cert_rotation_master/rule.yml +++ /dev/null @@ -1,57 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'kubelet - Enable Certificate Rotation' - -description: |- - To enable the kubelet to rotate client certificates, edit the kubelet configuration - file {{{ kubeletconf_path }}} - on the kubelet node(s) and set the below parameter: -
-    ...
-    rotateCertificates: true
-    ...
-    
- -rationale: |- - Allowing the kubelet to auto-update the certificates ensure that there is no downtime - in certificate renewal as well as ensures confidentiality and integrity. - -severity: medium - -ocil_clause: 'the kubelet cannot rotate client certificate' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
- The output should return nothing or true. - -references: - cis@eks: 3.2.10 - cis@ocp4: 4.2.11 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".rotateCertificates" - check_existence: "all_exist" - values: - - value: "true" - operation: "equals" - - diff --git a/applications/openshift/kubelet/kubelet_enable_cert_rotation_worker/rule.yml b/applications/openshift/kubelet/kubelet_enable_cert_rotation_worker/rule.yml deleted file mode 100644 index 93fa71f395b..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_cert_rotation_worker/rule.yml +++ /dev/null @@ -1,57 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'kubelet - Enable Certificate Rotation' - -description: |- - To enable the kubelet to rotate client certificates, edit the kubelet configuration - file {{{ kubeletconf_path }}} - on the kubelet node(s) and set the below parameter: -
-    ...
-    rotateCertificates: true
-    ...
-    
- -rationale: |- - Allowing the kubelet to auto-update the certificates ensure that there is no downtime - in certificate renewal as well as ensures confidentiality and integrity. - -severity: medium - -ocil_clause: 'the kubelet cannot rotate client certificate' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
- The output should return nothing or true. - -references: - cis@eks: 3.2.10 - cis@ocp4: 4.2.11 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".rotateCertificates" - check_existence: "all_exist" - values: - - value: "true" - operation: "equals" - - diff --git a/applications/openshift/kubelet/kubelet_enable_client_cert_rotation/rule.yml b/applications/openshift/kubelet/kubelet_enable_client_cert_rotation/rule.yml index cab7d28eafb..dc5a923a901 100644 --- a/applications/openshift/kubelet/kubelet_enable_client_cert_rotation/rule.yml +++ b/applications/openshift/kubelet/kubelet_enable_client_cert_rotation/rule.yml @@ -2,14 +2,14 @@ documentation_complete: true prodtype: eks,ocp4 -platform: {{{ product }}} - {{%- if product == "eks" %}} {{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} {{%- else %}} {{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} {{%- endif %}} +platform: {{{ product }}}-node + title: 'kubelet - Enable Client Certificate Rotation' description: |- @@ -46,11 +46,12 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - - template: - name: kubelet_combine - + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.featureGates.RotateKubeletClientCertificate" + check_existence: "any_exist" + values: + - value: "false" + operation: "not equal" diff --git a/applications/openshift/kubelet/kubelet_enable_client_cert_rotation_master/rule.yml b/applications/openshift/kubelet/kubelet_enable_client_cert_rotation_master/rule.yml deleted file mode 100644 index 85a49860071..00000000000 
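Review bot: The second hunk of kubelet_enable_client_cert_rotation/rule.yml checks `.kubeletconfig.featureGates.RotateKubeletClientCertificate` with `check_existence: "any_exist"`, and the fixtures added in this diff list only `RotateKubeletServerCertificate` under `featureGates`, so the `not equal` comparison against `"false"` is never exercised and the rule passes on absence alone. I believe this feature gate has been GA and locked on for several Kubernetes releases, in which case the key will rarely be present on a real node either; a short comment above the template, such as `# gate is absent on current kubelets; any_exist makes absence compliant`, would record that this is intended rather than an oversight, and a fixture that sets the gate to false would give the fail path some coverage.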
--- a/applications/openshift/kubelet/kubelet_enable_client_cert_rotation_master/rule.yml +++ /dev/null @@ -1,56 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'kubelet - Enable Client Certificate Rotation' - -description: |- - To enable the kubelet to rotate client certificates, edit the kubelet configuration - file {{{ kubeletconf_path }}} - on the kubelet node(s) and set the below parameter: -
-    featureGates:
-    ...
-      RotateKubeletClientCertificate: true
-    ...
-    
- -rationale: |- - Allowing the kubelet to auto-update the certificates ensure that there is no downtime - in certificate renewal as well as ensures confidentiality and integrity. - -severity: medium - -ocil_clause: 'the kubelet cannot rotate client certificate' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done
- The output should return nothing or true. - -references: - cis@eks: 3.2.10 - cis@ocp4: 4.2.11 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".featureGates.RotateKubeletClientCertificate" - check_existence: "any_exist" - values: - - value: "false" - operation: "not equal" diff --git a/applications/openshift/kubelet/kubelet_enable_client_cert_rotation_worker/rule.yml b/applications/openshift/kubelet/kubelet_enable_client_cert_rotation_worker/rule.yml deleted file mode 100644 index 85a49860071..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_client_cert_rotation_worker/rule.yml +++ /dev/null @@ -1,56 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'kubelet - Enable Client Certificate Rotation' - -description: |- - To enable the kubelet to rotate client certificates, edit the kubelet configuration - file {{{ kubeletconf_path }}} - on the kubelet node(s) and set the below parameter: -
-    featureGates:
-    ...
-      RotateKubeletClientCertificate: true
-    ...
-    
- -rationale: |- - Allowing the kubelet to auto-update the certificates ensure that there is no downtime - in certificate renewal as well as ensures confidentiality and integrity. - -severity: medium - -ocil_clause: 'the kubelet cannot rotate client certificate' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done
- The output should return nothing or true. - -references: - cis@eks: 3.2.10 - cis@ocp4: 4.2.11 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".featureGates.RotateKubeletClientCertificate" - check_existence: "any_exist" - values: - - value: "false" - operation: "not equal" diff --git a/applications/openshift/kubelet/kubelet_enable_iptables_util_chains/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_enable_iptables_util_chains/kubernetes/shared.yml index 16b5833c335..2bfd4fd40b7 100644 --- a/applications/openshift/kubelet/kubelet_enable_iptables_util_chains/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_enable_iptables_util_chains/kubernetes/shared.yml @@ -1,5 +1,3 @@ --- # platform = multi_platform_ocp -{{{ kubelet_config_fixed(path='kubeletConfig',parameter='makeIPTablesUtilChains', value='true', role='var_role_worker') }}} ---- -{{{ kubelet_config_fixed(path='kubeletConfig',parameter='makeIPTablesUtilChains', value='true', role='var_role_master') }}} +{{{ kubelet_config_fixed(path='kubeletConfig',parameter='makeIPTablesUtilChains', value='true') }}} diff --git a/applications/openshift/kubelet/kubelet_enable_iptables_util_chains/rule.yml b/applications/openshift/kubelet/kubelet_enable_iptables_util_chains/rule.yml index 07ce8384ece..9f1d117266c 100644 --- a/applications/openshift/kubelet/kubelet_enable_iptables_util_chains/rule.yml +++ b/applications/openshift/kubelet/kubelet_enable_iptables_util_chains/rule.yml 
@@ -2,10 +2,13 @@ documentation_complete: true prodtype: eks,ocp4 -platform: {{{ product }}} - +{{%- if product == "eks" %}} +{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} +{{%- else %}} {{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} +{{%- endif %}} +platform: {{{ product }}}-node title: 'kubelet - Allow Automatic Firewall Configuration' @@ -30,7 +33,7 @@ ocil_clause: 'the kubelet cannot modify the firewall settings' ocil: |- Run the following command on the kubelet node(s): -
$ sudo grep makeIPTablesUtilChains {{{ kubeletconf_path }}}
+
$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains 
The output should return true. identifiers: @@ -43,10 +46,11 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - - template: - name: kubelet_combine + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.makeIPTablesUtilChains" + values: + - value: "true" + operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_enable_iptables_util_chains_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_enable_iptables_util_chains_deprecated/rule.yml deleted file mode 100644 index 6ad658f4bf8..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_iptables_util_chains_deprecated/rule.yml +++ /dev/null @@ -1,53 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}}-node - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'kubelet - Allow Automatic Firewall Configuration' - -description: |- - The kubelet has the ability to automatically configure the firewall to allow - the containers required ports and connections to networking resources and destinations - parameters potentially creating a security incident. - To allow the kubelet to modify the firewall, edit the kubelet configuration - file {{{ kubeletconf_path }}} - on the kubelet node(s) and set the below parameter: -
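Review bot: The new OCIL command expands `${NODE_NAME}` without defining it, so copied verbatim it requests `/api/v1/nodes//proxy/configz`; the other rules converted in this change wrap the same command in a loop over all nodes. Suggest `$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains; done` so the manual check is per node, as the surrounding prose "on the kubelet node(s)" promises.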
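Review bot: The converted `yamlfile_value` template sets no `check_existence`, while the anonymous-auth and streaming-timeout rules in this same change set `check_existence: "all_exist"`. I cannot see the template's default from here; if it is anything weaker than all_exist, a dump in which `makeIPTablesUtilChains` is absent would not fail this rule. The kubelet defaults the option to true, so the exposure is small, but the rules should agree — add `check_existence: "all_exist"` under `vars:`.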
makeIPTablesUtilChains: true
- -rationale: |- - The kubelet should automatically configure the firewall settings to allow access and - networking traffic through. This ensures that when a pod or container is running that - the correct ports are configured as well as removing the ports when a pod or - container is no longer in existence. - -severity: medium - -ocil_clause: 'the kubelet cannot modify the firewall settings' - -ocil: |- - Run the following command on the kubelet node(s): -
$ sudo grep makeIPTablesUtilChains {{{ kubeletconf_path }}}
- The output should return true. - -references: - cis@eks: 3.2.7 - cis@ocp4: 4.2.7 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - filepath: {{{ kubeletconf_path }}} - yamlpath: ".makeIPTablesUtilChains" - values: - - value: "true" - operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_enable_iptables_util_chains_master/rule.yml b/applications/openshift/kubelet/kubelet_enable_iptables_util_chains_master/rule.yml deleted file mode 100644 index d0aa2ba4cc5..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_iptables_util_chains_master/rule.yml +++ /dev/null @@ -1,59 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -title: 'kubelet - Allow Automatic Firewall Configuration' - -description: |- - The kubelet has the ability to automatically configure the firewall to allow - the containers required ports and connections to networking resources and destinations - parameters potentially creating a security incident. - To allow the kubelet to modify the firewall, edit the kubelet configuration - To set the makeIPTablesUtilChains option for the kubelet, - create a KubeletConfig option along these lines: -
-    apiVersion: machineconfiguration.openshift.io/v1
-    kind: KubeletConfig
-    metadata:
-       name: kubelet-config-$pool
-    spec:
-        machineConfigPoolSelector:
-            matchLabels:
-                pools.operator.machineconfiguration.openshift.io/$pool_name: ""
-        kubeletConfig:
-            makeIPTablesUtilChains: true
-    
-rationale: |- - The kubelet should automatically configure the firewall settings to allow access and - networking traffic through. This ensures that when a pod or container is running that - the correct ports are configured as well as removing the ports when a pod or - container is no longer in existence. - -severity: medium - -ocil_clause: 'the kubelet cannot modify the firewall settings' - -ocil: |- - Run the following command on the kubelet node(s): -
$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains 
- The output should return true. - -references: - cis@eks: 3.2.7 - cis@ocp4: 4.2.7 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".makeIPTablesUtilChains" - values: - - value: "true" - operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_enable_iptables_util_chains_worker/rule.yml b/applications/openshift/kubelet/kubelet_enable_iptables_util_chains_worker/rule.yml deleted file mode 100644 index 6995bb11133..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_iptables_util_chains_worker/rule.yml +++ /dev/null @@ -1,59 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -title: 'kubelet - Allow Automatic Firewall Configuration' - -description: |- - The kubelet has the ability to automatically configure the firewall to allow - the containers required ports and connections to networking resources and destinations - parameters potentially creating a security incident. - To allow the kubelet to modify the firewall, edit the kubelet configuration - To set the makeIPTablesUtilChains option for the kubelet, - create a KubeletConfig option along these lines: -
-    apiVersion: machineconfiguration.openshift.io/v1
-    kind: KubeletConfig
-    metadata:
-       name: kubelet-config-$pool
-    spec:
-        machineConfigPoolSelector:
-            matchLabels:
-                pools.operator.machineconfiguration.openshift.io/$pool_name: ""
-        kubeletConfig:
-            makeIPTablesUtilChains: true
-    
-rationale: |- - The kubelet should automatically configure the firewall settings to allow access and - networking traffic through. This ensures that when a pod or container is running that - the correct ports are configured as well as removing the ports when a pod or - container is no longer in existence. - -severity: medium - -ocil_clause: 'the kubelet cannot modify the firewall settings' - -ocil: |- - Run the following command on the kubelet node(s): -
$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains 
- The output should return true. - -references: - cis@eks: 3.2.7 - cis@ocp4: 4.2.7 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".makeIPTablesUtilChains" - values: - - value: "true" - operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_enable_protect_kernel_defaults/rule.yml b/applications/openshift/kubelet/kubelet_enable_protect_kernel_defaults/rule.yml index e79535acd1c..196ee2ef7e1 100644 --- a/applications/openshift/kubelet/kubelet_enable_protect_kernel_defaults/rule.yml +++ b/applications/openshift/kubelet/kubelet_enable_protect_kernel_defaults/rule.yml @@ -105,10 +105,10 @@ references: srg: SRG-APP-000516-CTR-001325 template: - name: yamlfile_value - vars: - filepath: {{{ kubeletconf_path }}} - yamlpath: ".protectKernelDefaults" - values: - - value: "true" - operation: "equals" + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.protectKernelDefaults" + values: + - value: "true" + operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_enable_server_cert_rotation/rule.yml b/applications/openshift/kubelet/kubelet_enable_server_cert_rotation/rule.yml index 9615b0a3517..776272c3a14 100644 --- a/applications/openshift/kubelet/kubelet_enable_server_cert_rotation/rule.yml +++ b/applications/openshift/kubelet/kubelet_enable_server_cert_rotation/rule.yml 
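Review bot: `protectKernelDefaults` defaults to false in the kubelet, so a configz dump where the key is missing must fail this rule, yet the converted template sets no `check_existence` and the default it falls back to is not visible in this diff. Add `check_existence: "all_exist"` under `vars:` so absence fails explicitly, as the streaming-timeout rule in this change does. The `name:`/`vars:` lines also appear as changed although their text is identical, which suggests an indentation change under `template:` — check it matches the other rule.yml files touched here.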
@@ -2,14 +2,14 @@ documentation_complete: true prodtype: eks,ocp4 -platform: {{{ product }}} - {{%- if product == "eks" %}} {{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} {{%- else %}} {{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} {{%- endif %}} +platform: {{{ product }}}-node + title: 'kubelet - Enable Server Certificate Rotation' description: |- @@ -43,10 +43,11 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - - template: - name: kubelet_combine + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.serverTLSBootstrap" + values: + - value: "true" + operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_enable_server_cert_rotation_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_enable_server_cert_rotation_deprecated/rule.yml deleted file mode 100644 index 1184826cfed..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_server_cert_rotation_deprecated/rule.yml +++ /dev/null @@ -1,53 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}}-node - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'kubelet - Enable Server Certificate Rotation' - -description: |- - To enable the kubelet to rotate server certificates, edit the kubelet configuration - file {{{ kubeletconf_path }}} - on the kubelet node(s) and set the below parameter: -
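Review bot: The replacement check only asserts `.kubeletconfig.serverTLSBootstrap`, whereas the deleted `_deprecated` rule asserted `featureGates.RotateKubeletServerCertificate`; as documented for KubeletConfiguration, serverTLSBootstrap depends on that feature gate being enabled, so a cluster that explicitly sets the gate to false would pass this rule without rotating its serving certificate. Either keep a companion check on the gate or state in the description that the gate is assumed enabled (the new fixture in this diff shows it true). Independently, `vars:` lacks `check_existence: "all_exist"` unlike the anonymous-auth rule, and serverTLSBootstrap defaults to false, so an absent key should be a failure.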
-    featureGates:
-    ...
-      RotateKubeletServerCertificate: true
-    ...
-    
- -rationale: |- - Allowing the kubelet to auto-update the certificates ensure that there is no downtime - in certificate renewal as well as ensures confidentiality and integrity. - -severity: medium - -ocil_clause: 'the kubelet cannot rotate server certificate' - -ocil: |- - Run the following command on the kubelet node(s): -
$ sudo grep RotateKubeletServerCertificate {{{ kubeletconf_path }}}
- The output should return true. - -references: - cis@eks: 3.2.11 - cis@ocp4: 4.2.12 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - filepath: {{{ kubeletconf_path }}} - yamlpath: ".featureGates.RotateKubeletServerCertificate" - values: - - value: "true" - operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_enable_server_cert_rotation_master/rule.yml b/applications/openshift/kubelet/kubelet_enable_server_cert_rotation_master/rule.yml deleted file mode 100644 index f3571d2274e..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_server_cert_rotation_master/rule.yml +++ /dev/null @@ -1,52 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'kubelet - Enable Server Certificate Rotation' - -description: |- - To enable the kubelet to rotate server certificates, edit the kubelet configuration - file {{{ kubeletconf_path }}} - on the kubelet node(s) and set the below parameter: -
-    serverTLSBootstrap: true
-    
- -rationale: |- - Allowing the kubelet to auto-update the certificates ensure that there is no downtime - in certificate renewal as well as ensures confidentiality and integrity. - -severity: medium - -ocil_clause: 'the kubelet cannot rotate server certificate' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap' done
- The output should return true. - -references: - cis@eks: 3.2.11 - cis@ocp4: 4.2.12 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".serverTLSBootstrap" - values: - - value: "true" - operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_enable_server_cert_rotation_worker/rule.yml b/applications/openshift/kubelet/kubelet_enable_server_cert_rotation_worker/rule.yml deleted file mode 100644 index 738b8db8a9a..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_server_cert_rotation_worker/rule.yml +++ /dev/null @@ -1,52 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'kubelet - Enable Server Certificate Rotation' - -description: |- - To enable the kubelet to rotate server certificates, edit the kubelet configuration - file {{{ kubeletconf_path }}} - on the kubelet node(s) and set the below parameter: -
-    serverTLSBootstrap: true
-    
- -rationale: |- - Allowing the kubelet to auto-update the certificates ensure that there is no downtime - in certificate renewal as well as ensures confidentiality and integrity. - -severity: medium - -ocil_clause: 'the kubelet cannot rotate server certificate' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
- The output should return true. - -references: - cis@eks: 3.2.11 - cis@ocp4: 4.2.12 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".serverTLSBootstrap" - values: - - value: "true" - operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_enable_streaming_connections/kubernetes/shared.yml index 5ebeba9d0f4..4333a344322 100644 --- a/applications/openshift/kubelet/kubelet_enable_streaming_connections/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_enable_streaming_connections/kubernetes/shared.yml @@ -1,5 +1,3 @@ --- # platform = multi_platform_ocp -{{{ kubelet_config(path='kubeletConfig',parameter='streamingConnectionIdleTimeout', value='var_streaming_connection_timeouts', role='var_role_worker') }}} ---- -{{{ kubelet_config(path='kubeletConfig',parameter='streamingConnectionIdleTimeout', value='var_streaming_connection_timeouts', role='var_role_master') }}} +{{{ kubelet_config(path='kubeletConfig',parameter='streamingConnectionIdleTimeout', value='var_streaming_connection_timeouts') }}} diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml b/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml index 0551fd8c1ac..4d5bfaa7bc9 100644 --- a/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml +++ b/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml @@ -2,8 +2,6 @@ documentation_complete: true prodtype: eks,ocp4 -platform: {{{ product }}} - title: 'kubelet - Do Not Disable Streaming Timeouts' description: |- 
@@ -32,12 +30,14 @@ rationale: |- severity: medium +platform: {{{ product }}}-node + ocil_clause: 'the streaming connection timeouts are not disabled' ocil: |- Run the following command on the kubelet node(s):
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
- The output should return {{{ xccdf_value("var_streaming_connection_timeouts") }}}. + The output should not return 0. identifiers: cce@ocp4: CCE-84097-5 @@ -49,9 +49,12 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - template: - name: kubelet_combine + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.streamingConnectionIdleTimeout" + check_existence: "all_exist" + values: + - value: "0s" + operation: "not equal" diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections/tests/match.pass.sh b/applications/openshift/kubelet/kubelet_enable_streaming_connections/tests/match.pass.sh index aec5d85679e..b84b1d4335e 100644 --- a/applications/openshift/kubelet/kubelet_enable_streaming_connections/tests/match.pass.sh +++ b/applications/openshift/kubelet/kubelet_enable_streaming_connections/tests/match.pass.sh 
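Review bot: The OCIL now says the output "should not return 0", but the automated check compares `streamingConnectionIdleTimeout` against the string `"0s"` with `operation: "not equal"`, and the configz dump serializes durations in Go form (`4h0m0s` in the new fixture), so the literal `0` will never appear. Change the sentence to `The output should not return 0s.` so the manual and automated checks agree. Since the check no longer compares against `var_streaming_connection_timeouts` while the remediation in this change still sets it, a sentence in the description saying any non-zero timeout passes would avoid confusion.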
@@ -1,459 +1,8 @@ #!/bin/bash # remediation = none -kube_apipath="/kubernetes-api-resources" -ocp_apipath="/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver" -api_path_worker="/kubeletconfig/role/worker" -api_path_master="/kubeletconfig/role/master" +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" -mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusteroperators/" -mkdir -p "$kube_apipath/kubeletconfig/role" - -cat << EOF > $kube_apipath$ocp_apipath -{ - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterOperator", - "metadata":{ - "annotations":{ - "exclude.release.openshift.io/internal-openshift-hosted":"true", - "include.release.openshift.io/self-managed-high-availability":"true", - "include.release.openshift.io/single-node-developer":"true" - }, - "creationTimestamp":"2022-08-10T00:56:27Z", - "generation":1, - "name":"openshift-apiserver", - "ownerReferences":[ - { - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterVersion", - "name":"version", - "uid":"c28a5c07-152f-4fec-b51e-c53f64585841" - } - ], - "resourceVersion":"26181", - "uid":"f8b3e53e-fe06-466e-9842-2cad5ef1659f" - }, - "spec":{ - - }, - "status":{ - "conditions":[ - { - "lastTransitionTime":"2022-08-10T01:03:54Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Degraded" - }, - { - "lastTransitionTime":"2022-08-10T01:11:26Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Progressing" - }, - { - "lastTransitionTime":"2022-08-10T01:14:55Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Available" - }, - { - "lastTransitionTime":"2022-08-10T01:01:44Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Upgradeable" - } - ], - "extension":null, - "relatedObjects":[ - { - "group":"operator.openshift.io", - "name":"cluster", - "resource":"openshiftapiservers" - }, - { - "group":"", - 
"name":"openshift-config", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-config-managed", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-etcd-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"host-etcd-2", - "namespace":"openshift-etcd", - "resource":"endpoints" - }, - { - "group":"controlplane.operator.openshift.io", - "name":"", - "namespace":"openshift-apiserver", - "resource":"podnetworkconnectivitychecks" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.apps.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.authorization.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.build.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.image.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.project.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.quota.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.route.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.security.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.template.openshift.io", - "resource":"apiservices" - } - ], - "versions":[ - { - "name":"operator", - "version":"4.11.0-0.ci-2022-08-08-193848" - }, - { - "name":"openshift-apiserver", - "version":"4.11.0-0.ci-2022-08-08-193848" - } - ] - } -} -EOF - -cat << EOF > $kube_apipath$api_path_worker -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - 
"httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "4h0m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - 
"kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "15%", - "memory.available": "100Mi", - "nodefs.available": "15%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} -EOF - - -cat << EOF > $kube_apipath$api_path_master -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - "httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - 
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "15%", - "memory.available": "100Mi", - "nodefs.available": "15%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - 
"enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig 
+{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":5,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionHard":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","n
odefs.available":"10%","nodefs.inodesFree":"5%"},"evictionSoft":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","nodefs.available":"10%","nodefs.inodesFree":"5%"},"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChains":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} EOF diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections/tests/nomatch.fail.sh b/applications/openshift/kubelet/kubelet_enable_streaming_connections/tests/nomatch.fail.sh index 027b7f90c66..82a62511dba 100644 --- a/applications/openshift/kubelet/kubelet_enable_streaming_connections/tests/nomatch.fail.sh +++ b/applications/openshift/kubelet/kubelet_enable_streaming_connections/tests/nomatch.fail.sh 
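Review bot: The new fixture is one multi-kilobyte JSON line captured from a live cluster, including an environment-specific `"providerID":"aws:///us-west-1b/i-0b15fe350572ea633"`, which makes future diffs of this test unreviewable and carries data the test does not use. Suggest pretty-printing the heredoc (e.g. the output of `jq .`) and dropping `providerID`, keeping `streamingConnectionIdleTimeout` at `4h0m0s` so the pass case is still exercised.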
@@ -1,459 +1,8 @@ #!/bin/bash # remediation = none -kube_apipath="/kubernetes-api-resources" -ocp_apipath="/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver" -api_path_worker="/kubeletconfig/role/worker" -api_path_master="/kubeletconfig/role/master" +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" -mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusteroperators/" -mkdir -p "$kube_apipath/kubeletconfig/role" - -cat << EOF > $kube_apipath$ocp_apipath -{ - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterOperator", - "metadata":{ - "annotations":{ - "exclude.release.openshift.io/internal-openshift-hosted":"true", - "include.release.openshift.io/self-managed-high-availability":"true", - "include.release.openshift.io/single-node-developer":"true" - }, - "creationTimestamp":"2022-08-10T00:56:27Z", - "generation":1, - "name":"openshift-apiserver", - "ownerReferences":[ - { - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterVersion", - "name":"version", - "uid":"c28a5c07-152f-4fec-b51e-c53f64585841" - } - ], - "resourceVersion":"26181", - "uid":"f8b3e53e-fe06-466e-9842-2cad5ef1659f" - }, - "spec":{ - - }, - "status":{ - "conditions":[ - { - "lastTransitionTime":"2022-08-10T01:03:54Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Degraded" - }, - { - "lastTransitionTime":"2022-08-10T01:11:26Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Progressing" - }, - { - "lastTransitionTime":"2022-08-10T01:14:55Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Available" - }, - { - "lastTransitionTime":"2022-08-10T01:01:44Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Upgradeable" - } - ], - "extension":null, - "relatedObjects":[ - { - "group":"operator.openshift.io", - "name":"cluster", - "resource":"openshiftapiservers" - }, - { - "group":"", - 
"name":"openshift-config", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-config-managed", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-etcd-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"host-etcd-2", - "namespace":"openshift-etcd", - "resource":"endpoints" - }, - { - "group":"controlplane.operator.openshift.io", - "name":"", - "namespace":"openshift-apiserver", - "resource":"podnetworkconnectivitychecks" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.apps.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.authorization.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.build.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.image.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.project.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.quota.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.route.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.security.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.template.openshift.io", - "resource":"apiservices" - } - ], - "versions":[ - { - "name":"operator", - "version":"4.11.0-0.ci-2022-08-08-193848" - }, - { - "name":"openshift-apiserver", - "version":"4.11.0-0.ci-2022-08-08-193848" - } - ] - } -} -EOF - -cat << EOF > $kube_apipath$api_path_worker -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - 
"httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "6m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - 
"kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "15%", - "memory.available": "100Mi", - "nodefs.available": "15%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} -EOF - - -cat << EOF > $kube_apipath$api_path_master -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - "httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - 
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "15%", - "memory.available": "100Mi", - "nodefs.available": "15%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - 
"enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig 
+{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":0,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChains"
:true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} EOF diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/tests/match.pass.sh b/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/tests/match.pass.sh deleted file mode 100644 index d604913864c..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/tests/match.pass.sh +++ /dev/null 
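Review bot: The heredoc that writes the fixture uses an unquoted delimiter, so `$`, backticks and backslashes inside the JSON would be expanded by the shell; the current body has none, but a fixture that is meant to be copied verbatim should use `cat << 'EOF' > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig`. The fixture also carries what looks like a cluster-specific identifier lifted from a live environment (`"providerID":"aws:///us-west-1b/i-0b15fe350572ea633"`); the rule only reads `.kubeletconfig.streamingConnectionIdleTimeout`, so the value can be replaced with a neutral placeholder or dropped. Writing the JSON on a single line makes future changes to one field (here `"streamingConnectionIdleTimeout":"0s"`, the condition the test exercises) impossible to review in a diff; a pretty-printed body, or a trimmed one containing only the keys the rule inspects, would be easier to maintain. The same fixture text appears in the preceding hunk of this commit, which starts outside this view, and presumably in the match.pass.sh hunk for the imagefs rule further down, which runs past it.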
@@ -1,98 +0,0 @@ -#!/bin/bash -# remediation = none -# variables = var_streaming_connection_timeouts=5m0s - -yum install -y jq - -mkdir -p "/etc/kubernetes" - -cat << EOF > /etc/kubernetes/kubelet.conf -{ - "kind": "KubeletConfiguration", - "apiVersion": "kubelet.config.k8s.io/v1beta1", - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "0s", - "fileCheckFrequency": "0s", - "httpCheckFrequency": "0s", - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "cacheTTL": "0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "webhook": { - "cacheAuthorizedTTL": "0s", - "cacheUnauthorizedTTL": "0s" - } - }, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "0s", - "nodeStatusReportFrequency": "0s", - "imageMinimumGCAge": "0s", - "volumeStatsAggPeriod": "0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupDriver": "systemd", - "cpuManagerReconcilePeriod": "0s", - "runtimeRequestTimeout": "0s", - "maxPods": 250, - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionPressureTransitionPeriod": "0s", - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureDisk": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationOpenStack": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "LegacyNodeRoleBehavior": false, - "NodeDisruptionExclusion": true, - 
"PodSecurity": true, - "RotateKubeletServerCertificate": true, - "ServiceNodeExclusion": true, - "SupportPodPidsLimit": true - }, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "systemReserved": { - "ephemeral-storage": "1Gi" - }, - "logging": { - "flushFrequency": 0, - "verbosity": 0, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "shutdownGracePeriod": "5m", - "shutdownGracePeriodCriticalPods": "0s" -} -EOF - diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/tests/notmatch.fail.sh b/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/tests/notmatch.fail.sh deleted file mode 100644 index 1d130f85d4a..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/tests/notmatch.fail.sh +++ /dev/null 
@@ -1,97 +0,0 @@ -#!/bin/bash -# remediation = none - -yum install -y jq - -mkdir -p "/etc/kubernetes" - -cat << EOF > /etc/kubernetes/kubelet.conf -{ - "kind": "KubeletConfiguration", - "apiVersion": "kubelet.config.k8s.io/v1beta1", - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "0s", - "fileCheckFrequency": "0s", - "httpCheckFrequency": "0s", - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "cacheTTL": "0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "webhook": { - "cacheAuthorizedTTL": "0s", - "cacheUnauthorizedTTL": "0s" - } - }, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "0s", - "nodeStatusUpdateFrequency": "0s", - "nodeStatusReportFrequency": "0s", - "imageMinimumGCAge": "0s", - "volumeStatsAggPeriod": "0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupDriver": "systemd", - "cpuManagerReconcilePeriod": "0s", - "runtimeRequestTimeout": "0s", - "maxPods": 250, - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionPressureTransitionPeriod": "0s", - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureDisk": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationOpenStack": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "LegacyNodeRoleBehavior": false, - "NodeDisruptionExclusion": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": 
true, - "ServiceNodeExclusion": true, - "SupportPodPidsLimit": true - }, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "systemReserved": { - "ephemeral-storage": "1Gi" - }, - "logging": { - "flushFrequency": 0, - "verbosity": 0, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s" -} -EOF - diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/tests/notset.fail.sh b/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/tests/notset.fail.sh deleted file mode 100644 index 7283bd5697d..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/tests/notset.fail.sh +++ /dev/null 
@@ -1,96 +0,0 @@ -#!/bin/bash -# remediation = none - -yum install -y jq - -mkdir -p "/etc/kubernetes" - -cat << EOF > /etc/kubernetes/kubelet.conf -{ - "kind": "KubeletConfiguration", - "apiVersion": "kubelet.config.k8s.io/v1beta1", - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "0s", - "fileCheckFrequency": "0s", - "httpCheckFrequency": "0s", - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "cacheTTL": "0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "webhook": { - "cacheAuthorizedTTL": "0s", - "cacheUnauthorizedTTL": "0s" - } - }, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "nodeStatusUpdateFrequency": "0s", - "nodeStatusReportFrequency": "0s", - "imageMinimumGCAge": "0s", - "volumeStatsAggPeriod": "0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupDriver": "systemd", - "cpuManagerReconcilePeriod": "0s", - "runtimeRequestTimeout": "0s", - "maxPods": 250, - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionPressureTransitionPeriod": "0s", - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureDisk": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationOpenStack": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "LegacyNodeRoleBehavior": false, - "NodeDisruptionExclusion": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true, - "ServiceNodeExclusion": true, - 
"SupportPodPidsLimit": true - }, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "systemReserved": { - "ephemeral-storage": "1Gi" - }, - "logging": { - "flushFrequency": 0, - "verbosity": 0, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s" -} -EOF - diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/tests/ocp4/e2e.yml b/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/tests/ocp4/e2e.yml deleted file mode 100644 index 42126728741..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_streaming_connections_deprecated/tests/ocp4/e2e.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -default_result: FAIL -result_after_remediation: PASS - diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections_master/rule.yml b/applications/openshift/kubelet/kubelet_enable_streaming_connections_master/rule.yml deleted file mode 100644 index 20d41232dcc..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_streaming_connections_master/rule.yml +++ /dev/null @@ -1,59 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -title: 'kubelet - Do Not Disable Streaming Timeouts' - -description: |- - Timeouts for streaming connections should not be disabled as they help to prevent - denial-of-service attacks. - To configure streaming connection timeouts - To set the streamingConnectionIdleTimeout option for the kubelet, - create a KubeletConfig option along these lines: -
-    apiVersion: machineconfiguration.openshift.io/v1
-    kind: KubeletConfig
-    metadata:
-       name: kubelet-config-$pool
-    spec:
-        machineConfigPoolSelector:
-            matchLabels:
-                pools.operator.machineconfiguration.openshift.io/$pool_name: ""
-        kubeletConfig:
-            streamingConnectionIdleTimeout: {{{ xccdf_value("var_streaming_connection_timeouts") }}}
-    
- -rationale: |- - Ensuring connections have timeouts helps to protect against denial-of-service attacks as - well as disconnect inactive connections. In addition, setting connections timeouts helps - to prevent from running out of ephemeral ports. - -severity: medium - -ocil_clause: 'the streaming connection timeouts are not disabled' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
- The output should return {{{ xccdf_value("var_streaming_connection_timeouts") }}}. - - - -references: - cis@eks: 3.2.5 - cis@ocp4: 4.2.5 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".streamingConnectionIdleTimeout" - check_existence: "all_exist" - xccdf_variable: var_streaming_connection_timeouts diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections_worker/rule.yml b/applications/openshift/kubelet/kubelet_enable_streaming_connections_worker/rule.yml deleted file mode 100644 index 7c302f0c3b9..00000000000 --- a/applications/openshift/kubelet/kubelet_enable_streaming_connections_worker/rule.yml +++ /dev/null @@ -1,59 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -title: 'kubelet - Do Not Disable Streaming Timeouts' - -description: |- - Timeouts for streaming connections should not be disabled as they help to prevent - denial-of-service attacks. - To configure streaming connection timeouts - To set the streamingConnectionIdleTimeout option for the kubelet, - create a KubeletConfig option along these lines: -
-    apiVersion: machineconfiguration.openshift.io/v1
-    kind: KubeletConfig
-    metadata:
-       name: kubelet-config-$pool
-    spec:
-        machineConfigPoolSelector:
-            matchLabels:
-                pools.operator.machineconfiguration.openshift.io/$pool_name: ""
-        kubeletConfig:
-            streamingConnectionIdleTimeout: {{{ xccdf_value("var_streaming_connection_timeouts") }}}
-    
- -rationale: |- - Ensuring connections have timeouts helps to protect against denial-of-service attacks as - well as disconnect inactive connections. In addition, setting connections timeouts helps - to prevent from running out of ephemeral ports. - -severity: medium - -ocil_clause: 'the streaming connection timeouts are not disabled' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
- The output should return {{{ xccdf_value("var_streaming_connection_timeouts") }}}. - - - -references: - cis@eks: 3.2.5 - cis@ocp4: 4.2.5 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".streamingConnectionIdleTimeout" - check_existence: "all_exist" - xccdf_variable: var_streaming_connection_timeouts diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/kubernetes/shared.yml index c4a998a5b2c..f0b622261ae 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/kubernetes/shared.yml @@ -1,9 +1,5 @@ --- # platform = multi_platform_ocp -{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='imagefs.available', value='var_kubelet_evictionhard_imagefs_available', role='var_role_worker') }}} +{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='imagefs.available', value='var_kubelet_evictionhard_imagefs_available') }}} --- -{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_worker') }}} ---- -{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='imagefs.available', value='var_kubelet_evictionhard_imagefs_available', role='var_role_master') }}} ---- -{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_master') }}} +{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s') }}} 
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/rule.yml index 9facd486673..c19110c6343 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/rule.yml +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/rule.yml @@ -59,16 +59,20 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node + ocil_clause: 'imagefs.available is not set in evictionHard section' ocil: |- Run the following command on the kubelet node(s):
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."imagefs.available"'; done
and make sure it outputs a value. - -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - template: - name: kubelet_combine + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.evictionHard['imagefs.available']" + check_existence: "all_exist" + values: + - value: "^.+$" + operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/tests/match.pass.sh b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/tests/match.pass.sh index 5fb002427f7..b84b1d4335e 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/tests/match.pass.sh +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/tests/match.pass.sh 
@@ -1,459 +1,8 @@ #!/bin/bash # remediation = none -kube_apipath="/kubernetes-api-resources" -ocp_apipath="/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver" -api_path_worker="/kubeletconfig/role/worker" -api_path_master="/kubeletconfig/role/master" +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" -mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusteroperators/" -mkdir -p "$kube_apipath/kubeletconfig/role" - -cat << EOF > $kube_apipath$ocp_apipath -{ - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterOperator", - "metadata":{ - "annotations":{ - "exclude.release.openshift.io/internal-openshift-hosted":"true", - "include.release.openshift.io/self-managed-high-availability":"true", - "include.release.openshift.io/single-node-developer":"true" - }, - "creationTimestamp":"2022-08-10T00:56:27Z", - "generation":1, - "name":"openshift-apiserver", - "ownerReferences":[ - { - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterVersion", - "name":"version", - "uid":"c28a5c07-152f-4fec-b51e-c53f64585841" - } - ], - "resourceVersion":"26181", - "uid":"f8b3e53e-fe06-466e-9842-2cad5ef1659f" - }, - "spec":{ - - }, - "status":{ - "conditions":[ - { - "lastTransitionTime":"2022-08-10T01:03:54Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Degraded" - }, - { - "lastTransitionTime":"2022-08-10T01:11:26Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Progressing" - }, - { - "lastTransitionTime":"2022-08-10T01:14:55Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Available" - }, - { - "lastTransitionTime":"2022-08-10T01:01:44Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Upgradeable" - } - ], - "extension":null, - "relatedObjects":[ - { - "group":"operator.openshift.io", - "name":"cluster", - "resource":"openshiftapiservers" - }, - { - "group":"", - 
"name":"openshift-config", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-config-managed", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-etcd-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"host-etcd-2", - "namespace":"openshift-etcd", - "resource":"endpoints" - }, - { - "group":"controlplane.operator.openshift.io", - "name":"", - "namespace":"openshift-apiserver", - "resource":"podnetworkconnectivitychecks" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.apps.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.authorization.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.build.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.image.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.project.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.quota.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.route.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.security.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.template.openshift.io", - "resource":"apiservices" - } - ], - "versions":[ - { - "name":"operator", - "version":"4.11.0-0.ci-2022-08-08-193848" - }, - { - "name":"openshift-apiserver", - "version":"4.11.0-0.ci-2022-08-08-193848" - } - ] - } -} -EOF - -cat << EOF > $kube_apipath$api_path_worker -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - 
"httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - 
"kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "15%", - "memory.available": "100Mi", - "nodefs.available": "15%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} -EOF - - -cat << EOF > $kube_apipath$api_path_master -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - "httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - 
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "15%", - "memory.available": "100Mi", - "nodefs.available": "15%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - 
"enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig 
+{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":5,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionHard":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","n
odefs.available":"10%","nodefs.inodesFree":"5%"},"evictionSoft":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","nodefs.available":"10%","nodefs.inodesFree":"5%"},"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChains":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} EOF diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/tests/nomatch.fail.sh b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/tests/nomatch.fail.sh index f26a8170e1f..ce3c83159be 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/tests/nomatch.fail.sh +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/tests/nomatch.fail.sh 
@@ -1,453 +1,8 @@ #!/bin/bash # remediation = none -kube_apipath="/kubernetes-api-resources" -ocp_apipath="/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver" -api_path_worker="/kubeletconfig/role/worker" -api_path_master="/kubeletconfig/role/master" +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" -mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusteroperators/" -mkdir -p "$kube_apipath/kubeletconfig/role" - -cat << EOF > $kube_apipath$ocp_apipath -{ - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterOperator", - "metadata":{ - "annotations":{ - "exclude.release.openshift.io/internal-openshift-hosted":"true", - "include.release.openshift.io/self-managed-high-availability":"true", - "include.release.openshift.io/single-node-developer":"true" - }, - "creationTimestamp":"2022-08-10T00:56:27Z", - "generation":1, - "name":"openshift-apiserver", - "ownerReferences":[ - { - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterVersion", - "name":"version", - "uid":"c28a5c07-152f-4fec-b51e-c53f64585841" - } - ], - "resourceVersion":"26181", - "uid":"f8b3e53e-fe06-466e-9842-2cad5ef1659f" - }, - "spec":{ - - }, - "status":{ - "conditions":[ - { - "lastTransitionTime":"2022-08-10T01:03:54Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Degraded" - }, - { - "lastTransitionTime":"2022-08-10T01:11:26Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Progressing" - }, - { - "lastTransitionTime":"2022-08-10T01:14:55Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Available" - }, - { - "lastTransitionTime":"2022-08-10T01:01:44Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Upgradeable" - } - ], - "extension":null, - "relatedObjects":[ - { - "group":"operator.openshift.io", - "name":"cluster", - "resource":"openshiftapiservers" - }, - { - "group":"", - 
"name":"openshift-config", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-config-managed", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-etcd-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"host-etcd-2", - "namespace":"openshift-etcd", - "resource":"endpoints" - }, - { - "group":"controlplane.operator.openshift.io", - "name":"", - "namespace":"openshift-apiserver", - "resource":"podnetworkconnectivitychecks" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.apps.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.authorization.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.build.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.image.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.project.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.quota.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.route.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.security.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.template.openshift.io", - "resource":"apiservices" - } - ], - "versions":[ - { - "name":"operator", - "version":"4.11.0-0.ci-2022-08-08-193848" - }, - { - "name":"openshift-apiserver", - "version":"4.11.0-0.ci-2022-08-08-193848" - } - ] - } -} -EOF - -cat << EOF > $kube_apipath$api_path_worker -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - 
"httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - 
"kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} -EOF - - -cat << EOF > $kube_apipath$api_path_master -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - "httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - 
"rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "15%", - "memory.available": "100Mi", - "nodefs.available": "15%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - 
"APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig 
+{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":0,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilCha
ins":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} EOF diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated/rule.yml deleted file mode 100644 index 779db9166a4..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated/rule.yml +++ /dev/null @@ -1,71 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -platform: ocp4-node - -title: 'Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the imagefs.available setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - - -ocil_clause: 'imagefs.available is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ oc debug -q node/$NODE -- jq -r '.evictionHard."imagefs.available"' /host/etc/kubernetes/kubelet.conf
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - filepath: /etc/kubernetes/kubelet.conf - yamlpath: ".evictionHard['imagefs.available']" - check_existence: "only_one_exists" - values: - - value: ".*" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available_master/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available_master/rule.yml deleted file mode 100644 index 6c689ee4c90..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available_master/rule.yml +++ /dev/null @@ -1,76 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -title: 'Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the imagefs.available setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - cis@ocp4: 1.3.1 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: 'imagefs.available is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."imagefs.available"'; done
- and make sure it outputs a value.
-
-template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: '/kubeletconfig/role'
- filepath_suffix: var_role_master
- yamlpath: ".evictionHard['imagefs.available']"
- check_existence: "all_exist"
- values:
- - value: "^.+$"
- operation: "pattern match"
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available_worker/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available_worker/rule.yml
deleted file mode 100644
index 0dc472c0c0b..00000000000
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available_worker/rule.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-documentation_complete: true
-
-prodtype: ocp4
-
-title: 'Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available'
-
-description: |-
-

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the imagefs.available setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - cis@ocp4: 1.3.1 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: 'imagefs.available is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."imagefs.available"'; done
- and make sure it outputs a value.
-template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: '/kubeletconfig/role'
- filepath_suffix: var_role_worker
- yamlpath: ".evictionHard['imagefs.inodesFree']"
- check_existence: "all_exist"
- values:
- - value: "^.+$"
- operation: "pattern match"
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/kubernetes/shared.yml
index a3fe953b51b..80535cb7d92 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/kubernetes/shared.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/kubernetes/shared.yml
@@ -1,9 +1,5 @@
---
# platform = multi_platform_ocp
-{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='imagefs.inodesFree', value='var_kubelet_evictionhard_imagefs_inodesfree', role='var_role_worker') }}}
+{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='imagefs.inodesFree', value='var_kubelet_evictionhard_imagefs_inodesfree') }}}
---
-{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_worker') }}}
----
-{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='imagefs.inodesFree', value='var_kubelet_evictionhard_imagefs_inodesfree', role='var_role_master') }}}
----
-{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_master') }}}
+{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s') }}}
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/rule.yml
index 7a944178c09..02feecef8a5 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/rule.yml
@@ -2,7 +2,6 @@ documentation_complete: true
prodtype: ocp4
-
title: 'Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree'
description: |-
@@ -56,8 +55,10 @@ identifiers:
references:
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
+ nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node
ocil_clause: 'imagefs.inodesFree is not set in evictionHard section'
@@ -66,9 +67,12 @@ ocil: |-
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."imagefs.inodesFree"'; done
and make sure it outputs a value.
-warnings:
-- general: |-
- {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}}
-
template:
- name: kubelet_combine
+ name: yamlfile_value
+ vars:
+ filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ yamlpath: ".kubeletconfig.evictionHard['imagefs.inodesFree']"
+ check_existence: "all_exist"
+ values:
+ - value: "^.+$"
+ operation: "pattern match"
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated/rule.yml
deleted file mode 100644
index 3ae0e366ee5..00000000000
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated/rule.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-documentation_complete: true
-
-prodtype: ocp4
-
-platform: ocp4-node
-
-title: 'Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree'
-
-description: |-
-
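Review bot: The yamlpath `.kubeletconfig.evictionHard['imagefs.inodesFree']` is matched literally if the yamlfilecontent probe is case-sensitive, and the kubeletconfig fixture this same commit adds for the memory.available rule (match.pass.sh further down) spells that key `imagefs.inodesfree`; if the inodesfree scenarios mirror that fixture, `all_exist` fails the pass case, so the spelling a real node reports is worth confirming before relying on either. A point of style: `filepath` is single-quoted while the neighbouring vars are double-quoted, so `filepath: "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig"` would keep the stanza uniform. The `platform: ocp4-node` key added in the previous hunk of this file lands between `references` and `ocil_clause`, whereas the deleted `_deprecated` rule files kept it next to `prodtype` at the top; moving it up keeps the rule files in this directory laid out consistently. The same two style points apply to the template and platform hunks of kubelet_eviction_thresholds_set_hard_memory_available/rule.yml below.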

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the imagefs.inodesFree setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -ocil_clause: 'imagefs.inodesFree is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ oc debug -q node/$NODE -- jq -r '.evictionHard."imagefs.inodesFree"' /host/etc/kubernetes/kubelet.conf
- and make sure it outputs a value.
-
-template:
- name: yamlfile_value
- vars:
- filepath: /etc/kubernetes/kubelet.conf
- yamlpath: ".evictionHard['imagefs.inodesFree']"
- check_existence: "only_one_exists"
- values:
- - value: ".*"
- operation: "pattern match"
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master/rule.yml
deleted file mode 100644
index 58691274e9a..00000000000
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master/rule.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-documentation_complete: true
-
-prodtype: ocp4
-
-
-title: 'Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree'
-
-description: |-
-

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the imagefs.inodesFree setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - cis@ocp4: 1.3.1 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - - -ocil_clause: 'imagefs.inodesFree is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."imagefs.inodesFree"'; done
- and make sure it outputs a value.
-
-template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: '/kubeletconfig/role'
- filepath_suffix: var_role_master
- yamlpath: ".evictionHard['imagefs.inodesFree']"
- check_existence: "all_exist"
- values:
- - value: "^.+$"
- operation: "pattern match"
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker/rule.yml
deleted file mode 100644
index b9886cc235c..00000000000
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker/rule.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-documentation_complete: true
-
-prodtype: ocp4
-
-
-title: 'Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree'
-
-description: |-
-

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the imagefs.inodesFree setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - cis@ocp4: 1.3.1 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - - -ocil_clause: 'imagefs.inodesFree is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."imagefs.inodesFree"'; done
- and make sure it outputs a value.
-
-template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: '/kubeletconfig/role'
- filepath_suffix: var_role_worker
- yamlpath: ".evictionHard['imagefs.inodesFree']"
- check_existence: "all_exist"
- values:
- - value: "^.+$"
- operation: "pattern match"
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/kubernetes/shared.yml
index 14e5fd2f1b1..ea875548374 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/kubernetes/shared.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/kubernetes/shared.yml
@@ -1,9 +1,5 @@
---
# platform = multi_platform_ocp
-{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='memory.available', value='var_kubelet_evictionhard_memory_available', role='var_role_worker') }}}
+{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='memory.available', value='var_kubelet_evictionhard_memory_available') }}}
---
-{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_worker') }}}
----
-{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='memory.available', value='var_kubelet_evictionhard_memory_available', role='var_role_master') }}}
----
-{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_master') }}}
+{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s') }}}
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/rule.yml
index 03d390fde63..86dd6ca5c03 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/rule.yml
@@ -2,7 +2,6 @@ documentation_complete: true
prodtype: ocp4
-
title: 'Ensure Eviction threshold Settings Are Set - evictionHard: memory.available'
description: |-
@@ -60,6 +59,7 @@ references:
nist: CM-6,CM-6(1)
srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node
ocil_clause: 'memory.available is not set in evictionHard section'
@@ -68,9 +68,12 @@ ocil: |-
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."memory.available"'; done
and make sure it outputs a value.
-warnings:
-- general: |-
- {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}}
-
template:
- name: kubelet_combine
+ name: yamlfile_value
+ vars:
+ filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ yamlpath: ".kubeletconfig.evictionHard['memory.available']"
+ check_existence: "all_exist"
+ values:
+ - value: "^.+$"
+ operation: "pattern match"
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/tests/match.pass.sh b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/tests/match.pass.sh
index 76585d480a8..b84b1d4335e 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/tests/match.pass.sh
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/tests/match.pass.sh
@@ -1,461 +1,8 @@ #!/bin/bash # remediation = none -kube_apipath="/kubernetes-api-resources" -ocp_apipath="/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver" -api_path_worker="/kubeletconfig/role/worker" -api_path_master="/kubeletconfig/role/master" +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" -mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusteroperators/" -mkdir -p "$kube_apipath/kubeletconfig/role" - -cat << EOF > $kube_apipath$ocp_apipath -{ - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterOperator", - "metadata":{ - "annotations":{ - "exclude.release.openshift.io/internal-openshift-hosted":"true", - "include.release.openshift.io/self-managed-high-availability":"true", - "include.release.openshift.io/single-node-developer":"true" - }, - "creationTimestamp":"2022-08-10T00:56:27Z", - "generation":1, - "name":"openshift-apiserver", - "ownerReferences":[ - { - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterVersion", - "name":"version", - "uid":"c28a5c07-152f-4fec-b51e-c53f64585841" - } - ], - "resourceVersion":"26181", - "uid":"f8b3e53e-fe06-466e-9842-2cad5ef1659f" - }, - "spec":{ - - }, - "status":{ - "conditions":[ - { - "lastTransitionTime":"2022-08-10T01:03:54Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Degraded" - }, - { - "lastTransitionTime":"2022-08-10T01:11:26Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Progressing" - }, - { - "lastTransitionTime":"2022-08-10T01:14:55Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Available" - }, - { - "lastTransitionTime":"2022-08-10T01:01:44Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Upgradeable" - } - ], - "extension":null, - "relatedObjects":[ - { - "group":"operator.openshift.io", - "name":"cluster", - "resource":"openshiftapiservers" - }, - { - "group":"", - 
"name":"openshift-config", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-config-managed", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-etcd-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"host-etcd-2", - "namespace":"openshift-etcd", - "resource":"endpoints" - }, - { - "group":"controlplane.operator.openshift.io", - "name":"", - "namespace":"openshift-apiserver", - "resource":"podnetworkconnectivitychecks" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.apps.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.authorization.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.build.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.image.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.project.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.quota.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.route.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.security.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.template.openshift.io", - "resource":"apiservices" - } - ], - "versions":[ - { - "name":"operator", - "version":"4.11.0-0.ci-2022-08-08-193848" - }, - { - "name":"openshift-apiserver", - "version":"4.11.0-0.ci-2022-08-08-193848" - } - ] - } -} -EOF - -cat << EOF > $kube_apipath$api_path_worker -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - 
"httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - 
"kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "10%", - "imagefs.inodesfree": "5%", - "memory.available": "100Mi", - "nodefs.available": "5%", - "nodefs.inodesFree": "4%" - }, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} -EOF - - -cat << EOF > $kube_apipath$api_path_master -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - "httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - 
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "10%", - "imagefs.inodesfree": "5%", - "memory.available": "100Mi", - "nodefs.available": "5%", - "nodefs.inodesFree": "4%" - }, - 
"evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig 
+{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":5,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionHard":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","n
odefs.available":"10%","nodefs.inodesFree":"5%"},"evictionSoft":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","nodefs.available":"10%","nodefs.inodesFree":"5%"},"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChains":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}}
EOF
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/tests/nomatch.fail.sh b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/tests/nomatch.fail.sh
index f26a8170e1f..ce3c83159be 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/tests/nomatch.fail.sh
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/tests/nomatch.fail.sh
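Review bot: The fixture is written to `/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig`, one path component below the `filepath` the updated rule.yml reads (`/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig`), which the preceding `mkdir -p` creates as a directory; unless the yamlfile_value template or the operator resolves that directory to the file inside it, the pass scenario prepares a file the check never opens, so which of the two is the real location on a node is worth confirming. The same layout is used in nomatch.fail.sh below, whose hunk runs past the end of this view. The whole KubeletConfiguration is emitted as a single unbroken JSON line, so the one value this scenario is about (`memory.available`) is buried in a few kilobytes of text; keeping the heredoc pretty-printed, as the removed fixture was, keeps the pass/fail pair reviewable. The fixture also carries a `providerID` that looks like a real cloud instance id; a clearly marked placeholder would keep the test independent of the cluster it was captured from.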
@@ -1,453 +1,8 @@ #!/bin/bash # remediation = none -kube_apipath="/kubernetes-api-resources" -ocp_apipath="/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver" -api_path_worker="/kubeletconfig/role/worker" -api_path_master="/kubeletconfig/role/master" +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" -mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusteroperators/" -mkdir -p "$kube_apipath/kubeletconfig/role" - -cat << EOF > $kube_apipath$ocp_apipath -{ - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterOperator", - "metadata":{ - "annotations":{ - "exclude.release.openshift.io/internal-openshift-hosted":"true", - "include.release.openshift.io/self-managed-high-availability":"true", - "include.release.openshift.io/single-node-developer":"true" - }, - "creationTimestamp":"2022-08-10T00:56:27Z", - "generation":1, - "name":"openshift-apiserver", - "ownerReferences":[ - { - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterVersion", - "name":"version", - "uid":"c28a5c07-152f-4fec-b51e-c53f64585841" - } - ], - "resourceVersion":"26181", - "uid":"f8b3e53e-fe06-466e-9842-2cad5ef1659f" - }, - "spec":{ - - }, - "status":{ - "conditions":[ - { - "lastTransitionTime":"2022-08-10T01:03:54Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Degraded" - }, - { - "lastTransitionTime":"2022-08-10T01:11:26Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Progressing" - }, - { - "lastTransitionTime":"2022-08-10T01:14:55Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Available" - }, - { - "lastTransitionTime":"2022-08-10T01:01:44Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Upgradeable" - } - ], - "extension":null, - "relatedObjects":[ - { - "group":"operator.openshift.io", - "name":"cluster", - "resource":"openshiftapiservers" - }, - { - "group":"", - 
"name":"openshift-config", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-config-managed", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-etcd-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"host-etcd-2", - "namespace":"openshift-etcd", - "resource":"endpoints" - }, - { - "group":"controlplane.operator.openshift.io", - "name":"", - "namespace":"openshift-apiserver", - "resource":"podnetworkconnectivitychecks" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.apps.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.authorization.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.build.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.image.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.project.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.quota.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.route.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.security.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.template.openshift.io", - "resource":"apiservices" - } - ], - "versions":[ - { - "name":"operator", - "version":"4.11.0-0.ci-2022-08-08-193848" - }, - { - "name":"openshift-apiserver", - "version":"4.11.0-0.ci-2022-08-08-193848" - } - ] - } -} -EOF - -cat << EOF > $kube_apipath$api_path_worker -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - 
"httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - 
"kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} -EOF - - -cat << EOF > $kube_apipath$api_path_master -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - "httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - 
"rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "15%", - "memory.available": "100Mi", - "nodefs.available": "15%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - 
"APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig 
+{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":0,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilCha
ins":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} EOF diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available_deprecated/rule.yml deleted file mode 100644 index 4e747feeeca..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available_deprecated/rule.yml +++ /dev/null @@ -1,71 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -platform: ocp4-node - -title: 'Ensure Eviction threshold Settings Are Set - evictionHard: memory.available' - -description: |- -
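Review bot: The fixture the new `cat << EOF` writes on the last hunk line drops the whole `evictionHard` object, so this nomatch case only proves the check fails when the section is absent, not when `evictionHard` exists but lacks `memory.available`; I'd keep a sibling key in the fixture, e.g. `"evictionHard":{"nodefs.available":"10%"},` placed before `"evictionPressureTransitionPeriod"`, so the `['memory.available']` lookup itself is exercised. The heredoc delimiter is unquoted, so any `$` or backtick that later lands in the JSON would be expanded by bash before it reaches the file; `cat << 'EOF'` makes the fixture literal. The single-line JSON also embeds a realistic cloud resource id in `providerID`; a clearly fake placeholder (e.g. `aws:///REGION/i-EXAMPLE`, constructed) avoids confusion, and pretty-printing the fixture would make future diffs of it reviewable. The fixture that ends at the top of this chunk carries the same `providerID` value, so the same cleanup applies there.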

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the memory.available setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - - -ocil_clause: 'memory.available is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ oc debug -q node/$NODE -- jq -r '.evictionHard."memory.available"' /host/etc/kubernetes/kubelet.conf
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - filepath: /etc/kubernetes/kubelet.conf - yamlpath: ".evictionHard['memory.available']" - check_existence: "only_one_exists" - values: - - value: ".*" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available_master/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available_master/rule.yml deleted file mode 100644 index b0e3427563b..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available_master/rule.yml +++ /dev/null @@ -1,78 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - - -title: 'Ensure Eviction threshold Settings Are Set - evictionHard: memory.available' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the memory.available setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - cis@ocp4: 1.3.1 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - - -ocil_clause: 'memory.available is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."memory.available"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".evictionHard['memory.available']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available_worker/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available_worker/rule.yml deleted file mode 100644 index 93819773e0c..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available_worker/rule.yml +++ /dev/null @@ -1,78 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - - -title: 'Ensure Eviction threshold Settings Are Set - evictionHard: memory.available' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the memory.available setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - cis@ocp4: 1.3.1 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - - -ocil_clause: 'memory.available is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."memory.available"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".evictionHard['memory.available']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/kubernetes/shared.yml index 6709d41e780..f175bb39c50 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/kubernetes/shared.yml @@ -1,9 +1,5 @@ --- # platform = multi_platform_ocp -{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='nodefs.available', value='var_kubelet_evictionhard_nodefs_available', role='var_role_worker') }}} +{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='nodefs.available', value='var_kubelet_evictionhard_nodefs_available') }}} --- -{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_worker') }}} ---- -{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='nodefs.available', value='var_kubelet_evictionhard_nodefs_available', role='var_role_master') }}} ---- -{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_master') }}} +{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s') }}} diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/rule.yml index 835f5477ab9..8ce908775ff 100644 
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/rule.yml +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/rule.yml @@ -59,6 +59,7 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node ocil_clause: 'nodefs.available is not set in evictionHard section' @@ -67,9 +68,12 @@ ocil: |-
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."nodefs.available"'; done
and make sure it outputs a value. -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - template: - name: kubelet_combine + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.evictionHard['nodefs.available']" + check_existence: "all_exist" + values: + - value: "^.+$" + operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/tests/match.pass.sh b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/tests/match.pass.sh index ac210403110..b84b1d4335e 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/tests/match.pass.sh +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/tests/match.pass.sh 
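Review bot: The new `filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'` in the second hunk names the directory that tests/match.pass.sh creates with `mkdir -p`, while the fixture itself is written to the `openscap-kubeletconfig` file inside that directory; unless the yamlfile_value template appends a filename or matches by prefix, the check would be pointed at a directory, so please confirm this against the template's generated OVAL. The removed `warnings` stanza was the only place telling a reader where the checked data comes from; I'd add a short `warnings: - general:` entry stating that the file is presumably populated by the Compliance Operator (the path suggests so) and that the rule cannot evaluate when it is missing. Separately, `platform: ocp4-node` in the first hunk sits between `references` and `ocil_clause`; for consistency with the other kubelet rules touched in this change, I'd place it next to `prodtype` near the top of the file.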
@@ -1,461 +1,8 @@ #!/bin/bash # remediation = none -kube_apipath="/kubernetes-api-resources" -ocp_apipath="/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver" -api_path_worker="/kubeletconfig/role/worker" -api_path_master="/kubeletconfig/role/master" +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" -mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusteroperators/" -mkdir -p "$kube_apipath/kubeletconfig/role" - -cat << EOF > $kube_apipath$ocp_apipath -{ - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterOperator", - "metadata":{ - "annotations":{ - "exclude.release.openshift.io/internal-openshift-hosted":"true", - "include.release.openshift.io/self-managed-high-availability":"true", - "include.release.openshift.io/single-node-developer":"true" - }, - "creationTimestamp":"2022-08-10T00:56:27Z", - "generation":1, - "name":"openshift-apiserver", - "ownerReferences":[ - { - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterVersion", - "name":"version", - "uid":"c28a5c07-152f-4fec-b51e-c53f64585841" - } - ], - "resourceVersion":"26181", - "uid":"f8b3e53e-fe06-466e-9842-2cad5ef1659f" - }, - "spec":{ - - }, - "status":{ - "conditions":[ - { - "lastTransitionTime":"2022-08-10T01:03:54Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Degraded" - }, - { - "lastTransitionTime":"2022-08-10T01:11:26Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Progressing" - }, - { - "lastTransitionTime":"2022-08-10T01:14:55Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Available" - }, - { - "lastTransitionTime":"2022-08-10T01:01:44Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Upgradeable" - } - ], - "extension":null, - "relatedObjects":[ - { - "group":"operator.openshift.io", - "name":"cluster", - "resource":"openshiftapiservers" - }, - { - "group":"", - 
"name":"openshift-config", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-config-managed", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-etcd-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"host-etcd-2", - "namespace":"openshift-etcd", - "resource":"endpoints" - }, - { - "group":"controlplane.operator.openshift.io", - "name":"", - "namespace":"openshift-apiserver", - "resource":"podnetworkconnectivitychecks" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.apps.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.authorization.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.build.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.image.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.project.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.quota.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.route.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.security.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.template.openshift.io", - "resource":"apiservices" - } - ], - "versions":[ - { - "name":"operator", - "version":"4.11.0-0.ci-2022-08-08-193848" - }, - { - "name":"openshift-apiserver", - "version":"4.11.0-0.ci-2022-08-08-193848" - } - ] - } -} -EOF - -cat << EOF > $kube_apipath$api_path_worker -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - 
"httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - 
"kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "10%", - "imagefs.inodesfree": "5%", - "memory.available": "200Mi", - "nodefs.available": "10%", - "nodefs.inodesFree": "4%" - }, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} -EOF - - -cat << EOF > $kube_apipath$api_path_master -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - "httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - 
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "10%", - "imagefs.inodesfree": "5%", - "memory.available": "200Mi", - "nodefs.available": "10%", - "nodefs.inodesFree": "4%" - }, - 
"evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig 
+{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":5,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionHard":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","n
odefs.available":"10%","nodefs.inodesFree":"5%"},"evictionSoft":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","nodefs.available":"10%","nodefs.inodesFree":"5%"},"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChains":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} EOF diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/tests/nomatch.fail.sh b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/tests/nomatch.fail.sh index f26a8170e1f..ce3c83159be 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/tests/nomatch.fail.sh +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/tests/nomatch.fail.sh 
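Review bot: The fixture is written to `/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig`, a file inside a directory of the same name, while the rule's `filepath` in rule.yml is `/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig`, one path component shorter; unless the yamlfile_value template resolves that path to the file beneath it, the scanner opens the directory and the test exercises nothing — nomatch.fail.sh has the identical layout, so one of the two paths should change in both scripts. The JSON also carries an instance identifier lifted from a real cluster (`"providerID":"aws:///us-west-1b/i-0b15fe350572ea633"`) that the check never reads; replace it with a clearly synthetic value such as `"providerID":"aws:///REGION/i-EXAMPLE"`. Finally, the nomatch.fail.sh fixture differs from this one in more than the key under test (it also changes `eventRecordQPS` from 5 to 0 and drops `evictionSoft`), so the negative case does not isolate the missing `evictionHard`; deriving both fixtures from one base and removing only `evictionHard` in the failing variant would make the pair meaningful.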
@@ -1,453 +1,8 @@ #!/bin/bash # remediation = none -kube_apipath="/kubernetes-api-resources" -ocp_apipath="/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver" -api_path_worker="/kubeletconfig/role/worker" -api_path_master="/kubeletconfig/role/master" +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" -mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusteroperators/" -mkdir -p "$kube_apipath/kubeletconfig/role" - -cat << EOF > $kube_apipath$ocp_apipath -{ - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterOperator", - "metadata":{ - "annotations":{ - "exclude.release.openshift.io/internal-openshift-hosted":"true", - "include.release.openshift.io/self-managed-high-availability":"true", - "include.release.openshift.io/single-node-developer":"true" - }, - "creationTimestamp":"2022-08-10T00:56:27Z", - "generation":1, - "name":"openshift-apiserver", - "ownerReferences":[ - { - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterVersion", - "name":"version", - "uid":"c28a5c07-152f-4fec-b51e-c53f64585841" - } - ], - "resourceVersion":"26181", - "uid":"f8b3e53e-fe06-466e-9842-2cad5ef1659f" - }, - "spec":{ - - }, - "status":{ - "conditions":[ - { - "lastTransitionTime":"2022-08-10T01:03:54Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Degraded" - }, - { - "lastTransitionTime":"2022-08-10T01:11:26Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Progressing" - }, - { - "lastTransitionTime":"2022-08-10T01:14:55Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Available" - }, - { - "lastTransitionTime":"2022-08-10T01:01:44Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Upgradeable" - } - ], - "extension":null, - "relatedObjects":[ - { - "group":"operator.openshift.io", - "name":"cluster", - "resource":"openshiftapiservers" - }, - { - "group":"", - 
"name":"openshift-config", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-config-managed", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-etcd-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"host-etcd-2", - "namespace":"openshift-etcd", - "resource":"endpoints" - }, - { - "group":"controlplane.operator.openshift.io", - "name":"", - "namespace":"openshift-apiserver", - "resource":"podnetworkconnectivitychecks" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.apps.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.authorization.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.build.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.image.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.project.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.quota.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.route.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.security.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.template.openshift.io", - "resource":"apiservices" - } - ], - "versions":[ - { - "name":"operator", - "version":"4.11.0-0.ci-2022-08-08-193848" - }, - { - "name":"openshift-apiserver", - "version":"4.11.0-0.ci-2022-08-08-193848" - } - ] - } -} -EOF - -cat << EOF > $kube_apipath$api_path_worker -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - 
"httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - 
"kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} -EOF - - -cat << EOF > $kube_apipath$api_path_master -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - "httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - 
"rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "15%", - "memory.available": "100Mi", - "nodefs.available": "15%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - 
"APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig 
+{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":0,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilCha
ins":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} EOF diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated/rule.yml deleted file mode 100644 index 840e5b430c3..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated/rule.yml +++ /dev/null @@ -1,71 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -platform: ocp4-node - -title: 'Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the nodefs.available setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - - -ocil_clause: 'nodefs.available is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ oc debug -q node/$NODE -- jq -r '.evictionHard."nodefs.available"' /host/etc/kubernetes/kubelet.conf
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - filepath: /etc/kubernetes/kubelet.conf - yamlpath: ".evictionHard['nodefs.available']" - check_existence: "only_one_exists" - values: - - value: ".*" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available_master/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available_master/rule.yml deleted file mode 100644 index 188738e39b9..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available_master/rule.yml +++ /dev/null @@ -1,78 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -title: 'Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the nodefs.available setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - cis@ocp4: 1.3.1 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - - -ocil_clause: 'nodefs.available is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."nodefs.available"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".evictionHard['nodefs.available']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" - diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available_worker/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available_worker/rule.yml deleted file mode 100644 index 9d3f22c161e..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available_worker/rule.yml +++ /dev/null @@ -1,77 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -title: 'Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the nodefs.available setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - cis@ocp4: 1.3.1 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - - -ocil_clause: 'nodefs.available is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."nodefs.available"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".evictionHard['nodefs.available']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/kubernetes/shared.yml index 7f81a6d3df0..e0b04645fdf 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/kubernetes/shared.yml @@ -1,9 +1,5 @@ --- # platform = multi_platform_ocp -{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='nodefs.inodesFree', value='var_kubelet_evictionhard_nodefs_inodesfree', role='var_role_worker') }}} +{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='nodefs.inodesFree', value='var_kubelet_evictionhard_nodefs_inodesfree') }}} --- -{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_worker') }}} ---- -{{{ kubelet_config(path='kubeletConfig.evictionHard',parameter='nodefs.inodesFree', value='var_kubelet_evictionhard_nodefs_inodesfree', role='var_role_master') }}} ---- -{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_master') }}} +{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s') }}} diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/rule.yml index 78f7806e489..49263c6de83 100644 
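Review bot: The rewritten remediation renders a single `kubelet_config` / `kubelet_config_fixed` pair with no `role` argument, whereas the rule it backs is now evaluated on every node (`platform: ocp4-node` in the companion rule.yml); whether control-plane nodes are still remediated therefore depends on which MachineConfigPool(s) the macro targets when `role` is omitted, which this hunk does not show. If the role-less form binds to one pool only, master nodes would keep failing the per-node check after the fix is applied. A one-line comment above the first macro stating the intended pool selection, e.g. `# no role: one KubeletConfig per pool (master and worker)` or whatever the macro actually renders, would make that assumption reviewable and catch a regression if the macro's default ever changes.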
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/rule.yml +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/rule.yml @@ -59,6 +59,8 @@ references: nist: CM-6,CM-6(1) srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node + ocil_clause: 'nodefs.inodesFree is not set in evictionHard section' ocil: |- @@ -66,9 +68,12 @@ ocil: |-
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."nodefs.inodesFree"'; done
and make sure it outputs a value. -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - template: - name: kubelet_combine + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.evictionHard['nodefs.inodesFree']" + check_existence: "all_exist" + values: + - value: "^.+$" + operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/tests/match.pass.sh b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/tests/match.pass.sh index 75e0bc08433..b84b1d4335e 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/tests/match.pass.sh +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/tests/match.pass.sh 
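Review bot: The hunk drops the `warnings` stanza without replacing the information it carried: the check now reads `/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig` on each node, a file that is presumably written by the Compliance Operator rather than by the kubelet itself, so a scan run outside that operator has nothing to evaluate and will not fail for the reason the title describes. Consider keeping a `warnings:` entry such as `- general: 'This check reads the kubelet configuration collected by the Compliance Operator at /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig; a plain OpenSCAP run on the node cannot evaluate it.'`. The `ocil` step still queries `/proxy/configz` through the API server while the automated check reads the node-local file; if that file is a dump of the same `configz` output (the `.kubeletconfig` wrapper in `yamlpath` suggests so), say so, otherwise readers may expect the two to diverge from the on-disk `kubelet.conf`. Note also that `^.+$` only asserts the key is non-empty, so a value such as `0%` satisfies the rule while effectively disabling the threshold — consistent with the CIS wording, but worth stating in the description.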
@@ -1,461 +1,8 @@ #!/bin/bash # remediation = none -kube_apipath="/kubernetes-api-resources" -ocp_apipath="/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver" -api_path_worker="/kubeletconfig/role/worker" -api_path_master="/kubeletconfig/role/master" +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" -mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusteroperators/" -mkdir -p "$kube_apipath/kubeletconfig/role" - -cat << EOF > $kube_apipath$ocp_apipath -{ - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterOperator", - "metadata":{ - "annotations":{ - "exclude.release.openshift.io/internal-openshift-hosted":"true", - "include.release.openshift.io/self-managed-high-availability":"true", - "include.release.openshift.io/single-node-developer":"true" - }, - "creationTimestamp":"2022-08-10T00:56:27Z", - "generation":1, - "name":"openshift-apiserver", - "ownerReferences":[ - { - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterVersion", - "name":"version", - "uid":"c28a5c07-152f-4fec-b51e-c53f64585841" - } - ], - "resourceVersion":"26181", - "uid":"f8b3e53e-fe06-466e-9842-2cad5ef1659f" - }, - "spec":{ - - }, - "status":{ - "conditions":[ - { - "lastTransitionTime":"2022-08-10T01:03:54Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Degraded" - }, - { - "lastTransitionTime":"2022-08-10T01:11:26Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Progressing" - }, - { - "lastTransitionTime":"2022-08-10T01:14:55Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Available" - }, - { - "lastTransitionTime":"2022-08-10T01:01:44Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Upgradeable" - } - ], - "extension":null, - "relatedObjects":[ - { - "group":"operator.openshift.io", - "name":"cluster", - "resource":"openshiftapiservers" - }, - { - "group":"", - 
"name":"openshift-config", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-config-managed", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-etcd-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"host-etcd-2", - "namespace":"openshift-etcd", - "resource":"endpoints" - }, - { - "group":"controlplane.operator.openshift.io", - "name":"", - "namespace":"openshift-apiserver", - "resource":"podnetworkconnectivitychecks" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.apps.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.authorization.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.build.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.image.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.project.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.quota.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.route.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.security.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.template.openshift.io", - "resource":"apiservices" - } - ], - "versions":[ - { - "name":"operator", - "version":"4.11.0-0.ci-2022-08-08-193848" - }, - { - "name":"openshift-apiserver", - "version":"4.11.0-0.ci-2022-08-08-193848" - } - ] - } -} -EOF - -cat << EOF > $kube_apipath$api_path_worker -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - 
"httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - 
"kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "10%", - "imagefs.inodesfree": "5%", - "memory.available": "200Mi", - "nodefs.available": "5%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} -EOF - - -cat << EOF > $kube_apipath$api_path_master -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - "httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - 
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "10%", - "imagefs.inodesfree": "5%", - "memory.available": "200Mi", - "nodefs.available": "5%", - "nodefs.inodesFree": "5%" - }, - 
"evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig 
+{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":5,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionHard":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","n
odefs.available":"10%","nodefs.inodesFree":"5%"},"evictionSoft":{"imagefs.available":"15%","imagefs.inodesfree":"15%","memory.available":"100Mi","nodefs.available":"10%","nodefs.inodesFree":"5%"},"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilChains":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} EOF diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/tests/nomatch.fail.sh b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/tests/nomatch.fail.sh index f26a8170e1f..ce3c83159be 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/tests/nomatch.fail.sh +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/tests/nomatch.fail.sh 
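Review bot: The fixture is written to `/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig`, one level below the `filepath` the rule's `yamlfile_value` template reads, and the preceding `mkdir -p` turns that `filepath` into a directory; unless the test harness remaps paths, the check would be pointed at a directory and this pass test could not pass for the intended reason. If the file is meant to sit at the rule's `filepath`, the setup should be `mkdir -p /etc/kubernetes/compliance-operator/kubeletconfig` followed by `cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig`. The single-line JSON blob also hides which field the test depends on; a comment such as `# evictionHard."nodefs.inodesFree" is set ("5%") -> rule must pass` above the heredoc would make that explicit. The fixture further carries a real-looking `providerID` (`aws:///us-west-1b/i-0b15fe350572ea633`) and a `streamingConnectionIdleTimeout` of `4h0m0s` copied from a live node; a placeholder provider ID would avoid shipping an instance identifier in the repository.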
@@ -1,453 +1,8 @@ #!/bin/bash # remediation = none -kube_apipath="/kubernetes-api-resources" -ocp_apipath="/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver" -api_path_worker="/kubeletconfig/role/worker" -api_path_master="/kubeletconfig/role/master" +mkdir -p "/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig" -mkdir -p "$kube_apipath/apis/config.openshift.io/v1/clusteroperators/" -mkdir -p "$kube_apipath/kubeletconfig/role" - -cat << EOF > $kube_apipath$ocp_apipath -{ - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterOperator", - "metadata":{ - "annotations":{ - "exclude.release.openshift.io/internal-openshift-hosted":"true", - "include.release.openshift.io/self-managed-high-availability":"true", - "include.release.openshift.io/single-node-developer":"true" - }, - "creationTimestamp":"2022-08-10T00:56:27Z", - "generation":1, - "name":"openshift-apiserver", - "ownerReferences":[ - { - "apiVersion":"config.openshift.io/v1", - "kind":"ClusterVersion", - "name":"version", - "uid":"c28a5c07-152f-4fec-b51e-c53f64585841" - } - ], - "resourceVersion":"26181", - "uid":"f8b3e53e-fe06-466e-9842-2cad5ef1659f" - }, - "spec":{ - - }, - "status":{ - "conditions":[ - { - "lastTransitionTime":"2022-08-10T01:03:54Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Degraded" - }, - { - "lastTransitionTime":"2022-08-10T01:11:26Z", - "message":"All is well", - "reason":"AsExpected", - "status":"False", - "type":"Progressing" - }, - { - "lastTransitionTime":"2022-08-10T01:14:55Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Available" - }, - { - "lastTransitionTime":"2022-08-10T01:01:44Z", - "message":"All is well", - "reason":"AsExpected", - "status":"True", - "type":"Upgradeable" - } - ], - "extension":null, - "relatedObjects":[ - { - "group":"operator.openshift.io", - "name":"cluster", - "resource":"openshiftapiservers" - }, - { - "group":"", - 
"name":"openshift-config", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-config-managed", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-apiserver", - "resource":"namespaces" - }, - { - "group":"", - "name":"openshift-etcd-operator", - "resource":"namespaces" - }, - { - "group":"", - "name":"host-etcd-2", - "namespace":"openshift-etcd", - "resource":"endpoints" - }, - { - "group":"controlplane.operator.openshift.io", - "name":"", - "namespace":"openshift-apiserver", - "resource":"podnetworkconnectivitychecks" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.apps.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.authorization.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.build.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.image.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.project.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.quota.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.route.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.security.openshift.io", - "resource":"apiservices" - }, - { - "group":"apiregistration.k8s.io", - "name":"v1.template.openshift.io", - "resource":"apiservices" - } - ], - "versions":[ - { - "name":"operator", - "version":"4.11.0-0.ci-2022-08-08-193848" - }, - { - "name":"openshift-apiserver", - "version":"4.11.0-0.ci-2022-08-08-193848" - } - ] - } -} -EOF - -cat << EOF > $kube_apipath$api_path_worker -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - 
"httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - "rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - 
"kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - "APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} -EOF - - -cat << EOF > $kube_apipath$api_path_master -{ - "enableServer": true, - "staticPodPath": "/etc/kubernetes/manifests", - "syncFrequency": "1m0s", - "fileCheckFrequency": "20s", - "httpCheckFrequency": "20s", - "address": "0.0.0.0", - "port": 10250, - "tlsCipherSuites": [ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" - ], - "tlsMinVersion": "VersionTLS12", - 
"rotateCertificates": true, - "serverTLSBootstrap": true, - "authentication": { - "x509": { - "clientCAFile": "/etc/kubernetes/kubelet-ca.crt" - }, - "webhook": { - "enabled": true, - "cacheTTL": "2m0s" - }, - "anonymous": { - "enabled": false - } - }, - "authorization": { - "mode": "Webhook", - "webhook": { - "cacheAuthorizedTTL": "5m0s", - "cacheUnauthorizedTTL": "30s" - } - }, - "registryPullQPS": 5, - "registryBurst": 10, - "eventRecordQPS": 5, - "eventBurst": 10, - "enableDebuggingHandlers": true, - "healthzPort": 10248, - "healthzBindAddress": "127.0.0.1", - "oomScoreAdj": -999, - "clusterDomain": "cluster.local", - "clusterDNS": [ - "172.30.0.10" - ], - "streamingConnectionIdleTimeout": "5m0s", - "nodeStatusUpdateFrequency": "10s", - "nodeStatusReportFrequency": "5m0s", - "nodeLeaseDurationSeconds": 40, - "imageMinimumGCAge": "2m0s", - "imageGCHighThresholdPercent": 85, - "imageGCLowThresholdPercent": 80, - "volumeStatsAggPeriod": "1m0s", - "systemCgroups": "/system.slice", - "cgroupRoot": "/", - "cgroupsPerQOS": true, - "cgroupDriver": "systemd", - "cpuManagerPolicy": "none", - "cpuManagerReconcilePeriod": "10s", - "memoryManagerPolicy": "None", - "topologyManagerPolicy": "none", - "topologyManagerScope": "container", - "runtimeRequestTimeout": "2m0s", - "hairpinMode": "promiscuous-bridge", - "maxPods": 250, - "podPidsLimit": 4096, - "resolvConf": "/etc/resolv.conf", - "cpuCFSQuota": true, - "cpuCFSQuotaPeriod": "100ms", - "nodeStatusMaxImages": 50, - "maxOpenFiles": 1000000, - "contentType": "application/vnd.kubernetes.protobuf", - "kubeAPIQPS": 50, - "kubeAPIBurst": 100, - "serializeImagePulls": false, - "evictionHard": { - "imagefs.available": "15%", - "memory.available": "100Mi", - "nodefs.available": "15%", - "nodefs.inodesFree": "5%" - }, - "evictionPressureTransitionPeriod": "5m0s", - "enableControllerAttachDetach": true, - "makeIPTablesUtilChains": true, - "iptablesMasqueradeBit": 14, - "iptablesDropBit": 15, - "featureGates": { - 
"APIPriorityAndFairness": true, - "CSIMigrationAWS": false, - "CSIMigrationAzureFile": false, - "CSIMigrationGCE": false, - "CSIMigrationvSphere": false, - "DownwardAPIHugePages": true, - "PodSecurity": true, - "RotateKubeletServerCertificate": true - }, - "failSwapOn": true, - "memorySwap": {}, - "containerLogMaxSize": "50Mi", - "containerLogMaxFiles": 5, - "configMapAndSecretChangeDetectionStrategy": "Watch", - "systemReserved": { - "cpu": "500m", - "memory": "1Gi" - }, - "enforceNodeAllocatable": [ - "pods" - ], - "volumePluginDir": "/etc/kubernetes/kubelet-plugins/volume/exec", - "logging": { - "format": "text", - "flushFrequency": 5000000000, - "verbosity": 2, - "options": { - "json": { - "infoBufferSize": "0" - } - } - }, - "enableSystemLogHandler": true, - "shutdownGracePeriod": "0s", - "shutdownGracePeriodCriticalPods": "0s", - "enableProfilingHandler": true, - "enableDebugFlagsHandler": true, - "seccompDefault": false, - "memoryThrottlingFactor": 0.8, - "registerWithTaints": [ - { - "key": "node-role.kubernetes.io/master", - "effect": "NoSchedule" - } - ], - "registerNode": true, - "kind": "KubeletConfiguration" -} +cat << EOF > /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig 
+{"kubeletconfig":{"enableServer":true,"staticPodPath":"/etc/kubernetes/manifests","syncFrequency":"1m0s","fileCheckFrequency":"20s","httpCheckFrequency":"20s","address":"0.0.0.0","port":10250,"tlsCipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],"tlsMinVersion":"VersionTLS12","rotateCertificates":true,"serverTLSBootstrap":true,"authentication":{"x509":{"clientCAFile":"/etc/kubernetes/kubelet-ca.crt"},"webhook":{"enabled":true,"cacheTTL":"2m0s"},"anonymous":{"enabled":false}},"authorization":{"mode":"Webhook","webhook":{"cacheAuthorizedTTL":"5m0s","cacheUnauthorizedTTL":"30s"}},"registryPullQPS":5,"registryBurst":10,"eventRecordQPS":0,"eventBurst":10,"enableDebuggingHandlers":true,"healthzPort":10248,"healthzBindAddress":"127.0.0.1","oomScoreAdj":-999,"clusterDomain":"cluster.local","clusterDNS":["172.30.0.10"],"streamingConnectionIdleTimeout":"4h0m0s","nodeStatusUpdateFrequency":"10s","nodeStatusReportFrequency":"5m0s","nodeLeaseDurationSeconds":40,"imageMinimumGCAge":"2m0s","imageGCHighThresholdPercent":85,"imageGCLowThresholdPercent":80,"volumeStatsAggPeriod":"1m0s","systemCgroups":"/system.slice","cgroupRoot":"/","cgroupsPerQOS":true,"cgroupDriver":"systemd","cpuManagerPolicy":"none","cpuManagerReconcilePeriod":"10s","memoryManagerPolicy":"None","topologyManagerPolicy":"none","topologyManagerScope":"container","runtimeRequestTimeout":"2m0s","hairpinMode":"promiscuous-bridge","maxPods":250,"podPidsLimit":4096,"resolvConf":"/etc/resolv.conf","cpuCFSQuota":true,"cpuCFSQuotaPeriod":"100ms","nodeStatusMaxImages":50,"maxOpenFiles":1000000,"contentType":"application/vnd.kubernetes.protobuf","kubeAPIQPS":50,"kubeAPIBurst":100,"serializeImagePulls":false,"evictionPressureTransitionPeriod":"5m0s","enableControllerAttachDetach":true,"makeIPTablesUtilCha
ins":true,"iptablesMasqueradeBit":14,"iptablesDropBit":15,"featureGates":{"APIPriorityAndFairness":true,"CSIMigrationAzureFile":false,"CSIMigrationvSphere":false,"DownwardAPIHugePages":true,"RotateKubeletServerCertificate":true},"failSwapOn":true,"memorySwap":{},"containerLogMaxSize":"50Mi","containerLogMaxFiles":5,"configMapAndSecretChangeDetectionStrategy":"Watch","systemReserved":{"cpu":"500m","ephemeral-storage":"1Gi","memory":"1Gi"},"enforceNodeAllocatable":["pods"],"volumePluginDir":"/etc/kubernetes/kubelet-plugins/volume/exec","providerID":"aws:///us-west-1b/i-0b15fe350572ea633","logging":{"format":"text","flushFrequency":5000000000,"verbosity":2,"options":{"json":{"infoBufferSize":"0"}}},"enableSystemLogHandler":true,"shutdownGracePeriod":"0s","shutdownGracePeriodCriticalPods":"0s","enableProfilingHandler":true,"enableDebugFlagsHandler":true,"seccompDefault":false,"memoryThrottlingFactor":0.8,"registerWithTaints":[{"key":"node-role.kubernetes.io/master","effect":"NoSchedule"}],"registerNode":true,"localStorageCapacityIsolation":true}} EOF diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated/rule.yml deleted file mode 100644 index 742a645a5e8..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated/rule.yml +++ /dev/null @@ -1,71 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -platform: ocp4-node - -title: 'Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree' - -description: |- -
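Review bot: The fixture is written to `/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig/openscap-kubeletconfig`, one path component deeper than the `filepath` the rewritten rules read (`/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig`, the directory this script creates with `mkdir -p`); if `yamlfile_value` takes `filepath` as the full file path, the check would be pointed at a directory and this fail test would fail for the wrong reason, so please confirm which path the template actually resolves. The heredoc delimiter is unquoted (`cat << EOF`), so the JSON body is subject to parameter and command substitution; nothing in it contains `$` today, but `cat << 'EOF'` keeps the fixture literal if a value containing one is ever pasted in. Because the single-line JSON makes it hard to see what the "nomatch" case leaves out, a comment above the heredoc such as `# evictionHard is intentionally absent: the rule must fail when nodefs.inodesFree is not set` would document the test's intent. The preceding test hunk, which starts before this chunk, uses the same fixture path and heredoc form.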

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the nodefs.inodesFree setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - - -ocil_clause: 'nodefs.inodesFree is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ oc debug -q node/$NODE -- jq -r '.evictionHard."nodefs.inodesFree"' /host/etc/kubernetes/kubelet.conf
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - filepath: /etc/kubernetes/kubelet.conf - yamlpath: ".evictionHard['nodefs.inodesFree']" - check_existence: "only_one_exists" - values: - - value: ".*" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master/rule.yml deleted file mode 100644 index 91f9d900813..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master/rule.yml +++ /dev/null @@ -1,76 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -title: 'Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the nodefs.inodesFree setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - cis@ocp4: 1.3.1 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: 'nodefs.inodesFree is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."nodefs.inodesFree"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".evictionHard['nodefs.inodesFree']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker/rule.yml deleted file mode 100644 index bd69f4449f4..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker/rule.yml +++ /dev/null @@ -1,76 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -title: 'Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the nodefs.inodesFree setting of the evictionHard - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - cis@ocp4: 1.3.1 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: 'nodefs.inodesFree is not set in evictionHard section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."nodefs.inodesFree"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".evictionHard['nodefs.inodesFree']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available/kubernetes/shared.yml index 980ecb7bf54..3ef1f6da7ce 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available/kubernetes/shared.yml 
@@ -1,13 +1,7 @@
 ---
 # platform = multi_platform_ocp
-{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='imagefs.available', value='var_kubelet_evictionsoft_imagefs_available', role='var_role_worker') }}}
+{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='imagefs.available', value='var_kubelet_evictionsoft_imagefs_available') }}}
 ---
-{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='imagefs.available', value='"1m30s"', role='var_role_worker') }}}
+{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='imagefs.available', value='"1m30s"') }}}
 ---
-{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_worker') }}}
----
-{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='imagefs.available', value='var_kubelet_evictionsoft_imagefs_available', role='var_role_master') }}}
----
-{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='imagefs.available', value='"1m30s"', role='var_role_master') }}}
----
-{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_master') }}}
+{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s') }}}
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available/rule.yml
index bc8c7e6a3fc..9d94a8fb41f 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available/rule.yml
@@ -58,6 +58,8 @@ references:
   nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
   srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node
+
 ocil_clause: 'imagefs.available is not set in evictionSoft section'
 ocil: |-
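Review bot: Dropping `role=` from every `kubelet_config`/`kubelet_config_fixed` call leaves the remediation's MachineConfigPool target implicit: which pool selector the macros fall back to without a role is decided in the macro definition, outside this hunk, and the `# platform = multi_platform_ocp` header gives a reader no hint that one KubeletConfig per setting is now expected to cover both master and worker nodes. A one-line comment under the platform header, e.g. `# No role= argument: one KubeletConfig per setting is rendered for the pool(s) the macro selects by default`, would record that intent where the next maintainer will look. The same edit is made in the `kubelet_eviction_thresholds_set_soft_imagefs_inodesfree/kubernetes/shared.yml` hunk further down.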
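Review bot: `platform: ocp4-node` is inserted between `references:` and `ocil_clause:`, while the `_deprecated` rule files deleted in this same change keep `platform:` in the header block directly after `prodtype:`; placing it there keeps the key order consistent across the kubelet rules and makes the node scope visible at the top of the file. The top of this rule.yml is outside the hunk, so please also confirm it does not already declare a `platform:` key — YAML parsers take the last duplicate silently, so a second declaration here would override the first without any error. The same placement is used in the `kubelet_eviction_thresholds_set_soft_imagefs_inodesfree/rule.yml` hunk further down.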
@@ -65,9 +67,12 @@ ocil: |-
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."imagefs.available"'; done
 and make sure it outputs a value.
-warnings:
-- general: |-
-    {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}}
-
 template:
-    name: kubelet_combine
+    name: yamlfile_value
+    vars:
+        filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+        yamlpath: ".kubeletconfig.evictionSoft['imagefs.available']"
+        check_existence: "all_exist"
+        values:
+        - value: "^.+$"
+          operation: "pattern match"
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated/rule.yml
deleted file mode 100644
index 5720f65e9ff..00000000000
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated/rule.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-documentation_complete: true
-
-prodtype: ocp4
-
-platform: ocp4-node
-
-title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available'
-
-description: |-
-
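Review bot: The `warnings` entry that explained how the kubelet setting is managed is removed together with the `kubelet_combine` template, so the rule no longer says where the value it checks comes from: the new `filepath` is a file under `/etc/kubernetes/compliance-operator/kubeletconfig/` that something other than the kubelet must place on the node, and when it is missing the `all_exist` check simply reports a failure that an auditor cannot distinguish from an unset threshold. Consider keeping a `warnings:` entry along the lines of `- general: |- This rule reads the kubelet configuration collected at /etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig; if that file has not been collected on the node the rule fails.`. The `ocil` text above still directs the reviewer to `oc get --raw .../proxy/configz`, which is a reasonable manual procedure but is not the file the automated check reads, so one sentence noting the collected file would keep the two in step. `"^.+$"` with `pattern match` accepts any non-empty value, which matches the "is set" wording of `ocil_clause`; if a percentage or size format is expected, a tighter pattern would make the check stronger.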

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the imagefs.available setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - - -ocil_clause: 'imagefs.available is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ oc debug -q node/$NODE -- jq -r '.evictionSoft."imagefs.available"' /host/etc/kubernetes/kubelet.conf
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - filepath: /etc/kubernetes/kubelet.conf - yamlpath: ".evictionSoft['imagefs.available']" - check_existence: "only_one_exists" - values: - - value: ".*" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available_master/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available_master/rule.yml deleted file mode 100644 index a824a3a6195..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available_master/rule.yml +++ /dev/null @@ -1,75 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - - -title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the imagefs.available setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: 'imagefs.available is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."imagefs.available"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".evictionSoft['imagefs.available']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available_worker/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available_worker/rule.yml deleted file mode 100644 index cd0ac2f9c0d..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available_worker/rule.yml +++ /dev/null @@ -1,77 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - - -title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the imagefs.available setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: 'imagefs.available is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."imagefs.available"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".evictionSoft['imagefs.available']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" - - diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree/kubernetes/shared.yml index 2321287276a..55c84d9219e 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree/kubernetes/shared.yml 
@@ -1,13 +1,7 @@
 ---
 # platform = multi_platform_ocp
-{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='imagefs.inodesFree', value='var_kubelet_evictionsoft_imagefs_inodesfree', role='var_role_worker') }}}
+{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='imagefs.inodesFree', value='var_kubelet_evictionsoft_imagefs_inodesfree') }}}
 ---
-{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='imagefs.inodesFree', value='"1m30s"', role='var_role_worker') }}}
+{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='imagefs.inodesFree', value='"1m30s"') }}}
 ---
-{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_worker') }}}
----
-{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='imagefs.inodesFree', value='var_kubelet_evictionsoft_imagefs_inodesfree', role='var_role_master') }}}
----
-{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='imagefs.inodesFree', value='"1m30s"', role='var_role_master') }}}
----
-{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_master') }}}
+{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s') }}}
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree/rule.yml
index 55883b5cfcc..64ae64d6ea8 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree/rule.yml
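Review bot: Dropping the `role` argument from `kubelet_config` and `kubelet_config_fixed` collapses six per-pool documents into three pool-agnostic ones, but nothing in the file states which Machine Config Pools the macros target when `role` is omitted, so a reader cannot tell from this remediation whether master nodes are still covered. A one-line comment under `# platform = multi_platform_ocp`, e.g. `# no role argument: intended to apply to every pool — confirm against the kubelet_config macro default`, would make the intent checkable; adjust the wording once the macro's behaviour without `role` is confirmed. The same point applies to the shared.yml hunks for memory.available, nodefs.available and nodefs.inodesFree below.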
@@ -57,6 +57,8 @@ references: nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node + ocil_clause: 'imagefs.inodesFree is not set in evictionSoft section' ocil: |- @@ -64,9 +66,12 @@ ocil: |-
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."imagefs.inodesFree"'; done
and make sure it outputs a value. -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - template: - name: kubelet_combine + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.evictionSoft['imagefs.inodesFree']" + check_existence: "all_exist" + values: + - value: "^.+$" + operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated/rule.yml deleted file mode 100644 index 2bc94d57e10..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated/rule.yml +++ /dev/null @@ -1,71 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -platform: ocp4-node - -title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree' - -description: |- -
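Review bot: The removed `warnings` entry was the only text that told an auditor where this check's data comes from, and the new `yamlfile_value` template now reads a node-local file at `/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig` while the `ocil` text directly above still sends them to `/proxy/configz`; a node where that file is absent presumably cannot be evaluated rather than being checked against the live kubelet. Restore a `warnings:` entry with a `- general: |-` block stating that the rule evaluates the kubelet configuration materialized at that path on each node (by the compliance operator, if that is what produces it) and that the result is only meaningful where the file exists. The memory.available and nodefs.available rule.yml hunks below have the same gap.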

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the imagefs.inodesFree setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - - -ocil_clause: 'imagefs.inodesFree is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ oc debug -q node/$NODE -- jq -r '.evictionSoft."imagefs.inodesFree"' /host/etc/kubernetes/kubelet.conf
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - filepath: /etc/kubernetes/kubelet.conf - yamlpath: ".evictionSoft['imagefs.inodesFree']" - check_existence: "only_one_exists" - values: - - value: ".*" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master/rule.yml deleted file mode 100644 index 3eaa1d5d891..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master/rule.yml +++ /dev/null @@ -1,74 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the imagefs.inodesFree setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: 'imagefs.inodesFree is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."imagefs.inodesFree"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".evictionSoft['imagefs.inodesFree']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker/rule.yml deleted file mode 100644 index 7eb996e8753..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker/rule.yml +++ /dev/null @@ -1,75 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the imagefs.inodesFree setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - srg: SRG-APP-000516-CTR-001325 - -ocil_clause: 'imagefs.inodesFree is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."imagefs.inodesFree"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".evictionSoft['imagefs.inodesFree']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" - diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/kubernetes/shared.yml index e5e5214807a..6f074d37875 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/kubernetes/shared.yml 
@@ -1,13 +1,7 @@
 ---
 # platform = multi_platform_ocp
-{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='memory.available', value='var_kubelet_evictionsoft_memory_available', role='var_role_worker') }}}
+{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='memory.available', value='var_kubelet_evictionsoft_memory_available') }}}
 ---
-{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='memory.available', value='"1m30s"', role='var_role_worker') }}}
+{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='memory.available', value='"1m30s"') }}}
 ---
-{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_worker') }}}
----
-{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='memory.available', value='var_kubelet_evictionsoft_memory_available', role='var_role_master') }}}
----
-{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='memory.available', value='"1m30s"', role='var_role_master') }}}
----
-{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_master') }}}
+{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s') }}}
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml
index 9ed2d372de2..6ade333e1be 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml
@@ -57,6 +57,7 @@ references: nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node ocil_clause: 'memory.available is not set in evictionSoft section'
@@ -65,9 +66,12 @@ ocil: |-
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."memory.available"'; done
and make sure it outputs a value. -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - template: - name: kubelet_combine + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.evictionSoft['memory.available']" + check_existence: "all_exist" + values: + - value: "^.+$" + operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available_deprecated/rule.yml deleted file mode 100644 index 259fbf2d60b..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available_deprecated/rule.yml +++ /dev/null @@ -1,71 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -platform: ocp4-node - -title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the memory.available setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - - -ocil_clause: 'memory.available is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ oc debug -q node/$NODE -- jq -r '.evictionSoft."memory.available"' /host/etc/kubernetes/kubelet.conf
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - filepath: /etc/kubernetes/kubelet.conf - yamlpath: ".evictionSoft['memory.available']" - check_existence: "only_one_exists" - values: - - value: ".*" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available_master/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available_master/rule.yml deleted file mode 100644 index 0a13a1e2fb1..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available_master/rule.yml +++ /dev/null @@ -1,76 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the memory.available setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - srg: SRG-APP-000516-CTR-001325 - - -ocil_clause: 'memory.available is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."memory.available"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".evictionSoft['memory.available']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" - diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available_worker/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available_worker/rule.yml deleted file mode 100644 index ac319196f7b..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available_worker/rule.yml +++ /dev/null @@ -1,76 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the memory.available setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - srg: SRG-APP-000516-CTR-001325 - - -ocil_clause: 'memory.available is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."memory.available"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".evictionSoft['memory.available']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" - diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available/kubernetes/shared.yml index 0137387e3c7..6e1ace0a3f5 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available/kubernetes/shared.yml 
@@ -1,13 +1,7 @@
 ---
 # platform = multi_platform_ocp
-{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='nodefs.available', value='var_kubelet_evictionsoft_nodefs_available', role='var_role_worker') }}}
+{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='nodefs.available', value='var_kubelet_evictionsoft_nodefs_available') }}}
 ---
-{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='nodefs.available', value='"1m30s"', role='var_role_worker') }}}
+{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='nodefs.available', value='"1m30s"') }}}
 ---
-{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_worker') }}}
----
-{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='nodefs.available', value='var_kubelet_evictionsoft_nodefs_available', role='var_role_master') }}}
----
-{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='nodefs.available', value='"1m30s"', role='var_role_master') }}}
----
-{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_master') }}}
+{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s') }}}
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available/rule.yml
index e988aab2f88..a394c314b9b 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available/rule.yml
@@ -57,6 +57,7 @@ references: nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 srg: SRG-APP-000516-CTR-001325 +platform: ocp4-node ocil_clause: 'nodefs.available is not set in evictionSoft section'
@@ -65,9 +66,10 @@ ocil: |-
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."nodefs.available"'; done
and make sure it outputs a value. -warnings: -- general: |- - {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}} - template: - name: kubelet_combine + name: yamlfile_value + vars: + filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig' + yamlpath: ".kubeletconfig.evictionSoft['nodefs.available']" + check_existence: "all_exist" + xccdf_variable: var_event_record_qps diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated/rule.yml deleted file mode 100644 index b88ac3a4f77..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated/rule.yml +++ /dev/null @@ -1,70 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -platform: ocp4-node - -title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available' - -description: |- -
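Review bot: The new template for nodefs.available ends with `xccdf_variable: var_event_record_qps`, a variable unrelated to eviction thresholds, where the sibling rules for imagefs.inodesFree and memory.available supply a `values:` list; as written the check compares the eviction setting against the event-record QPS variable, and the `+66,10` count (two lines short of the siblings' `+66,12`) is consistent with the `values` block simply being missing. Replace that line with `values:` / `  - value: "^.+$"` / `    operation: "pattern match"` so the check matches its ocil_clause, which only requires that a value be set.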

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the nodefs.available setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -ocil_clause: 'nodefs.available is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ oc debug -q node/$NODE -- jq -r '.evictionSoft."nodefs.available"' /host/etc/kubernetes/kubelet.conf
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - filepath: /etc/kubernetes/kubelet.conf - yamlpath: ".evictionSoft['nodefs.available']" - check_existence: "only_one_exists" - values: - - value: ".*" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available_master/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available_master/rule.yml deleted file mode 100644 index a455fb98a3c..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available_master/rule.yml +++ /dev/null @@ -1,76 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the nodefs.available setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - srg: SRG-APP-000516-CTR-001325 - - -ocil_clause: 'nodefs.available is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."nodefs.available"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".evictionSoft['nodefs.available']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" - diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available_worker/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available_worker/rule.yml deleted file mode 100644 index 5542448583f..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available_worker/rule.yml +++ /dev/null @@ -1,76 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - -title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the nodefs.available setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - srg: SRG-APP-000516-CTR-001325 - - -ocil_clause: 'nodefs.available is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."nodefs.available"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_worker - yamlpath: ".evictionSoft['nodefs.available']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" - diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree/kubernetes/shared.yml index 671a07f7c61..b4e97572f04 100644 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree/kubernetes/shared.yml 
@@ -1,13 +1,7 @@
 ---
 # platform = multi_platform_ocp
-{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='nodefs.inodesFree', value='var_kubelet_evictionsoft_nodefs_inodesfree', role='var_role_master') }}}
+{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='nodefs.inodesFree', value='var_kubelet_evictionsoft_nodefs_inodesfree') }}}
 ---
-{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='nodefs.inodesFree', value='"1m30s"', role='var_role_master') }}}
+{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='nodefs.inodesFree', value='"1m30s"') }}}
 ---
-{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_master') }}}
----
-{{{ kubelet_config(path='kubeletConfig.evictionSoft',parameter='nodefs.inodesFree', value='var_kubelet_evictionsoft_nodefs_inodesfree', role='var_role_worker') }}}
----
-{{{ kubelet_config_fixed(path='kubeletConfig.evictionSoftGracePeriod',parameter='nodefs.inodesFree', value='"1m30s"', role='var_role_worker') }}}
----
-{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s', role='var_role_worker') }}}
+{{{ kubelet_config_fixed(path='kubeletConfig',parameter='evictionPressureTransitionPeriod', value='0s') }}}
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree/rule.yml
index 4ae242aa683..f046bf43f88 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree/rule.yml
@@ -2,7 +2,6 @@ documentation_complete: true
 prodtype: ocp4
-
 title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree'
 description: |-
@@ -58,6 +57,7 @@ references:
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 srg: SRG-APP-000516-CTR-001325
+platform: ocp4-node
 ocil_clause: 'nodefs.inodesFree is not set in evictionSoft section'
@@ -66,9 +66,12 @@ ocil: |-
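Review bot: `platform: ocp4-node` is added between the `references:` mapping and `ocil_clause:`, while the `kubelet_read_only_port_secured` hunk in this same change places the key in the header block next to `prodtype:`, and the `@@ -2,7 +2,6 @@` hunk just above removes a blank line in exactly that spot. Putting it there too keeps the converted rule files uniform and makes a rule's platform visible at a glance. The position has no functional effect since the file is one YAML mapping, so this is a style point only.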
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."nodefs.inodesFree"'; done
and make sure it outputs a value.
-warnings:
-- general: |-
- {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}}
-
 template:
- name: kubelet_combine
+ name: yamlfile_value
+ vars:
+ filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ yamlpath: ".kubeletconfig.evictionSoft['nodefs.inodesFree']"
+ check_existence: "all_exist"
+ values:
+ - value: "^.+$"
+ operation: "pattern match"
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated/rule.yml
deleted file mode 100644
index 7e560556abc..00000000000
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated/rule.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-documentation_complete: true
-
-prodtype: ocp4
-
-platform: ocp4-node
-
-title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree'
-
-description: |-
-
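Review bot: The path `/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig` is hard-coded as a string literal here and again in the `kubelet_read_only_port_secured` template, so every converted rule has to be edited if the operator changes where it drops the collected kubelet config; a single Jinja variable or macro under `shared/macros` (for example `{{{ kubeletconfig_collected_path }}}`, a constructed name) would keep it in one place. The `.kubeletconfig.` prefix in `yamlpath` suggests the file holds the raw `/configz` response; if so, a short comment above `filepath:` naming what writes the file and that it mirrors the running kubelet config would let a reader reconcile the check with the `ocil` text, which still tells the auditor to query `/configz` through the API. The `ocil:` block this hunk belongs to starts outside the hunk.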

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the nodefs.inodesFree setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - - -ocil_clause: 'nodefs.inodesFree is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ oc debug -q node/$NODE -- jq -r '.evictionSoft."nodefs.inodesFree"' /host/etc/kubernetes/kubelet.conf
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - filepath: /etc/kubernetes/kubelet.conf - yamlpath: ".evictionSoft['nodefs.inodesFree']" - check_existence: "only_one_exists" - values: - - value: ".*" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master/rule.yml deleted file mode 100644 index a2f64417bf4..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master/rule.yml +++ /dev/null @@ -1,76 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - - -title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the nodefs.inodesFree setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - srg: SRG-APP-000516-CTR-001325 - - -ocil_clause: 'nodefs.inodesFree is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."nodefs.inodesFree"'; done
- and make sure it outputs a value. - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".evictionSoft['nodefs.inodesFree']" - check_existence: "all_exist" - values: - - value: "^.+$" - operation: "pattern match" diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker/rule.yml deleted file mode 100644 index a9e80c90eb0..00000000000 --- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker/rule.yml +++ /dev/null @@ -1,77 +0,0 @@ -documentation_complete: true - -prodtype: ocp4 - - -title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree' - -description: |- -

Two types of garbage collection are performed on an OpenShift Container Platform node:

- - - -

- Container garbage collection can be performed using eviction thresholds. - Image garbage collection relies on disk usage as reported by cAdvisor on the - node to decide which images to remove from the node. -

- -

- The OpenShift administrator can configure how OpenShift Container Platform - performs garbage collection by creating a kubeletConfig object for each - Machine Config Pool using any combination of the following: -

- - - -

- To configure, follow the directions in - {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring", - text="the documentation") }}} -

- -

- This rule pertains to the nodefs.inodesFree setting of the evictionSoft - section. -

- -rationale: |- - Garbage collection is important to ensure sufficient resource availability - and avoiding degraded performance and availability. In the worst case, the - system might crash or just be unusable for a long period of time. - Based on your system resources and tests, choose an appropriate threshold - value to activate garbage collection. - -severity: medium - -references: - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - srg: SRG-APP-000516-CTR-001325 - - -ocil_clause: 'nodefs.inodesFree is not set in evictionSoft section' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."nodefs.inodesFree"'; done
- and make sure it outputs a value.
-
-template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: '/kubeletconfig/role'
- filepath_suffix: var_role_worker
- yamlpath: ".evictionSoft['nodefs.inodesFree']"
- check_existence: "all_exist"
- values:
- - value: "^.+$"
- operation: "pattern match"
-
diff --git a/applications/openshift/kubelet/kubelet_read_only_port_secured/rule.yml b/applications/openshift/kubelet/kubelet_read_only_port_secured/rule.yml
index bf8cf352a4f..4c0e0d372c9 100644
--- a/applications/openshift/kubelet/kubelet_read_only_port_secured/rule.yml
+++ b/applications/openshift/kubelet/kubelet_read_only_port_secured/rule.yml
@@ -2,11 +2,10 @@ documentation_complete: true
 prodtype: eks,ocp4
-platform: {{{ product }}}
-
 {{%- if product == "eks" %}}
 {{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}}
 {{%- else %}}
+platform: ocp4-node
 {{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}}
 {{%- endif %}}
@@ -34,10 +33,11 @@ references:
 nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
 nist: CM-6,CM-6(1)
-warnings:
-- general: |-
- {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}}
-
-
 template:
- name: kubelet_combine
+ name: yamlfile_value
+ vars:
+ filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ yamlpath: ".kubeletconfig.readOnlyPort"
+ values:
+ - value: "0"
+ operation: "equals"
diff --git a/applications/openshift/kubelet/kubelet_read_only_port_secured_deprecated/rule.yml b/applications/openshift/kubelet/kubelet_read_only_port_secured_deprecated/rule.yml
deleted file mode 100644
index 1bf9bc7805e..00000000000
--- a/applications/openshift/kubelet/kubelet_read_only_port_secured_deprecated/rule.yml
+++ /dev/null
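Review bot: `+platform: ocp4-node` lands inside the `{{%- else %}}` branch of the `product == "eks"` conditional, so when this rule is rendered for eks (still listed in `prodtype: eks,ocp4`) the file has no `platform:` key at all, whereas the removed `platform: {{{ product }}}` applied to both products. Move the line below `{{%- endif %}}` and write it as `platform: {{{ product }}}-node`, the form the deleted `_deprecated` variant of this rule used, or drop eks from `prodtype` if the rule is now OpenShift-only. The template in the second hunk reads a compliance-operator path that presumably exists only on OpenShift nodes, so the eks rendering of this rule looks unsupported either way and is worth confirming before merge.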
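Review bot: The new `yamlfile_value` block omits `check_existence`, unlike the `kubelet_eviction_thresholds_set_soft_nodefs_inodesfree` conversion in this change which passes `check_existence: "all_exist"`, so whether a missing `readOnlyPort` key fails or passes depends on the template's default rather than on this rule. A kubelet with no `readOnlyPort` set serves the unauthenticated read-only API on the upstream default port (10255), which is exactly the exposure this rule exists to catch, so the check should fail closed: add `check_existence: "all_exist"` under `vars:`. A one-line comment above `values:` such as `# absent key == kubelet default port, must fail` would make the intent visible to the next editor.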
@@ -1,48 +0,0 @@
-documentation_complete: true
-
-prodtype: eks,ocp4
-
-platform: {{{ product }}}-node
-
-{{%- if product == "eks" %}}
-{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}}
-{{%- else %}}
-{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}}
-{{%- endif %}}
-
-title: 'kubelet - Ensure that the --read-only-port is secured'
-
-description: |-
- Disable the read-only port.
-
-rationale: |-
- The Kubelet process provides a read-only API in addition to the main Kubelet API.
- Unauthenticated access is provided to this read-only API which could possibly retrieve
- potentially sensitive information about the cluster.
-
-severity: medium
-
-ocil_clause: 'readOnlyPort is not secured'
-
-ocil: |-
- First, SSH to the relevant node.
-
- Open the Kubelet config file:
-
- cat {{{ kubeletconf_path }}}
-
- Verify that the "readOnlyPort" argument exists and is set to 0
-
-references:
- cis@eks: 3.2.4
- nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
- nist: CM-6,CM-6(1)
-
-template:
- name: yamlfile_value
- vars:
- filepath: {{{ kubeletconf_path }}}
- yamlpath: ".readOnlyPort"
- values:
- - value: "0"
- operation: "equals"
@@ -1,46 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'kubelet - Ensure that the --read-only-port is secured' - -description: |- - Disable the read-only port. - -rationale: |- - The Kubelet process provides a read-only API in addition to the main Kubelet API. - Unauthenticated access is provided to this read-only API which could possibly retrieve - potentially sensitive information about the cluster. - -severity: medium - -ocil_clause: 'readOnlyPort is not secured' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done
- and make sure it outputs 0. - -references: - cis@eks: 3.2.4 - nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1 - nist: CM-6,CM-6(1) - -template: - name: yamlfile_value - vars: - ocp_data: "true" - filepath: '/kubeletconfig/role' - filepath_suffix: var_role_master - yamlpath: ".readOnlyPort" - values: - - value: "0" - operation: "equals" diff --git a/applications/openshift/kubelet/kubelet_read_only_port_secured_worker/rule.yml b/applications/openshift/kubelet/kubelet_read_only_port_secured_worker/rule.yml deleted file mode 100644 index 1d578f31e4d..00000000000 --- a/applications/openshift/kubelet/kubelet_read_only_port_secured_worker/rule.yml +++ /dev/null @@ -1,46 +0,0 @@ -documentation_complete: true - -prodtype: eks,ocp4 - -platform: {{{ product }}} - -{{%- if product == "eks" %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}} -{{%- else %}} -{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}} -{{%- endif %}} - -title: 'kubelet - Ensure that the --read-only-port is secured' - -description: |- - Disable the read-only port. - -rationale: |- - The Kubelet process provides a read-only API in addition to the main Kubelet API. - Unauthenticated access is provided to this read-only API which could possibly retrieve - potentially sensitive information about the cluster. - -severity: medium - -ocil_clause: 'readOnlyPort is not secured' - -ocil: |- - Run the following command on the kubelet node(s): -
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done
- and make sure it outputs 0.
-
-references:
- cis@eks: 3.2.4
- nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
- nist: CM-6,CM-6(1)
-
-template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: '/kubeletconfig/role'
- filepath_suffix: var_role_worker
- yamlpath: ".readOnlyPort"
- values:
- - value: "0"
- operation: "equals"
diff --git a/shared/macros/10-kubernetes.jinja b/shared/macros/10-kubernetes.jinja
index 3118ad00a29..9363476fab0 100644
--- a/shared/macros/10-kubernetes.jinja
+++ b/shared/macros/10-kubernetes.jinja
@@ -695,12 +695,9 @@ spec:
 - parameter (String): name of the variable to be set
 - value (String): xccdf vairable name to that varaiable
 #}}
-{{%- macro kubelet_config(path='', parameter='', value='', role='') -%}}
+{{%- macro kubelet_config(path='', parameter='', value='') -%}}
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
- annotations:
- complianceascode.io/node-role: "{{.{{{ role }}}}}"
 spec:
 {{{ expand_yaml_path(path, parameter) }}}: {{.{{{ value }}}}}
 {{%- endmacro -%}}
@@ -712,12 +709,9 @@ spec:
 - parameter (String): name of the variable to be set
 - value (String): the fixed value to that varaiable
 #}}
-{{%- macro kubelet_config_fixed(path='', parameter='', value='', role='') -%}}
+{{%- macro kubelet_config_fixed(path='', parameter='', value='') -%}}
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
-metadata:
- annotations:
- complianceascode.io/node-role: "{{.{{{ role }}}}}"
 spec:
 {{{ expand_yaml_path(path, parameter) }}}: {{{ value }}}
 {{%- endmacro -%}}
diff --git a/shared/templates/kubelet_combine/oval.template b/shared/templates/kubelet_combine/oval.template
deleted file mode 100644
index 271ae274f99..00000000000
--- a/shared/templates/kubelet_combine/oval.template
+++ /dev/null
@@ -1,10 +0,0 @@
-
-
- {{{ oval_metadata("The combined kubeletconfig check") }}}
-
-
-
-
-
-
-
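Review bot: Dropping the `role` keyword from `kubelet_config` (and from `kubelet_config_fixed` in the second hunk) turns every call site that still passes `role=` into a render-time failure, because Jinja rejects unknown keyword arguments to a macro; only the `nodefs_inodesfree` `shared.yml` is updated in this chunk, so any other eviction-threshold remediation calling these macros needs the same edit. The macros also drop the whole `metadata:` block rather than only the `complianceascode.io/node-role` annotation, so the emitted `KubeletConfig` no longer states which MachineConfigPool it targets; if the consumer now selects the pool itself, record that in the doc comment above each macro, e.g. `- note: the rendered object carries no pool selector; the consumer targets the pool`. While that comment is being touched, `xccdf vairable name to that varaiable` could become `xccdf variable name for that variable`.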
diff --git a/shared/templates/kubelet_combine/template.py b/shared/templates/kubelet_combine/template.py
deleted file mode 100644
index b68590ca431..00000000000
--- a/shared/templates/kubelet_combine/template.py
+++ /dev/null
@@ -1,5 +0,0 @@
-from ssg.utils import parse_template_boolean_value
-
-
-def preprocess(data, lang):
- return data
diff --git a/shared/templates/kubelet_combine/template.yml b/shared/templates/kubelet_combine/template.yml
deleted file mode 100644
index 2f6f2d2c7cb..00000000000
--- a/shared/templates/kubelet_combine/template.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-supported_languages:
- - oval