CMP-2365: Fix check for rotating kubelet server certificates #11543

Merged
Expand Up @@ -28,6 +28,8 @@ description: |-
...
</pre>

This feature gate is enabled by default as of Kubernetes 1.12.

rationale: |-
Enabling kubelet certificate rotation causes the kubelet to both request
a serving certificate after bootstrapping its client credentials and rotate the
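Review bot: the sentence "This feature gate is enabled by default as of Kubernetes 1.12." in the description states the default but not what it means for the outcome of this rule. Suggest adding one sentence saying that a configuration that leaves the gate unset is treated as compliant and that only an explicit `RotateKubeletServerCertificate=false` is a finding, so a reader does not conclude that the gate has to be set explicitly.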
Expand Down Expand Up @@ -67,6 +69,10 @@ references:
pcidss: Req-2.2
srg: SRG-APP-000516-CTR-001325

# Since RotateKubeletServerCertificate is enabled by default, let's make sure
# it's not being disabled explicitly. If we only check for it to be enabled,
# we'll miss clusters that rely on the default and result in a false positive
# finding.
template:
name: yamlfile_value
vars:
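Review bot: the comment above `template:` explains why the check is inverted but leaves out the assumption it now rests on, namely that the gate stays enabled by default. Suggest recording in the same comment that the rule passes whenever `RotateKubeletServerCertificate` is not mentioned at all, and that the check has to be revisited if the default ever changes, because nothing in the template would flag that case.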
Expand All @@ -75,7 +81,7 @@ template:
filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
yamlpath: '[:]'
values:
- value: 'RotateKubeletServerCertificate=true'
- value: 'RotateKubeletServerCertificate=false'
type: "string"
operation: "pattern match"
entity_check: "at least one"
entity_check: "none satisfy"
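Review bot: with `entity_check: "none satisfy"` on the value `RotateKubeletServerCertificate=false`, the rule passes for every input that does not contain that exact string, and the hunk carries no test scenarios to pin that behaviour down. Suggest adding three: gate absent (pass), `RotateKubeletServerCertificate=true` (pass) and `RotateKubeletServerCertificate=false` (fail). Two things to confirm while writing them: that a missing or empty result from `openshift_filtered_path(default_api_path, default_jqfilter)` is not reported as a pass, and that the `pattern match` on the literal `false` covers every spelling the filtered output can contain, since a differently cased or spaced value would slip past the pattern and be counted as compliant.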