Update assertions for ingress controller TLS check #12361

rhmdnd · 2024-09-03T16:09:39Z

We recently incorporated a new rule into the CIS profile that checks
ingress controller TLS configs:

We added it to the CIS profile, but didn't update the assertions in the
moderate or high profiles, which is causing periodic CI to fail. This
commit adds the assertion to the moderate and high test files so we're
checking it in subsequent CI runs.

github-actions · 2024-09-03T16:11:00Z

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

rhmdnd · 2024-09-03T16:14:28Z

/test

openshift-ci · 2024-09-03T16:14:34Z

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

/test 4.12-e2e-aws-ocp4-cis
/test 4.12-e2e-aws-ocp4-cis-node
/test 4.12-e2e-aws-ocp4-e8
/test 4.12-e2e-aws-ocp4-high
/test 4.12-e2e-aws-ocp4-high-node
/test 4.12-e2e-aws-ocp4-moderate
/test 4.12-e2e-aws-ocp4-moderate-node
/test 4.12-e2e-aws-ocp4-pci-dss
/test 4.12-e2e-aws-ocp4-pci-dss-4-0
/test 4.12-e2e-aws-ocp4-pci-dss-node
/test 4.12-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.12-e2e-aws-ocp4-stig
/test 4.12-e2e-aws-ocp4-stig-node
/test 4.12-e2e-aws-rhcos4-e8
/test 4.12-e2e-aws-rhcos4-high
/test 4.12-e2e-aws-rhcos4-moderate
/test 4.12-e2e-aws-rhcos4-stig
/test 4.12-images
/test 4.13-e2e-aws-ocp4-bsi
/test 4.13-e2e-aws-ocp4-bsi-node
/test 4.13-e2e-aws-ocp4-cis
/test 4.13-e2e-aws-ocp4-cis-node
/test 4.13-e2e-aws-ocp4-e8
/test 4.13-e2e-aws-ocp4-high
/test 4.13-e2e-aws-ocp4-high-node
/test 4.13-e2e-aws-ocp4-moderate
/test 4.13-e2e-aws-ocp4-moderate-node
/test 4.13-e2e-aws-ocp4-pci-dss
/test 4.13-e2e-aws-ocp4-pci-dss-4-0
/test 4.13-e2e-aws-ocp4-pci-dss-node
/test 4.13-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.13-e2e-aws-ocp4-stig
/test 4.13-e2e-aws-ocp4-stig-node
/test 4.13-e2e-aws-rhcos4-bsi
/test 4.13-e2e-aws-rhcos4-e8
/test 4.13-e2e-aws-rhcos4-high
/test 4.13-e2e-aws-rhcos4-moderate
/test 4.13-e2e-aws-rhcos4-stig
/test 4.13-images
/test 4.14-e2e-aws-ocp4-bsi
/test 4.14-e2e-aws-ocp4-bsi-node
/test 4.14-e2e-aws-ocp4-pci-dss-4-0
/test 4.14-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.14-e2e-aws-rhcos4-bsi
/test 4.14-images
/test 4.15-e2e-aws-ocp4-bsi
/test 4.15-e2e-aws-ocp4-bsi-node
/test 4.15-e2e-aws-ocp4-cis
/test 4.15-e2e-aws-ocp4-cis-node
/test 4.15-e2e-aws-ocp4-e8
/test 4.15-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high-node
/test 4.15-e2e-aws-ocp4-moderate
/test 4.15-e2e-aws-ocp4-moderate-node
/test 4.15-e2e-aws-ocp4-pci-dss
/test 4.15-e2e-aws-ocp4-pci-dss-4-0
/test 4.15-e2e-aws-ocp4-pci-dss-node
/test 4.15-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.15-e2e-aws-ocp4-stig
/test 4.15-e2e-aws-ocp4-stig-node
/test 4.15-e2e-aws-rhcos4-bsi
/test 4.15-e2e-aws-rhcos4-e8
/test 4.15-e2e-aws-rhcos4-high
/test 4.15-e2e-aws-rhcos4-moderate
/test 4.15-e2e-aws-rhcos4-stig
/test 4.15-e2e-rosa-ocp4-cis-node
/test 4.15-e2e-rosa-ocp4-pci-dss-node
/test 4.15-images
/test 4.16-e2e-aws-ocp4-bsi
/test 4.16-e2e-aws-ocp4-bsi-node
/test 4.16-e2e-aws-ocp4-cis
/test 4.16-e2e-aws-ocp4-cis-node
/test 4.16-e2e-aws-ocp4-e8
/test 4.16-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high-node
/test 4.16-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate-node
/test 4.16-e2e-aws-ocp4-pci-dss
/test 4.16-e2e-aws-ocp4-pci-dss-4-0
/test 4.16-e2e-aws-ocp4-pci-dss-node
/test 4.16-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.16-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig-node
/test 4.16-e2e-aws-rhcos4-bsi
/test 4.16-e2e-aws-rhcos4-e8
/test 4.16-e2e-aws-rhcos4-high
/test 4.16-e2e-aws-rhcos4-moderate
/test 4.16-e2e-aws-rhcos4-stig
/test 4.16-images
/test 4.17-e2e-aws-ocp4-bsi
/test 4.17-e2e-aws-ocp4-bsi-node
/test 4.17-e2e-aws-ocp4-cis
/test 4.17-e2e-aws-ocp4-cis-node
/test 4.17-e2e-aws-ocp4-e8
/test 4.17-e2e-aws-ocp4-high
/test 4.17-e2e-aws-ocp4-high-node
/test 4.17-e2e-aws-ocp4-moderate
/test 4.17-e2e-aws-ocp4-moderate-node
/test 4.17-e2e-aws-ocp4-pci-dss
/test 4.17-e2e-aws-ocp4-pci-dss-4-0
/test 4.17-e2e-aws-ocp4-pci-dss-node
/test 4.17-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.17-e2e-aws-ocp4-stig
/test 4.17-e2e-aws-ocp4-stig-node
/test 4.17-e2e-aws-rhcos4-bsi
/test 4.17-e2e-aws-rhcos4-e8
/test 4.17-e2e-aws-rhcos4-high
/test 4.17-e2e-aws-rhcos4-moderate
/test 4.17-e2e-aws-rhcos4-stig
/test 4.17-images
/test e2e-aws-ocp4-bsi
/test e2e-aws-ocp4-bsi-node
/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node
/test e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-moderate-node
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-4-0
/test e2e-aws-ocp4-pci-dss-node
/test e2e-aws-ocp4-pci-dss-node-4-0
/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-bsi
/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-high
/test e2e-aws-rhcos4-moderate
/test e2e-aws-rhcos4-stig
/test images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-ComplianceAsCode-content-master-4.12-images
pull-ci-ComplianceAsCode-content-master-4.13-images
pull-ci-ComplianceAsCode-content-master-4.14-images
pull-ci-ComplianceAsCode-content-master-4.15-images
pull-ci-ComplianceAsCode-content-master-4.16-images
pull-ci-ComplianceAsCode-content-master-4.17-images
pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

rhmdnd · 2024-09-03T16:23:58Z

/test 4.13-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high
/test 4.17-e2e-aws-ocp4-high
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-moderate
/test 4.13-e2e-aws-ocp4-moderate
/test 4.15-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate
/test 4.17-e2e-aws-ocp4-moderate

github-actions · 2024-09-03T16:30:22Z

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12361
This image was built from commit: 5f2fca1

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12361

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12361 make deploy-local

yuumasato

I think we are missing the same assertion for PCI-DSS, they also extend CIS profiles.

yuumasato · 2024-09-03T17:11:50Z

/test 4.16-e2e-aws-ocp4-pci-dss-4-0
/test 4.16-e2e-aws-ocp4-pci-dss

yuumasato · 2024-09-03T17:12:41Z

I think we are missing the same assertion for PCI-DSS, they also extend CIS profiles.

Nevermind, I see them on #12362

yuumasato · 2024-09-03T17:16:30Z

Actually, the ocp4-pci-dss-4-0.4.XX.yml are missing the rule:
See for example:
https://github.com/ComplianceAsCode/content/blob/4ec18f4229ccef0a7019da13f7ce29bcd0cf1c79/tests/assertions/ocp4/ocp4-pci-dss-4-0-4.16.yml

yuumasato · 2024-09-03T21:13:06Z

    helpers.go:872: Result - Name: e2e-pci-dss-4-0-kubelet-configure-tls-cipher-suites-ingresscontroller - Status: FAIL - Severity: medium
    helpers.go:879: E2E-Error: e2e-pci-dss-4-0-kubelet-configure-tls-cipher-suites-ingresscontroller: Rule assertion missing

We recently incorporated a new rule into the CIS profile that checks ingress controller TLS configs: ComplianceAsCode#12220 We added it to the CIS profile, but didn't update the assertions in the moderate or high profiles, which is causing periodic CI to fail. This commit adds the assertion to the moderate and high test files so we're checking it in subsequent CI runs.

rhmdnd · 2024-09-03T22:37:18Z

/test 4.13-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high
/test 4.17-e2e-aws-ocp4-high
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-moderate
/test 4.13-e2e-aws-ocp4-moderate
/test 4.15-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate
/test 4.17-e2e-aws-ocp4-moderate

codeclimate · 2024-09-03T23:17:33Z

Code Climate has analyzed commit 5f2fca1 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.0% change).

View more on Code Climate.

openshift-ci · 2024-09-04T00:18:22Z

@rhmdnd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.16-e2e-aws-ocp4-pci-dss-4-0	`4ec18f4`	link	true	`/test 4.16-e2e-aws-ocp4-pci-dss-4-0`
ci/prow/4.16-e2e-aws-ocp4-pci-dss	`4ec18f4`	link	true	`/test 4.16-e2e-aws-ocp4-pci-dss`
ci/prow/e2e-aws-ocp4-moderate	`5f2fca1`	link	true	`/test e2e-aws-ocp4-moderate`
ci/prow/4.17-e2e-aws-ocp4-moderate	`5f2fca1`	link	true	`/test 4.17-e2e-aws-ocp4-moderate`
ci/prow/4.17-e2e-aws-ocp4-high	`5f2fca1`	link	true	`/test 4.17-e2e-aws-ocp4-high`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

yuumasato

/lgtm

rhmdnd force-pushed the update-assertions-for-ingress-operator-rule branch from 7d0345d to 4ec18f4 Compare September 3, 2024 16:14

rhmdnd requested a review from yuumasato September 3, 2024 16:22

yuumasato self-assigned this Sep 3, 2024

yuumasato reviewed Sep 3, 2024

View reviewed changes

rhmdnd added this to the 0.1.75 milestone Sep 3, 2024

rhmdnd force-pushed the update-assertions-for-ingress-operator-rule branch from 4ec18f4 to 5f2fca1 Compare September 3, 2024 22:36

marcusburghardt added the OpenShift OpenShift product related. label Sep 4, 2024

yuumasato approved these changes Sep 4, 2024

View reviewed changes

yuumasato merged commit d7020ee into ComplianceAsCode:master Sep 4, 2024
107 of 110 checks passed

yuumasato mentioned this pull request Sep 9, 2024

PCI-DSS-4-0: Add cipher suite ingress controller assertion #12371

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update assertions for ingress controller TLS check #12361

Update assertions for ingress controller TLS check #12361

rhmdnd commented Sep 3, 2024

github-actions bot commented Sep 3, 2024

rhmdnd commented Sep 3, 2024

openshift-ci bot commented Sep 3, 2024

rhmdnd commented Sep 3, 2024

github-actions bot commented Sep 3, 2024 •

edited

Loading

yuumasato left a comment

yuumasato commented Sep 3, 2024

yuumasato commented Sep 3, 2024

yuumasato commented Sep 3, 2024

yuumasato commented Sep 3, 2024

rhmdnd commented Sep 3, 2024

codeclimate bot commented Sep 3, 2024

openshift-ci bot commented Sep 4, 2024

yuumasato left a comment

Update assertions for ingress controller TLS check #12361

Update assertions for ingress controller TLS check #12361

Conversation

rhmdnd commented Sep 3, 2024

github-actions bot commented Sep 3, 2024

rhmdnd commented Sep 3, 2024

openshift-ci bot commented Sep 3, 2024

rhmdnd commented Sep 3, 2024

github-actions bot commented Sep 3, 2024 • edited Loading

yuumasato left a comment

Choose a reason for hiding this comment

yuumasato commented Sep 3, 2024

yuumasato commented Sep 3, 2024

yuumasato commented Sep 3, 2024

yuumasato commented Sep 3, 2024

rhmdnd commented Sep 3, 2024

codeclimate bot commented Sep 3, 2024

openshift-ci bot commented Sep 4, 2024

yuumasato left a comment

Choose a reason for hiding this comment

github-actions bot commented Sep 3, 2024 •

edited

Loading