I'm using the compliance operator v0.1.49 on OCP v4.8.
I've noticed that after updating to v0.1.49 four false positives appeared:

```
$ oc get compliancecheckresults -A | grep FAIL
openshift-compliance ocp4-cis-api-server-kubelet-client-cert FAIL high
openshift-compliance ocp4-cis-api-server-kubelet-client-key FAIL high
openshift-compliance ocp4-cis-kubelet-configure-tls-cert FAIL medium
openshift-compliance ocp4-cis-kubelet-configure-tls-key FAIL medium
```

Proof:

ocp4-cis-api-server-kubelet-client-cert

Instructions: Run the following command:

```
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
```

The output should return `/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt` or `/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt`

```
# actual result
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-certificate"]'
[
  "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
]
```

ocp4-cis-api-server-kubelet-client-key

Instructions: Run the following command:

```
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
```

The output should return `/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key` or `/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key`

```
# actual result
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["kubelet-client-key"]'
[
  "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
]
```

ocp4-cis-kubelet-configure-tls-cert

Instructions: Run the following command on the kubelet node(s):

```
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'
```

Verify that a client certificate is configured.

```
# actual result
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'
[
  "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
]
```

ocp4-cis-kubelet-configure-tls-key

Instructions: Run the following command on the kubelet node(s):

```
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]'
```

Verify that a client certificate is configured.

```
# actual result
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-key"]'
[
  "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
]
```
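Read together, the four proofs show the same pattern: the instructions expect a bare path, while the API server stores each argument as a one-element JSON list. The check below is an added example, not code from the issue or from the compliance operator; it assumes the `config.yaml` content is JSON (as the `jq` pipeline implies) and normalises both shapes before comparing against the two documented paths, so a correct configuration passes while an unset argument or an unexpected path still fails.

```python
import json

# Paths the CIS check instructions accept for each apiServerArguments entry.
ALLOWED = {
    "kubelet-client-certificate": {
        "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt",
        "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt",
    },
    "kubelet-client-key": {
        "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key",
        "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key",
    },
}

# Constructed sample of `.data["config.yaml"]` (JSON, as the jq pipeline in
# the issue implies). Each argument is a one-element list, exactly the shape
# the "actual result" blocks above show.
SAMPLE_CONFIG_YAML = json.dumps({
    "apiServerArguments": {
        "kubelet-client-certificate": [
            "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
        ],
        "kubelet-client-key": [
            "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
        ],
    }
})


def argument_values(config_yaml: str, name: str) -> list:
    """Values of one apiServerArguments entry, always as a list: the API server
    stores a list, the instructions quote a bare string, so both are normalised
    here rather than letting a string comparison fail on the list form."""
    value = json.loads(config_yaml).get("apiServerArguments", {}).get(name)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_argument(config_yaml: str, name: str) -> str:
    """PASS only when the argument is set and every value is an allowed path."""
    values = argument_values(config_yaml, name)
    if not values:
        return "FAIL"
    return "PASS" if all(v in ALLOWED[name] for v in values) else "FAIL"


def evaluate(config_yaml: str) -> dict:
    """Result for both kubelet client arguments behind the four failing rules."""
    return {name: check_argument(config_yaml, name) for name in ALLOWED}
```

Running `evaluate(SAMPLE_CONFIG_YAML)` on the sample returns PASS for both arguments, which is the outcome the issue's proofs argue the rules should have produced.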
Hi. Thanks for linking the other two issues.
But, in any case, the compliance operator v0.1.49 was shipped with a buggy version of the CIS policies which cause the false positives. It is definitely an issue with the operator as well.