
EKS: Provide assessments and rules for CIS section 3 #7977

Merged
merged 2 commits into from
Dec 15, 2021

Conversation

@JAORMX (Contributor) commented Dec 9, 2021

Most of these already had automation in OpenShift, so we're just
re-using it.

Some required a new rule (e.g. kubelet_read_only_port_secured).

While for other controls, we re-introduced a rule that had been
previously deleted (e.g. kubelet_disable_hostname_override).

Signed-off-by: Juan Antonio Osorio Robles jaosorior@redhat.com
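The two rules named in the description, `kubelet_read_only_port_secured` and `kubelet_disable_hostname_override`, map to kubelet settings that are checked on the node. As an added illustration (my own code, not part of this PR or of ComplianceAsCode), the following Python script evaluates those two settings against a kubelet configuration: it reads the JSON the kubelet config file would contain and an optional list of kubelet command-line arguments, and returns a pass/fail finding per rule. The EKS config path is the one the PR's template selects; the sample configurations are constructed for the example, and treating an unset `readOnlyPort` as failing is an audit choice of this example, not a statement about how the project's OVAL check behaves.

```python
import json
from typing import Dict, Iterable, Tuple

# Path the PR's Jinja template selects for EKS (taken from the review snippet in this thread).
EKS_KUBELET_CONFIG_PATH = "/etc/kubernetes/kubelet/kubelet-config.json"

# Constructed sample kubelet configurations (not captured from any real cluster).
SAMPLE_SECURE = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "readOnlyPort": 0,
})
SAMPLE_WEAK = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "readOnlyPort": 10255,
})

Finding = Tuple[bool, str]  # (passed, human-readable detail)


def check_read_only_port(cfg: dict) -> Finding:
    """kubelet_read_only_port_secured: the unauthenticated read-only port must be disabled.

    Only an explicit 0 passes. A missing key is reported as failing so that the
    value is made explicit instead of relying on a release-dependent default
    (an audit choice made in this example, not the project's rule logic).
    """
    value = cfg.get("readOnlyPort")
    if value == 0:
        return True, "readOnlyPort is 0 (disabled)"
    if value is None:
        return False, "readOnlyPort not set; set it to 0 explicitly"
    return False, f"readOnlyPort is {value}; unauthenticated kubelet API is exposed"


def check_hostname_override(cmdline_args: Iterable[str]) -> Finding:
    """kubelet_disable_hostname_override: --hostname-override must not be passed.

    The flag is a kubelet command-line option rather than a KubeletConfiguration
    field, so this check inspects the argument list supplied by the caller
    (an assumption of this example about where the value lives).
    """
    for arg in cmdline_args:
        if arg == "--hostname-override" or arg.startswith("--hostname-override="):
            return False, f"kubelet started with {arg}"
    return True, "--hostname-override not present"


def evaluate_kubelet(config_text: str, cmdline_args: Iterable[str] = ()) -> Dict[str, Finding]:
    """Evaluate the two rules named in the PR against a config document and argument list."""
    cfg = json.loads(config_text)
    return {
        "kubelet_read_only_port_secured": check_read_only_port(cfg),
        "kubelet_disable_hostname_override": check_hostname_override(list(cmdline_args)),
    }


def load_and_evaluate(path: str = EKS_KUBELET_CONFIG_PATH,
                      cmdline_args: Iterable[str] = ()) -> Dict[str, Finding]:
    """Read the kubelet config from disk; used when run on a node, while the samples above run offline."""
    with open(path, encoding="utf-8") as fh:
        return evaluate_kubelet(fh.read(), cmdline_args)


if __name__ == "__main__":
    cases = (("secure", SAMPLE_SECURE, []),
             ("weak", SAMPLE_WEAK, ["--hostname-override=node-a"]))
    for label, text, args in cases:
        for rule, (passed, detail) in evaluate_kubelet(text, args).items():
            print(f"{label:6} {rule:36} {'PASS' if passed else 'FAIL'}  {detail}")
```

Run on a node, `load_and_evaluate()` reads the EKS path; `evaluate_kubelet` is kept separate so the logic can be exercised against embedded samples without touching the filesystem.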

@JAORMX JAORMX changed the title EKS: Provide assessments and rules for CIS section 3 WIP: EKS: Provide assessments and rules for CIS section 3 Dec 9, 2021
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Dec 9, 2021
@JAORMX JAORMX requested review from rhmdnd and Vincent056 December 9, 2021 10:47
@JAORMX JAORMX force-pushed the eks-cis-3 branch 3 times, most recently from 047bae6 to 2a33680 December 9, 2021 13:52
@JAORMX JAORMX changed the title WIP: EKS: Provide assessments and rules for CIS section 3 EKS: Provide assessments and rules for CIS section 3 Dec 9, 2021
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Dec 9, 2021
@JAORMX (Contributor, Author) commented Dec 9, 2021

/retest

1 similar comment
@JAORMX (Contributor, Author) commented Dec 9, 2021

/retest

```shell
do
mkdir -p $(dirname $path)
echo $kubeconfig > $path
cat $path
```
@Vincent056 (Contributor) Dec 9, 2021

was cat $path for testing haha

@JAORMX (Contributor, Author)

lol oops! let me remove it!

@Vincent056 (Contributor) left a comment

/lgtm

@Vincent056 (Contributor)

/retest

@rhmdnd (Collaborator) left a comment

Looks good to me. I only have one question about DRYing things up, but that can certainly be addressed in a separate follow-up review.

```jinja
{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}}
{{%- else %}}
{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}}
{{%- endif %}}
```
@rhmdnd (Collaborator)

I wonder if there is a way to reduce this duplication across rules.

@JAORMX (Contributor, Author)

We might need an enhancement in ComplianceAsCode to be able to set product-wide variables. That would be useful.

@JAORMX (Contributor, Author) commented Dec 13, 2021

/retest

2 similar comments
@JAORMX (Contributor, Author) commented Dec 13, 2021

/retest

@JAORMX (Contributor, Author) commented Dec 14, 2021

/retest

@openshift-ci bot commented Dec 14, 2021

@JAORMX: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/e2e-aws-ocp4-moderate-node
Commit: fed2b22
Required: true
Rerun command: /test e2e-aws-ocp4-moderate-node


@Vincent056 (Contributor) left a comment

/lgtm

@JAORMX JAORMX merged commit ed704f2 into ComplianceAsCode:master Dec 15, 2021
@yuumasato yuumasato added this to the 0.1.60 milestone Jan 4, 2022
4 participants