
OCP4: deprecating two api_server rules #11758

Merged: 1 commit merged into ComplianceAsCode:master on Aug 15, 2024

Conversation

Vincent056
Copy link
Contributor

This PR removes api_server_insecure_port and api_server_api_priority_gate_enabled from any of the OCP profiles because we no longer support those applicable OCP versions.

Copy link

github-actions bot commented Mar 26, 2024

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

Copy link

github-actions bot commented Mar 26, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11758
This image was built from commit: f4bcb76

Click here to see how to deploy it

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11758

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11758 make deploy-local

@rhmdnd
Copy link
Collaborator

rhmdnd commented Mar 26, 2024

/test

Copy link

openshift-ci bot commented Mar 26, 2024

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

  • /test 4.13-e2e-aws-ocp4-cis
  • /test 4.13-e2e-aws-ocp4-cis-node
  • /test 4.13-e2e-aws-ocp4-e8
  • /test 4.13-e2e-aws-ocp4-high
  • /test 4.13-e2e-aws-ocp4-high-node
  • /test 4.13-e2e-aws-ocp4-moderate
  • /test 4.13-e2e-aws-ocp4-moderate-node
  • /test 4.13-e2e-aws-ocp4-pci-dss
  • /test 4.13-e2e-aws-ocp4-pci-dss-node
  • /test 4.13-e2e-aws-ocp4-stig
  • /test 4.13-e2e-aws-ocp4-stig-node
  • /test 4.13-e2e-aws-rhcos4-e8
  • /test 4.13-e2e-aws-rhcos4-high
  • /test 4.13-e2e-aws-rhcos4-moderate
  • /test 4.13-e2e-aws-rhcos4-stig
  • /test 4.13-images
  • /test 4.14-images
  • /test 4.15-e2e-aws-ocp4-cis
  • /test 4.15-e2e-aws-ocp4-cis-node
  • /test 4.15-e2e-aws-ocp4-e8
  • /test 4.15-e2e-aws-ocp4-high
  • /test 4.15-e2e-aws-ocp4-high-node
  • /test 4.15-e2e-aws-ocp4-moderate
  • /test 4.15-e2e-aws-ocp4-moderate-node
  • /test 4.15-e2e-aws-ocp4-pci-dss
  • /test 4.15-e2e-aws-ocp4-pci-dss-node
  • /test 4.15-e2e-aws-ocp4-stig
  • /test 4.15-e2e-aws-ocp4-stig-node
  • /test 4.15-e2e-aws-rhcos4-e8
  • /test 4.15-e2e-aws-rhcos4-high
  • /test 4.15-e2e-aws-rhcos4-moderate
  • /test 4.15-e2e-aws-rhcos4-stig
  • /test 4.15-images
  • /test 4.16-e2e-aws-ocp4-cis
  • /test 4.16-e2e-aws-ocp4-cis-node
  • /test 4.16-e2e-aws-ocp4-e8
  • /test 4.16-e2e-aws-ocp4-high
  • /test 4.16-e2e-aws-ocp4-high-node
  • /test 4.16-e2e-aws-ocp4-moderate
  • /test 4.16-e2e-aws-ocp4-moderate-node
  • /test 4.16-e2e-aws-ocp4-pci-dss
  • /test 4.16-e2e-aws-ocp4-pci-dss-node
  • /test 4.16-e2e-aws-ocp4-stig
  • /test 4.16-e2e-aws-ocp4-stig-node
  • /test 4.16-e2e-aws-rhcos4-e8
  • /test 4.16-e2e-aws-rhcos4-high
  • /test 4.16-e2e-aws-rhcos4-moderate
  • /test 4.16-e2e-aws-rhcos4-stig
  • /test 4.16-images
  • /test e2e-aws-ocp4-cis
  • /test e2e-aws-ocp4-cis-node
  • /test e2e-aws-ocp4-e8
  • /test e2e-aws-ocp4-high
  • /test e2e-aws-ocp4-high-node
  • /test e2e-aws-ocp4-moderate
  • /test e2e-aws-ocp4-moderate-node
  • /test e2e-aws-ocp4-pci-dss
  • /test e2e-aws-ocp4-pci-dss-node
  • /test e2e-aws-ocp4-stig
  • /test e2e-aws-ocp4-stig-node
  • /test e2e-aws-rhcos4-e8
  • /test e2e-aws-rhcos4-high
  • /test e2e-aws-rhcos4-moderate
  • /test e2e-aws-rhcos4-stig
  • /test images

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-ComplianceAsCode-content-master-4.13-images
  • pull-ci-ComplianceAsCode-content-master-4.14-images
  • pull-ci-ComplianceAsCode-content-master-4.15-images
  • pull-ci-ComplianceAsCode-content-master-4.16-images
  • pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@marcusburghardt marcusburghardt added the OpenShift OpenShift product related. label Apr 9, 2024
@yuumasato yuumasato self-assigned this Apr 19, 2024
@yuumasato yuumasato added this to the 0.1.73 milestone Apr 19, 2024
@rhmdnd
Copy link
Collaborator

rhmdnd commented Apr 22, 2024

Thanks for confirming @yuumasato. @Vincent056 - apologies for preemptively suggesting we revert the STIG rule association.

This should be all we need, in addition to what's already proposed:

diff --git a/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml b/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml
index 7b5d85ddd8..916f315783 100644
--- a/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml
+++ b/controls/srg_ctr/SRG-APP-000516-CTR-001325.yml
@@ -17,7 +17,6 @@ controls:
   - api_server_admission_control_plugin_service_account
   - api_server_anonymous_auth
   - api_server_api_priority_flowschema_catch_all
-  - api_server_api_priority_gate_enabled
   - api_server_audit_log_maxbackup
   - api_server_audit_log_maxsize
   - api_server_audit_log_path
@@ -30,7 +29,6 @@ controls:
   - api_server_etcd_key
   - api_server_https_for_kubelet_conn
   - api_server_insecure_bind_address
-  - api_server_insecure_port
   - api_server_kubelet_certificate_authority
   - api_server_kubelet_client_cert
   - api_server_kubelet_client_cert_pre_4_9
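Review bot: Same pattern here: api_server_insecure_port is removed while api_server_insecure_bind_address, which covers the related setting, is kept under the same SRG id. The commit message should state that the insecure port option no longer exists on the supported OCP versions, and the PR should confirm that controls/nist_ocp4.yml, controls/pcidss_ocp4.yml and products/ocp4/profiles/stig-v1r1.profile no longer list api_server_insecure_port, otherwise the rule keeps its profile and standard annotations after this change.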

@xiaojiey
Copy link
Collaborator

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Apr 26, 2024
@vojtapolasek vojtapolasek modified the milestones: 0.1.73, 0.1.74 Apr 30, 2024
@xiaojiey
Copy link
Collaborator

xiaojiey commented May 9, 2024

@Vincent056 Seems the annotations also need to be updated.

1. rule upstream-ocp4-api-server-api-priority-gate-enabled
% oc get rule upstream-ocp4-api-server-api-priority-gate-enabled -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4582qs",
  "compliance.openshift.io/profiles": "upstream-ocp4-stig,upstream-ocp4-stig-v1r1",
  "compliance.openshift.io/rule": "api-server-api-priority-gate-enabled",
  "control.compliance.openshift.io/CIS-OCP": "1.2.9",
  "control.compliance.openshift.io/NERC-CIP": "CIP-003-8 R6;CIP-004-6 R3;CIP-007-3 R6.1",
  "control.compliance.openshift.io/NIST-800-53": "CM-6;CM-6(1)",
  "control.compliance.openshift.io/PCI-DSS": "Req-2.2",
  "policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,1.2.9",
  "policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,CIS-OCP"
}
% oc get profile ocp4-cis -o yaml | grep api-server-api-priority-gate-enabled
- ocp4-api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-cis -o yaml | grep api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-stig -o yaml | grep api-server-api-priority-gate-enabled
- upstream-ocp4-api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-pci-dss -o yaml | grep api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-nerc-cip -o yaml | grep api-server-api-priority-gate-enabled
2. rule upstream-ocp4-api-server-insecure-port
% oc get rule upstream-ocp4-api-server-insecure-port -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4582qs",
  "compliance.openshift.io/profiles": "upstream-ocp4-stig,upstream-ocp4-stig-v1r1",
  "compliance.openshift.io/rule": "api-server-insecure-port",
  "control.compliance.openshift.io/CIS-OCP": "1.2.17",
  "control.compliance.openshift.io/NERC-CIP": "CIP-003-8 R6;CIP-004-6 R3;CIP-007-3 R6.1",
  "control.compliance.openshift.io/NIST-800-53": "CM-6;CM-6(1)",
  "control.compliance.openshift.io/PCI-DSS": "Req-2.2;Req-2.3",
  "policies.open-cluster-management.io/controls": "CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1,CM-6,CM-6(1),Req-2.2,Req-2.3,1.2.17",
  "policies.open-cluster-management.io/standards": "NERC-CIP,NIST-800-53,PCI-DSS,CIS-OCP"
}
% oc get profile ocp4-cis -o yaml | grep api-server-insecure-port                      
- ocp4-api-server-insecure-port
% oc get profile upstream-ocp4-cis -o yaml | grep api-server-insecure-port
% oc get profile upstream-ocp4-stig -o yaml | grep api-server-insecure-port
- upstream-ocp4-api-server-insecure-port
% oc get profile upstream-ocp4-nerc-cip -o yaml | grep pi-server-insecure-port             
% oc get profile upstream-ocp4-pci-dss -o yaml | grep api-server-insecure-port   

@xiaojiey
Copy link
Collaborator

xiaojiey commented Jun 11, 2024

@Vincent056 Per the test result, the control.compliance.openshift.io/PCI-DSS and policies.open-cluster-management.io/standards for rule upstream-ocp4-api-server-api-priority-gate-enabled should also be removed. Besides, could you please also update status in OCPBUGS-34982? Thanks.

% oc get rule upstream-ocp4-api-server-insecure-port -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4957mp",
  "compliance.openshift.io/profiles": "upstream-ocp4-stig-v1r1,upstream-ocp4-stig",
  "compliance.openshift.io/rule": "api-server-insecure-port"
}
xiyuan@xiyuan-mac extended % oc get rule upstream-ocp4-api-server-api-priority-gate-enabled -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4957mp",
  "compliance.openshift.io/profiles": "upstream-ocp4-stig,upstream-ocp4-stig-v1r1",
  "compliance.openshift.io/rule": "api-server-api-priority-gate-enabled",
  "control.compliance.openshift.io/PCI-DSS": "Req-2.2",
  "policies.open-cluster-management.io/controls": "Req-2.2",
  "policies.open-cluster-management.io/standards": "PCI-DSS"
}

% oc get profile upstream-ocp4-cis  -o yaml | grep api-server-insecure-port
% oc get profile upstream-ocp4-cis  -o yaml | grep api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-pci-dss -o yaml | grep api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-pci-dss -o yaml | grep api-server-insecure-port            
% oc get profile upstream-ocp4-cis-1-4 -o yaml | grep api-server-insecure-port
% oc get profile upstream-ocp4-cis-1-4 -o yaml | grep api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-stig -o yaml | grep api-server-api-priority-gate-enabled
- upstream-ocp4-api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-stig -o yaml | grep api-server-insecure-port            
- upstream-ocp4-api-server-insecure-port

@yuumasato
Copy link
Member

@Vincent056 I think you need to rebase this PR. More profiles select these rules on latest master.

$ grep -r api_server_insecure_port api_server_api_priority_gate_enabled  controls/ products/ocp4/ products/rhcos4/
grep: api_server_api_priority_gate_enabled: No such file or directory
controls/srg_ctr/SRG-APP-000516-CTR-001325.yml:  - api_server_insecure_port
controls/cis_ocp_1_4_0/section-1.yml:        - api_server_insecure_port
controls/nist_ocp4.yml:  - api_server_insecure_port
controls/nist_ocp4.yml:  - api_server_insecure_port
controls/pcidss_4_ocp4.yml:        - api_server_insecure_port
controls/pcidss_ocp4.yml:    - api_server_insecure_port
products/ocp4/profiles/stig-v1r1.profile:    - api_server_insecure_port
grep -r  api_server_api_priority_gate_enabled  controls/ products/ocp4/ products/rhcos4/
controls/srg_ctr/SRG-APP-000516-CTR-001325.yml:  - api_server_api_priority_gate_enabled
controls/cis_ocp_1_4_0/section-1.yml:        - api_server_api_priority_gate_enabled
controls/nist_ocp4.yml:  - api_server_api_priority_gate_enabled
controls/nist_ocp4.yml:  - api_server_api_priority_gate_enabled
products/ocp4/profiles/stig-v1r1.profile:    - api_server_api_priority_gate_enabled

@Mab879 Mab879 modified the milestones: 0.1.74, 0.1.75 Jul 29, 2024
@jan-cerny
Copy link
Collaborator

ping

@xiaojiey
Copy link
Collaborator

@Vincent056 Should the PCI-DSS control info get removed from the annotations? I didn't find the rule api-server-api-priority-gate-enabled in pci-dss profile.

% oc get rule upstream-ocp4-api-server-api-priority-gate-enabled -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4xqxc2",
  "compliance.openshift.io/profiles": "upstream-ocp4-stig-v1r1,upstream-ocp4-stig",
  "compliance.openshift.io/rule": "api-server-api-priority-gate-enabled",
  "control.compliance.openshift.io/PCI-DSS": "Req-2.2",
  "control.compliance.openshift.io/STIG": "SRG-APP-000516-CTR-001325",
  "policies.open-cluster-management.io/controls": "Req-2.2,SRG-APP-000516-CTR-001325",
  "policies.open-cluster-management.io/standards": "PCI-DSS,STIG"
}
% oc get rule upstream-ocp4-api-server-insecure-port -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4xqxc2",
  "compliance.openshift.io/profiles": "upstream-ocp4-stig,upstream-ocp4-stig-v1r1",
  "compliance.openshift.io/rule": "api-server-insecure-port",
  "control.compliance.openshift.io/STIG": "SRG-APP-000516-CTR-001325",
  "policies.open-cluster-management.io/controls": "SRG-APP-000516-CTR-001325",
  "policies.open-cluster-management.io/standards": "STIG"
}
% oc get profile upstream-ocp4-stig -o yaml | grep api-server-api-priority-gate-enabled
- upstream-ocp4-api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-stig -o yaml | grep api-server-insecure-port 
- upstream-ocp4-api-server-insecure-port
% oc get profile upstream-ocp4-pci-dss -o yaml | grep api-server-api-priority-gate-enabled
% oc get profile upstream-ocp4-pci-dss -o yaml | grep api-server-insecure-port            
% oc get profile upstream-ocp4-cis-1-4 -o yaml | grep api-server-insecure-port
% oc get profile upstream-ocp4-cis-1-4 -o yaml | grep api-server-api-priority-gate-enabled
%
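The manual comparison above between a rule's annotations and the profiles that actually select it can be scripted. The following is an added example, not code from the PR or the ComplianceAsCode project: it runs over constructed data shaped like the `oc get rule ... -o=jsonpath={.metadata.annotations}` and `oc get profile ... -o yaml | grep` output quoted in this thread, and STANDARD_TO_PROFILES is an assumed mapping used only for this example.

```python
import json
# Constructed sample shaped like the `oc get rule ... -o=jsonpath={.metadata.annotations}`
# output quoted in the review (illustrative values, not from a live cluster).
RULE_ANNOTATIONS = json.loads("""{
  "compliance.openshift.io/profiles": "upstream-ocp4-stig-v1r1,upstream-ocp4-stig",
  "compliance.openshift.io/rule": "api-server-api-priority-gate-enabled",
  "control.compliance.openshift.io/PCI-DSS": "Req-2.2",
  "control.compliance.openshift.io/STIG": "SRG-APP-000516-CTR-001325",
  "policies.open-cluster-management.io/standards": "PCI-DSS,STIG"
}""")

# Constructed sample: the rule ids each profile selects, as collected by grepping
# `oc get profile <name> -o yaml` for each profile of interest.
PROFILE_RULES = {
    "upstream-ocp4-stig": {"upstream-ocp4-api-server-api-priority-gate-enabled"},
    "upstream-ocp4-stig-v1r1": {"upstream-ocp4-api-server-api-priority-gate-enabled"},
    "upstream-ocp4-pci-dss": {"upstream-ocp4-api-server-anonymous-auth"},
}

# Profiles implementing each standard tag: an assumption made for this example.
STANDARD_TO_PROFILES = {
    "PCI-DSS": {"upstream-ocp4-pci-dss"},
    "STIG": {"upstream-ocp4-stig", "upstream-ocp4-stig-v1r1"},
}

def split_csv(value):
    """Split a comma separated annotation value, dropping empty entries."""
    return [v.strip() for v in value.split(",") if v.strip()]

def selecting_profiles(rule_id, profile_rules):
    """Profiles whose rule list really contains rule_id."""
    return {name for name, rules in profile_rules.items() if rule_id in rules}

def check_rule(annotations, profile_rules, standard_map=STANDARD_TO_PROFILES,
               prefix="upstream-ocp4-"):
    """Return findings; an empty list means annotations and profiles agree."""
    rule_id = prefix + annotations["compliance.openshift.io/rule"]
    claimed = set(split_csv(annotations.get("compliance.openshift.io/profiles", "")))
    actual = selecting_profiles(rule_id, profile_rules)
    findings = []
    if claimed != actual:
        findings.append(f"profiles annotation {sorted(claimed)} != selecting profiles {sorted(actual)}")
    # A standard is claimed both by the standards list and by each control.*/<STD> key.
    standards = set(split_csv(annotations.get("policies.open-cluster-management.io/standards", "")))
    standards |= {k.split("/", 1)[1] for k in annotations if k.startswith("control.compliance.openshift.io/")}
    for standard in sorted(standards):
        if not standard_map.get(standard, set()) & actual:
            findings.append(f"stale standard {standard}: no selecting profile implements it")
    return findings
```

On the constructed input the check reports the leftover PCI-DSS annotation on a rule that no pci-dss profile selects, which is the inconsistency flagged in the comment above.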

…_insecure_port

This PR removes api_server_insecure_port and api_server_api_priority_gate_enabled from any of the OCP profiles, because we no longer support those applicable OCP versions.
Copy link

codeclimate bot commented Aug 14, 2024

Code Climate has analyzed commit f4bcb76 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

Copy link
Collaborator

@rhmdnd rhmdnd left a comment


/lgtm

@yuumasato
Copy link
Member

/retest

@yuumasato yuumasato merged commit 1792aac into ComplianceAsCode:master Aug 15, 2024
96 of 97 checks passed
Labels
do-not-merge/hold Used by openshift-ci-robot bot. OpenShift OpenShift product related.