@stujb that is a wrong recommendation IMO. I was one of the authors of the Openshift CIS benchmark and didn't know that this had been changed... I'll try to get this corrected in the benchmark. The original CIS benchmark stated that protectKernelDefaults should be set; setting it in OpenShift was non-trivial [1], and I can see why they wanted to move away from that. However, I disagree with the rule as it ended up in the OCP benchmark.
[1] https://jaosorior.dev/2020/protectkerneldefaults-in-openshift/
Thanks for the clarification. Will implement the remediations on our clusters as per the recommendations.
@yuumasato Is this still valid?
The last published OpenShift CIS benchmark with a requirement for the --protect-kernel-defaults flag was CIS 1.3.0. From OpenShift CIS 1.4.0 on, this requirement is no longer part of the benchmark.
Description of problem:
The rule/remediation for CIS 4.2.6 seems to contradict what the CIS document says.
The CIS 4.2.6 rule from CIS_RedHat_OpenShift_Container_Platform_v4_Benchmark_v1.1.0_PDF.pdf is quite explicit in stating that protectKernelDefaults should NOT be enabled in the kubelet config, e.g. the title of rule 4.2.6 says "Ensure that the --protect-kernel-defaults argument is not set".
However the rule implemented in the repo and by the openshift-compliance operator states that the protectKernelDefaults option should be enabled in the kubelet config. This seems to directly contradict what the CIS rule states.
Is this correct, and if so, why would this be the case?