openshift / compliance-operator

Operator providing OpenShift cluster compliance checks
Apache License 2.0
109 stars, 110 forks

false positive rule - api-server-no-adm-ctrl-plugins-disabled #796

Closed maratsal closed 2 years ago

maratsal commented 2 years ago

Not sure if this should be posted here, if it should go somewhere else please let me know.

It looks like api-server-no-adm-ctrl-plugins-disabled is a false positive on version 4.9.17 of OpenShift.

The compliance check for that rule is failing:

oc get compliancecheckresults ocp4-cis-tailored-api-server-no-adm-ctrl-plugins-disabled
NAME                                                        STATUS   SEVERITY
ocp4-cis-tailored-api-server-no-adm-ctrl-plugins-disabled   FAIL     medium

However, the manual check that is suggested doesn't show any disabled admission controllers.

oc -n openshift-kube-apiserver get configmap config -o json | jq -r '[.data."config.yaml" | fromjson | select(.apiServerArguments."disable-admission-plugins"!=["PodSecurity"] and .apiServerArguments."disable-admission-plugins"!=[]) | .apiServerArguments."disable-admission-plugins"]'
[
  null
]

or the full config map output:

[
  {
    "admission": {
      "pluginConfig": {
        "network.openshift.io/ExternalIPRanger": {
          "configuration": {
            "allowIngressIP": false,
            "apiVersion": "network.openshift.io/v1",
            "externalIPNetworkCIDRs": null,
            "kind": "ExternalIPRangerAdmissionConfig"
          },
          "location": ""
        },
        "network.openshift.io/RestrictedEndpointsAdmission": {
          "configuration": {
            "apiVersion": "network.openshift.io/v1",
            "kind": "RestrictedEndpointsAdmissionConfig",
            "restrictedCIDRs": [
              "10.128.0.0/14",
              "172.30.0.0/16"
            ]
          }
        }
      }
    },
    "apiServerArguments": {
      "allow-privileged": [
        "true"
      ],
      "anonymous-auth": [
        "true"
      ],
      "api-audiences": [
        "https://kubernetes.default.svc"
      ],
      "audit-log-format": [
        "json"
      ],
      "audit-log-maxbackup": [
        "10"
      ],
      "audit-log-maxsize": [
        "100"
      ],
      "audit-log-path": [
        "/var/log/kube-apiserver/audit.log"
      ],
      "audit-policy-file": [
        "/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-audit-policies/policy.yaml"
      ],
      "authentication-token-webhook-config-file": [
        "/etc/kubernetes/static-pod-resources/secrets/webhook-authenticator/kubeConfig"
      ],
      "authentication-token-webhook-version": [
        "v1"
      ],
      "authorization-mode": [
        "Scope",
        "SystemMasters",
        "RBAC",
        "Node"
      ],
      "client-ca-file": [
        "/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt"
      ],
      "cloud-provider": [
        "aws"
      ],
      "enable-admission-plugins": [
        "CertificateApproval",
        "CertificateSigning",
        "CertificateSubjectRestriction",
        "DefaultIngressClass",
        "DefaultStorageClass",
        "DefaultTolerationSeconds",
        "LimitRanger",
        "MutatingAdmissionWebhook",
        "NamespaceLifecycle",
        "NodeRestriction",
        "OwnerReferencesPermissionEnforcement",
        "PersistentVolumeClaimResize",
        "PersistentVolumeLabel",
        "PodNodeSelector",
        "PodTolerationRestriction",
        "Priority",
        "ResourceQuota",
        "RuntimeClass",
        "ServiceAccount",
        "StorageObjectInUseProtection",
        "TaintNodesByCondition",
        "ValidatingAdmissionWebhook",
        "authorization.openshift.io/RestrictSubjectBindings",
        "authorization.openshift.io/ValidateRoleBindingRestriction",
        "config.openshift.io/DenyDeleteClusterConfiguration",
        "config.openshift.io/ValidateAPIServer",
        "config.openshift.io/ValidateAuthentication",
        "config.openshift.io/ValidateConsole",
        "config.openshift.io/ValidateFeatureGate",
        "config.openshift.io/ValidateImage",
        "config.openshift.io/ValidateOAuth",
        "config.openshift.io/ValidateProject",
        "config.openshift.io/ValidateScheduler",
        "image.openshift.io/ImagePolicy",
        "network.openshift.io/ExternalIPRanger",
        "network.openshift.io/RestrictedEndpointsAdmission",
        "quota.openshift.io/ClusterResourceQuota",
        "quota.openshift.io/ValidateClusterResourceQuota",
        "route.openshift.io/IngressAdmission",
        "scheduling.openshift.io/OriginPodNodeEnvironment",
        "security.openshift.io/DefaultSecurityContextConstraints",
        "security.openshift.io/SCCExecRestrictions",
        "security.openshift.io/SecurityContextConstraint",
        "security.openshift.io/ValidateSecurityContextConstraints"
      ],
      "enable-aggregator-routing": [
        "true"
      ],
      "enable-logs-handler": [
        "false"
      ],
      "enable-swagger-ui": [
        "true"
      ],
      "encryption-provider-config": [
        "/etc/kubernetes/static-pod-resources/secrets/encryption-config/encryption-config"
      ],
      "endpoint-reconciler-type": [
        "lease"
      ],
      "etcd-cafile": [
        "/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt"
      ],
      "etcd-certfile": [
        "/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.crt"
      ],
      "etcd-keyfile": [
        "/etc/kubernetes/static-pod-resources/secrets/etcd-client/tls.key"
      ],
      "etcd-prefix": [
        "kubernetes.io"
      ],
      "etcd-servers": [
        "https://10.0.159.51:2379",
        "https://10.0.164.136:2379",
        "https://10.0.194.165:2379",
        "https://localhost:2379"
      ],
      "event-ttl": [
        "3h"
      ],
      "feature-gates": [
        "APIPriorityAndFairness=true",
        "RotateKubeletServerCertificate=true",
        "SupportPodPidsLimit=true",
        "NodeDisruptionExclusion=true",
        "ServiceNodeExclusion=true",
        "DownwardAPIHugePages=true",
        "LegacyNodeRoleBehavior=false"
      ],
      "goaway-chance": [
        "0"
      ],
      "http2-max-streams-per-connection": [
        "2000"
      ],
      "insecure-port": [
        "0"
      ],
      "kubelet-certificate-authority": [
        "/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"
      ],
      "kubelet-client-certificate": [
        "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt"
      ],
      "kubelet-client-key": [
        "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key"
      ],
      "kubelet-preferred-address-types": [
        "InternalIP"
      ],
      "kubelet-read-only-port": [
        "0"
      ],
      "kubernetes-service-node-port": [
        "0"
      ],
      "max-mutating-requests-inflight": [
        "1000"
      ],
      "max-requests-inflight": [
        "3000"
      ],
      "min-request-timeout": [
        "3600"
      ],
      "proxy-client-cert-file": [
        "/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.crt"
      ],
      "proxy-client-key-file": [
        "/etc/kubernetes/static-pod-certs/secrets/aggregator-client/tls.key"
      ],
      "requestheader-allowed-names": [
        "kube-apiserver-proxy",
        "system:kube-apiserver-proxy",
        "system:openshift-aggregator"
      ],
      "requestheader-client-ca-file": [
        "/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"
      ],
      "requestheader-extra-headers-prefix": [
        "X-Remote-Extra-"
      ],
      "requestheader-group-headers": [
        "X-Remote-Group"
      ],
      "requestheader-username-headers": [
        "X-Remote-User"
      ],
      "service-account-issuer": [
        "https://kubernetes.default.svc"
      ],
      "service-account-jwks-uri": [
        "https://api-int.argotest.aws.salakhutdinov.com:6443/openid/v1/jwks"
      ],
      "service-account-lookup": [
        "true"
      ],
      "service-account-signing-key-file": [
        "/etc/kubernetes/static-pod-certs/secrets/bound-service-account-signing-key/service-account.key"
      ],
      "service-node-port-range": [
        "30000-32767"
      ],
      "shutdown-delay-duration": [
        "210s"
      ],
      "shutdown-send-retry-after": [
        "true"
      ],
      "storage-backend": [
        "etcd3"
      ],
      "storage-media-type": [
        "application/vnd.kubernetes.protobuf"
      ],
      "tls-cert-file": [
        "/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt"
      ],
      "tls-private-key-file": [
        "/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"
      ]
    },
    "apiVersion": "kubecontrolplane.config.openshift.io/v1",
    "authConfig": {
      "oauthMetadataFile": "/etc/kubernetes/static-pod-resources/configmaps/oauth-metadata/oauthMetadata"
    },
    "consolePublicURL": "",
    "corsAllowedOrigins": [
      "//127\\.0\\.0\\.1(:|$)",
      "//localhost(:|$)"
    ],
    "imagePolicyConfig": {
      "internalRegistryHostname": "image-registry.openshift-image-registry.svc:5000"
    },
    "kind": "KubeAPIServerConfig",
    "projectConfig": {
      "defaultNodeSelector": ""
    },
    "serviceAccountPublicKeyFiles": [
      "/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs",
      "/etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs"
    ],
    "servicesSubnet": "172.30.0.0/16",
    "servingInfo": {
      "bindAddress": "0.0.0.0:6443",
      "bindNetwork": "tcp4",
      "cipherSuites": [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
      ],
      "minTLSVersion": "VersionTLS12",
      "namedCertificates": [
        {
          "certFile": "/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt",
          "keyFile": "/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"
        },
        {
          "certFile": "/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt",
          "keyFile": "/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"
        },
        {
          "certFile": "/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt",
          "keyFile": "/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"
        },
        {
          "certFile": "/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt",
          "keyFile": "/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"
        },
        {
          "certFile": "/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt",
          "keyFile": "/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"
        }
      ]
    }
  }
]

and here are the debug logs:

Title   Ensure all admission control plugins are enabled
Rule    xccdf_org.ssgproject.content_rule_api_server_no_adm_ctrl_plugins_disabled
Ident   CCE-83799-7
I: oscap: Evaluating XCCDF rule 'xccdf_org.ssgproject.content_rule_api_server_no_adm_ctrl_plugins_disabled'.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4:def:1': Red Hat OpenShift Container Platform.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4:def:1' evaluated as true.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_node:def:1': Red Hat OpenShift Container Platform Node.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_node:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_6:def:1': Red Hat OpenShift Container Platform 4.6.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_6:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_7:def:1': Red Hat OpenShift Container Platform 4.7.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_7:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_8:def:1': Red Hat OpenShift Container Platform 4.8.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_8:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_9:def:1': Red Hat OpenShift Container Platform 4.9.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_9:def:1' evaluated as true.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_10:def:1': Red Hat OpenShift Container Platform 4.10.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_10:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_11:def:1': Red Hat OpenShift Container Platform 4.11.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_11:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_12:def:1': Red Hat OpenShift Container Platform 4.12.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_12:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_13:def:1': Red Hat OpenShift Container Platform 4.13.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_13:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_14:def:1': Red Hat OpenShift Container Platform 4.14.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_14:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_15:def:1': Red Hat OpenShift Container Platform 4.15.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_15:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_16:def:1': Red Hat OpenShift Container Platform 4.16.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_16:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_17:def:1': Red Hat OpenShift Container Platform 4.17.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_17:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_18:def:1': Red Hat OpenShift Container Platform 4.18.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_18:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_aws:def:1': Red Hat OpenShift Container Platform 4 on AWS.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_aws:def:1' evaluated as true.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_azure:def:1': Red Hat OpenShift Container Platform 4 on Azure.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_azure:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_gcp:def:1': Red Hat OpenShift Container Platform 4 on GCP.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_gcp:def:1' evaluated as false.
I: oscap: This rule requires an OCIL check. OCIL checks are not supported by OpenSCAP.
I: oscap: Skipping external variable oval:ssg-ocp_data_root:var:1.
I: oscap: Evaluating definition 'oval:ssg-api_server_no_adm_ctrl_plugins_disabled:def:1': Ensure all admission control plugins are enabled.
I: oscap:   Evaluating yamlfilecontent test 'oval:ssg-test_api_server_no_adm_ctrl_plugins_disabled:tst:1': In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#a5a0ee8f56426b587ba633ebb468d142ba47e4ee13d9676b12a8adb263566607' find only one object at path '[:]'..
I: oscap:     Querying yamlfilecontent object 'oval:ssg-object_api_server_no_adm_ctrl_plugins_disabled:obj:1', flags: 0.
I: oscap:     Creating new syschar for yamlfilecontent_object 'oval:ssg-object_api_server_no_adm_ctrl_plugins_disabled:obj:1'.
I: oscap:     Object 'oval:ssg-object_api_server_no_adm_ctrl_plugins_disabled:obj:1' references variable 'oval:ssg-api_server_no_adm_ctrl_plugins_disabled_file_location:var:1' in 'filepath' field.
I: oscap:     Querying variable 'oval:ssg-api_server_no_adm_ctrl_plugins_disabled_file_location:var:1'.
I: oscap:       Variable component references external_variable 'oval:ssg-ocp_data_root:var:1'
I: oscap:       Querying variable 'oval:ssg-ocp_data_root:var:1'.
I: oscap:       Variable 'oval:ssg-ocp_data_root:var:1' is not local, skipping.
I: oscap:       Variable 'oval:ssg-ocp_data_root:var:1' has values "/kubernetes-api-resources".
I: oscap:     Variable 'oval:ssg-api_server_no_adm_ctrl_plugins_disabled_file_location:var:1' has values "/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#a5a0ee8f56426b587ba633ebb468d142ba47e4ee13d9676b12a8adb263566607".
I: oscap:     I will run yamlfilecontent_probe_main:
I: oscap:     Opening file '/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#a5a0ee8f56426b587ba633ebb468d142ba47e4ee13d9676b12a8adb263566607'.
I: oscap:     Test 'oval:ssg-test_api_server_no_adm_ctrl_plugins_disabled:tst:1' requires that none of the objects defined by 'oval:ssg-object_api_server_no_adm_ctrl_plugins_disabled:obj:1' exist on the system.
I: oscap:     1 objects defined by 'oval:ssg-object_api_server_no_adm_ctrl_plugins_disabled:obj:1' exist on the system.
I: oscap:     Test 'oval:ssg-test_api_server_no_adm_ctrl_plugins_disabled:tst:1' does not contain any state to compare object with.
I: oscap:     All items matching object 'oval:ssg-object_api_server_no_adm_ctrl_plugins_disabled:obj:1' were collected. (flag=complete)
I: oscap:   Test 'oval:ssg-test_api_server_no_adm_ctrl_plugins_disabled:tst:1' evaluated as false.
I: oscap:   Evaluating file test 'oval:ssg-test_file_for_api_server_no_adm_ctrl_plugins_disabled:tst:1': Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#a5a0ee8f56426b587ba633ebb468d142ba47e4ee13d9676b12a8adb263566607')..
I: oscap:     Querying file object 'oval:ssg-object_file_for_api_server_no_adm_ctrl_plugins_disabled:obj:1', flags: 0.
I: oscap:     Creating new syschar for file_object 'oval:ssg-object_file_for_api_server_no_adm_ctrl_plugins_disabled:obj:1'.
I: oscap:     Object 'oval:ssg-object_file_for_api_server_no_adm_ctrl_plugins_disabled:obj:1' references variable 'oval:ssg-api_server_no_adm_ctrl_plugins_disabled_file_location:var:1' in 'filepath' field.
I: oscap:     Querying variable 'oval:ssg-api_server_no_adm_ctrl_plugins_disabled_file_location:var:1'.
I: oscap:     I will run file_probe_main:
I: oscap:     Opening file '/kubernetes-api-resources/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#a5a0ee8f56426b587ba633ebb468d142ba47e4ee13d9676b12a8adb263566607'.
I: oscap:     Test 'oval:ssg-test_file_for_api_server_no_adm_ctrl_plugins_disabled:tst:1' requires that only one object defined by 'oval:ssg-object_file_for_api_server_no_adm_ctrl_plugins_disabled:obj:1' exists on the system.
I: oscap:     1 objects defined by 'oval:ssg-object_file_for_api_server_no_adm_ctrl_plugins_disabled:obj:1' exist on the system.
I: oscap:     Test 'oval:ssg-test_file_for_api_server_no_adm_ctrl_plugins_disabled:tst:1' does not contain any state to compare object with.
I: oscap:     All items matching object 'oval:ssg-object_file_for_api_server_no_adm_ctrl_plugins_disabled:obj:1' were collected. (flag=complete)
I: oscap:   Test 'oval:ssg-test_file_for_api_server_no_adm_ctrl_plugins_disabled:tst:1' evaluated as true.
I: oscap: Definition 'oval:ssg-api_server_no_adm_ctrl_plugins_disabled:def:1' evaluated as false.
Result  fail
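The `[ null ]` output above shows the mechanism behind the FAIL: the rule's jq filter reads a missing `disable-admission-plugins` key as `null`, which is neither `["PodSecurity"]` nor `[]`, so the object is selected and the OVAL test ("requires that none of the objects exist") fails even though nothing is disabled. The following Python is an illustration added here, not code from the operator or the ComplianceAsCode content; it mirrors that filter on a constructed, abbreviated ConfigMap and sets a hypothetical corrected variant beside it that treats the absent key as compliant.

```python
import json

# Constructed, abbreviated stand-in for the kube-apiserver "config" ConfigMap in
# the issue: the disable-admission-plugins argument is simply absent.
CONFIG_NO_DISABLE_KEY = json.loads("""
{"apiServerArguments": {"enable-admission-plugins": ["NamespaceLifecycle", "ServiceAccount"]}}
""")
# Further constructed variants covering the other cases the filter distinguishes.
CONFIG_EMPTY = {"apiServerArguments": {"disable-admission-plugins": []}}
CONFIG_PODSECURITY = {"apiServerArguments": {"disable-admission-plugins": ["PodSecurity"]}}
CONFIG_REAL_DISABLE = {"apiServerArguments": {"disable-admission-plugins": ["NodeRestriction"]}}


def disabled_plugins(config):
    """Mirror jq's `.apiServerArguments."disable-admission-plugins"`:
    a missing key yields None, exactly as jq yields null."""
    return config.get("apiServerArguments", {}).get("disable-admission-plugins")


def rule_filter_as_shipped(config):
    """Same logic as the jq filter quoted in the issue: the object is selected
    (and therefore reported) unless the value is exactly ["PodSecurity"] or []."""
    value = disabled_plugins(config)
    if value != ["PodSecurity"] and value != []:
        return [value]          # a missing key lands here as [None] -> jq's [ null ]
    return []


def rule_filter_missing_key_compliant(config):
    """Hypothetical corrected filter (an assumption, not the project's fix):
    an absent key means no plugin is disabled, so it is compliant as well."""
    value = disabled_plugins(config)
    if value is None or value == [] or value == ["PodSecurity"]:
        return []
    return [value]


def oval_result(items):
    """The OVAL test in the debug log requires that *no* matching object exists,
    so any collected item turns into a FAIL for the rule."""
    return "fail" if items else "pass"


if __name__ == "__main__":
    for name, cfg in [("no key", CONFIG_NO_DISABLE_KEY), ("empty", CONFIG_EMPTY),
                      ("PodSecurity", CONFIG_PODSECURITY), ("NodeRestriction", CONFIG_REAL_DISABLE)]:
        print(f"{name:16s} shipped={oval_result(rule_filter_as_shipped(cfg)):4s} "
              f"corrected={oval_result(rule_filter_missing_key_compliant(cfg))}")
```

Only the "no key" case differs between the two filters; a genuinely disabled plugin such as the constructed `NodeRestriction` case still fails under both.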
stujb commented 2 years ago

Think this is the same as this issue https://github.com/ComplianceAsCode/content/issues/8085

maratsal commented 2 years ago

Yes, it looks like the same issue.

jhrozek commented 2 years ago

Content issues should be filed in the https://github.com/ComplianceAsCode/content repo.

alexisph commented 2 years ago

Same false positive on a v4.8.24 cluster.