rancher / dashboard

The Rancher UI
https://rancher.com
Apache License 2.0

rke2 custom deployment from rancher 2.6.7 with CIS Profile cis-1.6 doesn't use "true" as a default for protect-kernel-default #7331

Closed gaktive closed 1 year ago

gaktive commented 2 years ago

Internal reference: SURE-4172

Reported in 2.6.5 & 2.6.7

Issue description: When we use rke2 custom deployment from rancher 2.6.7 with CIS Profile cis-1.6, the protect-kernel-defaults is set to false.

```yaml
- config:
    profile: cis-1.6
    protect-kernel-defaults: false
```

In the UI under Cluster Create, there's a checkbox for protect-kernel-defaults. We should have this checked if a CIS Profile was selected.


Repro steps:

gaktive commented 1 year ago

Upon chatting with @catherineluse, and referring to https://docs.ranchermanager.rancher.io/reference-guides/rancher-security/rancher-v2.6-hardening-guides/rke2-hardening-guide-with-cis-v1.6-benchmark, the steps to reproduce this follow the RKE2 Custom Template file to generate this.

It sounds like this may be an issue whereby the actual questions.yaml file in the RKE2 repo needs to be updated.

catherineluse commented 1 year ago

I was mistaken - this issue is about custom clusters, not cluster templates.

QA Template

What was fixed, or what changes have occurred

In the create/edit form for RKE2 custom clusters, when the user selects any Worker CIS Profile in the dropdown menu, the value "protect kernel defaults" is now set to true in the cluster YAML.

If the user selects "None" for the Worker CIS Profile, the "protect kernel defaults" should still be false in the cluster YAML.

Areas or cases that should be tested

This only affects custom RKE2 clusters.

Test that the default behavior is unchanged for clusters without a CIS profile selected

  1. Go to the cluster list in Cluster Management
  2. Click Create
  3. Click RKE2 and Custom
  4. In the cluster create form, click Edit as YAML
  5. Confirm that in YAML, by default, spec.rkeConfig.machineSelectorConfig[0].config["protect-kernel-defaults"] is false

Test that selecting a CIS profile sets "protect-kernel-defaults" to true

  1. Go back to the cluster create/edit form
  2. Click Worker CIS Profile > cis-1.5 (or 1.6)
  3. Click Edit as YAML
  4. Confirm that spec.rkeConfig.machineSelectorConfig[0].config["protect-kernel-defaults"] is true

Test that setting the CIS profile to "None" sets "protect-kernel-defaults" to false

  1. Go back to the cluster create/edit form
  2. Set Worker CIS Profile to None
  3. Click Edit as YAML
  4. Confirm that spec.rkeConfig.machineSelectorConfig[0].config["protect-kernel-defaults"] is false

Josh-Diamond commented 1 year ago

Ticket #7331 - Test Results - ✅

With Docker on a single-node instance:

Verified on rancher v2.7-830fa58ccecfb8915fc54862a9b19fdfeb2c0f8c-head:

| Scenario | Test Case | Result |
|---|---|---|
| 1 | Default behavior for clusters w/o CIS profile selected expected to set "protect-kernel-defaults" to FALSE | |
| 2 | Selecting a CIS profile sets "protect-kernel-defaults" to TRUE | |
| 3 | Setting the CIS profile to "None" sets "protect-kernel-defaults" to FALSE | |

Scenario 1:

  1. Fresh install of rancher v2.7-head
  2. Provision a downstream RKE2 cluster w/o selecting CIS Profile
  3. View YAML and confirm "protect-kernel-defaults" is set to false
  4. Verified - "protect-kernel-defaults" is set to false

Scenario 2:

  1. Fresh install of rancher v2.7-head
  2. Provision a downstream RKE2 cluster, selecting CIS Profile
  3. View YAML and confirm "protect-kernel-defaults" is set to true
  4. Verified - "protect-kernel-defaults" is set to true

Scenario 3:

  1. Fresh install of rancher v2.7-head
  2. Provision a downstream RKE2 cluster, selecting None for CIS Profile
  3. View YAML and confirm "protect-kernel-defaults" is set to false
  4. Verified - "protect-kernel-defaults" is set to false
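
The check that the QA steps in this thread perform by hand can be scripted. The following is an added example, not part of the original thread or of the Rancher dashboard code; it assumes the cluster YAML has already been parsed into an object, it goes beyond the steps above by checking every `machineSelectorConfig` entry rather than only `[0]`, and the names `auditKernelDefaults` and `sampleCluster` are hypothetical.

```javascript
const KEY = 'protect-kernel-defaults';

// A missing, empty or "None" profile counts as "no CIS profile selected".
// (How "None" is serialised in the YAML is an assumption of this example.)
function hasCisProfile(config) {
  const profile = config.profile;
  return typeof profile === 'string' && profile !== '' &&
    profile.toLowerCase() !== 'none';
}

// Accept the flag as a YAML boolean or as the string "true".
function isEnabled(value) {
  return value === true || value === 'true';
}

// Returns one finding per machineSelectorConfig entry that deviates from
// the behaviour described in this issue.
function auditKernelDefaults(cluster) {
  const entries = cluster?.spec?.rkeConfig?.machineSelectorConfig ?? [];
  const findings = [];
  entries.forEach((entry, index) => {
    const config = entry?.config ?? {};
    const cis = hasCisProfile(config);
    const enabled = isEnabled(config[KEY]);
    if (cis && !enabled) {
      // The reported bug: CIS profile selected, kernel defaults unprotected.
      findings.push({ index, level: 'fail', profile: config.profile });
    } else if (!cis && enabled) {
      // Not a weakness, only a difference from the UI default.
      findings.push({ index, level: 'note', profile: null });
    }
  });
  return findings;
}

// Constructed sample: the first entry mirrors the config from the report.
const sampleCluster = {
  spec: { rkeConfig: { machineSelectorConfig: [
    { config: { profile: 'cis-1.6', 'protect-kernel-defaults': false } },
    { config: { profile: 'cis-1.6', 'protect-kernel-defaults': true } },
    { config: { 'protect-kernel-defaults': false } },
  ] } },
};

console.log(auditKernelDefaults(sampleCluster));
```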