-
ocp4-cis-api-server-kubelet-client-cert
-
ocp4-cis-api-server-kubelet-client-key
-
ocp4-cis-kubelet-configure-tls-cert
-
ocp4-cis-kubelet-configure-tls-key
The Compliance Operator lets OKD administrators describe the required compliance state of a cluster and provides them with an overview of gaps and ways to remediate them.
These release notes track the development of the Compliance Operator in the OKD.
For an overview of the Compliance Operator, see Understanding the Compliance Operator.
The following advisory is available for the OpenShift Compliance Operator 0.1.53:
Previously, the ocp4-kubelet-enable-streaming-connections
rule contained an incorrect variable comparison, resulting in false positive scan results. Now, the Compliance Operator provides accurate scan results when setting streamingConnectionIdleTimeout
. (BZ#2069891)
Previously, group ownership for /etc/openvswitch/conf.db
was incorrect on IBM Z architectures, resulting in ocp4-cis-node-worker-file-groupowner-ovs-conf-db
check failures. Now, the check is marked NOT-APPLICABLE
on IBM Z architecture systems. (BZ#2072597)
Previously, the ocp4-cis-scc-limit-container-allowed-capabilities
rule reported in a FAIL
state due to incomplete data regarding the security context constraints (SCC) rules in the deployment. Now, the result is MANUAL
, which is consistent with other checks that require human intervention. (BZ#2077916)
Previously, the following rules failed to account for additional configuration paths for API servers and TLS certificates and keys, resulting in reported failures even if the certificates and keys were set properly:
ocp4-cis-api-server-kubelet-client-cert
ocp4-cis-api-server-kubelet-client-key
ocp4-cis-kubelet-configure-tls-cert
ocp4-cis-kubelet-configure-tls-key
Now, the rules report accurately and observe legacy file paths specified in the kubelet configuration file. (BZ#2079813)
Previously, the content_rule_oauth_or_oauthclient_inactivity_timeout
rule did not account for a configurable timeout set by the deployment when assessing compliance for timeouts. This resulted in the rule failing even if the timeout was valid. Now, the Compliance Operator uses the var_oauth_inactivity_timeout
variable to set valid timeout length. (BZ#2081952)
Previously, the Compliance Operator used administrative permissions on namespaces not labeled appropriately for privileged use, resulting in warning messages regarding pod security-level violations. Now, the Compliance Operator has appropriate namespace labels and permission adjustments to access results without violating permissions. (BZ#2088202)
Previously, applying auto remediations for rhcos4-high-master-sysctl-kernel-yama-ptrace-scope
and rhcos4-sysctl-kernel-core-pattern
resulted in subsequent failures of those rules in scan results, even though they were remediated. Now, the rules report PASS
accurately, even after remediations are applied.(BZ#2094382)
Previously, the Compliance Operator would fail in a CrashLoopBackoff
state because of out-of-memory exceptions. Now, the Compliance Operator is improved to handle large machine configuration data sets in memory and function correctly. (BZ#2094854)
When "debug":true
is set within the ScanSettingBinding
object, the pods generated by the ScanSettingBinding
object are not removed when that binding is deleted. As a workaround, run the following command to delete the remaining pods:
$ oc delete pods -l compliance.openshift.io/scan-name=ocp4-cis
The following advisory is available for the OpenShift Compliance Operator 0.1.52:
The FedRAMP high SCAP profile is now available for use in OKD environments. For more information, See Supported compliance profiles.
Previously, the OpenScap
container would crash due to a mount permission issue in a security environment where DAC_OVERRIDE
capability is dropped. Now, executable mount permissions are applied to all users. (BZ#2082151)
Previously, the compliance rule ocp4-configure-network-policies
could be configured as MANUAL
. Now, compliance rule ocp4-configure-network-policies
is set to AUTOMATIC
. (BZ#2072431)
Previously, the Cluster Autoscaler would fail to scale down because the Compliance Operator scan pods were never removed after a scan. Now, the pods are removed from each node by default unless explicitly saved for debugging purposes. (BZ#2075029)
Previously, applying the Compliance Operator to the KubeletConfig
would result in the node going into a NotReady
state due to unpausing the Machine Config Pools too early. Now, the Machine Config Pools are unpaused appropriately and the node operates correctly. (BZ#2071854)
Previously, the Machine Config Operator used base64
instead of url-encoded
code in the latest release, causing Compliance Operator remediation to fail. Now, the Compliance Operator checks encoding to handle both base64
and url-encoded
Machine Config code and the remediation applies correctly. (BZ#2082431)
When "debug":true
is set within the ScanSettingBinding
object, the pods generated by the ScanSettingBinding
object are not removed when that binding is deleted. As a workaround, run the following command to delete the remaining pods:
$ oc delete pods -l compliance.openshift.io/scan-name=ocp4-cis
The following advisory is available for the OpenShift Compliance Operator 0.1.49:
Previously, the openshift-compliance
content did not include platform-specific checks for network types. As a result, OVN- and SDN-specific checks would show as failed
instead of not-applicable
based on the network configuration. Now, new rules contain platform checks for networking rules, resulting in a more accurate assessment of network-specific checks. (BZ#1994609)
Previously, the ocp4-moderate-routes-protected-by-tls
rule incorrectly checked TLS settings that results in the rule failing the check, even if the connection secure SSL TLS protocol. Now, the check will properly evaluate TLS settings that are consistent with the networking guidance and profile recommendations. (BZ#2002695)
Previously, ocp-cis-configure-network-policies-namespace
used pagination when requesting namespaces. This caused the rule to fail because the deployments truncated lists of more than 500 namespaces. Now, the entire namespace list is requested, and the rule for checking configured network policies will work for deployments with more than 500 namespaces. (BZ#2038909)
Previously, remediations using the sshd jinja
macros were hard-coded to specific sshd configurations. As a result, the configurations were inconsistent with the content the rules were checking for and the check would fail. Now, the sshd configuration is parameterized and the rules apply successfully. (BZ#2049141)
Previously, the ocp4-cluster-version-operator-verify-integrity
always checked the first entry in the Cluter Version Operator (CVO) history. As a result, the upgrade would fail in situations where subsequent versions of {product-name} would be verified. Now, the compliance check result for ocp4-cluster-version-operator-verify-integrity
is able to detect verified versions and is accurate with the CVO history. (BZ#2053602)
Previously, the ocp4-api-server-no-adm-ctrl-plugins-disabled
rule did not check for a list of empty admission controller plug-ins. As a result, the rule would always fail, even if all admission plug-ins were enabled. Now, more robust checking of the ocp4-api-server-no-adm-ctrl-plugins-disabled
rule will accurately pass with all admission controller plug-ins enabled. (BZ#2058631)
Previously, scans did not contain platform checks for running against Linux worker nodes. As a result, running scans against worker nodes that were not Linux-based resulted in a never ending scan loop. Now, the scan will schedule appropriately based on platform type and labels and will completely successfully. (BZ#2056911)
The following advisory is available for the OpenShift Compliance Operator 0.1.48:
Previously, some rules associated with extended Open Vulnerability and Assessment Language (OVAL) definitions had a checkType
of None
. This was because the Compliance Operator was not processing extended OVAL definitions when parsing rules. With this update, content from extended OVAL definitions is parsed so that these rules now have a checkType
of either Node
or Platform
. (BZ#2040282)
Previously, a manually created MachineConfig
object for KubeletConfig
prevented a KubeletConfig
object from being generated for remediation, leaving the remediation in the Pending
state. With this release, a KubeletConfig
object is created by the remediation, regardless if there is a manually created MachineConfig
object for KubeletConfig
. As a result, KubeletConfig
remediations now work as expected. (BZ#2040401)
The following advisory is available for the OpenShift Compliance Operator 0.1.47:
The Compliance Operator now supports the following compliance benchmarks for the Payment Card Industry Data Security Standard (PCI DSS):
ocp4-pci-dss
ocp4-pci-dss-node
Additional rules and remediations for FedRAMP moderate impact level are added to the OCP4-moderate, OCP4-moderate-node, and rhcos4-moderate profiles.
Remediations for KubeletConfig are now available in node-level profiles.
Previously, if your cluster was running OKD 4.6 or earlier, remediations for USBGuard-related rules would fail for the moderate profile. This is because the remediations created by the Compliance Operator were based on an older version of USBGuard that did not support drop-in directories. Now, invalid remediations for USBGuard-related rules are not created for clusters running OKD 4.6. If your cluster is using OKD 4.6, you must manually create remediations for USBGuard-related rules.
Additionally, remediations are created only for rules that satisfy minimum version requirements. (BZ#1965511)
Previously, when rendering remediations, the compliance operator would check that the remediation was well-formed by using a regular expression that was too strict. As a result, some remediations, such as those that render sshd_config
, would not pass the regular expression check and therefore, were not created. The regular expression was found to be unnecessary and removed. Remediations now render correctly. (BZ#2033009)
The following advisory is available for the OpenShift Compliance Operator 0.1.44:
In this release, the strictNodeScan
option is now added to the ComplianceScan
, ComplianceSuite
and ScanSetting
CRs. This option defaults to true
which matches the previous behavior, where an error occurred if a scan was not able to be scheduled on a node. Setting the option to false
allows the Compliance Operator to be more permissive about scheduling scans. Environments with ephemeral nodes can set the strictNodeScan
value to false, which allows a compliance scan to proceed, even if some of the nodes in the cluster are not available for scheduling.
You can now customize the node that is used to schedule the result server workload by configuring the nodeSelector
and tolerations
attributes of the ScanSetting
object. These attributes are used to place the ResultServer
pod, the pod that is used to mount a PV storage volume and store the raw Asset Reporting Format (ARF) results. Previously, the nodeSelector
and the tolerations
parameters defaulted to selecting one of the control plane nodes and tolerating the node-role.kubernetes.io/master taint
. This did not work in environments where control plane nodes are not permitted to mount PVs. This feature provides a way for you to select the node and tolerate a different taint in those environments.
The Compliance Operator can now remediate KubeletConfig
objects.
A comment containing an error message is now added to help content developers differentiate between objects that do not exist in the cluster versus objects that cannot be fetched.
Rule objects now contain two new attributes, checkType
and description
. These attributes allow you to determine if the rule pertains to a node check or platform check, and also allow you to review what the rule does.
This enhancement removes the requirement that you have to extend an existing profile in order to create a tailored profile. This means the extends
field in the TailoredProfile
CRD is no longer mandatory. You can now select a list of rule objects to create a tailored profile. Note that you must select whether your profile applies to nodes or the platform by setting the compliance.openshift.io/product-type:
annotation or by setting the -node
suffix for the TailoredProfile
CR.
In this release, the Compliance Operator is now able to schedule scans on all nodes irrespective of their taints. Previously, the scan pods would only tolerated the node-role.kubernetes.io/master taint
, meaning that they would either ran on nodes with no taints or only on nodes with the node-role.kubernetes.io/master
taint. In deployments that use custom taints for their nodes, this resulted in the scans not being scheduled on those nodes. Now, the scan pods tolerate all node taints.
In this release, the Compliance Operator supports the following North American Electric Reliability Corporation (NERC) security profiles:
ocp4-nerc-cip
ocp4-nerc-cip-node
rhcos4-nerc-cip
In this release, the Compliance Operator supports the NIST 800-53 Moderate-Impact Baseline for the Red Hat OpenShift - Node level, ocp4-moderate-node, security profile.
In this release, the remediation template now allows multi-value variables.
With this update, the Compliance Operator can change remediations based on variables that are set in the compliance profile. This is useful for remediations that include deployment-specific values such as time outs, NTP server host names, or similar. Additionally, the ComplianceCheckResult
objects now use the label compliance.openshift.io/check-has-value
that lists the variables a check has used.
Previously, while performing a scan, an unexpected termination occurred in one of the scanner containers of the pods. In this release, the Compliance Operator uses the latest OpenSCAP version 1.3.5 to avoid a crash.
Previously, using autoReplyRemediations
to apply remediations triggered an update of the cluster nodes. This was disruptive if some of the remediations did not include all of the required input variables. Now, if a remediation is missing one or more required input variables, it is assigned a state of NeedsReview
. If one or more remediations are in a NeedsReview
state, the machine config pool remains paused, and the remediations are not applied until all of the required variables are set. This helps minimize disruption to the nodes.
The RBAC Role and Role Binding used for Prometheus metrics are changed to 'ClusterRole' and 'ClusterRoleBinding' to ensure that monitoring works without customization.
Previously, if an error occurred while parsing a profile, rules or variables objects were removed and deleted from the profile. Now, if an error occurs during parsing, the profileparser
annotates the object with a temporary annotation that prevents the object from being deleted until after parsing completes. (BZ#1988259)
Previously, an error occurred if titles or descriptions were missing from a tailored profile. Because the XCCDF standard requires titles and descriptions for tailored profiles, titles and descriptions are now required to be set in TailoredProfile
CRs.
Previously, when using tailored profiles, TailoredProfile
variable values were allowed to be set using only a specific selection set. This restriction is now removed, and TailoredProfile
variables can be set to any value.
The following advisory is available for the OpenShift Compliance Operator 0.1.39:
Previously, the Compliance Operator was unable to parse Payment Card Industry Data Security Standard (PCI DSS) references. Now, the Operator can parse compliance content that ships with PCI DSS profiles.
Previously, the Compliance Operator was unable to execute rules for AU-5 control in the moderate profile. Now, permission is added to the Operator so that it can read Prometheusrules.monitoring.coreos.com objects and run the rules that cover AU-5 control in the moderate profile.