Merge pull request #13969 from rhmdnd/CMP-3580

yuumasato · web-flow · commit 48c698813326 · 2025-10-15T23:08:15.000+03:00
CMP-3580: Implement checks for unsupported API server configs
diff --git a/applications/openshift/api-server/api_server_kube_no_unsupported_config_overrides/rule.yml b/applications/openshift/api-server/api_server_kube_no_unsupported_config_overrides/rule.yml
@@ -0,0 +1,48 @@
+title: Ensure No Unsupported Configuration Overrides are Used
+
+platform: not ocp4-on-hypershift-hosted
+
+description: |-
+  Kubernetes API servers should not use unsupported configuration overrides that
+  can potentially compromise the security and stability of the cluster. This
+  rule checks that no unsupported configuration overrides are present in the
+  cluster API server configurations.
+
+rationale: |-
+  Unsupported configuration overrides can introduce security vulnerabilities,
+  performance issues, and unexpected behaviors in the cluster. They bypass the
+  standard configuration mechanisms and can potentially weaken the cluster's
+  security posture or introduce instability.
+
+severity: medium
+
+identifiers:
+  cce@ocp4: CCE-89304-0
+
+references:
+  cis@ocp4: 1.2.31
+
+{{% set jqfilter = '[.items[] | select(.spec.unsupportedConfigOverrides != null and .spec.unsupportedConfigOverrides != {}) | .metadata.name]' %}}
+
+ocil_clause: 'Unsupported Kubernetes API server configuration overrides are detected'
+
+ocil: |-
+  Run the following commands to check for unsupported configuration overrides:
+  <pre>$ oc get kubeapiserver/cluster -o jsonpath='{.spec.unsupportedConfigOverrides}'</pre>
+  Verify that these commands return an empty object or no output.
+
+warnings:
+- general: |-
+    {{{ openshift_filtered_cluster_setting({'/apis/operator.openshift.io/v1/kubeapiservers': jqfilter}) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: {{{ openshift_filtered_path('/apis/operator.openshift.io/v1/kubeapiservers', jqfilter) }}}
+    yamlpath: "[:]"
+    check_existence: "none_exist"
+    entity_check: "all"
+    values:
+      - value: "(.*?)"
+        operation: "pattern match"
diff --git a/applications/openshift/api-server/api_server_no_unsupported_config_overrides/rule.yml b/applications/openshift/api-server/api_server_no_unsupported_config_overrides/rule.yml
@@ -0,0 +1,48 @@
+title: Ensure No Unsupported Configuration Overrides are Used
+
+platform: not ocp4-on-hypershift-hosted
+
+description: |-
+  OpenShift API servers should not use unsupported configuration overrides that
+  can potentially compromise the security and stability of the cluster. This
+  rule checks that no unsupported configuration overrides are present in the
+  cluster API server configurations.
+
+rationale: |-
+  Unsupported configuration overrides can introduce security vulnerabilities,
+  performance issues, and unexpected behaviors in the cluster. They bypass the
+  standard configuration mechanisms and can potentially weaken the cluster's
+  security posture or introduce instability.
+
+severity: medium
+
+identifiers:
+  cce@ocp4: CCE-89950-0
+
+references:
+  cis@ocp4: 1.2.31
+
+{{% set jqfilter = '[.items[] | select(.spec.unsupportedConfigOverrides != null and .spec.unsupportedConfigOverrides != {}) | .metadata.name]' %}}
+
+ocil_clause: 'Unsupported OpenShift API server configuration overrides are detected'
+
+ocil: |-
+  Run the following commands to check for unsupported configuration overrides:
+  <pre>$ oc get openshiftapiserver/cluster -o jsonpath='{.spec.unsupportedConfigOverrides}'</pre>
+  Verify that these commands return an empty object or no output.
+
+warnings:
+- general: |-
+    {{{ openshift_filtered_cluster_setting({'/apis/operator.openshift.io/v1/openshiftapiservers': jqfilter}) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: {{{ openshift_filtered_path('/apis/operator.openshift.io/v1/openshiftapiservers', jqfilter) }}}
+    yamlpath: "[:]"
+    check_existence: "none_exist"
+    entity_check: "all"
+    values:
+      - value: "(.*?)"
+        operation: "pattern match"
diff --git a/controls/cis_ocp/section-1.yml b/controls/cis_ocp/section-1.yml
@@ -461,7 +461,9 @@ controls:
                 - id: 1.2.33
                   title: Ensure unsupported configuration overrides are not used
                   status: pending
-                  rules: []
+                  rules:
+                      - api_server_no_unsupported_config_overrides
+                      - api_server_kube_no_unsupported_config_overrides
                   levels:
                       - level_1
           - id: '1.3'
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1559,7 +1559,6 @@ CCE-89293-5
 CCE-89294-3
 CCE-89295-0
 CCE-89303-2
-CCE-89304-0
 CCE-89305-7
 CCE-89308-1
 CCE-89310-7
@@ -1984,7 +1983,6 @@ CCE-89943-5
 CCE-89946-8
 CCE-89948-4
 CCE-89949-2
-CCE-89950-0
 CCE-89951-8
 CCE-89953-4
 CCE-89954-2
