CMP-3580: Implement checks for unsupported API server configs #13969

rhmdnd · 2025-10-02T04:25:17Z

CIS has guidance that recommends checking Kubernetes and OpenShift API
servers for any unsupported configuration options (control 1.2.33 in
newer versions and 1.2.31 in recent versions). This commit adds two new
rules to check the API servers for unsupported configs so that users
have some automated way of checking this control, even though OpenShift
doesn't use this feature by default.

rhmdnd · 2025-10-02T04:34:28Z

/test 4.18-e2e-aws-ocp4-cis

rhmdnd · 2025-10-02T12:33:55Z

controls/cis_ocp/section-1.yml

-                  rules: []
+                  rules:
+                      - api_server_no_unsupported_config_overrides
+                      - api_server_kube_no_unsupported_config_overrides


Strange - these didn't get picked up in the OCP4 cis testing.

Adding in the platform.

The rule still didn't show up in the test's artifacts.
Could it be that it is still not using the PR sources to build? Although I see the following in the logs:

2025/10/02 14:00:23 Using content image: registry.build09.ci.openshift.org/ci-op-pcld3z78/pipeline@sha256:4e75e0a42dd7be2834916360232767bee51f2b9d5af9f06b7e492c31c1ba0502

The rule is getting build and put in the datastream, but it still doesn't seem to run in CI.

Looks like we're passing the content image from the PR correctly - https://github.com/openshift/release/blob/master/ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.18.yaml#L225

@rhmdnd component doesn't seem to be used anywhere. Regardless, --content-image=$CONTENT_IMAGE seems correct.
From the logs:

+ go test . '-run=^TestPlatformCompliance$' -test-type=platform -content-image=registry.build11.ci.openshift.org/ci-op-mv6gph1y/pipeline@sha256:01d6114df7283f8cb722b017747c4de25eb5f42baa6d761eb34b6de17d0793f8 -content-directory=/go/src/github.com/ComplianceAsCode/content

This PR looks good to me, @rhmdnd
But would you like to use this PR as testing grounds to understand why it doesn't show up in the tests?

rhmdnd · 2025-10-02T12:37:12Z

/test 4.18-e2e-aws-ocp4-cis

yuumasato · 2025-10-13T11:44:45Z

@rhmdnd On an OCP 4.20 the rule is falling. When I probe manually I get this:

$ oc get kubeapiserver cluster -o yaml | grep unsupported 
  unsupportedConfigOverrides: null
$  oc get kubeapiserver cluster -o jsonpath={.spec.unsupportedConfigOverrides}
null

So the key seems to exist, its value is null though.

yuumasato · 2025-10-13T12:55:32Z

I get the same unsupportedConfigOverrides: null result on OCP 4.19.

yuumasato · 2025-10-13T13:23:59Z

This is what I get in the logs:

14926 D: oscap: Message received. [oscap(3):oscap(7fc023377940):oval_probe_ext.c:579:oval_probe_comm]
14927 D: oscap: name=(null), value=0x7fbfbc01ea10 [oscap(3):oscap(7fc023377940):seap-message.c:71:SEAP_msg_free]
14928 I: oscap: Test 'oval:ssg-test_file_for_api_server_kube_no_unsupported_config_overrides:tst:1' requires that only one object defined by 'oval:ssg-object_file_for_api_server_kube_no_unsupported_config_overrides:obj:1' exists on the system. [oscap(3):oscap(7fc023377940):oval_resultTest.c:912:_oval_result_test_evaluate_items]
14929 I: oscap: 0 objects defined by 'oval:ssg-object_file_for_api_server_kube_no_unsupported_config_overrides:obj:1' exist on the system. [oscap(3):oscap(7fc023377940):oval_resultTest.c:918:_oval_result_test_evaluate_items]
14930 I: oscap: Test 'oval:ssg-test_file_for_api_server_kube_no_unsupported_config_overrides:tst:1' does not contain any state to compare object with. [oscap(3):oscap(7fc023377940):oval_resultTest.c:920:_oval_result_test_evaluate_items]
14931 I: oscap: No item matching object 'oval:ssg-object_file_for_api_server_kube_no_unsupported_config_overrides:obj:1' was found on the system. (flag=does not exist) [oscap(3):oscap(7fc023377940):oval_resultTest.c:954:_oval_result_test_evaluate_items]
14932 I: oscap: Test 'oval:ssg-test_file_for_api_server_kube_no_unsupported_config_overrides:tst:1' evaluated as false. [oscap(3):oscap(7fc023377940):oval_resultTest.c:1164:oval_result_test_eval]
14933 I: oscap: Definition 'oval:ssg-api_server_kube_no_unsupported_config_overrides:def:1' evaluated as false. [oscap(3):oscap(7fc023377940):oval_resultDefinition.c:170:oval_result_definition_eval]
14934 Result^M    fail

applications/openshift/api-server/api_server_kube_no_unsupported_config_overrides/rule.yml

applications/openshift/api-server/api_server_no_unsupported_config_overrides/rule.yml

CIS has guidance that recommends checking Kubernetes and OpenShift API servers for any unsupported configuration options (control 1.2.33 in newer versions and 1.2.31 in recent versions). This commit adds two new rules to check the API servers for unsupported configs so that users have some automated way of checking this control, even though OpenShift doesn't use this feature by default.

rhmdnd · 2025-10-14T18:46:59Z

/test 4.18-e2e-aws-ocp4-cis

openshift-ci · 2025-10-14T20:24:41Z

@rhmdnd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.18-e2e-aws-ocp4-cis	`aa80d2f`	link	true	`/test 4.18-e2e-aws-ocp4-cis`
ci/prow/e2e-aws-openshift-node-compliance	`aa80d2f`	link	true	`/test e2e-aws-openshift-node-compliance`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

yuumasato · 2025-10-15T19:34:42Z

Rules are passing when tested manually.
But the ocp4-cis and platform-compliance tests are still not showing the new unsupported-override rules.

rhmdnd requested review from Anna-Koudelkova, Vincent056, xiaojiey and yuumasato October 2, 2025 04:27

jan-cerny added the OpenShift OpenShift product related. label Oct 2, 2025

rhmdnd commented Oct 2, 2025

View reviewed changes

rhmdnd force-pushed the CMP-3580 branch from ab4e912 to 8e5eddb Compare October 2, 2025 12:36

yuumasato self-assigned this Oct 2, 2025

yuumasato added this to the 0.1.79 milestone Oct 2, 2025

yuumasato requested changes Oct 13, 2025

View reviewed changes

applications/openshift/api-server/api_server_kube_no_unsupported_config_overrides/rule.yml Outdated Show resolved Hide resolved

applications/openshift/api-server/api_server_no_unsupported_config_overrides/rule.yml Outdated Show resolved Hide resolved

rhmdnd force-pushed the CMP-3580 branch from 8e5eddb to aa80d2f Compare October 14, 2025 18:46

yuumasato approved these changes Oct 15, 2025

View reviewed changes

yuumasato merged commit 48c6988 into ComplianceAsCode:master Oct 15, 2025
134 of 137 checks passed

sync-cac-oscal-bot bot mentioned this pull request Oct 15, 2025

Auto-generated PR from CAC 13969 ComplianceAsCode/oscal-content#99

Merged

CMP-3580: Implement checks for unsupported API server configs #13969

CMP-3580: Implement checks for unsupported API server configs #13969

Conversation

rhmdnd commented Oct 2, 2025

Uh oh!

rhmdnd commented Oct 2, 2025

Uh oh!

rhmdnd Oct 2, 2025

Choose a reason for hiding this comment

Uh oh!

rhmdnd Oct 2, 2025

Choose a reason for hiding this comment

Uh oh!

yuumasato Oct 13, 2025

Choose a reason for hiding this comment

Uh oh!

rhmdnd Oct 15, 2025

Choose a reason for hiding this comment

Uh oh!

rhmdnd Oct 15, 2025

Choose a reason for hiding this comment

Uh oh!

yuumasato Oct 15, 2025

Choose a reason for hiding this comment

Uh oh!

yuumasato Oct 15, 2025

Choose a reason for hiding this comment

Uh oh!

rhmdnd commented Oct 2, 2025

Uh oh!

yuumasato commented Oct 13, 2025

Uh oh!

yuumasato commented Oct 13, 2025

Uh oh!

yuumasato commented Oct 13, 2025

Uh oh!

Uh oh!

Uh oh!

rhmdnd commented Oct 14, 2025

Uh oh!

openshift-ci bot commented Oct 14, 2025

Uh oh!

yuumasato commented Oct 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

yuumasato commented Oct 15, 2025 •

edited

Loading