Merge pull request #12220 from rhmdnd/CMP-2196-update-ingress-operato…

…r-ciphers CMP 2196 update ingress operator ciphers
ComplianceAsCode · Aug 30, 2024 · 0e3e668 · 0e3e668
2 parents f02f47f + 3c24d28
commit 0e3e668
Show file tree

Hide file tree

Showing 8 changed files with 38 additions and 4 deletions.
diff --git a/...shift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/kubernetes/shared.yml b/...shift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/kubernetes/shared.yml
@@ -11,6 +11,12 @@ spec:
       ciphers:
       - ECDHE-ECDSA-AES128-GCM-SHA256
       - ECDHE-RSA-AES128-GCM-SHA256
+      - ECDHE-ECDSA-CHACHA20-POLY1305
       - ECDHE-RSA-AES256-GCM-SHA384
+      - ECDHE-RSA-CHACHA20-POLY1305
+      - ECDHE-ECDSA-AES256-GCM-SHA384
+      - TLS_AES_128_GCM_SHA256
+      - TLS_AES_256_GCM_SHA384
+      - TLS_CHACHA20_POLY1305_SHA256
       minTLSVersion: VersionTLS12
     type: Custom
diff --git a/...ications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml b/...ications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml
@@ -18,24 +18,36 @@ severity: medium
 #    cce@ocp4:
 
 references:
-  cis@ocp4: 4.2.13
+  cis@ocp4: 4.2.12
 
-ocil_clause: "TLS cipher suite configuration is not configured"
+ocil_clause: "Ingress controller TLS cipher suite configuration is incomplete or possibly insecure"
 
 ocil: |-
   Run the following command on the kubelet nodes(s):
-  {{% raw %}}<pre>oc -n openshift-ingress-operator patch ingresscontroller/default --type merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384"],"minTLSVersion":"VersionTLS12"} } } }'</pre>{{% endraw %}}
+  <pre>oc -n openshift-ingress-operator patch ingresscontroller/default --type merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES256-GCM-SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-CHACHA20-POLY1305"],"minTLSVersion":"VersionTLS12"} } } }'</pre>
 
 warnings:
 - general: |-
     {{{ openshift_cluster_setting("/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default") | indent(4) }}}
 
+# Recommended ciphers
+# ECDHE-ECDSA-AES128-GCM-SHA256
+# ECDHE-ECDSA-CHACHA20-POLY1305
+# ECDHE-ECDSA-AES256-GCM-SHA384
+# TLS_CHACHA20_POLY1305_SHA256
+# TLS_AES_128_GCM_SHA256
+# TLS_AES_256_GCM_SHA384
+#
+# Secure ciphers
+# ECDHE-RSA-AES128-GCM-SHA256
+# ECDHE-RSA-AES256-GCM-SHA384
+# ECDHE-RSA-CHACHA20-POLY1305
 template:
   name: yamlfile_value
   vars:
     ocp_data: "true"
     filepath: '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default'
     yamlpath: ".status.tlsProfile.ciphers[:]"
     values:
-    - value: '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|AES256-GCM-SHA384|AES128-GCM-SHA256)$'
+    - value: '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256)$'
       operation: 'pattern match'
diff --git a/controls/cis_ocp_1_4_0/section-4.yml b/controls/cis_ocp_1_4_0/section-4.yml
@@ -158,5 +158,6 @@ controls:
       status: automated
       rules:
         - kubelet_configure_tls_cipher_suites
+        - kubelet_configure_tls_cipher_suites_ingresscontroller
       levels: [ level_1, ]
 
diff --git a/tests/assertions/ocp4/ocp4-cis-4.12.yml b/tests/assertions/ocp4/ocp4-cis-4.12.yml
@@ -89,6 +89,9 @@ rule_results:
   e2e-cis-api-server-kubelet-client-key-pre-4-9:
     default_result: NOT-APPLICABLE
     result_after_remediation: NOT-APPLICABLE
+  e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+    default_result: FAIL
+    result_after_remediation: PASS
   e2e-cis-api-server-oauth-https-serving-cert:
     default_result: PASS
     result_after_remediation: PASS

diff --git a/tests/assertions/ocp4/ocp4-cis-4.13.yml b/tests/assertions/ocp4/ocp4-cis-4.13.yml
@@ -87,6 +87,9 @@ rule_results:
   e2e-cis-api-server-kubelet-client-key-pre-4-9:
     default_result: NOT-APPLICABLE
     result_after_remediation: NOT-APPLICABLE
+  e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+    default_result: FAIL
+    result_after_remediation: PASS
   e2e-cis-api-server-oauth-https-serving-cert:
     default_result: PASS
     result_after_remediation: PASS

diff --git a/tests/assertions/ocp4/ocp4-cis-4.14.yml b/tests/assertions/ocp4/ocp4-cis-4.14.yml
@@ -87,6 +87,9 @@ rule_results:
   e2e-cis-api-server-kubelet-client-key-pre-4-9:
     default_result: NOT-APPLICABLE
     result_after_remediation: NOT-APPLICABLE
+  e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+    default_result: FAIL
+    result_after_remediation: PASS
   e2e-cis-api-server-oauth-https-serving-cert:
     default_result: PASS
     result_after_remediation: PASS

diff --git a/tests/assertions/ocp4/ocp4-cis-4.15.yml b/tests/assertions/ocp4/ocp4-cis-4.15.yml
@@ -89,6 +89,9 @@ rule_results:
   e2e-cis-api-server-kubelet-client-key-pre-4-9:
     default_result: NOT-APPLICABLE
     result_after_remediation: NOT-APPLICABLE
+  e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+    default_result: FAIL
+    result_after_remediation: PASS
   e2e-cis-api-server-oauth-https-serving-cert:
     default_result: PASS
     result_after_remediation: PASS

diff --git a/tests/assertions/ocp4/ocp4-cis-4.16.yml b/tests/assertions/ocp4/ocp4-cis-4.16.yml
@@ -207,6 +207,9 @@ rule_results:
   e2e-cis-kubelet-disable-readonly-port:
     default_result: PASS
     result_after_remediation: PASS
+  e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+    default_result: FAIL
+    result_after_remediation: PASS
   e2e-cis-ocp-allowed-registries:
     default_result: FAIL
   e2e-cis-ocp-allowed-registries-for-import: