From f6d6794e3eda8d47599e1bdf8f7cfa0dcd9f3582 Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Thu, 19 Dec 2024 11:31:24 +0100
Subject: [PATCH] retire old tls cipher suites rules
---
.../kubernetes/shared.yml | 18 --------
.../rule.yml | 41 -------------------
.../tests/ocp4/e2e.yml | 3 --
.../kubernetes/shared.yml | 17 --------
.../rule.yml | 41 -------------------
.../tests/ocp4/e2e.yml | 3 --
products/ocp4/profiles/default.profile | 2 -
7 files changed, 125 deletions(-)
delete mode 100644 applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/kubernetes/shared.yml
delete mode 100644 applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/rule.yml
delete mode 100644 applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/tests/ocp4/e2e.yml
delete mode 100644 applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/kubernetes/shared.yml
delete mode 100644 applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/rule.yml
delete mode 100644 applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/tests/ocp4/e2e.yml
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/kubernetes/shared.yml
deleted file mode 100644
index 9e4baaee31e..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/kubernetes/shared.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-# platform = multi_platform_ocp
-apiVersion: operator.openshift.io/v1
-kind: KubeAPIServer
-metadata:
- name: cluster
-spec:
- unsupportedConfigOverrides:
- servingInfo:
- cipherSuites:
- - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- - TLS_RSA_WITH_AES_256_GCM_SHA384
- - TLS_RSA_WITH_AES_128_GCM_SHA256
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/rule.yml
deleted file mode 100644
index 4825a381724..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/rule.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-documentation_complete: true
-
-
-title: "Ensure that the Kubernetes API Server Operator only makes use of Strong Cryptographic Ciphers"
-
-description: |-
- Ensure that the Kubernetes API Server Operator is configured to only use strong cryptographic ciphers.
-
-rationale: |-
- TLS ciphers have had a number of known vulnerabilities and weaknesses,
- which can reduce the protection provided by them. By default Kubernetes
- supports a number of TLS ciphersuites including some that have security
- concerns, weakening the protection provided.
-
-severity: medium
-
-#identifiers:
-# cce@ocp4:
-
-references:
- cis@ocp4: 4.2.13
-
-ocil_clause: "TLS cipher suite configuration is not configured"
-
-ocil: |-
- Run the following comman on the kubelete nodes(s):
- {{% raw %}}oc patch kubeapiservers.operator.openshift.io cluster --type merge -p '{"spec":{"unsupportedConfigOverrides":{"servingInfo":{"cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_GCM_SHA256"]} } } }'{{% endraw %}}
-
-warnings:
-- general: |-
- {{{ openshift_cluster_setting("/apis/operator.openshift.io/v1/kubeapiservers/cluster") | indent(4) }}}
-
-template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: '/apis/operator.openshift.io/v1/kubeapiservers/cluster'
- yamlpath: ".spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]"
- values:
- - value: '^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_GCM_SHA256)$'
- operation: 'pattern match'
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/tests/ocp4/e2e.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/tests/ocp4/e2e.yml
deleted file mode 100644
index fd9b313e87b..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/tests/ocp4/e2e.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-default_result: FAIL
-result_after_remediation: PASS
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/kubernetes/shared.yml
deleted file mode 100644
index 6d184aaef73..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/kubernetes/shared.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-# platform = multi_platform_ocp
-apiVersion: operator.openshift.io/v1kind: OpenShiftAPIServer
-metadata:
- name: cluster
-spec:
- unsupportedConfigOverrides:
- servingInfo:
- cipherSuites:
- - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- - TLS_RSA_WITH_AES_256_GCM_SHA384
- - TLS_RSA_WITH_AES_128_GCM_SHA256
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/rule.yml
deleted file mode 100644
index 0b1423ac3ac..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/rule.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-documentation_complete: true
-
-
-title: "Ensure that the OpenShift API Server Operator only makes use of Strong Cryptographic Ciphers"
-
-description: |-
- Ensure that the OpenShift API Server Operator is configured to only use strong cryptographic ciphers.
-
-rationale: |-
- TLS ciphers have had a number of known vulnerabilities and weaknesses,
- which can reduce the protection provided by them. By default Kubernetes
- supports a number of TLS ciphersuites including some that have security
- concerns, weakening the protection provided.
-
-severity: medium
-
-#identifiers:
-# cce@ocp4:
-
-references:
- cis@ocp4: 4.2.13
-
-ocil_clause: "TLS cipher suite configuration is not configured"
-
-ocil: |-
- Run the following command on the kubelet node(s):
- {{% raw %}}oc patch openshiftapiservers.operator.openshift.io cluster --type merge -p '{"spec":{"unsupportedConfigOverrides":{"servingInfo":{"cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_GCM_SHA256"] } } } }'{{% endraw %}}
-
-warnings:
-- general: |-
- {{{ openshift_cluster_setting("/apis/operator.openshift.io/v1/openshiftapiservers/cluster") | indent(4) }}}
-
-template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: '/apis/operator.openshift.io/v1/openshiftapiservers/cluster'
- yamlpath: ".spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]"
- values:
- - value: '^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_GCM_SHA256)$'
- operation: 'pattern match'
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/tests/ocp4/e2e.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/tests/ocp4/e2e.yml
deleted file mode 100644
index fd9b313e87b..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/tests/ocp4/e2e.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-default_result: FAIL
-result_after_remediation: PASS
diff --git a/products/ocp4/profiles/default.profile b/products/ocp4/profiles/default.profile
index aa4a79e4196..90bdb14c781 100644
--- a/products/ocp4/profiles/default.profile
+++ b/products/ocp4/profiles/default.profile
@@ -25,7 +25,6 @@ selections:
- file_permissions_var_lib_etcd
- file_owner_openvswitch
- file_permissions_openvswitch
- - kubelet_configure_tls_cipher_suites_openshiftapiserver_operator
- file_groupowner_ovs_conf_db_lock_not_s390x
- oauth_inactivity_timeout
- kubelet_eviction_thresholds_set_soft_nodefs_inodesfree
@@ -56,7 +55,6 @@ selections:
- file_owner_pod_logs
- project_config_has_template
- kubelet_eviction_thresholds_set_soft_imagefs_available
- - kubelet_configure_tls_cipher_suites_kubeapiserver_operator
- file_groupowner_ovs_sys_id_conf_not_s390x
- ingress_controller_tls_security_profile_custom_min_tls_version
- kubelet_read_only_port_secured