CMP-3580: Implement checks for unsupported API server configs

rhmdnd · rhmdnd · commit 8e5eddb2012f · 2025-10-02T07:36:25.000-05:00
CIS has guidance that recommends checking Kubernetes and OpenShift API
servers for any unsupported configuration options (control 1.2.33 in
newer versions and 1.2.31 in recent versions). This commit adds two new
rules to check the API servers for unsupported configs so that users
have some automated way of checking this control, even though OpenShift
doesn't use this feature by default.
diff --git a/applications/openshift/api-server/api_server_kube_no_unsupported_config_overrides/rule.yml b/applications/openshift/api-server/api_server_kube_no_unsupported_config_overrides/rule.yml
@@ -0,0 +1,48 @@
+title: Ensure No Unsupported Configuration Overrides are Used
+
+platform: not ocp4-on-hypershift-hosted
+
+description: |-
+  Kubernetes API servers should not use unsupported configuration overrides that
+  can potentially compromise the security and stability of the cluster. This
+  rule checks that no unsupported configuration overrides are present in the
+  cluster API server configurations.
+
+rationale: |-
+  Unsupported configuration overrides can introduce security vulnerabilities,
+  performance issues, and unexpected behaviors in the cluster. They bypass the
+  standard configuration mechanisms and can potentially weaken the cluster's
+  security posture or introduce instability.
+
+severity: medium
+
+identifiers:
+  cce@ocp4: CCE-89304-0
+
+references:
+  cis@ocp4: 1.2.31
+
+{{% set jqfilter = '[.items[] | select(.spec.unsupportedConfigOverrides != null and .spec.unsupportedConfigOverrides != {}) | .metadata.name]' %}}
+
+ocil_clause: 'Unsupported Kubernetes API server configuration overrides are detected'
+
+ocil: |-
+  Run the following commands to check for unsupported configuration overrides:
+  <pre>$ oc get kubeapiserver/cluster -o jsonpath='{.spec.unsupportedConfigOverrides}'</pre>
+  Verify that these commands return an empty object or no output.
+
+warnings:
+- general: |-
+    {{{ openshift_filtered_cluster_setting({'/apis/config.openshift.io/v1/kubeapiservers': jqfilter}) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: {{{ openshift_filtered_path('/apis/config.openshift.io/v1/kubeapiservers', jqfilter) }}}
+    yamlpath: "[:]"
+    check_existence: "none_exist"
+    entity_check: "all"
+    values:
+      - value: "(.*?)"
+        operation: "pattern match"
diff --git a/applications/openshift/api-server/api_server_no_unsupported_config_overrides/rule.yml b/applications/openshift/api-server/api_server_no_unsupported_config_overrides/rule.yml
@@ -0,0 +1,48 @@
+title: Ensure No Unsupported Configuration Overrides are Used
+
+platform: not ocp4-on-hypershift-hosted
+
+description: |-
+  OpenShift API servers should not use unsupported configuration overrides that
+  can potentially compromise the security and stability of the cluster. This
+  rule checks that no unsupported configuration overrides are present in the
+  cluster API server configurations.
+
+rationale: |-
+  Unsupported configuration overrides can introduce security vulnerabilities,
+  performance issues, and unexpected behaviors in the cluster. They bypass the
+  standard configuration mechanisms and can potentially weaken the cluster's
+  security posture or introduce instability.
+
+severity: medium
+
+identifiers:
+  cce@ocp4: CCE-89950-0
+
+references:
+  cis@ocp4: 1.2.31
+
+{{% set jqfilter = '[.items[] | select(.spec.unsupportedConfigOverrides != null and .spec.unsupportedConfigOverrides != {}) | .metadata.name]' %}}
+
+ocil_clause: 'Unsupported OpenShift API server configuration overrides are detected'
+
+ocil: |-
+  Run the following commands to check for unsupported configuration overrides:
+  <pre>$ oc get openshiftapiserver/cluster -o jsonpath='{.spec.unsupportedConfigOverrides}'</pre>
+  Verify that these commands return an empty object or no output.
+
+warnings:
+- general: |-
+    {{{ openshift_filtered_cluster_setting({'/apis/config.openshift.io/v1/openshiftapiservers': jqfilter}) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: {{{ openshift_filtered_path('/apis/config.openshift.io/v1/openshiftapiservers', jqfilter) }}}
+    yamlpath: "[:]"
+    check_existence: "none_exist"
+    entity_check: "all"
+    values:
+      - value: "(.*?)"
+        operation: "pattern match"
diff --git a/controls/cis_ocp/section-1.yml b/controls/cis_ocp/section-1.yml
@@ -461,7 +461,9 @@ controls:
                 - id: 1.2.33
                   title: Ensure unsupported configuration overrides are not used
                   status: pending
-                  rules: []
+                  rules:
+                      - api_server_no_unsupported_config_overrides
+                      - api_server_kube_no_unsupported_config_overrides
                   levels:
                       - level_1
           - id: '1.3'
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1561,7 +1561,6 @@ CCE-89293-5
 CCE-89294-3
 CCE-89295-0
 CCE-89303-2
-CCE-89304-0
 CCE-89305-7
 CCE-89308-1
 CCE-89310-7
@@ -1986,7 +1985,6 @@ CCE-89943-5
 CCE-89946-8
 CCE-89948-4
 CCE-89949-2
-CCE-89950-0
 CCE-89951-8
 CCE-89953-4
 CCE-89954-2
