
Commit b78807f

committed
Add profile stability for OCP4 CIS profiles
We've reimplemented a variant of this testing in the ocp4e2e suite, but using the profile stability testing here saves us some resources and relies on some common tooling that already exists for other products. Let's reuse it for OCP/RHCOS profile stability.
1 parent 6bea364 commit b78807f

2 files changed

+206
-0
lines changed

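--- /dev/null
+++ b/[path not shown on page — file 1]
@@ -0,0 +1,105 @@
+etcd_unique_ca
+file_groupowner_cni_conf
+file_groupowner_controller_manager_kubeconfig
+file_groupowner_etcd_data_dir
+file_groupowner_etcd_data_files
+file_groupowner_etcd_member
+file_groupowner_etcd_pki_cert_files
+file_groupowner_ip_allocations
+file_groupowner_kube_apiserver
+file_groupowner_kube_controller_manager
+file_groupowner_kube_scheduler
+file_groupowner_kubelet_conf
+file_groupowner_master_admin_kubeconfigs
+file_groupowner_multus_conf
+file_groupowner_openshift_pki_cert_files
+file_groupowner_openshift_pki_key_files
+file_groupowner_openshift_sdn_cniserver_config
+file_groupowner_ovn_cni_server_sock
+file_groupowner_ovn_db_files
+file_groupowner_ovs_conf_db_hugetlbfs
+file_groupowner_ovs_conf_db_lock
+file_groupowner_ovs_conf_db_lock_hugetlbfs
+file_groupowner_ovs_conf_db_lock_openvswitch
+file_groupowner_ovs_conf_db_openvswitch
+file_groupowner_ovs_pid
+file_groupowner_ovs_sys_id_conf
+file_groupowner_ovs_sys_id_conf_hugetlbfs
+file_groupowner_ovs_sys_id_conf_openvswitch
+file_groupowner_ovs_vswitchd_pid
+file_groupowner_ovsdb_server_pid
+file_groupowner_scheduler_kubeconfig
+file_groupowner_worker_ca
+file_groupowner_worker_kubeconfig
+file_groupowner_worker_service
+file_owner_cni_conf
+file_owner_controller_manager_kubeconfig
+file_owner_etcd_data_dir
+file_owner_etcd_data_files
+file_owner_etcd_member
+file_owner_etcd_pki_cert_files
+file_owner_ip_allocations
+file_owner_kube_apiserver
+file_owner_kube_controller_manager
+file_owner_kube_scheduler
+file_owner_kubelet
+file_owner_kubelet_conf
+file_owner_master_admin_kubeconfigs
+file_owner_multus_conf
+file_owner_openshift_pki_cert_files
+file_owner_openshift_pki_key_files
+file_owner_openshift_sdn_cniserver_config
+file_owner_ovn_cni_server_sock
+file_owner_ovn_db_files
+file_owner_ovs_conf_db
+file_owner_ovs_conf_db_lock
+file_owner_ovs_pid
+file_owner_ovs_sys_id_conf
+file_owner_ovs_vswitchd_pid
+file_owner_ovsdb_server_pid
+file_owner_scheduler_kubeconfig
+file_owner_worker_ca
+file_owner_worker_kubeconfig
+file_owner_worker_service
+file_permissions_cni_conf
+file_permissions_controller_manager_kubeconfig
+file_permissions_etcd_data_dir
+file_permissions_etcd_data_files
+file_permissions_etcd_member
+file_permissions_etcd_pki_cert_files
+file_permissions_ip_allocations
+file_permissions_kube_apiserver
+file_permissions_kube_controller_manager
+file_permissions_kubelet_conf
+file_permissions_master_admin_kubeconfigs
+file_permissions_multus_conf
+file_permissions_openshift_pki_cert_files
+file_permissions_openshift_pki_key_files
+file_permissions_ovn_cni_server_sock
+file_permissions_ovn_db_files
+file_permissions_ovs_conf_db
+file_permissions_ovs_conf_db_lock
+file_permissions_ovs_pid
+file_permissions_ovs_sys_id_conf
+file_permissions_ovs_vswitchd_pid
+file_permissions_ovsdb_server_pid
+file_permissions_scheduler
+file_permissions_scheduler_kubeconfig
+file_permissions_worker_ca
+file_permissions_worker_kubeconfig
+file_permissions_worker_service
+file_perms_openshift_sdn_cniserver_config
+kubelet_anonymous_auth
+kubelet_authorization_mode
+kubelet_configure_client_ca
+kubelet_configure_event_creation
+kubelet_configure_tls_cipher_suites
+kubelet_enable_cert_rotation
+kubelet_enable_client_cert_rotation
+kubelet_enable_iptables_util_chains
+kubelet_enable_server_cert_rotation
+kubelet_enable_streaming_connections
+kubelet_eviction_thresholds_set_hard_imagefs_available
+kubelet_eviction_thresholds_set_hard_memory_available
+kubelet_eviction_thresholds_set_hard_nodefs_available
+kubelet_eviction_thresholds_set_hard_nodefs_inodesfree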
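Review bot: The first snapshot pins an inconsistent rule name — `file_perms_openshift_sdn_cniserver_config` (gutter line 91) sits among 27 `file_permissions_*` rules for the same kind of check — so any later rename of that rule for consistency must update this file in the same commit or the stability check fails. The second file section shows the same pattern with `ocp_api_server_audit_log_maxbackup` and `ocp_api_server_audit_log_maxsize` listed beside `openshift_api_server_audit_log_path`, presumably the same component under two prefixes. Neither name is introduced here, since the lists reflect existing profile selections, but both are worth a follow-up before the snapshots harden them. The file paths of both sections are not visible on this page, so which profile each list belongs to can only be inferred from content (node-scoped file and kubelet checks versus platform-scoped API server, RBAC and SCC checks).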
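--- /dev/null
+++ b/[path not shown on page — file 2]
@@ -0,0 +1,101 @@
+accounts_restrict_service_account_tokens
+accounts_unique_service_account
+api_server_admission_control_plugin_alwaysadmit
+api_server_admission_control_plugin_alwayspullimages
+api_server_admission_control_plugin_namespacelifecycle
+api_server_admission_control_plugin_noderestriction
+api_server_admission_control_plugin_scc
+api_server_admission_control_plugin_service_account
+api_server_anonymous_auth
+api_server_api_priority_gate_enabled
+api_server_audit_log_maxbackup
+api_server_audit_log_maxsize
+api_server_audit_log_path
+api_server_auth_mode_no_aa
+api_server_auth_mode_rbac
+api_server_basic_auth
+api_server_bind_address
+api_server_client_ca
+api_server_encryption_provider_cipher
+api_server_etcd_ca
+api_server_etcd_cert
+api_server_etcd_key
+api_server_https_for_kubelet_conn
+api_server_insecure_bind_address
+api_server_insecure_port
+api_server_kubelet_certificate_authority
+api_server_kubelet_client_cert
+api_server_kubelet_client_cert_pre_4_9
+api_server_kubelet_client_key
+api_server_kubelet_client_key_pre_4_9
+api_server_oauth_https_serving_cert
+api_server_openshift_https_serving_cert
+api_server_profiling_protected_by_rbac
+api_server_request_timeout
+api_server_service_account_lookup
+api_server_service_account_public_key
+api_server_tls_cert
+api_server_tls_cipher_suites
+api_server_tls_private_key
+api_server_tls_security_profile_custom_min_tls_version
+api_server_tls_security_profile_not_old
+api_server_token_auth
+audit_log_forwarding_enabled
+audit_log_forwarding_webhook
+audit_logging_enabled
+audit_profile_set
+configure_network_policies
+configure_network_policies_hypershift_hosted
+configure_network_policies_namespaces
+controller_insecure_port_disabled
+controller_secure_port
+controller_service_account_ca
+controller_service_account_private_key
+controller_use_service_account
+etcd_auto_tls
+etcd_cert_file
+etcd_client_cert_auth
+etcd_key_file
+etcd_peer_auto_tls
+etcd_peer_cert_file
+etcd_peer_client_cert_auth
+etcd_peer_key_file
+file_groupowner_proxy_kubeconfig
+file_owner_proxy_kubeconfig
+file_permissions_proxy_kubeconfig
+general_apply_scc
+general_default_namespace_use
+general_default_seccomp_profile
+general_namespaces_in_use
+idp_is_configured
+kubeadmin_removed
+kubelet_configure_tls_cert
+kubelet_configure_tls_cipher_suites_ingresscontroller
+kubelet_configure_tls_key
+kubelet_disable_readonly_port
+ocp_allowed_registries
+ocp_allowed_registries_for_import
+ocp_api_server_audit_log_maxbackup
+ocp_api_server_audit_log_maxsize
+ocp_insecure_allowed_registries_for_import
+ocp_insecure_registries
+openshift_api_server_audit_log_path
+rbac_debug_role_protects_pprof
+rbac_least_privilege
+rbac_limit_cluster_admin
+rbac_limit_secrets_access
+rbac_pod_creation_access
+rbac_wildcard_use
+scc_drop_container_capabilities
+scc_limit_container_allowed_capabilities
+scc_limit_ipc_namespace
+scc_limit_net_raw_capability
+scc_limit_network_namespace
+scc_limit_privilege_escalation
+scc_limit_privileged_containers
+scc_limit_process_id_namespace
+scc_limit_root_containers
+scheduler_profiling_protected_by_rbac
+scheduler_service_protected_by_rbac
+secrets_consider_external_storage
+secrets_no_environment_variables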
