Skip to content

CMP-3536: Add profile stability for OCP4 CIS profiles #13805

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

CMP-3536: Add profile stability for OCP4 CIS profiles #13805

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
105 changes: 105 additions & 0 deletions tests/data/profile_stability/ocp4/cis-node.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
etcd_unique_ca
file_groupowner_cni_conf
file_groupowner_controller_manager_kubeconfig
file_groupowner_etcd_data_dir
file_groupowner_etcd_data_files
file_groupowner_etcd_member
file_groupowner_etcd_pki_cert_files
file_groupowner_ip_allocations
file_groupowner_kube_apiserver
file_groupowner_kube_controller_manager
file_groupowner_kube_scheduler
file_groupowner_kubelet_conf
file_groupowner_master_admin_kubeconfigs
file_groupowner_multus_conf
file_groupowner_openshift_pki_cert_files
file_groupowner_openshift_pki_key_files
file_groupowner_openshift_sdn_cniserver_config
file_groupowner_ovn_cni_server_sock
file_groupowner_ovn_db_files
file_groupowner_ovs_conf_db_hugetlbfs
file_groupowner_ovs_conf_db_lock
file_groupowner_ovs_conf_db_lock_hugetlbfs
file_groupowner_ovs_conf_db_lock_openvswitch
file_groupowner_ovs_conf_db_openvswitch
file_groupowner_ovs_pid
file_groupowner_ovs_sys_id_conf
file_groupowner_ovs_sys_id_conf_hugetlbfs
file_groupowner_ovs_sys_id_conf_openvswitch
file_groupowner_ovs_vswitchd_pid
file_groupowner_ovsdb_server_pid
file_groupowner_scheduler_kubeconfig
file_groupowner_worker_ca
file_groupowner_worker_kubeconfig
file_groupowner_worker_service
file_owner_cni_conf
file_owner_controller_manager_kubeconfig
file_owner_etcd_data_dir
file_owner_etcd_data_files
file_owner_etcd_member
file_owner_etcd_pki_cert_files
file_owner_ip_allocations
file_owner_kube_apiserver
file_owner_kube_controller_manager
file_owner_kube_scheduler
file_owner_kubelet
file_owner_kubelet_conf
file_owner_master_admin_kubeconfigs
file_owner_multus_conf
file_owner_openshift_pki_cert_files
file_owner_openshift_pki_key_files
file_owner_openshift_sdn_cniserver_config
file_owner_ovn_cni_server_sock
file_owner_ovn_db_files
file_owner_ovs_conf_db
file_owner_ovs_conf_db_lock
file_owner_ovs_pid
file_owner_ovs_sys_id_conf
file_owner_ovs_vswitchd_pid
file_owner_ovsdb_server_pid
file_owner_scheduler_kubeconfig
file_owner_worker_ca
file_owner_worker_kubeconfig
file_owner_worker_service
file_permissions_cni_conf
file_permissions_controller_manager_kubeconfig
file_permissions_etcd_data_dir
file_permissions_etcd_data_files
file_permissions_etcd_member
file_permissions_etcd_pki_cert_files
file_permissions_ip_allocations
file_permissions_kube_apiserver
file_permissions_kube_controller_manager
file_permissions_kubelet_conf
file_permissions_master_admin_kubeconfigs
file_permissions_multus_conf
file_permissions_openshift_pki_cert_files
file_permissions_openshift_pki_key_files
file_permissions_ovn_cni_server_sock
file_permissions_ovn_db_files
file_permissions_ovs_conf_db
file_permissions_ovs_conf_db_lock
file_permissions_ovs_pid
file_permissions_ovs_sys_id_conf
file_permissions_ovs_vswitchd_pid
file_permissions_ovsdb_server_pid
file_permissions_scheduler
file_permissions_scheduler_kubeconfig
file_permissions_worker_ca
file_permissions_worker_kubeconfig
file_permissions_worker_service
file_perms_openshift_sdn_cniserver_config
kubelet_anonymous_auth
kubelet_authorization_mode
kubelet_configure_client_ca
kubelet_configure_event_creation
kubelet_configure_tls_cipher_suites
kubelet_enable_cert_rotation
kubelet_enable_client_cert_rotation
kubelet_enable_iptables_util_chains
kubelet_enable_server_cert_rotation
kubelet_enable_streaming_connections
kubelet_eviction_thresholds_set_hard_imagefs_available
kubelet_eviction_thresholds_set_hard_memory_available
kubelet_eviction_thresholds_set_hard_nodefs_available
kubelet_eviction_thresholds_set_hard_nodefs_inodesfree

Check failure on line 105 in tests/data/profile_stability/ocp4/cis-node.profile

View workflow job for this annotation

GitHub Actions / Yaml Lint on Changed Controls and Profiles Files 

105:55 [new-line-at-end-of-file] no new line character at the end of file
101 changes: 101 additions & 0 deletions tests/data/profile_stability/ocp4/cis.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
accounts_restrict_service_account_tokens
accounts_unique_service_account
api_server_admission_control_plugin_alwaysadmit
api_server_admission_control_plugin_alwayspullimages
api_server_admission_control_plugin_namespacelifecycle
api_server_admission_control_plugin_noderestriction
api_server_admission_control_plugin_scc
api_server_admission_control_plugin_service_account
api_server_anonymous_auth
api_server_api_priority_gate_enabled
api_server_audit_log_maxbackup
api_server_audit_log_maxsize
api_server_audit_log_path
api_server_auth_mode_no_aa
api_server_auth_mode_rbac
api_server_basic_auth
api_server_bind_address
api_server_client_ca
api_server_encryption_provider_cipher
api_server_etcd_ca
api_server_etcd_cert
api_server_etcd_key
api_server_https_for_kubelet_conn
api_server_insecure_bind_address
api_server_insecure_port
api_server_kubelet_certificate_authority
api_server_kubelet_client_cert
api_server_kubelet_client_cert_pre_4_9
api_server_kubelet_client_key
api_server_kubelet_client_key_pre_4_9
api_server_oauth_https_serving_cert
api_server_openshift_https_serving_cert
api_server_profiling_protected_by_rbac
api_server_request_timeout
api_server_service_account_lookup
api_server_service_account_public_key
api_server_tls_cert
api_server_tls_cipher_suites
api_server_tls_private_key
api_server_tls_security_profile_custom_min_tls_version
api_server_tls_security_profile_not_old
api_server_token_auth
audit_log_forwarding_enabled
audit_log_forwarding_webhook
audit_logging_enabled
audit_profile_set
configure_network_policies
configure_network_policies_hypershift_hosted
configure_network_policies_namespaces
controller_insecure_port_disabled
controller_secure_port
controller_service_account_ca
controller_service_account_private_key
controller_use_service_account
etcd_auto_tls
etcd_cert_file
etcd_client_cert_auth
etcd_key_file
etcd_peer_auto_tls
etcd_peer_cert_file
etcd_peer_client_cert_auth
etcd_peer_key_file
file_groupowner_proxy_kubeconfig
file_owner_proxy_kubeconfig
file_permissions_proxy_kubeconfig
general_apply_scc
general_default_namespace_use
general_default_seccomp_profile
general_namespaces_in_use
idp_is_configured
kubeadmin_removed
kubelet_configure_tls_cert
kubelet_configure_tls_cipher_suites_ingresscontroller
kubelet_configure_tls_key
kubelet_disable_readonly_port
ocp_allowed_registries
ocp_allowed_registries_for_import
ocp_api_server_audit_log_maxbackup
ocp_api_server_audit_log_maxsize
ocp_insecure_allowed_registries_for_import
ocp_insecure_registries
openshift_api_server_audit_log_path
rbac_debug_role_protects_pprof
rbac_least_privilege
rbac_limit_cluster_admin
rbac_limit_secrets_access
rbac_pod_creation_access
rbac_wildcard_use
scc_drop_container_capabilities
scc_limit_container_allowed_capabilities
scc_limit_ipc_namespace
scc_limit_net_raw_capability
scc_limit_network_namespace
scc_limit_privilege_escalation
scc_limit_privileged_containers
scc_limit_process_id_namespace
scc_limit_root_containers
scheduler_profiling_protected_by_rbac
scheduler_service_protected_by_rbac
secrets_consider_external_storage
secrets_no_environment_variables
Loading