CMP-4284: Fix api_server_bind_address for IPv6 and dual-stack clusters#14753
Open
Vincent056 wants to merge 1 commit into
The rule previously hardcoded 0.0.0.0:6443 as the only accepted bindAddress, which fails on IPv6 single-stack and dual-stack clusters where the kube-apiserver binds to [::]:6443 instead. Switch from embedded_data with an equals comparison to regex_data with a pattern match variable, following the same pattern used by configure_network_policies. The variable now accepts both 0.0.0.0:6443 (IPv4) and [::]:6443 (IPv6/dual-stack).
This datastream diff is auto generated by the check. New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_bind_address'.
--- xccdf_org.ssgproject.content_rule_api_server_bind_address
+++ xccdf_org.ssgproject.content_rule_api_server_bind_address
@@ -3,7 +3,9 @@
Ensure that the bindAddress is set to a relevant secure port
[description]:
-The bindAddress is set by default to 0.0.0.0:6443, and listening with TLS enabled.
+The bindAddress is set by default to 0.0.0.0:6443 on IPv4 clusters
+or [::]:6443 on IPv6 and dual-stack clusters, and listening with
+TLS enabled.
[warning]:
This rule's check operates on the cluster configuration dump.
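Review bot: the rewritten description sentence in this hunk still ends in "and listening with TLS enabled", which does not parse as a sentence once the IPv4/IPv6 clause is inserted before it; suggest "The bindAddress is set by default to 0.0.0.0:6443 on IPv4 clusters or [::]:6443 on IPv6 and dual-stack clusters, and the server listens with TLS enabled." Since the behavioural change of this PR is that the check now accepts either value, the description is also the natural place to say so.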
@@ -65,9 +67,10 @@
[rationale]:
The OpenShift API server is served over HTTPS with authentication and authorization;
-the secure API endpoint is bound to 0.0.0.0:6443 by default. In OpenShift, the only
+the secure API endpoint is bound to 0.0.0.0:6443 (IPv4) or
+[::]:6443 (IPv6/dual-stack) by default. In OpenShift, the only
supported way to access the API server pod is through the load balancer and then through
-the internal service. The value is set by the bindAddress argument under the servingInfo
+the internal service. The value is set by the bindAddress argument under the servingInfo
parameter.
[ident]:
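Review bot: the removed and added "the internal service. The value is set by the bindAddress argument under the servingInfo" lines in this hunk are textually identical, so the diff here is presumably a whitespace-only edit in rule.yml; either drop it to keep the change minimal or mention it in the PR description so reviewers do not hunt for a wording difference that is not there.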
OCIL for rule 'xccdf_org.ssgproject.content_rule_api_server_bind_address' differs.
--- ocil:ssg-api_server_bind_address_ocil:questionnaire:1
+++ ocil:ssg-api_server_bind_address_ocil:questionnaire:1
@@ -1,5 +1,6 @@
Run the following command:
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.servingInfo["bindAddress"]'
-The output should return 0.0.0.0:6443.
+The output should return 0.0.0.0:6443 on IPv4 single-stack clusters
+or [::]:6443 on IPv6 and dual-stack clusters.
Is it the case that <tt>bindAddress</tt> allows unsecure connections?
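Review bot: the OCIL question at the end of this hunk, "Is it the case that <tt>bindAddress</tt> allows unsecure connections?", is unchanged while the expected output above it now lists two acceptable values; "unsecure" should be "insecure", and it would help the assessor to state what constitutes a failure now that the comparison is a regex, e.g. any bindAddress other than the two listed values (a specific interface address or a port other than 6443).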
Description:
- Update `api_server_bind_address` to accept both `0.0.0.0:6443` (IPv4) and `[::]:6443` (IPv6/dual-stack) as valid bind addresses. Previously the rule hardcoded `0.0.0.0:6443` via an exact-match variable, causing failures on IPv6 single-stack and dual-stack clusters.
- Switch from `embedded_data` with equals comparison to `regex_data` with a pattern-match variable, following the same approach used by `configure_network_policies`.

Rationale:
- IPv6 and dual-stack clusters set `servingInfo.bindAddress` to `[::]:6443` instead of `0.0.0.0:6443` (see CORS-4363). Both values mean "listen on all interfaces on the TLS port" and are security-equivalent. The rule should pass for either.

Review Hints:
- Changes span `rule.yml` and `var_apiserver_bind_address.var`. Review them together.
- Same pattern as `configure_network_policies` (`xccdf_variable` + `regex_data`), which is well-tested.
- `./build_product --datastream-only ocp4`
- `api_server_bind_address` (STIG, CIS, PCI-DSS, moderate, high).
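The check this PR describes, written out as an added Python example that is not part of the PR or of the ComplianceAsCode project: it extracts `servingInfo.bindAddress` the same way the OCIL command does (the `config.yaml` entry inside the kube-apiserver ConfigMap is itself JSON, which is why the OCIL pipes through `jq` twice) and matches it against a regex standing in for the `regex_data` variable. The regex, the helper names and the ConfigMap dump are assumptions, since the PR's actual pattern and a real dump are not shown on the page.

```python
import json
import re
from typing import Optional

# Stand-in for the rule's regex_data variable (assumption: the PR's exact regex
# is not on the page). It accepts only the two "all interfaces, TLS port" forms
# the PR describes; a specific interface address or another port does not match.
BIND_ADDRESS_PATTERN = re.compile(r"^(0\.0\.0\.0|\[::\]):6443$")


def extract_bind_address(configmap_json: str) -> Optional[str]:
    """Mirror the OCIL command: read .data["config.yaml"] from the 'config'
    ConfigMap in openshift-kube-apiserver, then .servingInfo["bindAddress"]."""
    configmap = json.loads(configmap_json)
    config = json.loads(configmap["data"]["config.yaml"])  # config.yaml holds JSON
    return config.get("servingInfo", {}).get("bindAddress")


def bind_address_compliant(configmap_json: str) -> bool:
    """Apply regex_data semantics: pass only when the whole value matches the
    pattern; a missing key or any other value fails closed."""
    value = extract_bind_address(configmap_json)
    return value is not None and BIND_ADDRESS_PATTERN.fullmatch(value) is not None


def make_configmap(bind_address: Optional[str]) -> str:
    """Constructed ConfigMap dump (hypothetical helper) shaped like the real one,
    so the check can be exercised offline against several bindAddress values."""
    serving_info = {} if bind_address is None else {"bindAddress": bind_address}
    config = {"servingInfo": serving_info}
    configmap = {
        "kind": "ConfigMap",
        "metadata": {"name": "config", "namespace": "openshift-kube-apiserver"},
        "data": {"config.yaml": json.dumps(config)},
    }
    return json.dumps(configmap)


if __name__ == "__main__":
    # IPv4 and IPv6/dual-stack pass; interface-specific or other-port values fail.
    for addr in ["0.0.0.0:6443", "[::]:6443", "127.0.0.1:6443", "0.0.0.0:8443", None]:
        print(f"{addr!r:>18} -> {bind_address_compliant(make_configmap(addr))}")
```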