diff --git a/applications/openshift/api-server/api_server_bind_address/rule.yml b/applications/openshift/api-server/api_server_bind_address/rule.yml
index bf01dfa340c3..0c598a25e54e 100644
--- a/applications/openshift/api-server/api_server_bind_address/rule.yml
+++ b/applications/openshift/api-server/api_server_bind_address/rule.yml
@@ -11,13 +11,17 @@ title: Ensure that the bindAddress is set to a relevant secure port
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
-description: "The bindAddress is set by default to 0.0.0.0:6443, and listening with TLS enabled."
+description: |-
+ The bindAddress is set by default to 0.0.0.0:6443 on IPv4 clusters
+ or [::]:6443 on IPv6 and dual-stack clusters, and listening with
+ TLS enabled.
rationale: |-
The OpenShift API server is served over HTTPS with authentication and authorization;
- the secure API endpoint is bound to 0.0.0.0:6443 by default. In OpenShift, the only
+ the secure API endpoint is bound to 0.0.0.0:6443 (IPv4) or
+ [::]:6443 (IPv6/dual-stack) by default. In OpenShift, the only
supported way to access the API server pod is through the load balancer and then through
- the internal service. The value is set by the bindAddress argument under the servingInfo
+ the internal service. The value is set by the bindAddress argument under the servingInfo
parameter.
identifiers:
@@ -38,7 +42,8 @@ ocil_clause: 'bindAddress allows unsecure connections'
ocil: |-
Run the following command:
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.servingInfo["bindAddress"]'- The output should return
0.0.0.0:6443. + The output should return
0.0.0.0:6443on IPv4 single-stack clusters + or
[::]:6443on IPv6 and dual-stack clusters.
warnings:
- general: |-
@@ -52,8 +57,4 @@ template:
filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
yamlpath: '.servingInfo["bindAddress"]'
xccdf_variable: var_apiserver_bind_address
- embedded_data: "true"
- values:
- - value: '(.+)'
- operation: "pattern match"
- type: "string"
+ regex_data: "true"
diff --git a/applications/openshift/api-server/var_apiserver_bind_address.var b/applications/openshift/api-server/var_apiserver_bind_address.var
index b5943ffe505c..0a6152d6b21b 100644
--- a/applications/openshift/api-server/var_apiserver_bind_address.var
+++ b/applications/openshift/api-server/var_apiserver_bind_address.var
@@ -2,13 +2,17 @@ documentation_complete: true
title: 'Bind Address of secure API endpoint'
-description: 'Bind Address of secure API endpoint'
+description: |-
+ Regular expression matching the expected bind address
+ of the secure API endpoint. Accepts both IPv4 (0.0.0.0:6443)
+ and IPv6 ([::]:6443) wildcard addresses to support
+ single-stack and dual-stack clusters.
type: string
-operator: equals
+operator: pattern match
interactive: false
options:
- default: "0.0.0.0:6443"
+ default: "^(0\\.0\\.0\\.0:6443|\\[::\\]:6443)$"
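Review bot: The new `description` block in the var_apiserver_bind_address.var hunk should state that the value is consumed as an anchored regular expression, because with `operator: pattern match` here and `regex_data: "true"` in the rule.yml template hunk, a tailored value that drops the `^`/`$` anchors would presumably pass any bindAddress that merely contains that text (for example a bare port), silently weakening the check. The shipped default `^(0\.0\.0\.0:6443|\[::\]:6443)$` is anchored, and the double-quoted YAML correctly collapses `\\` to `\`, so only tailoring is affected. I would add a closing line to the description such as `The value is used as a regular expression; keep the ^ and $ anchors when tailoring it so that only the intended address is accepted.` No test scenario covering the new `[::]:6443` pass case or a non-matching fail case is visible in this change; if one exists elsewhere in the tree it is worth linking from the commit message.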