From fed5ec297de17c0dc29164fcbc49cc8cc367c2d6 Mon Sep 17 00:00:00 2001 From: Vincent Shen Date: Mon, 1 Jun 2026 09:23:47 -0700 Subject: [PATCH] Fix api_server_bind_address to support IPv6 and dual-stack clusters The rule previously hardcoded 0.0.0.0:6443 as the only accepted bindAddress, which fails on IPv6 single-stack and dual-stack clusters where the kube-apiserver binds to [::]:6443 instead. Switch from embedded_data with an equals comparison to regex_data with a pattern match variable, following the same pattern used by configure_network_policies. The variable now accepts both 0.0.0.0:6443 (IPv4) and [::]:6443 (IPv6/dual-stack). --- .../api_server_bind_address/rule.yml | 19 ++++++++++--------- .../api-server/var_apiserver_bind_address.var | 10 +++++++--- 2 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/applications/openshift/api-server/api_server_bind_address/rule.yml b/applications/openshift/api-server/api_server_bind_address/rule.yml
index bf01dfa340c3..0c598a25e54e 100644
--- a/applications/openshift/api-server/api_server_bind_address/rule.yml
+++ b/applications/openshift/api-server/api_server_bind_address/rule.yml
@@ -11,13 +11,17 @@ title: Ensure that the bindAddress is set to a relevant secure port {{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}} {{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}} -description: "The bindAddress is set by default to 0.0.0.0:6443, and listening with TLS enabled." +description: |- + The bindAddress is set by default to 0.0.0.0:6443 on IPv4 clusters + or [::]:6443 on IPv6 and dual-stack clusters, and listening with + TLS enabled. rationale: |- The OpenShift API server is served over HTTPS with authentication and authorization; - the secure API endpoint is bound to 0.0.0.0:6443 by default. In OpenShift, the only + the secure API endpoint is bound to 0.0.0.0:6443 (IPv4) or + [::]:6443 (IPv6/dual-stack) by default. In OpenShift, the only supported way to access the API server pod is through the load balancer and then through - the internal service. The value is set by the bindAddress argument under the servingInfo + the internal service. The value is set by the bindAddress argument under the servingInfo parameter. identifiers:
@@ -38,7 +42,8 @@ ocil_clause: 'bindAddress allows unsecure connections' ocil: |- Run the following command:
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.servingInfo["bindAddress"]'
- The output should return
0.0.0.0:6443
. + The output should return
0.0.0.0:6443
on IPv4 single-stack clusters + or
[::]:6443
on IPv6 and dual-stack clusters. warnings: - general: |-
@@ -52,8 +57,4 @@ template:
 filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
 yamlpath: '.servingInfo["bindAddress"]'
 xccdf_variable: var_apiserver_bind_address
- embedded_data: "true"
- values:
- - value: '(.+)'
- operation: "pattern match"
- type: "string"
+ regex_data: "true"
diff --git a/applications/openshift/api-server/var_apiserver_bind_address.var b/applications/openshift/api-server/var_apiserver_bind_address.var
index b5943ffe505c..0a6152d6b21b 100644
--- a/applications/openshift/api-server/var_apiserver_bind_address.var
+++ b/applications/openshift/api-server/var_apiserver_bind_address.var
@@ -2,13 +2,17 @@ documentation_complete: true title: 'Bind Address of secure API endpoint' -description: 'Bind Address of secure API endpoint' +description: |- + Regular expression matching the expected bind address + of the secure API endpoint. Accepts both IPv4 (0.0.0.0:6443) + and IPv6 ([::]:6443) wildcard addresses to support + single-stack and dual-stack clusters. type: string -operator: equals +operator: pattern match interactive: false options: - default: "0.0.0.0:6443" + default: "^(0\\.0\\.0\\.0:6443|\\[::\\]:6443)$"
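Review bot: With the `values:` entry and its `(.+)` capture removed, the strictness of this rule now lives entirely in the regex stored in var_apiserver_bind_address, and nothing in the template block (which begins outside the hunk, under `template:`) tells a reader that the variable is consumed as a regular expression rather than as a literal address the way the old equals comparison did. I would add a comment above `xccdf_variable`: `# the variable is a regular expression (regex_data); tailored values must be anchored, see var_apiserver_bind_address.var`. The removed `operation: "pattern match"` line previously made the matching mode visible in this file, so the new `regex_data: "true"` flag should carry that information for the next maintainer.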
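Review bot: The new default regex is written as a double-quoted scalar, so every backslash has to be doubled (`\\.`, `\\[`), which makes the pattern hard to read and easy to get wrong; a single-quoted scalar carries the same value literally, `default: '^(0\.0\.0\.0:6443|\[::\]:6443)$'`. Because `operator` is now `pattern match`, any profile or tailoring that overrides this variable must supply a complete anchored regex — an override written in the old literal form `0.0.0.0:6443` would now let each unescaped dot match any character and, if the evaluator searches rather than full-matches (likely, but not visible here), accept any value containing that substring, silently weakening the check; the new description should say so explicitly. Offering named options next to the default, e.g. `ipv4: '^0\.0\.0\.0:6443$'` and `ipv6: '^\[::\]:6443$'`, would let single-stack profiles keep the tighter per-family check that the old equals comparison provided.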