19 changes: 10 additions & 9 deletions applications/openshift/api-server/api_server_bind_address/rule.yml
Expand Up @@ -11,13 +11,17 @@ title: Ensure that the bindAddress is set to a relevant secure port
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

description: "The bindAddress is set by default to <tt>0.0.0.0:6443</tt>, and listening with TLS enabled."
description: |-
The bindAddress is set by default to <tt>0.0.0.0:6443</tt> on IPv4 clusters
or <tt>[::]:6443</tt> on IPv6 and dual-stack clusters, and listening with
TLS enabled.

rationale: |-
The OpenShift API server is served over HTTPS with authentication and authorization;
the secure API endpoint is bound to <tt>0.0.0.0:6443</tt> by default. In OpenShift, the only
the secure API endpoint is bound to <tt>0.0.0.0:6443</tt> (IPv4) or
<tt>[::]:6443</tt> (IPv6/dual-stack) by default. In OpenShift, the only
supported way to access the API server pod is through the load balancer and then through
the internal service. The value is set by the bindAddress argument under the servingInfo
the internal service. The value is set by the bindAddress argument under the servingInfo
parameter.

identifiers:
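Review bot: the rationale now names two accepted defaults but still does not say what makes any other value a finding, so the ocil_clause `bindAddress allows unsecure connections` is not actually supported by the text above it; add a sentence after "parameter." stating why a bindAddress other than `0.0.0.0:6443` (IPv4) or `[::]:6443` (IPv6/dual-stack) is considered non-compliant in the load-balancer and internal-service access model described. Separately, the line `the internal service. The value is set by the bindAddress argument under the servingInfo` is removed and re-added with no visible difference, which means that part of the hunk is a whitespace-only change; harmless, but worth a mention in the commit message so it is not mistaken for a wording edit.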
Expand All @@ -38,7 +42,8 @@ ocil_clause: '<tt>bindAddress</tt> allows unsecure connections'
ocil: |-
Run the following command:
<pre>oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.servingInfo["bindAddress"]'</pre>
The output should return <pre>0.0.0.0:6443</pre>.
The output should return <pre>0.0.0.0:6443</pre> on IPv4 single-stack clusters
or <pre>[::]:6443</pre> on IPv6 and dual-stack clusters.

warnings:
- general: |-
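Review bot: `<pre>` is a block element, and the new sentence embeds it twice mid-sentence (`return <pre>0.0.0.0:6443</pre> on IPv4 single-stack clusters or <pre>[::]:6443</pre> on IPv6 and dual-stack clusters`), so the two values will render as separate blocks that break the sentence; use `<tt>` for inline values as the description and rationale already do, or keep one `<pre>` block that lists both expected outputs. The text also gives the auditor two acceptable outputs without saying how to tell which one applies to the cluster under review; add a sentence on how to determine whether the cluster is IPv4 single-stack or IPv6/dual-stack, otherwise either value passes and the auditor cannot judge the result.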
Expand All @@ -52,8 +57,4 @@ template:
filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
yamlpath: '.servingInfo["bindAddress"]'
xccdf_variable: var_apiserver_bind_address
embedded_data: "true"
values:
- value: '(.+)'
operation: "pattern match"
type: "string"
regex_data: "true"
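Review bot: dropping the `values` block (`- value: '(.+)'`, `operation: "pattern match"`, `type: "string"`) together with `embedded_data: "true"` and adding `regex_data: "true"` makes `var_apiserver_bind_address` the entire expected value, so the rule is now exactly as strict as that variable's regular expression. Please confirm the template applies a value supplied through `xccdf_variable` as a regex, anchors included, when `regex_data` is set; the previous form fetched the actual bindAddress via `embedded_data` and matched it against the catch-all `(.+)`, which is a different code path. A quick check with a non-default bindAddress (for example a different port) that the rule still fails would settle it.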
10 changes: 7 additions & 3 deletions applications/openshift/api-server/var_apiserver_bind_address.var
Expand Up @@ -2,13 +2,17 @@ documentation_complete: true

title: 'Bind Address of secure API endpoint'

description: 'Bind Address of secure API endpoint'
description: |-
Regular expression matching the expected bind address
of the secure API endpoint. Accepts both IPv4 (0.0.0.0:6443)
and IPv6 ([::]:6443) wildcard addresses to support
single-stack and dual-stack clusters.

type: string

operator: equals
operator: pattern match

interactive: false

options:
default: "0.0.0.0:6443"
default: "^(0\\.0\\.0\\.0:6443|\\[::\\]:6443)$"
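Review bot: with `operator: pattern match` the default and any tailored value are regular expressions, so the description should tell the user that an override must escape regex metacharacters and be anchored like the default (`^(0\\.0\\.0\\.0:6443|\\[::\\]:6443)$`); an unanchored, unescaped `0.0.0.0:6443` would match the intended address but also other strings where `.` stands in for any character. Also verify that the YAML double-quoted default reaches the generated XCCDF as `^(0\.0\.0\.0:6443|\[::\]:6443)$` with single backslashes, since the `\\` escapes are consumed by the YAML parser and a double backslash in the output would make the pattern match literal backslashes instead.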