Skip to content

CMP-4119: Use OCP4 CIS control based referencing#14548

Open
yuumasato wants to merge 3 commits intoComplianceAsCode:masterfrom
yuumasato:use_ocp4_cis_control_references
Open

CMP-4119: Use OCP4 CIS control based referencing#14548
yuumasato wants to merge 3 commits intoComplianceAsCode:masterfrom
yuumasato:use_ocp4_cis_control_references

Conversation

@yuumasato
Copy link
Member

@yuumasato yuumasato commented Mar 11, 2026
edited
Loading

Description:

  • Enable control based references for OCP CIS v1.9.0.
  • Removes OCP4 CIS from the rules.

Rationale:

  • By using the control based referencing we don't need to maintain them in the rules anymore.
    They are automatically injected into the rule during build time.

Review Hints:

<xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn" severity="medium">
  <xccdf-1.2:title>Ensure that the --kubelet-https argument is set to true</xccdf-1.2:title>
  <xccdf-1.2:description>The kube-apiserver ensures https to the kubelet by default. The apiserver
....
  <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.2.2</xccdf-1.2:reference>
  <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.2</xccdf-1.2:reference>
  <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1</xccdf-1.2:reference>

Note

After feedback that older versions of CIS profiles are not that useful, I have changed this to add references based only on the latest version.

@yuumasato yuumasato force-pushed the use_ocp4_cis_control_references branch from 68176de to 2bca8ec Compare March 11, 2026 13:14
@yuumasato yuumasato added this to the 0.1.81 milestone Mar 11, 2026
@yuumasato yuumasato added OpenShift OpenShift product related. CIS CIS Benchmark related. labels Mar 11, 2026
@yuumasato yuumasato requested a review from rhmdnd March 11, 2026 13:14
@Anna-Koudelkova Anna-Koudelkova mentioned this pull request Mar 12, 2026
Closed
@yuumasato
Add OCP CIS references based on the control files
8267fc9 
This enables control based referencing, making it easier to maintain the
OCP CIS references.
The references in the rules will track the latest version.
@yuumasato
Remove CIS OCP4 references from the rules
ae69a50 
They are not used, and need to be removed so that the build system can
add references from the CIS control file.
@yuumasato
Remove broad cis reference from rule
b7c0f6b 
Since we are switching to use control based referencing we need to
remove any cis reference in the file.
@yuumasato yuumasato force-pushed the use_ocp4_cis_control_references branch from 1d613a7 to b7c0f6b Compare March 20, 2026 10:01
@yuumasato
Copy link
Member Author

yuumasato commented Mar 20, 2026

I have dropped support for multiple CIS reference versions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rhmdnd rhmdnd Awaiting requested review from rhmdnd

@matusmarhefka matusmarhefka Awaiting requested review from matusmarhefka

@Mab879 Mab879 Awaiting requested review from Mab879

@vojtapolasek vojtapolasek Awaiting requested review from vojtapolasek

@jan-cerny jan-cerny Awaiting requested review from jan-cerny

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

CIS CIS Benchmark related. OpenShift OpenShift product related.

Projects

None yet

Milestone

0.1.81

Development

Successfully merging this pull request may close these issues.

1 participant

@yuumasato