routes-protected-by-tls compliance check failing when ODF 4.11 is installed

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform 4.11
  • Red Hat OpenShift Data Foundation 4.11

Issue

The rule “ocp4-routes-protected-by-tls” checks that every Route object has either None or Redirect in its .spec.tls.insecureEdgeTerminationPolicy field, but some RHOCP routes do not have this field set, so the check fails.

Resolution

This was fixed in the OCP 4.13 branch with Compliance Operator version 0.1.66.

> Verification passed with 4.13.0-0.nightly-2023-04-06-060829 + openshift-compliance-operator-bundle-container-1.0.0-9. Details are shown below:
> 
> $ oc apply -f -<<EOF
> apiVersion: v1
> kind: Service
> metadata:
>   labels:
>     name: service-unsecure
>   name: service-unsecure
> spec:
>   ports:
>   - name: http
>     port: 27017
>     protocol: TCP
>     targetPort: 8080
>   selector:
>     name: web-server
> EOF
> service/service-unsecure created
> $ oc create route edge myedge --service=service-unsecure
> route.route.openshift.io/myedge created
> $ oc get route -A
> NAMESPACE                  NAME                      HOST/PORT                                                                                  PATH        SERVICES            PORT    TERMINATION            WILDCARD
> openshift-authentication   oauth-openshift           oauth-openshift.apps.xiyuan07-1.qe.devcluster.openshift.com                                            oauth-openshift     6443    passthrough/Redirect   None
> openshift-console          console                   console-openshift-console.apps.xiyuan07-1.qe.devcluster.openshift.com                                  console             https   reencrypt/Redirect     None
> openshift-console          downloads                 downloads-openshift-console.apps.xiyuan07-1.qe.devcluster.openshift.com                                downloads           http    edge/Redirect          None
> openshift-ingress-canary   canary                    canary-openshift-ingress-canary.apps.xiyuan07-1.qe.devcluster.openshift.com                            ingress-canary      8080    edge/Redirect          None
> openshift-monitoring       alertmanager-main         alertmanager-main-openshift-monitoring.apps.xiyuan07-1.qe.devcluster.openshift.com         /api        alertmanager-main   web     reencrypt/Redirect     None
> openshift-monitoring       prometheus-k8s            prometheus-k8s-openshift-monitoring.apps.xiyuan07-1.qe.devcluster.openshift.com            /api        prometheus-k8s      web     reencrypt/Redirect     None
> openshift-monitoring       prometheus-k8s-federate   prometheus-k8s-federate-openshift-monitoring.apps.xiyuan07-1.qe.devcluster.openshift.com   /federate   prometheus-k8s      web     reencrypt/Redirect     None
> openshift-monitoring       thanos-querier            thanos-querier-openshift-monitoring.apps.xiyuan07-1.qe.devcluster.openshift.com            /api        thanos-querier      web     reencrypt/Redirect     None
> test1                      myedge                    myedge-test1.apps.xiyuan07-1.qe.devcluster.openshift.com                                               service-unsecure    http    edge                   None
> $ oc get routes myedge -n test1 -o=jsonpath={.spec.tls.insecureEdgeTerminationPolicy}
> $ oc get routes myedge -n test1  -o=jsonpath={.spec.tls.insecureEdgeTerminationPolicy}
> $ oc project openshift-compliance
> Now using project "openshift-compliance" on server "https://api.xiyuan07-1.qe.devcluster.openshift.com:6443".
> 
> $ oc compliance bind -N test profile/ocp4-pci-dss
> Creating ScanSettingBinding test
> $ oc get suite -w
> NAME   PHASE     RESULT
> test   RUNNING   NOT-AVAILABLE
> test   AGGREGATING   NOT-AVAILABLE
> test   DONE          NON-COMPLIANT
> test   DONE          NON-COMPLIANT
> $ oc get ccr ocp4-pci-dss-routes-protected-by-tls
> NAME                                   STATUS   SEVERITY
> ocp4-pci-dss-routes-protected-by-tls   PASS     medium
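To make the rule's logic concrete, here is an added Python example (not Compliance Operator code) that applies the routes-protected-by-tls check to a constructed RouteList shaped like `oc get route -A -o json` output. It assumes that a Route with no .spec.tls block fails and that an unset insecureEdgeTerminationPolicy passes, matching the verification above where the `myedge` edge route with an empty policy reported PASS.

```python
"""Offline re-implementation of the ocp4-routes-protected-by-tls check.

Added example, not Compliance Operator code. It reads the JSON that
`oc get route -A -o json` would return and reports Routes that let
plaintext HTTP through. Assumptions (mine, not stated on the page):
a Route with no .spec.tls at all is non-compliant, and an unset
insecureEdgeTerminationPolicy is compliant, matching the verification
above where the `myedge` edge route with an empty policy passed.
"""
import json

# "" stands for the field not being set at all.
COMPLIANT_POLICIES = {"None", "Redirect", ""}


def route_is_tls_protected(route: dict) -> bool:
    """Return True if the Route does not expose unencrypted traffic."""
    tls = route.get("spec", {}).get("tls")
    if not tls:                      # no TLS block: plain HTTP route
        return False
    policy = tls.get("insecureEdgeTerminationPolicy", "")
    return policy in COMPLIANT_POLICIES


def noncompliant_routes(route_list: dict) -> list:
    """Return 'namespace/name' for every failing Route in a RouteList."""
    failing = []
    for item in route_list.get("items", []):
        if not route_is_tls_protected(item):
            meta = item["metadata"]
            failing.append(f"{meta['namespace']}/{meta['name']}")
    return sorted(failing)


# Constructed sample, shaped like `oc get route -A -o json` output.
SAMPLE_ROUTE_LIST = json.loads("""{
 "kind": "RouteList", "items": [
  {"metadata": {"namespace": "openshift-console", "name": "console"},
   "spec": {"tls": {"termination": "reencrypt",
                    "insecureEdgeTerminationPolicy": "Redirect"}}},
  {"metadata": {"namespace": "test1", "name": "myedge"},
   "spec": {"tls": {"termination": "edge"}}},
  {"metadata": {"namespace": "demo", "name": "allow-http"},
   "spec": {"tls": {"termination": "edge",
                    "insecureEdgeTerminationPolicy": "Allow"}}},
  {"metadata": {"namespace": "demo", "name": "plain-http"},
   "spec": {"port": {"targetPort": 8080}}}
 ]}""")

if __name__ == "__main__":
    for ref in noncompliant_routes(SAMPLE_ROUTE_LIST):
        print("FAIL", ref)
```

Against a live cluster, feed it `oc get route -A -o json` instead of the constructed sample; the two routes it flags are the one that explicitly allows plaintext and the one with no TLS at all.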

Diagnostic Steps

Provide the following information:

$ oc adm inspect ns/openshift-compliance
$ oc project openshift-compliance
$ oc get all > all.yaml
$ oc get profiles.compliance.openshift.io -o yaml  > profiles.yaml
$ oc get scansettingbindings.compliance.openshift.io -o yaml > scansettingbindings.yaml
$ oc get scansettings.compliance.openshift.io -o yaml  > scansettings.yaml
$ oc get compliancecheckresults.compliance.openshift.io -o yaml > checkresults.yaml
$ oc get complianceremediations.compliance.openshift.io -o yaml > remediations.yaml
$ oc get compliancesuites.compliance.openshift.io -o yaml > compliancesuites.yaml
$ oc get compliancescans.compliance.openshift.io -o yaml > compliancescan.yaml
$ oc get compliancesuites
$ oc get compliancescan

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.