Skip to content

CMP-4119: Use OCP4 CIS control based referencing#14548

Open
yuumasato wants to merge 4 commits intoComplianceAsCode:masterfrom
yuumasato:use_ocp4_cis_control_references
Open

CMP-4119: Use OCP4 CIS control based referencing#14548
yuumasato wants to merge 4 commits intoComplianceAsCode:masterfrom
yuumasato:use_ocp4_cis_control_references

Conversation

@yuumasato
Copy link
Member

@yuumasato yuumasato commented Mar 11, 2026

Description:

  • Enable control based references for OCP CIS v1.7.0 and v1.9.0.
  • Removes OCP4 CIS from the rules.

Rationale:

  • By using the control based referencing we don't need to maintain them in the rules anymore.
    They are automatically injected into the rule during build time.

Review Hints:

<xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn" severity="medium">
  <xccdf-1.2:title>Ensure that the --kubelet-https argument is set to true</xccdf-1.2:title>
  <xccdf-1.2:description>The kube-apiserver ensures https to the kubelet by default. The apiserver
....
  <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/v1.7.0">1.2.4</xccdf-1.2:reference>
  <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/v1.7.0">1.2</xccdf-1.2:reference>
  <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/v1.7.0">1</xccdf-1.2:reference>
  <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/v1.9.0">1.2.2</xccdf-1.2:reference>
  <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/v1.9.0">1.2</xccdf-1.2:reference>
  <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/v1.9.0">1</xccdf-1.2:reference>

@yuumasato
Add OCP CIS references based on the control files
f6d30bb 
This enables control based referencing, making it easier to maintain the
OCP CIS references.
Adds versioning to the references. This is important as we keep multiple
verions of CIS profiles, a rule can be part of different controls in
each version.
@yuumasato
Remove CIS OCP4 references from the rules
52ca150 
They are not used, and need to be removed so that the build system can
add references from the CIS control file.
@yuumasato
Remove broad cis reference from rule
2bca8ec 
Since we are switching to use control based referencing we need to
remove any cis reference in the file.
@yuumasato yuumasato force-pushed the use_ocp4_cis_control_references branch from 68176de to 2bca8ec Compare March 11, 2026 13:14
@yuumasato yuumasato added this to the 0.1.81 milestone Mar 11, 2026
@yuumasato yuumasato added OpenShift OpenShift product related. CIS CIS Benchmark related. labels Mar 11, 2026
@yuumasato yuumasato requested a review from rhmdnd March 11, 2026 13:14
@Anna-Koudelkova Anna-Koudelkova mentioned this pull request Mar 12, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rhmdnd rhmdnd Awaiting requested review from rhmdnd

@matusmarhefka matusmarhefka Awaiting requested review from matusmarhefka matusmarhefka is a code owner

@Mab879 Mab879 Awaiting requested review from Mab879 Mab879 is a code owner

@vojtapolasek vojtapolasek Awaiting requested review from vojtapolasek vojtapolasek is a code owner

@jan-cerny jan-cerny Awaiting requested review from jan-cerny jan-cerny is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

CIS CIS Benchmark related. OpenShift OpenShift product related.

Projects

None yet

Milestone

0.1.81

Development

Successfully merging this pull request may close these issues.

1 participant

@yuumasato