Add fixes in node and etcd TCs

aquasecurity · Nov 6, 2024 · ff650d0 · ff650d0
1 parent 1ae58e3
commit ff650d0
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/cfg/rh-1.6/etcd.yaml b/cfg/rh-1.6/etcd.yaml
@@ -28,7 +28,8 @@ groups:
             - flag: "file"
               compare:
                 op: regex
-                value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-serving\/etcd-serving-.*\.(?:crt|key)'
+                # some systems have certs in directory '/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs'
+                value: \/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-(?:serving|certs)\/etcd-serving-.*\.(?:crt|key)
         remediation: |
           OpenShift does not use the etcd-certfile or etcd-keyfile flags.
           Certificates for etcd are managed by the etcd cluster operator.
@@ -103,7 +104,8 @@ groups:
             - flag: "file"
               compare:
                 op: regex
-                value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-peer\/etcd-peer-.*\.(?:crt|key)'
+                # some systems have certs in directory '/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs'
+                value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-(?:peer|certs)\/etcd-peer-.*\.(?:crt|key)'
         remediation: |
           None. This configuration is managed by the etcd operator.
         scored: false

diff --git a/cfg/rh-1.6/node.yaml b/cfg/rh-1.6/node.yaml
@@ -349,15 +349,14 @@ groups:
           echo RotateKubeletServerCertificate=$(oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig.featureGates.RotateKubeletServerCertificate' 2> /dev/null)
           # Verify the rotateCertificates argument is set to true
           echo rotateCertificates=$(oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq -r '.kubeletconfig.rotateCertificates' 2> /dev/null)
-        use_multiple_values: true
         tests:
-          bin_op: or
+          bin_op: and
           test_items:
-            - flag: rotateCertificates
+            - flag: RotateKubeletServerCertificate
               compare:
                 op: eq
                 value: true
-            - flag: RotateKubeletServerCertificate
+            - flag: rotateCertificates
               compare:
                 op: eq
                 value: true