Optimize KubeletConfig rules

We made some optimization in CO to scan runtime KubeletConfig in a different way, this PR adapts those changes.

applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml

@@ -2,11 +2,10 @@ documentation_complete: true
 
 prodtype: eks,ocp4
 
-platform: {{{ product }}}
-
 {{%- if product == "eks" %}}
 {{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}}
 {{%- else %}}
+platform: ocp4-node
 {{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}}
 {{%- endif %}}
 
@@ -52,10 +51,12 @@ ocil: |-
     <pre>$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done</pre>
     The output should return <pre>enabled: false</pre>.
 
-warnings:
-- general: |-
-    {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}}
-
 template:
-    name: kubelet_combine
-
+    name: yamlfile_value
+    vars:
+        filepath: '/tmp/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+        yamlpath: ".kubeletconfig.authentication.anonymous.enabled"
+        check_existence: "all_exist"
+        values:
+         - value: "false"
+           operation: "equals"

applications/openshift/kubelet/kubelet_authorization_mode/rule.yml

@@ -2,11 +2,10 @@ documentation_complete: true
 
 prodtype: eks,ocp4
 
-platform: {{{ product }}}
-
 {{%- if product == "eks" %}}
 {{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}}
 {{%- else %}}
+platform: ocp4-node
 {{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}}
 {{%- endif %}}
 
@@ -31,7 +30,6 @@ rationale: |-
 identifiers:
   cce@ocp4: CCE-83593-4
 
-
 severity: medium
 
 references:
@@ -49,10 +47,12 @@ ocil: |-
     Verify that the output is not set to <tt>mode: AlwaysAllow</tt>, or missing
     (defaults to <tt>mode: Webhook</tt>).
 
-warnings:
-- general: |-
-    {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}}
-
-
 template:
-    name: kubelet_combine
+    name: yamlfile_value
+    vars:
+        filepath: '/tmp/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+        yamlpath: ".kubeletconfig.authorization.mode"
+        check_existence: "all_exist"
+        values:
+         - value: "AlwaysAllow"
+           operation: "not equal"

applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml

@@ -2,12 +2,11 @@ documentation_complete: true
 
 prodtype: eks,ocp4
 
-platform: {{{ product }}}
-
 {{%- if product == "eks" %}}
 {{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}}
 {{%- set ca_path = "/etc/kubernetes/pki/ca.crt" %}}
 {{%- else %}}
+platform: ocp4-node
 {{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}}
 {{%- set ca_path = "/etc/kubernetes/kubelet-ca.crt" %}}
 {{%- endif %}}
@@ -54,10 +53,12 @@ references:
     nist: CM-6,CM-6(1)
     srg: SRG-APP-000516-CTR-001325
 
-warnings:
-- general: |-
-    {{{ openshift_cluster_setting_kubeletconfig() | indent(4) }}}
-
-
 template:
-    name: kubelet_combine
+    name: yamlfile_value
+    vars:
+        filepath: '/tmp/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+        yamlpath: ".kubeletconfig.authentication.x509.clientCAFile"
+        check_existence: "all_exist"
+        values:
+         - value: "{{{ ca_path}}}"
+           operation: "equals"