ComplianceAsCode · rhmdnd · Feb 21, 2024 · Jan 30, 2024 · Feb 1, 2024 · Feb 20, 2024
diff --git a/...cations/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml b/...cations/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml
@@ -1,11 +1,15 @@
 <def-group oval_version="5.11">
-  <definition class="compliance" id="api_server_api_priority_flowschema_catch_all" version="1">
-    {{{ oval_metadata("One of the flowschema versions should exist, but it doesn't matter which") }}}
-
-    <criteria operator="OR">
-      <extend_definition comment="flowschema v1alpha1" definition_ref="api_server_api_priority_v1alpha1_flowschema_catch_all" />
-      <extend_definition comment="flowschema v1beta1" definition_ref="api_server_api_priority_v1beta1_flowschema_catch_all" />
-      <extend_definition comment="flowschema v1beta2" definition_ref="api_server_api_priority_v1beta2_flowschema_catch_all" />
+  <definition class="compliance" id="api_server_api_priority_flowschema_catch_all" version="1"> {{{
+    oval_metadata("One of the flowschema versions should exist, but it doesn't matter which") }}} <criteria
+      operator="OR">
+      <extend_definition comment="flowschema v1alpha1"
+        definition_ref="api_server_api_priority_v1alpha1_flowschema_catch_all" />
+      <extend_definition comment="flowschema v1beta1"
+        definition_ref="api_server_api_priority_v1beta1_flowschema_catch_all" />
+      <extend_definition comment="flowschema v1beta2"
+        definition_ref="api_server_api_priority_v1beta2_flowschema_catch_all" />
+      <extend_definition comment="flowschema v1"
+        definition_ref="api_server_api_priority_v1_flowschema_catch_all" />
     </criteria>
 
   </definition>

diff --git a/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/rule.yml b/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/rule.yml
@@ -45,4 +45,4 @@ ocil: |-
 
 warnings:
     - general: |-
-        {{{ openshift_cluster_setting(["/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all"], true) | indent(8) }}}
+        {{{ openshift_cluster_setting(["/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all"], true) | indent(8) }}}
diff --git a/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/rule.yml b/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/rule.yml
@@ -0,0 +1,67 @@
+documentation_complete: true
+
+title: 'Ensure catch-all FlowSchema object for API Priority and Fairness Exists'
+
+description: |-
+  Using <tt>APIPriorityAndFairness</tt> feature provides a fine-grained way
+  to control the behaviour of the Kubernetes API server in an overload
+  situation. The well-known FlowSchema <tt>catch-all</tt> should be available
+  to make sure that every request gets some kind of classification. By default,
+  the <tt>catch-all</tt> priority level only allows one concurrency share and
+  does not queue requests. To inspect all the <tt>FlowSchema</tt> objects, run:
+  <pre>oc get flowschema</pre>
+  To inspect the well-known <tt>catch-all</tt> object, run the following:
+  <pre>oc describe flowschema catch-all</pre>
+
+rationale: |-
+  The <tt>FlowSchema</tt> API objects enforce a limit on the
+  number of events that the API Server will accept in a given time slice
+  In a large multi-tenant cluster, there might be a small percentage of
+  misbehaving tenants which could have a significant impact on the
+  performance of the cluster overall. It is recommended to limit the rate
+  of events that the API Server will accept.
+
+identifiers:
+  cce@ocp4: CCE-86097-3
+
+platforms:
+  - ocp4.16
+
+severity: medium
+
+references:
+  cis@ocp4: 1.2.10
+  nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
+  nist: CM-6,CM-6(1)
+  pcidss: Req-2.2
+  srg: SRG-APP-000516-CTR-001325
+
+ocil_clause: 'A FlowSchema object <tt>catch-all</tt> exists'
+
+ocil: |-
+  Run the following commands:
+  <pre>oc get flowschema</pre>
+  and inspect the FlowSchema objects. Make sure that at least the <tt>catch-all</tt>
+  object exists by calling:
+  <pre>oc describe flowschema catch-all</pre>
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all", true) | indent(4) }}}
+- dependency: |-
+    Note that this is only applicable in OpenShift Container Platform version 4.16
+    and higher
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: "/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all"
+    yamlpath: '.spec.rules[0].subjects[:].group["name"]'
+    check_existence: "at_least_one_exists"
+    entity_check: "at least one"
+    values:
+      - value: "system:authenticated"
+        operation: "pattern match"
+        check_existence: "at_least_one_exists"
+        entity_check: "at least one"
diff --git a/.../openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/tests/ocp4/4.16.yml b/.../openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/tests/ocp4/4.16.yml
@@ -0,0 +1,3 @@
+---
+default_result: PASS
+
diff --git a/...ations/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml b/...ations/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml
@@ -26,7 +26,7 @@ identifiers:
   cce@ocp4: CCE-86390-2
 
 platforms:
-  - ocp4.11 or ocp4.12 or ocp4.13
+  - ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15
 
 severity: medium
 

diff --git a/...shift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.14.yml b/...shift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.14.yml
@@ -0,0 +1,3 @@
+---
+default_result: PASS
+
diff --git a/...shift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.15.yml b/...shift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.15.yml
@@ -0,0 +1,3 @@
+---
+default_result: PASS
+
diff --git a/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml
@@ -34,7 +34,7 @@ identifiers:
   cce@ocp4: CCE-84080-1
 
 platforms:
-  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13) and not ocp4-on-hypershift-hosted
+  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
 
 severity: high
 

diff --git a/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml b/applications/openshift/api-server/api_server_kubelet_client_key/rule.yml
@@ -34,7 +34,7 @@ identifiers:
   cce@ocp4: CCE-83591-8
 
 platforms:
-  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13) and not ocp4-on-hypershift-hosted
+  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
 
 severity: high
 

diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml
@@ -27,7 +27,7 @@ identifiers:
     cce@ocp4: CCE-83396-2
 
 platforms:
-  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13) and not ocp4-on-hypershift-hosted
+  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
 
 references:
     cis@ocp4: 4.2.9

diff --git a/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml
@@ -27,7 +27,7 @@ identifiers:
     cce@ocp4: CCE-90614-9
 
 platforms:
-  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13) and not ocp4-on-hypershift-hosted
+  - (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16) and not ocp4-on-hypershift-hosted
 
 references:
     cis@ocp4: 4.2.9

diff --git a/products/ocp4/profiles/default.profile b/products/ocp4/profiles/default.profile
@@ -43,6 +43,7 @@ selections:
     - kubelet_eviction_thresholds_set_soft_imagefs_inodesfree
     - file_groupowner_kubeconfig
     - api_server_api_priority_v1alpha1_flowschema_catch_all
+    - api_server_api_priority_v1_flowschema_catch_all
     - file_groupowner_openvswitch
     - gcp_disk_encryption_enabled
     - kubelet_configure_tls_cipher_suites_ingresscontroller

diff --git a/shared/applicability/oval/installed_app_is_ocp4.xml b/shared/applicability/oval/installed_app_is_ocp4.xml
@@ -138,7 +138,7 @@
 
   <ind:yamlfilecontent_state id="state_ocp4_{{{ minorversion }}}" version="1">
       <ind:value datatype="record">
-          <field name="#" datatype="string" operation="pattern match">4\.{{{ minorversion }}}.*</field>
+          <field name="#" datatype="string" operation="pattern match">\b4\.{{{ minorversion }}}.*</field>
       </ind:value>
   </ind:yamlfilecontent_state>
 

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -6,7 +6,6 @@ CCE-86082-5
 CCE-86083-3
 CCE-86087-4
 CCE-86088-2
-CCE-86097-3
 CCE-86101-3
 CCE-86105-4
 CCE-86106-2