documentation_complete: true


title: 'Ensure That The kubelet Client Certificate Is Correctly Set'

{{% set default_jqfilter = '[.data."config.yaml" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("{{.var_apiserver_kubelet_client_cert}}"))]' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '[.data."config.json" | fromjson | select(.apiServerArguments["kubelet-client-certificate"]) | .apiServerArguments["kubelet-client-certificate"][] | select(test("/etc/kubernetes/certs/kubelet/tls.crt"))]' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~  default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~  default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}

description: |-
    To ensure the kubelet TLS client certificate is configured, edit the
    kubelet configuration file <tt>/etc/kubernetes/kubelet.conf</tt>
    and configure the kubelet certificate file.
    <pre>tlsCertFile: /path/to/TLS/cert.key</pre>

rationale: |-
    Without cryptographic integrity protections, information can be
    altered by unauthorized users without detection.

severity: medium

identifiers:
    cce@ocp4: CCE-83396-2

platform: not ocp4-on-hypershift-hosted

references:
    cis@ocp4: 4.2.9
    nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
    nist: SC-8,SC-8(1),SC-8(2)
    pcidss: Req-2.2,Req-2.2.3,Req-2.3
    srg: SRG-APP-000441-CTR-001090,SRG-APP-000442-CTR-001095

ocil_clause: 'the kubelet certificate is not configured'

ocil: |-
    Run the following command on the kubelet node(s):
    <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'</pre>
    Verify that a client certificate is configured.

warnings:
    - general: |-
        {{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(8) }}}

template:
  name: yamlfile_value
  vars:
    ocp_data: "true"
    filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
    yamlpath: "[:]"
    check_existence: "at_least_one_exists"
    entity_check: "all"
    values:
      - value: "(.*?)"
        operation: "pattern match"