Merge pull request ComplianceAsCode#6225 from piggyvenus/cis1_3_6

redhatrises · web-flow · commit 3a96ab356f4f · 2020-10-27T08:29:37.000-06:00
CIS 1.3.6
diff --git a/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml b/applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml
@@ -41,12 +41,25 @@ ocil: |-
 #identifiers:
 #    cce@ocp4:
 
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config") | indent(4) }}}
+- functionality: |-
+    This recommendation only applies if you let kubelets get their
+    certificates from the API Server. In case your certificates come from an
+    outside Certificate Authority/tool (e.g. Vault) then you need to take care
+    of rotation yourself
+
 references:
     cis: 1.3.6
 
-warnings:
-    - functionality: |-
-        This recommendation only applies if you let kubelets get their
-        certificates from the API Server. In case your certificates come from an
-        outside Certificate Authority/tool (e.g. Vault) then you need to take care
-        of rotation yourself.
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: /api/v1/namespaces/openshift-kube-controller-manager/configmaps/config
+    yamlpath: '.data["config.yaml"]'
+    values:
+    - value: '\"RotateKubeletServerCertificate\=true\"'
+      operation: "pattern match"
+      type: "string"
