From 82fc125c0e8572992601b12dce68ac4f66246a21 Mon Sep 17 00:00:00 2001 From: Vincent Shen Date: Tue, 23 Jun 2026 15:35:15 -0700 Subject: [PATCH] OCP4: move kubelet rule filepath to /tmp/runtime/openscap-kubeletconfig The compliance-operator delivers the runtime kubeletconfig to the scanner via a shared emptyDir mounted at /host/tmp/runtime (mirroring the runtime SSH config), instead of a host symlink under /var/run. A volume mountpoint cannot be created under the read-only host /var/run, and the previous "ln -s" was non-idempotent and failed "Read-only file system" on re-scans. Point the kubelet yamlfile_value checks at the new path. Pairs with compliance-operator change "Deliver runtime kubeletconfig via shared emptyDir instead of a host symlink". CMP-4341 --- applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml | 2 +- .../openshift/kubelet/kubelet_authorization_mode/rule.yml | 2 +- .../openshift/kubelet/kubelet_configure_client_ca/rule.yml | 2 +- .../openshift/kubelet/kubelet_configure_event_creation/rule.yml | 2 +- .../kubelet/kubelet_configure_tls_cipher_suites/rule.yml | 2 +- .../kubelet/kubelet_configure_tls_min_version/rule.yml | 2 +- .../kubelet/kubelet_disable_hostname_override/rule.yml | 2 +- .../openshift/kubelet/kubelet_enable_cert_rotation/rule.yml | 2 +- .../kubelet/kubelet_enable_client_cert_rotation/rule.yml | 2 +- .../kubelet/kubelet_enable_iptables_util_chains/rule.yml | 2 +- .../kubelet/kubelet_enable_protect_kernel_defaults/rule.yml | 2 +- .../kubelet/kubelet_enable_server_cert_rotation/rule.yml | 2 +- .../kubelet/kubelet_enable_streaming_connections/rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../openshift/kubelet/kubelet_read_only_port_secured/rule.yml | 2 +- 24 files changed, 24 insertions(+), 24 deletions(-) 
diff --git a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
index aadcb22cd771..6e72f9cfe21f 100644
--- a/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
+++ b/applications/openshift/kubelet/kubelet_anonymous_auth/rule.yml
@@ -53,7 +53,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.authentication.anonymous.enabled"
 check_existence: "all_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_authorization_mode/rule.yml b/applications/openshift/kubelet/kubelet_authorization_mode/rule.yml
index 56af3440b9ca..20e9f74c7f1d 100644
--- a/applications/openshift/kubelet/kubelet_authorization_mode/rule.yml
+++ b/applications/openshift/kubelet/kubelet_authorization_mode/rule.yml
@@ -49,7 +49,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.authorization.mode"
 check_existence: "all_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml b/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml
index d5aace6946af..44a49d698097 100644
--- a/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_client_ca/rule.yml
@@ -54,7 +54,7 @@ references:
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.authentication.x509.clientCAFile"
 check_existence: "all_exist"
 values:
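Review bot: The new `filepath` points into `/tmp`, a location that is world-writable on the host by convention, and nothing in the rule ties the file to the operator-provided mount the commit message describes; if the scanner runs against an operator that does not overlay the emptyDir at that path (an older release, or the "mirroring the runtime SSH config" assumption not holding), the check reads whatever sits at the host's own `/tmp/runtime/openscap-kubeletconfig`, which any host-local user or hostPath pod could plant to make an `all_exist` check pass. The old `/var/run/compliance-operator/...` path at least lived under a root-owned tree, so this is a real change in who can influence the evidence file, not just a relocation. I would document the trust assumption next to the path, e.g. `# Delivered by compliance-operator via an emptyDir overlaid at /host/tmp/runtime; the host's own /tmp is never consulted when the mount is present`, and note the minimum operator version the content now requires. Since the same literal is repeated in all 24 rules, consider moving it to a single Jinja constant so future relocations cannot leave a subset of rules reading a stale, attacker-writable path. The enclosing `template:` block continues past the end of the hunk.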
diff --git a/applications/openshift/kubelet/kubelet_configure_event_creation/rule.yml b/applications/openshift/kubelet/kubelet_configure_event_creation/rule.yml
index ab9b95fd4b6d..75425e295636 100644
--- a/applications/openshift/kubelet/kubelet_configure_event_creation/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_event_creation/rule.yml
@@ -62,7 +62,7 @@ references:
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.eventRecordQPS"
 check_existence: "all_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml
index d5a27a061375..3c052cc73bf9 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml
@@ -70,7 +70,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.tlsCipherSuites[:]"
 xccdf_variable: var_kubelet_tls_cipher_suites_regex
 regex_data: true
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml
index f8b2f0655004..9eb35cfe06e8 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml
@@ -87,7 +87,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.tlsMinVersion"
 xccdf_variable: var_kubelet_tls_min_version_regex
 regex_data: true
diff --git a/applications/openshift/kubelet/kubelet_disable_hostname_override/rule.yml b/applications/openshift/kubelet/kubelet_disable_hostname_override/rule.yml
index 4095435cc2ed..55d8854285f1 100644
--- a/applications/openshift/kubelet/kubelet_disable_hostname_override/rule.yml
+++ b/applications/openshift/kubelet/kubelet_disable_hostname_override/rule.yml
@@ -40,7 +40,7 @@ references:
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.hostname-override"
 check_existence: "none_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_enable_cert_rotation/rule.yml b/applications/openshift/kubelet/kubelet_enable_cert_rotation/rule.yml
index f74ebe803f05..2510ab2c11fe 100644
--- a/applications/openshift/kubelet/kubelet_enable_cert_rotation/rule.yml
+++ b/applications/openshift/kubelet/kubelet_enable_cert_rotation/rule.yml
@@ -46,7 +46,7 @@ references:
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.rotateCertificates"
 check_existence: "all_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_enable_client_cert_rotation/rule.yml b/applications/openshift/kubelet/kubelet_enable_client_cert_rotation/rule.yml
index cf20531fa67f..19039207e927 100644
--- a/applications/openshift/kubelet/kubelet_enable_client_cert_rotation/rule.yml
+++ b/applications/openshift/kubelet/kubelet_enable_client_cert_rotation/rule.yml
@@ -47,7 +47,7 @@ references:
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.featureGates.RotateKubeletClientCertificate"
 check_existence: "any_exist"
 values:
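Review bot: In the `kubelet_disable_hostname_override` hunk the relocated `filepath` is combined with `check_existence: "none_exist"`, and as far as I can tell from the OVAL semantics behind `yamlfile_value` an absent file yields no collected items, which `none_exist` treats as satisfied; so if the operator has not overlaid the emptyDir at `/tmp/runtime`, this rule passes vacuously while its `all_exist` siblings fail, and the breakage is only half-visible. This was true of the old `/var/run` path too, but the move makes the "file missing" case the expected state on any operator that predates the shared-emptyDir change, so it is worth guarding now rather than later. I would add a comment above `check_existence`, e.g. `# NOTE: none_exist also passes when the evidence file itself is missing; pair with a file-existence check or accept the fail-open`, and consider whether the template can be asked to fail when the file is absent. The `template:` block continues beyond the hunk, so I cannot see whether anything below already covers this.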
diff --git a/applications/openshift/kubelet/kubelet_enable_iptables_util_chains/rule.yml b/applications/openshift/kubelet/kubelet_enable_iptables_util_chains/rule.yml
index aa571bbe2bca..6a0611cd30ba 100644
--- a/applications/openshift/kubelet/kubelet_enable_iptables_util_chains/rule.yml
+++ b/applications/openshift/kubelet/kubelet_enable_iptables_util_chains/rule.yml
@@ -47,7 +47,7 @@ references:
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.makeIPTablesUtilChains"
 values:
 - value: "true"
diff --git a/applications/openshift/kubelet/kubelet_enable_protect_kernel_defaults/rule.yml b/applications/openshift/kubelet/kubelet_enable_protect_kernel_defaults/rule.yml
index bc2b459fe9dc..316f3cf13c93 100644
--- a/applications/openshift/kubelet/kubelet_enable_protect_kernel_defaults/rule.yml
+++ b/applications/openshift/kubelet/kubelet_enable_protect_kernel_defaults/rule.yml
@@ -106,7 +106,7 @@ references:
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.protectKernelDefaults"
 values:
 - value: "true"
diff --git a/applications/openshift/kubelet/kubelet_enable_server_cert_rotation/rule.yml b/applications/openshift/kubelet/kubelet_enable_server_cert_rotation/rule.yml
index 79482877c34a..b01e029bec5b 100644
--- a/applications/openshift/kubelet/kubelet_enable_server_cert_rotation/rule.yml
+++ b/applications/openshift/kubelet/kubelet_enable_server_cert_rotation/rule.yml
@@ -44,7 +44,7 @@ references:
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.serverTLSBootstrap"
 values:
 - value: "true"
diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml b/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml
index db7638e245c1..7815d151f2ec 100644
--- a/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml
+++ b/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml
@@ -50,7 +50,7 @@ references:
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.streamingConnectionIdleTimeout"
 check_existence: "all_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/rule.yml
index 56c1cb4c80dd..fdd0cd3e3f71 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/rule.yml
@@ -70,7 +70,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.evictionHard['imagefs.available']"
 check_existence: "all_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/rule.yml
index e5c2ad5bc6a6..b2711f5d626f 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/rule.yml
@@ -70,7 +70,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.evictionHard['imagefs.inodesFree']"
 check_existence: "all_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/rule.yml
index b1fd29a4c280..fa0e4c2f757d 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/rule.yml
@@ -70,7 +70,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.evictionHard['memory.available']"
 check_existence: "all_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/rule.yml
index 1c59a959eed5..ec084e4be015 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_available/rule.yml
@@ -70,7 +70,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.evictionHard['nodefs.available']"
 check_existence: "all_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/rule.yml
index e4b49762bf18..9b944a8e8ee0 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_nodefs_inodesfree/rule.yml
@@ -70,7 +70,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.evictionHard['nodefs.inodesFree']"
 check_existence: "all_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available/rule.yml
index 074b2e0ec3e0..2f3cdcd53668 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_available/rule.yml
@@ -70,7 +70,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.evictionSoft['imagefs.available']"
 check_existence: "all_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree/rule.yml
index 00121d589a8b..b11e6714155e 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_imagefs_inodesfree/rule.yml
@@ -69,7 +69,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.evictionSoft['imagefs.inodesFree']"
 check_existence: "all_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml
index 6e395590689d..ab95f38f6d49 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml
@@ -69,7 +69,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.evictionSoft['memory.available']"
 check_existence: "all_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available/rule.yml
index 25d2403f2d96..f7b6f1e52344 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_available/rule.yml
@@ -69,7 +69,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.evictionSoft['nodefs.available']"
 check_existence: "all_exist"
 xccdf_variable: var_event_record_qps
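Review bot: In the `kubelet_eviction_thresholds_set_soft_nodefs_available` hunk the context line directly below the relocated path reads `xccdf_variable: var_event_record_qps`, which by its name is the event-record QPS variable, not a soft `nodefs.available` eviction threshold; the commit touches the line above it and does not address this. If that is a copy-paste leftover, the rule compares a filesystem-space threshold against a QPS value and will pass or fail for the wrong reason, which is the kind of silent mis-check that survives for years in a benchmark because the result looks plausible. I cannot see the rest of the `template:` block (it continues past the hunk), so please confirm which variable the rule is meant to bind, and if it is wrong replace the line with the variable named for this threshold, or at minimum add `# TODO(review): confirm var_event_record_qps is the intended variable for a nodefs.available soft threshold` so the mismatch is visible. This is a pre-existing issue but it sits in the hunk being touched and is cheap to fix alongside it.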
diff --git a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree/rule.yml b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree/rule.yml
index cf2296112dcd..55ec1e75b397 100644
--- a/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree/rule.yml
+++ b/applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_nodefs_inodesfree/rule.yml
@@ -69,7 +69,7 @@ ocil: |-
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.evictionSoft['nodefs.inodesFree']"
 check_existence: "all_exist"
 values:
diff --git a/applications/openshift/kubelet/kubelet_read_only_port_secured/rule.yml b/applications/openshift/kubelet/kubelet_read_only_port_secured/rule.yml
index ea55e3f74a9f..19fcc8014c6f 100644
--- a/applications/openshift/kubelet/kubelet_read_only_port_secured/rule.yml
+++ b/applications/openshift/kubelet/kubelet_read_only_port_secured/rule.yml
@@ -35,7 +35,7 @@ references:
 template:
 name: yamlfile_value
 vars:
- filepath: '/var/run/compliance-operator/kubeletconfig/openscap-kubeletconfig'
+ filepath: '/tmp/runtime/openscap-kubeletconfig'
 yamlpath: ".kubeletconfig.readOnlyPort"
 values:
 - value: "0"