CMP-4110: Implement CIS OpenShift version 1.9.0#14431

Open
rhmdnd wants to merge 7 commits into ComplianceAsCode:master from rhmdnd:CMP-4110

Conversation

@rhmdnd
Collaborator

@rhmdnd rhmdnd commented Feb 19, 2026

  • Bump CIS OpenShift version from 1.7.0 to 1.9.0
  • Add CIS OpenShift 1.9.0 profile and controls
  • Implement CIS OpenShift v1.9.0 section 1
  • Add CIS OpenShift v1.9.0 section 2
  • Implement CIS OpenShift v1.9.0 section 3
  • Implement CIS OpenShift v1.9.0 section 4
  • Implement CIS OpenShift v1.9.0 section 5

@rhmdnd rhmdnd changed the title from "CMP 4110" to "CMP-4110: Implement CIS OpenShift version 1.9.0" on Feb 19, 2026
Bump CIS OpenShift version from 1.7.0 to 1.9.0

Version 1.9.0 was released last month. Let's update the profile to match
the latest version.

Assisted-By: Claude Opus 4.6

Add CIS OpenShift 1.9.0 profile and controls

The CIS 1.9.0 benchmark has some minor differences from 1.7.0. Let's add
some separate control files for 1.9.0 so we can make those changes
without affecting 1.7.0.

Assisted-By: Claude Opus 4.6

Implement CIS OpenShift v1.9.0 section 1

Section 1 remains largely the same as version 1.7.0, with minor
differences:

- 1.1.12 had a wording change in the title
- 1.2.2 and 1.2.3 were removed in version 1.9.0, causing the control IDs
  to shift
- 1.3.5 was removed in version 1.9.0

This commit accounts for those removals and indexing changes.

Assisted-By: Claude Opus 4.6

Add CIS OpenShift v1.9.0 section 2

This section remains the same as version 1.7.0.

Assisted-By: Claude Opus 4.6

Implement CIS OpenShift v1.9.0 section 3

This section remains the same as version 1.7.0.

Assisted-By: Claude Opus 4.6

Implement CIS OpenShift v1.9.0 section 4

This section is largely the same as version 1.7.0, with one minor
wording change to control 4.2.8; otherwise the technical controls are
the same.

Assisted-By: Claude Opus 4.6

Implement CIS OpenShift v1.9.0 section 5

This section remains the same as version 1.7.0.

Assisted-By: Claude Opus 4.6
@Anna-Koudelkova
Collaborator

Anna-Koudelkova commented Feb 23, 2026

Pre-merge verification passed on OCP 4.18 + compliance operator 1.8.2 + content build with this PR.
Verification steps:

  1. Install CO 1.8.2 and build content from this PR.
  2. Verify CIS 1.9.0 is present:
$ oc get profiles | grep cis
ocp4-cis                                  40m   1.7.0
ocp4-cis-1-7                              40m   1.7.0
ocp4-cis-node                             40m   1.7.0
ocp4-cis-node-1-7                         40m   1.7.0
upstream-ocp4-cis                         38m   1.9.0
upstream-ocp4-cis-1-7                     38m   1.7.0
upstream-ocp4-cis-1-9                     38m   1.9.0
upstream-ocp4-cis-node                    38m   1.9.0
upstream-ocp4-cis-node-1-7                38m   1.7.0
upstream-ocp4-cis-node-1-9                38m   1.9.0
  3. Create an ssb with the new profiles, check that it is ready, and check that the suite, scans, ccr and cr get created and what their results are:
$ oc compliance bind -N test profile/upstream-ocp4-cis-1-9 profile/upstream-ocp4-cis-node-1-9
Creating ScanSettingBinding test

$ oc get suite
NAME   PHASE   RESULT
test   DONE    NON-COMPLIANT

$ oc get scans
NAME                                PHASE   RESULT
upstream-ocp4-cis-1-9               DONE    NON-COMPLIANT
upstream-ocp4-cis-node-1-9-master   DONE    COMPLIANT
upstream-ocp4-cis-node-1-9-worker   DONE    COMPLIANT

$ oc get ccr
NAME                                                                                       STATUS   SEVERITY
upstream-ocp4-cis-1-9-accounts-restrict-service-account-tokens                             MANUAL   medium
upstream-ocp4-cis-1-9-accounts-unique-service-account                                      MANUAL   medium
upstream-ocp4-cis-1-9-api-server-admission-control-plugin-alwaysadmit                      PASS     medium
upstream-ocp4-cis-1-9-api-server-admission-control-plugin-alwayspullimages                 PASS     high
upstream-ocp4-cis-1-9-api-server-admission-control-plugin-namespacelifecycle               PASS     medium
...

$ oc get cr
NAME                                                            STATE
upstream-ocp4-cis-1-9-api-server-encryption-provider-cipher-1   NotApplied
upstream-ocp4-cis-1-9-audit-profile-set                         NotApplied
upstream-ocp4-cis-1-9-ingress-controller-tls-cipher-suites      NotApplied

@taimurhafeez

taimurhafeez commented Feb 27, 2026

Passed on OCP 4.21:

  1. SSB used:
cat ssb-for-cis190.yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: upstream-ocp4-cis-1-9
  namespace: openshift-compliance
profiles:
  - name: upstream-ocp4-cis-1-9
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
  2. Confirming profiles:
oc get profiles | grep cis
ocp4-cis                                  4m54s   1.7.0
ocp4-cis-1-7                              4m54s   1.7.0
ocp4-cis-node                             4m54s   1.7.0
ocp4-cis-node-1-7                         4m54s   1.7.0
upstream-ocp4-cis                         27s     1.9.0
upstream-ocp4-cis-1-7                     27s     1.7.0
upstream-ocp4-cis-1-9                     27s     1.9.0
upstream-ocp4-cis-node                    27s     1.9.0
upstream-ocp4-cis-node-1-7                27s     1.7.0
upstream-ocp4-cis-node-1-9                27s     1.9.0
  3. Getting suites, scans, ccrs:
oc get compliancesuites -n openshift-compliance
NAME                    PHASE   RESULT
upstream-ocp4-cis-1-9   DONE    NON-COMPLIANT
oc get scans
NAME                    PHASE   RESULT
upstream-ocp4-cis-1-9   DONE    NON-COMPLIANT
oc get ccr
NAME                                                                           STATUS   SEVERITY
upstream-ocp4-cis-1-9-accounts-restrict-service-account-tokens                 MANUAL   medium
upstream-ocp4-cis-1-9-accounts-unique-service-account                          MANUAL   medium
upstream-ocp4-cis-1-9-api-server-admission-control-plugin-alwaysadmit          PASS     medium
....
oc get cr
NAME                                                            STATE
upstream-ocp4-cis-1-9-api-server-encryption-provider-cipher-1   NotApplied
upstream-ocp4-cis-1-9-audit-profile-set                         NotApplied
upstream-ocp4-cis-1-9-ingress-controller-tls-cipher-suites      NotApplied
  4. Count rules in both versions:
echo "1.7.0 rules:" && oc get profile upstream-ocp4-cis-1-7 -n openshift-compliance -o jsonpath='{.rules[*]}' | tr ' ' '\n' | wc -l
1.7.0 rules:
99

echo "1.9.0 rules:" && oc get profile upstream-ocp4-cis-1-9 -n openshift-compliance -o jsonpath='{.rules[*]}' | tr ' ' '\n' | wc -l
1.9.0 rules:
95
  5. See the rule difference between v1.7.0 and 1.9.0:
comm -23 \
  <(oc get profile upstream-ocp4-cis-1-7 -n openshift-compliance -o jsonpath='{.rules[*]}' | tr ' ' '\n' | sort) \
  <(oc get profile upstream-ocp4-cis-1-9 -n openshift-compliance -o jsonpath='{.rules[*]}' | tr ' ' '\n' | sort)
upstream-ocp4-api-server-basic-auth
upstream-ocp4-api-server-token-auth
upstream-ocp4-controller-insecure-port-disabled
upstream-ocp4-controller-secure-port

@xiaojiey
Collaborator

xiaojiey commented Mar 2, 2026

/lgtm
Added deprecation check for cis 1-7 profiles:

$ oc get profile upstream-ocp4-cis-1-7 -o=jsonpath={.metadata.annotations.compliance\\.openshift\\.io/profile-status} 
deprecated
$ oc get profile upstream-ocp4-cis-node-1-7 -o=jsonpath={.metadata.annotations.compliance\\.openshift\\.io/profile-status} 
deprecated
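The three verification comments above repeat the same manual procedure: confirm the new profile is present with the expected version, diff the rule lists of the old and new profiles, count the rules, and confirm the superseded profile carries the `deprecated` status annotation. The script below is an added example (not code from this PR or from ComplianceAsCode/content) that performs those checks offline on a constructed `oc get profile -o json` style document. It uses only fields the page shows (`rules`, `metadata.annotations["compliance.openshift.io/profile-status"]`), plus a top-level `version` field assumed from the VERSION column of `oc get profiles`; the rule lists are cut down to a few names from the page, with the four rules the `comm -23` step found as the expected removals. On a real cluster you would feed it `oc get profile -n openshift-compliance -o json` instead of the sample.

```python
from __future__ import annotations

import json
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Annotation the compliance operator sets on superseded profiles; the
# verification above reads it with `oc get profile ... -o jsonpath`.
PROFILE_STATUS_ANNOTATION = "compliance.openshift.io/profile-status"

# The four rules the `comm -23` step found in 1.7 but not in 1.9.
REMOVED_IN_1_9: FrozenSet[str] = frozenset({
    "upstream-ocp4-api-server-basic-auth",
    "upstream-ocp4-api-server-token-auth",
    "upstream-ocp4-controller-insecure-port-disabled",
    "upstream-ocp4-controller-secure-port",
})

# Constructed sample standing in for `oc get profile -o json` output (a
# List of Profile objects). Rule lists are trimmed to a few names from the
# page; the top-level "version" field is assumed from the VERSION column.
SAMPLE_PROFILE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "compliance.openshift.io/v1alpha1",
            "kind": "Profile",
            "metadata": {
                "name": "upstream-ocp4-cis-1-7",
                "namespace": "openshift-compliance",
                "annotations": {PROFILE_STATUS_ANNOTATION: "deprecated"},
            },
            "version": "1.7.0",
            "rules": [
                "upstream-ocp4-accounts-restrict-service-account-tokens",
                "upstream-ocp4-accounts-unique-service-account",
                "upstream-ocp4-api-server-admission-control-plugin-alwaysadmit",
                *sorted(REMOVED_IN_1_9),
            ],
        },
        {
            "apiVersion": "compliance.openshift.io/v1alpha1",
            "kind": "Profile",
            "metadata": {
                "name": "upstream-ocp4-cis-1-9",
                "namespace": "openshift-compliance",
                "annotations": {},
            },
            "version": "1.9.0",
            "rules": [
                "upstream-ocp4-accounts-restrict-service-account-tokens",
                "upstream-ocp4-accounts-unique-service-account",
                "upstream-ocp4-api-server-admission-control-plugin-alwaysadmit",
            ],
        },
    ],
})


def load_profiles(raw_json: str) -> Dict[str, dict]:
    """Index Profile objects by name; accepts a single Profile or a List."""
    doc = json.loads(raw_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return {p["metadata"]["name"]: p for p in items}


def rule_diff(old: dict, new: dict) -> Tuple[Set[str], Set[str]]:
    """(rules only in old, rules only in new): the comm -23 step, both ways."""
    old_rules, new_rules = set(old.get("rules", [])), set(new.get("rules", []))
    return old_rules - new_rules, new_rules - old_rules


def profile_status(profile: dict) -> Optional[str]:
    """Value of the profile-status annotation, or None when unset."""
    return profile["metadata"].get("annotations", {}).get(PROFILE_STATUS_ANNOTATION)


def check_version_bump(profiles: Dict[str, dict], old_name: str, new_name: str,
                       new_version: str, expected_removed: FrozenSet[str] = frozenset(),
                       expected_added: FrozenSet[str] = frozenset()) -> List[str]:
    """Return a list of findings; an empty list means the bump looks right."""
    findings: List[str] = []
    old, new = profiles.get(old_name), profiles.get(new_name)
    if old is None or new is None:
        return [f"missing profile(s): {[n for n in (old_name, new_name) if n not in profiles]}"]
    if new.get("version") != new_version:
        findings.append(f"{new_name} reports version {new.get('version')!r}, expected {new_version!r}")
    if profile_status(old) != "deprecated":
        findings.append(f"{old_name} is not annotated deprecated")
    if profile_status(new) == "deprecated":
        findings.append(f"{new_name} is annotated deprecated")
    removed, added = rule_diff(old, new)
    if removed != set(expected_removed):
        findings.append(f"removed rules differ from expectation: {sorted(removed ^ set(expected_removed))}")
    if added != set(expected_added):
        findings.append(f"added rules differ from expectation: {sorted(added ^ set(expected_added))}")
    # `wc -l` over the jsonpath output would count a duplicated rule twice.
    dupes = {r for r in new["rules"] if new["rules"].count(r) > 1}
    if dupes:
        findings.append(f"{new_name} lists rules more than once: {sorted(dupes)}")
    return findings


if __name__ == "__main__":
    found = check_version_bump(load_profiles(SAMPLE_PROFILE_LIST), "upstream-ocp4-cis-1-7",
                               "upstream-ocp4-cis-1-9", "1.9.0", expected_removed=REMOVED_IN_1_9)
    print("OK" if not found else "\n".join(found))
```

Passing `expected_removed` explicitly is the point: a rule that disappears from the new profile without being on the list (a control the benchmark dropped versus a control that was silently lost in the port) shows up as a finding instead of being hidden in a lower rule count.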
