- Bug
- Resolution: Done-Errata
- Normal
- None
- 4.17.0
- Low
- None
- False
Description of problem:

The instructions for rule ocp4-etcd-unique-ca are not accurate. For 417 and higher versions, the instruction doesn't work.

% oc get rule ocp4-etcd-unique-ca -o=jsonpath={.instructions}
Run the following command:
oc debug node/$NODE -- diff /host/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-serving-ca/ca-bundle.crt /host/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/client-ca/ca-bundle.crt
where $NODE is a master node.
If you don't see diff output the differences, you might have a compromise and should isolate the cluster.
OpenShift will use separate PKIs by default.
Is it the case that The etcd CA certificate is not unique?%

% oc debug node/xiyuan-417-23a-ljr2n-master-0 -- diff /host/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-serving-ca/ca-bundle.crt /host/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/client-ca/ca-bundle.crt
Temporary namespace openshift-debug-4kr8v is created for debugging node...
Starting pod/xiyuan-417-23a-ljr2n-master-0-debug-jprt4 ...
To use host binaries, run `chroot /host`
diff: /host/etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-serving-ca/ca-bundle.crt: No such file or directory
Removing debug pod ...
Temporary namespace openshift-debug-4kr8v was removed.
error: non-zero exit code from debug container
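As an added illustration (not part of this bug report and not the compliance operator's own code), the following Python reimplements the check the rule describes without relying on raw diff output: it compares the SHA-256 fingerprints of the certificates in the two bundles, so identical CAs in a different order are still caught, and it reports a missing bundle path (the failure shown above) as an error instead of a result. All certificate bodies and file paths in it are constructed placeholders.

```python
import base64
import hashlib
import re
from pathlib import Path

# One PEM certificate block; the base64 body is captured for decoding to DER.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate in a PEM bundle."""
    return {
        hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
        for body in PEM_BLOCK.findall(pem_text)
    }


def evaluate_unique_ca(etcd_bundle, apiserver_bundle):
    """Return (status, shared_fingerprints).

    "PASS": the bundles share no certificate. "FAIL": at least one CA cert is
    in both, so the etcd CA is not unique. "ERROR": a bundle is missing or
    empty, which is the case a wrong path must surface rather than mask.
    """
    if etcd_bundle is None or apiserver_bundle is None:
        return "ERROR", set()
    etcd, apiserver = fingerprints(etcd_bundle), fingerprints(apiserver_bundle)
    if not etcd or not apiserver:
        return "ERROR", set()
    shared = etcd & apiserver
    return ("FAIL" if shared else "PASS"), shared


def read_bundle(path):
    """Read a bundle; None when the path does not exist on this node."""
    try:
        return Path(path).read_text()
    except FileNotFoundError:
        return None


def fake_cert(label):
    """Constructed PEM block with a placeholder body, not a real certificate."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundles: the second shares the "etcd-signer" placeholder.
ETCD_CA = fake_cert("etcd-signer") + fake_cert("etcd-signer-next")
APISERVER_CA = fake_cert("kube-control-plane-signer") + fake_cert("etcd-signer")
```

On a real node the two arguments would come from `read_bundle()` on the two ca-bundle.crt paths, and an "ERROR" result means the check could not run, not that the CAs are unique.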
Version-Release number of selected component (if applicable):
4.17.0-0.nightly-2024-09-22-162519 + compliance-operator.v1.6.0
How reproducible:
Always
Steps to Reproduce:
1. Install compliance-operator.v1.6.0
2. Get the instructions for rule ocp4-etcd-unique-ca, and check whether the command in the instruction works or not.
   % oc get rule ocp4-etcd-unique-ca -o=jsonpath={.instructions}
Actual results:
The command in the instructions returns an error.
Expected results:
The command in the instructions should not return an error.
Additional info:
Links to: RHBA-2025:3728 OpenShift Compliance Operator 1.7.0