CMP-4110: Implement CIS OpenShift version 1.9.0#14431

Merged
yuumasato merged 7 commits into ComplianceAsCode:master from rhmdnd:CMP-4110
Mar 11, 2026

Conversation

@rhmdnd (Collaborator) commented Feb 19, 2026

  • Bump CIS OpenShift version from 1.7.0 to 1.9.0
  • Add CIS OpenShift 1.9.0 profile and controls
  • Implement CIS OpenShift v1.9.0 section 1
  • Add CIS OpenShift v1.9.0 section 2
  • Implement CIS OpenShift v1.9.0 section 3
  • Implement CIS OpenShift v1.9.0 section 4
  • Implement CIS OpenShift v1.9.0 section 5

@rhmdnd changed the title from "CMP 4110" to "CMP-4110: Implement CIS OpenShift version 1.9.0" on Feb 19, 2026
Commit messages:

Bump CIS OpenShift version from 1.7.0 to 1.9.0

Version 1.9.0 was released last month. Let's update the profile to match
the latest version.

Assisted-By: Claude Opus 4.6

Add CIS OpenShift 1.9.0 profile and controls

CIS 1.9.0 benchmark has some minor differences from 1.7.0. Let's add
some separate control files for 1.9.0 so we can make those changes
without affecting 1.7.0.

Assisted-By: Claude Opus 4.6

Implement CIS OpenShift v1.9.0 section 1

Section 1 remains largely the same as version 1.7.0, with minor
differences:

- 1.1.12 had a wording change in the title
- 1.2.2 and 1.2.3 were removed in version 1.9.0 causing the control IDs
  to shift
- 1.3.5 was removed in version 1.9.0

This commit accounts for those removals and indexing changes.

Assisted-By: Claude Opus 4.6

Add CIS OpenShift v1.9.0 section 2

This section remains the same as version 1.7.0.

Assisted-By: Claude Opus 4.6

Implement CIS OpenShift v1.9.0 section 3

This section remains the same as version 1.7.0.

Assisted-By: Claude Opus 4.6

Implement CIS OpenShift v1.9.0 section 4

This section is largely the same as version 1.7.0 with one minor
wording change to control 4.2.8, otherwise the technical controls are
the same.

Assisted-By: Claude Opus 4.6

Implement CIS OpenShift v1.9.0 section 5

This section remains the same as version 1.7.0.

Assisted-By: Claude Opus 4.6
@Anna-Koudelkova (Collaborator) commented Feb 23, 2026

Pre-merge verification passed on OCP 4.18 + compliance operator 1.8.2 + content build with this PR.
Verification steps:

  1. Install CO 1.8.2 and build content from this PR.
  2. Verify CIS 1.9.0 is present:
$ oc get profiles | grep cis
ocp4-cis                                  40m   1.7.0
ocp4-cis-1-7                              40m   1.7.0
ocp4-cis-node                             40m   1.7.0
ocp4-cis-node-1-7                         40m   1.7.0
upstream-ocp4-cis                         38m   1.9.0
upstream-ocp4-cis-1-7                     38m   1.7.0
upstream-ocp4-cis-1-9                     38m   1.9.0
upstream-ocp4-cis-node                    38m   1.9.0
upstream-ocp4-cis-node-1-7                38m   1.7.0
upstream-ocp4-cis-node-1-9                38m   1.9.0
  3. Create an SSB with the new profiles, check that it is ready, and check the results of the suite and scans and that the ccr and cr objects get created:
$ oc compliance bind -N test profile/upstream-ocp4-cis-1-9 profile/upstream-ocp4-cis-node-1-9
Creating ScanSettingBinding test

$ oc get suite
NAME   PHASE   RESULT
test   DONE    NON-COMPLIANT

$ oc get scans
NAME                                PHASE   RESULT
upstream-ocp4-cis-1-9               DONE    NON-COMPLIANT
upstream-ocp4-cis-node-1-9-master   DONE    COMPLIANT
upstream-ocp4-cis-node-1-9-worker   DONE    COMPLIANT

$ oc get ccr
NAME                                                                                       STATUS   SEVERITY
upstream-ocp4-cis-1-9-accounts-restrict-service-account-tokens                             MANUAL   medium
upstream-ocp4-cis-1-9-accounts-unique-service-account                                      MANUAL   medium
upstream-ocp4-cis-1-9-api-server-admission-control-plugin-alwaysadmit                      PASS     medium
upstream-ocp4-cis-1-9-api-server-admission-control-plugin-alwayspullimages                 PASS     high
upstream-ocp4-cis-1-9-api-server-admission-control-plugin-namespacelifecycle               PASS     medium
...

$ oc get cr
NAME                                                            STATE
upstream-ocp4-cis-1-9-api-server-encryption-provider-cipher-1   NotApplied
upstream-ocp4-cis-1-9-audit-profile-set                         NotApplied
upstream-ocp4-cis-1-9-ingress-controller-tls-cipher-suites      NotApplied

@taimurhafeez (Contributor) commented Feb 27, 2026

Passed on OCP 4.21:

  1. SSB used:
cat ssb-for-cis190.yaml 
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: upstream-ocp4-cis-1-9
  namespace: openshift-compliance
profiles:
  - name: upstream-ocp4-cis-1-9
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
  2. Confirming profiles:
oc get profiles | grep cis
ocp4-cis                                  4m54s   1.7.0
ocp4-cis-1-7                              4m54s   1.7.0
ocp4-cis-node                             4m54s   1.7.0
ocp4-cis-node-1-7                         4m54s   1.7.0
upstream-ocp4-cis                         27s     1.9.0
upstream-ocp4-cis-1-7                     27s     1.7.0
upstream-ocp4-cis-1-9                     27s     1.9.0
upstream-ocp4-cis-node                    27s     1.9.0
upstream-ocp4-cis-node-1-7                27s     1.7.0
upstream-ocp4-cis-node-1-9                27s     1.9.0
  3. Getting suites, scans, ccrs:
oc get compliancesuites -n openshift-compliance
NAME                    PHASE   RESULT
upstream-ocp4-cis-1-9   DONE    NON-COMPLIANT
oc get scans
NAME                    PHASE   RESULT
upstream-ocp4-cis-1-9   DONE    NON-COMPLIANT
oc get ccr
NAME                                                                           STATUS   SEVERITY
upstream-ocp4-cis-1-9-accounts-restrict-service-account-tokens                 MANUAL   medium
upstream-ocp4-cis-1-9-accounts-unique-service-account                          MANUAL   medium
upstream-ocp4-cis-1-9-api-server-admission-control-plugin-alwaysadmit          PASS     medium
....
oc get cr
NAME                                                            STATE
upstream-ocp4-cis-1-9-api-server-encryption-provider-cipher-1   NotApplied
upstream-ocp4-cis-1-9-audit-profile-set                         NotApplied
upstream-ocp4-cis-1-9-ingress-controller-tls-cipher-suites      NotApplied
  4. Count rules in both versions:
echo "1.7.0 rules:" && oc get profile upstream-ocp4-cis-1-7 -n openshift-compliance -o jsonpath='{.rules[*]}' | tr ' ' '\n' | wc -l
1.7.0 rules:
99

echo "1.9.0 rules:" && oc get profile upstream-ocp4-cis-1-9 -n openshift-compliance -o jsonpath='{.rules[*]}' | tr ' ' '\n' | wc -l
1.9.0 rules:
95
  5. See the rule difference between v1.7.0 and v1.9.0:
comm -23 \
  <(oc get profile upstream-ocp4-cis-1-7 -n openshift-compliance -o jsonpath='{.rules[*]}' | tr ' ' '\n' | sort) \
  <(oc get profile upstream-ocp4-cis-1-9 -n openshift-compliance -o jsonpath='{.rules[*]}' | tr ' ' '\n' | sort)
upstream-ocp4-api-server-basic-auth
upstream-ocp4-api-server-token-auth
upstream-ocp4-controller-insecure-port-disabled
upstream-ocp4-controller-secure-port

@xiaojiey (Collaborator) commented Mar 2, 2026

/lgtm
Added deprecation check for cis 1-7 profiles:

$ oc get profile upstream-ocp4-cis-1-7 -o=jsonpath={.metadata.annotations.compliance\\.openshift\\.io/profile-status} 
deprecated
$ oc get profile upstream-ocp4-cis-node-1-7 -o=jsonpath={.metadata.annotations.compliance\\.openshift\\.io/profile-status} 
deprecated
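Added example, not code from this PR or the ComplianceAsCode project: a small offline check that reproduces the two verification steps above (the rule-set diff between the 1.7 and 1.9 profiles that `comm -23` printed, and the `compliance.openshift.io/profile-status` deprecation annotation) over constructed Profile JSON. The JSON layout is reduced to the `.rules` field and the annotation the commands above read, and the rule names are assumptions modelled on the `comm -23` output.

```python
import json

# Constructed sample modelled on `oc get profile <name> -o json`, reduced to
# the two fields the commands above read: .rules and the
# compliance.openshift.io/profile-status annotation. Rule names are assumed
# (the four listed by `comm -23` above plus two shared ones).
PROFILE_1_7_JSON = json.dumps({
    "metadata": {"name": "upstream-ocp4-cis-1-7",
                 "annotations": {"compliance.openshift.io/profile-status": "deprecated"}},
    "rules": ["upstream-ocp4-api-server-basic-auth",
              "upstream-ocp4-api-server-token-auth",
              "upstream-ocp4-controller-insecure-port-disabled",
              "upstream-ocp4-controller-secure-port",
              "upstream-ocp4-accounts-unique-service-account",
              "upstream-ocp4-audit-profile-set"]})
PROFILE_1_9_JSON = json.dumps({
    "metadata": {"name": "upstream-ocp4-cis-1-9", "annotations": {}},
    "rules": ["upstream-ocp4-accounts-unique-service-account",
              "upstream-ocp4-audit-profile-set"]})
# Removals the benchmark changelog accounts for (hypothetical list).
EXPECTED_REMOVED = ["upstream-ocp4-api-server-basic-auth",
                    "upstream-ocp4-api-server-token-auth",
                    "upstream-ocp4-controller-insecure-port-disabled",
                    "upstream-ocp4-controller-secure-port"]

def rule_diff(old_json, new_json):
    """Return (removed, added) rule names; `removed` is what `comm -23` printed."""
    old = set(json.loads(old_json)["rules"])
    new = set(json.loads(new_json)["rules"])
    return sorted(old - new), sorted(new - old)

def is_deprecated(profile_json):
    """True when the profile carries the deprecation status annotation."""
    annotations = json.loads(profile_json)["metadata"].get("annotations", {})
    return annotations.get("compliance.openshift.io/profile-status") == "deprecated"

def verify_upgrade(old_json, new_json, expected_removed):
    """Discrepancies a reviewer would raise: superseded profile not deprecated,
    or rule-set changes the changelog does not account for (empty list = OK)."""
    removed, added = rule_diff(old_json, new_json)
    problems = []
    if not is_deprecated(old_json):
        problems.append("superseded profile is not marked deprecated")
    for rule in sorted(set(removed) - set(expected_removed)):
        problems.append("removal not in changelog: " + rule)
    for rule in added:
        problems.append("addition not in changelog: " + rule)
    return problems
```

Against a live cluster the two JSON strings would come from `oc get profile <name> -n openshift-compliance -o json`; the changelog list is the part a reviewer still has to compile by hand, which is the gap the review comment below points out.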

@yuumasato (Member) left a comment

/lgtm
I checked the Released Benchmarks, the listed changes, and compared it against the 1.7 control file.

And I realized that the changelog entries in the Benchmark and the CIS tickets don't reflect all that changed from one version to another.
For example, in CIS v1.8.0, Requirements 1.2.2 and 1.2.3 were removed, but I don't see it reflected anywhere.

The summary changes from Claude:
v1.9.0 removed 3 deprecated/obsolete API server and controller manager controls (basic-auth-file, token-auth-file, bind-address), renumbered accordingly, and updated some section 5 status values.

@yuumasato yuumasato added this to the 0.1.81 milestone Mar 11, 2026
@yuumasato yuumasato self-assigned this Mar 11, 2026
@yuumasato added the labels OpenShift (OpenShift product related), CIS (CIS Benchmark related), New Profile (Issues or pull requests related to new Profiles) and Update Profile (Issues or pull requests related to Profiles updates) on Mar 11, 2026
@yuumasato yuumasato merged commit d37c4c4 into ComplianceAsCode:master Mar 11, 2026
63 of 64 checks passed