OpenShift must remove old components after updated versions have been installed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257570	CNTR-OS-000880	SV-257570r921653_rule		Medium

Description
Previous versions of OpenShift components that are not removed from the container platform after updates have been installed may be exploited by adversaries by causing older components to execute which contain vulnerabilities. When these components are deleted, the likelihood of this happening is removed. Satisfies: SRG-APP-000454-CTR-001110, SRG-APP-000454-CTR-001115

STIG	Date
Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide	2023-08-28

Details

Check Text ( C-61305r921651_chk )
Ensure the imagepruner is configured and is not in a suspended state by executing the following: oc get imagepruners.imageregistry.operator.openshift.io/cluster -o jsonpath='{.spec}{"\n"}' Review the settings. If "suspend" is set to "true", this is a finding.

Fix Text (F-61229r921652_fix)
Enable the image pruner to automate the pruning of images from the cluster by executing the following: oc patch imagepruners.imageregistry.operator.openshift.io/cluster --type=merge -p '{"spec":{"suspend":false}}' For additional details on configuring the image pruner operator, refer to the following document: https://docs.openshift.com/container-platform/4.8/applications/pruning-objects.html#pruning-images_pruning-objects

Fix Text (F-61229r921652_fix)

Enable the image pruner to automate the pruning of images from the cluster by executing the following:

oc patch imagepruners.imageregistry.operator.openshift.io/cluster --type=merge -p '{"spec":{"suspend":false}}'

For additional details on configuring the image pruner operator, refer to the following document:
https://docs.openshift.com/container-platform/4.8/applications/pruning-objects.html#pruning-images_pruning-objects