diff --git a/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml b/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml index 8e05c3f6ff4b..50ce8c257127 100644 --- a/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml +++ b/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml @@ -1,12 +1,16 @@ - - {{{ oval_metadata("One of the flowschema versions should exist, but it doesn't matter which") }}} - - - - - + {{{ + oval_metadata("One of the flowschema versions should exist, but it doesn't matter which") }}} + + + + - + \ No newline at end of file diff --git a/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/rule.yml b/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/rule.yml index b04efb9486eb..f990f73a6eb9 100644 --- a/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/rule.yml +++ b/applications/openshift/api-server/api_server_api_priority_flowschema_catch_all/rule.yml @@ -45,4 +45,4 @@ ocil: |- warnings: - general: |- - {{{ openshift_cluster_setting(["/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all"], true) | indent(8) }}} + {{{ openshift_cluster_setting(["/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all", "/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all"], true) | indent(8) }}} 
diff --git a/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/rule.yml b/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/rule.yml
new file mode 100644
index 000000000000..b78100414b6a
--- /dev/null
+++ b/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/rule.yml
@@ -0,0 +1,67 @@
+documentation_complete: true
+
+title: 'Ensure catch-all FlowSchema object for API Priority and Fairness Exists'
+
+description: |-
+ Using APIPriorityAndFairness feature provides a fine-grained way
+ to control the behaviour of the Kubernetes API server in an overload
+ situation. The well-known FlowSchema catch-all should be available
+ to make sure that every request gets some kind of classification. By default,
+ the catch-all priority level only allows one concurrency share and
+ does not queue requests. To inspect all the FlowSchema objects, run:
+
oc get flowschema
+ To inspect the well-known catch-all object, run the following:
+
oc describe flowschema catch-all
+
+rationale: |-
+ The FlowSchema API objects enforce a limit on the
+ number of events that the API Server will accept in a given time slice
+ In a large multi-tenant cluster, there might be a small percentage of
+ misbehaving tenants which could have a significant impact on the
+ performance of the cluster overall. It is recommended to limit the rate
+ of events that the API Server will accept.
+
+identifiers:
+ cce@ocp4: CCE-86097-3
+
+platforms:
+ - ocp4.16
+
+severity: medium
+
+references:
+ cis@ocp4: 1.2.10
+ nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
+ nist: CM-6,CM-6(1)
+ pcidss: Req-2.2
+ srg: SRG-APP-000516-CTR-001325
+
+ocil_clause: 'A FlowSchema object catch-all exists'
+
+ocil: |-
+ Run the following commands:
+
oc get flowschema
+ and inspect the FlowSchema objects. Make sure that at least the catch-all
+ object exists by calling:
+
oc describe flowschema catch-all
+
+warnings:
+- general: |-
+ {{{ openshift_cluster_setting("/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all", true) | indent(4) }}}
+- dependency: |-
+ Note that this is only applicable in OpenShift Container Platform version 4.16
+ and higher
+
+template:
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: "/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all"
+ yamlpath: '.spec.rules[0].subjects[:].group["name"]'
+ check_existence: "at_least_one_exists"
+ entity_check: "at least one"
+ values:
+ - value: "system:authenticated"
+ operation: "pattern match"
+ check_existence: "at_least_one_exists"
+ entity_check: "at least one"
diff --git a/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/tests/ocp4/4.16.yml b/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/tests/ocp4/4.16.yml
new file mode 100644
index 000000000000..a700773455bb
--- /dev/null
+++ b/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/tests/ocp4/4.16.yml
@@ -0,0 +1,3 @@
+---
+default_result: PASS
+
diff --git a/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml b/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml
index 19be7580b299..152ffc65e316 100644
--- a/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml
+++ b/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 cce@ocp4: CCE-86390-2
 platforms:
- - ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16
+ - ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15
 severity: medium
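Review bot: `ocil_clause: 'A FlowSchema object catch-all exists'` in the new rule.yml is phrased as the passing state; if ocil_clause is rendered into the "Is it the case that …?" failure question, as is usual for this key in the project, it should describe the failing state, e.g. `ocil_clause: 'a FlowSchema object catch-all does not exist'`. The rationale block is also missing a sentence break after `in a given time slice` before `In a large multi-tenant cluster`. The only fixture added for this rule (tests/ocp4/4.16.yml) declares `default_result: PASS`, so nothing exercises the failing path where the catch-all object or its `system:authenticated` subject is missing; a fail fixture would pin the template's `.spec.rules[0].subjects[:].group["name"]` check. The rule is selected only in default.profile in this diff; since it carries `cis@ocp4: 1.2.10`, check whether the profiles that select the v1alpha1/v1beta variants for that control also need the v1 rule.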
diff --git a/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.14.yml b/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.14.yml
new file mode 100644
index 000000000000..a700773455bb
--- /dev/null
+++ b/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.14.yml
@@ -0,0 +1,3 @@
+---
+default_result: PASS
+
diff --git a/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.15.yml b/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.15.yml
new file mode 100644
index 000000000000..a700773455bb
--- /dev/null
+++ b/applications/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.15.yml
@@ -0,0 +1,3 @@
+---
+default_result: PASS
+
diff --git a/products/ocp4/profiles/default.profile b/products/ocp4/profiles/default.profile
index 71e340a6468e..aa4a79e4196f 100644
--- a/products/ocp4/profiles/default.profile
+++ b/products/ocp4/profiles/default.profile
@@ -43,6 +43,7 @@ selections:
 - kubelet_eviction_thresholds_set_soft_imagefs_inodesfree
 - file_groupowner_kubeconfig
 - api_server_api_priority_v1alpha1_flowschema_catch_all
+ - api_server_api_priority_v1_flowschema_catch_all
 - file_groupowner_openvswitch
 - gcp_disk_encryption_enabled
 - kubelet_configure_tls_cipher_suites_ingresscontroller
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 08e6a876d398..a3c56b660ea5 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -6,7 +6,6 @@ CCE-86082-5
 CCE-86083-3
 CCE-86087-4
 CCE-86088-2
-CCE-86097-3
 CCE-86101-3
 CCE-86105-4
 CCE-86106-2