OCPBUGS-33948: Clairfy encryption ciphers available for use in OpenShift

Previously, we were only advertising aescbc, even though the rule checks for aesgcm, too. This commit updates the instruction so that it is consistent with what OpenShift supports.
ComplianceAsCode · Jun 24, 2024 · bd235d7 · bd235d7
1 parent 644de12
commit bd235d7
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml b/applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml
@@ -68,11 +68,12 @@ platform: not ocp4-on-hypershift-hosted
 ocil_clause: '<tt>aescbc</tt> is not configured as the encryption provider'
 
 ocil: |-
-    OpenShift supports encryption of data at rest of etcd datastore, but it is up to the
-    customer to configure. The asecbc cipher is used. No other ciphers are supported. Keys
-    are stored on the filesystem of the master and automatically rotated.
-    Run the following command to review the Encrypted status condition for the OpenShift
-    API server to verify that its resources were successfully encrypted:
+    OpenShift supports encryption of data at rest of etcd datastore, but it is
+    up to the customer to configure. The asecbc and aesgcm ciphers are
+    available for use within OpenShift. Keys are stored on the filesystem of
+    the master and automatically rotated. Run the following command to review
+    the Encrypted status condition for the OpenShift API server to verify that its
+    resources were successfully encrypted:
     <pre>
     # encrypt the etcd datastore
     $ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.status}{"\n"}{.reason}{"\n"}{.message}{"\n"}{end}'