diff --git a/applications/openshift/networking/configure_appropriate_network_policies/rule.yml b/applications/openshift/networking/configure_appropriate_network_policies/rule.yml index 1d94cb556410..4c638040f822 100644 --- a/applications/openshift/networking/configure_appropriate_network_policies/rule.yml +++ b/applications/openshift/networking/configure_appropriate_network_policies/rule.yml @@ -1,9 +1,9 @@ documentation_complete: true -title: 'Ensure appropriate Network Policies are configured' +title: 'Ensure Appropriate Network Policies are Configured' description: |- - Configure Network Policies in any application namespace in an approrpriate way, so that + Configure Network Policies in any application namespace in an appropriate way, so that only the required communications are allowed. The Network Policies should precisely define source and target using label selectors and ports. @@ -26,18 +26,17 @@ severity: medium identifiers: {} -references: - bsi: APP.4.4.A19 - ocil_clause: 'Network Policies need to be evaluated if they are appropriate' ocil: |- For each non-default namespace in the cluster, review the configured Network Policies - and ensure that they only allow the necessary network network connections. They should should + and ensure that they only allow the necessary network connections. They should precisely define source and target using label selectors and ports. 1. Get a list of existing projects(namespaces), exclude default, kube-*, openshift-* -
$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name]'
+
$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name]'
+ + Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check. 2. For each of these namespaces, review the network policies:
$ oc get networkpolicies -n $namespace -o yaml
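Review bot: the exempt regex is interpolated unescaped into a jq string literal (`test("{{.var_network_policies_namespaces_exempt_regex}}")`) that itself sits inside a single-quoted shell argument, so a variable value containing a double quote or a backslash would break the jq program rather than be used as a pattern; either document that constraint on the variable's allowed values or escape the value before substitution. Two smaller points in the same hunk: step 1 says it excludes `openshift-*`, but the filter is `startswith("openshift")` (no hyphen), which also drops any user namespace whose name merely begins with "openshift", so tighten the test to `startswith("openshift-")` or adjust the text; and the new sentence names the XCCDF id `ocp4-var-network-policies-namespaces-exempt-regex` while the template reads `var_network_policies_namespaces_exempt_regex`, so use one form consistently (or state both) for whoever has to set the variable. Separately, removing the whole `references:` block with `bsi: APP.4.4.A19` leaves this rule with no references; the controls/bsi_app_4_4.yml hunk in this patch only rewords the notes, so confirm the rule is still selected under that control so it keeps appearing in the BSI profile.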
diff --git a/applications/openshift/networking/project_template_network_policy/rule.yml b/applications/openshift/networking/project_template_network_policy/rule.yml index cbda8e66ceaa..84c2b8aefde7 100644 --- a/applications/openshift/networking/project_template_network_policy/rule.yml +++ b/applications/openshift/networking/project_template_network_policy/rule.yml @@ -34,7 +34,6 @@ ocil: |- return true. references: - bsi: APP.4.4.A18 srg: SRG-APP-000039-CTR-000110 identifiers: @@ -56,4 +55,3 @@ template: values: - value: "true" operation: "pattern match" - diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml index 460498ad4cd3..fa2873058f67 100644 --- a/controls/bsi_app_4_4.yml +++ b/controls/bsi_app_4_4.yml @@ -437,9 +437,8 @@ controls: can only be changed by authorised persons and management services. notes: >- In a cluster using a network plugin that supports Kubernetes network policy, network isolation - is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugins (OpenShift SDN, - OVN Kubernetes) supports using network policy. Support for NetworkPolicy objects is verified - using rules. + is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugin (OVN-Kubernetes) + supports using network policy. Support for NetworkPolicy objects is verified using rules. Section 1-3: By default, all pods in a project are accessible from other pods and network endpoints. To isolate one or more pods in a project, you need to create NetworkPolicy objects in that project
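Review bot: in project_template_network_policy/rule.yml (hunk @@ -34,7 +34,6 @@), dropping `bsi: APP.4.4.A18` from `references:` removes the only BSI mapping visible for this rule while keeping the `srg:` entry; the controls/bsi_app_4_4.yml hunk in this patch changes only the notes text, so please confirm the rule is listed under the APP.4.4.A18 control in that file, otherwise the rule silently disappears from the BSI profile.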
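Review bot: the rewritten notes in controls/bsi_app_4_4.yml now state that OVN-Kubernetes is "the default plugin", replacing the previous wording that also named OpenShift SDN; since this control file may still be applied to older clusters running OpenShift SDN, consider qualifying it (for example "the default plugin in current releases") or naming the release from which OpenShift SDN is no longer available, so the statement stays accurate for readers on those clusters. The rest of the hunk (joining the two sentences onto the reflowed lines) reads fine.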