Adjusted rules for BSI APP.4.4.A18 according to review
benruland committed Oct 4, 2024
1 parent 86c69fc commit f5af76e
Showing 3 changed files with 10 additions and 9 deletions.
@@ -1,9 +1,9 @@
documentation_complete: true

title: 'Ensure appropriate Network Policies are configured'
title: 'Ensure Appropriate Network Policies are Configured'

description: |-
Configure Network Policies in any application namespace in an approrpriate way, so that
Configure Network Policies in any application namespace in an appropriate way, so that
only the required communications are allowed. The Network Policies should precisely define
source and target using label selectors and ports.
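Review bot: the new title is inconsistently capitalised: "Ensure Appropriate Network Policies are Configured" capitalises "Appropriate" and "Configured" but leaves "are" lower-case; if the intent is title case, make it "Ensure Appropriate Network Policies Are Configured", otherwise keep the original sentence case and only fix the description typo.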
Expand Down Expand Up @@ -33,11 +33,13 @@ ocil_clause: 'Network Policies need to be evaluated if they are appropriate'

ocil: |-
For each non-default namespace in the cluster, review the configured Network Policies
and ensure that they only allow the necessary network network connections. They should should
and ensure that they only allow the necessary network connections. They should
precisely define source and target using label selectors and ports.
1. Get a list of existing projects(namespaces), exclude default, kube-*, openshift-*
<pre>$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name]'</pre>
<pre>$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name]'</pre>
Namespaces matching the variable <tt>ocp4-var-network-policies-namespaces-exempt-regex</tt> regex are excluded from this check.
2. For each of these namespaces, review the network policies:
<pre>$ oc get networkpolicies -n $namespace -o yaml</pre>
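Review bot: the replacement `<pre>` command in step 1 contains a doubled conjunction, `.metadata.name != "default" and and ({{if ...`, so the jq filter shown to the auditor is a syntax error and the command fails as written; drop one `and`. The equivalent filter in the second changed file (`non_ctlplane_namespaces_filter`) uses a single `and` and is the form to copy here.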
Expand Up @@ -27,7 +27,7 @@ references:
{{% set networkpolicies_api_path = '/apis/networking.k8s.io/v1/networkpolicies' %}}
{{% set namespaces_api_path = '/api/v1/namespaces' %}}
{{% set networkpolicies_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique' %}}
{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}}))]' %}}
{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}")) | not{{else}}true{{end}}))]' %}}
platform: not ocp4-on-hypershift

ocil_clause: 'Namespaced Network Policies needs review'
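Review bot: moving the `)` in `non_ctlplane_namespaces_filter` from after `| not` to before it leaves the rendered jq unbalanced whenever the exempt regex is set: the branch now reads `and (.metadata.name | test("...")) | not{{else}}true{{end}}))`, which has one more `)` than `(` once the template is expanded (the `{{else}}` branch still balances). Even with the stray `)` removed, `... and (X) | not` would apply `not` to the whole `select` condition because jq's pipe binds looser than `and`, inverting the namespace filter. Restore the previous form, `(.metadata.name | test("...") | not)`, which is also what the unchanged `networkpolicies_for_non_ctlplane_namespaces_filter` line directly above uses.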
7 changes: 3 additions & 4 deletions controls/bsi_app_4_4.yml
Expand Up @@ -437,17 +437,16 @@ controls:
can only be changed by authorised persons and management services.
notes: >-
In a cluster using a network plugin that supports Kubernetes network policy, network isolation
is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugins (OpenShift SDN,
OVN Kubernetes) supports using network policy. Support for NetworkPolicy objects is verified
using rules.
is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugin (OVN-Kubernetes)
supports using network policy. Support for NetworkPolicy objects is verified using rules.
Section 1-3: By default, all pods in a project are accessible from other pods and network endpoints.
To isolate one or more pods in a project, you need to create NetworkPolicy objects in that project
to indicate the allowed incoming connections. If a pod is matched by selectors in one or more
NetworkPolicy objects, then the pod will accept only connections that are allowed by at least
one of those NetworkPolicy objects. A pod that is not selected by any NetworkPolicy objects
is fully accessible.
^1
It is useful to create default policies for each application namespace e.g. to deny all ingress
traffic by default. The existance of at least one network policy and the automatic creation
as part of a namespace template is checked using rules.
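Review bot: while rewording the plugin sentence, the untouched context below still reads "The existance of at least one network policy" (should be "existence"), and the bare `^1` line after "is fully accessible." looks like a footnote marker with no referent anywhere in the visible notes; either attach the reference it points to or drop the marker.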
