From f5af76e8f5ef927f37d2271081baa34d913c062d Mon Sep 17 00:00:00 2001
From: Benjamin Ruland
Date: Fri, 4 Oct 2024 10:18:01 +0200
Subject: [PATCH] Adjusted rules for BSI APP.4.4.A18 according to review
---
 .../configure_appropriate_network_policies/rule.yml | 10 ++++++----
 .../configure_network_policies_namespaces/rule.yml | 2 +-
 controls/bsi_app_4_4.yml | 7 +++----
 3 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/applications/openshift/networking/configure_appropriate_network_policies/rule.yml b/applications/openshift/networking/configure_appropriate_network_policies/rule.yml
index 1d94cb556410..8cc2c4e37fbd 100644
--- a/applications/openshift/networking/configure_appropriate_network_policies/rule.yml
+++ b/applications/openshift/networking/configure_appropriate_network_policies/rule.yml
@@ -1,9 +1,9 @@
 documentation_complete: true
-title: 'Ensure appropriate Network Policies are configured'
+title: 'Ensure Appropriate Network Policies are Configured'
 description: |-
- Configure Network Policies in any application namespace in an approrpriate way, so that
+ Configure Network Policies in any application namespace in an appropriate way, so that
 only the required communications are allowed. The Network Policies should precisely define source and target using label selectors and ports.
@@ -33,11 +33,13 @@ ocil_clause: 'Network Policies need to be evaluated if they are appropriate'
 ocil: |-
 For each non-default namespace in the cluster, review the configured Network Policies
- and ensure that they only allow the necessary network network connections. They should should
+ and ensure that they only allow the necessary network connections. They should
 precisely define source and target using label selectors and ports.
 1. Get a list of existing projects(namespaces), exclude default, kube-*, openshift-*
-
$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name]'
+
$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name]'
+
+ Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
 2. For each of these namespaces, review the network policies:
$ oc get networkpolicies -n $namespace -o yaml
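Review bot: The replacement `oc get namespaces` command in the ocil block contains a doubled `and` (`.metadata.name != "default" and and ({{if ...`), which jq rejects as a syntax error, so an auditor who pastes the documented command gets no namespace list at all; drop one of them so the filter reads `... and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name]`. The `{{if ...}}`/`{{.var_...}}` Go-template conditional is now embedded in text that, as far as this hunk shows, is presented to the auditor as plain OCIL instructions rather than evaluated at scan time; unless the build or the operator substitutes it there, the reader sees raw template syntax and cannot run the command as written, so it is worth confirming and, if so, documenting the plain command and relying on the added sentence about the exemption variable to explain the exclusion. The ocil block may continue past the end of the hunk.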
diff --git a/applications/openshift/networking/configure_network_policies_namespaces/rule.yml b/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
index 3804944cae51..ca2b93ed9b2a 100644
--- a/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
+++ b/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
@@ -27,7 +27,7 @@ references:
 {{% set networkpolicies_api_path = '/apis/networking.k8s.io/v1/networkpolicies' %}}
 {{% set namespaces_api_path = '/api/v1/namespaces' %}}
 {{% set networkpolicies_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique' %}}
-{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}}))]' %}}
+{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}")) | not{{else}}true{{end}}))]' %}}
 platform: not ocp4-on-hypershift
 ocil_clause: 'Namespaced Network Policies needs review'
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index 460498ad4cd3..8e780191b8b4 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
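Review bot: The new `non_ctlplane_namespaces_filter` line closes one more parenthesis than it opens in the regex branch: once the template expands with an exempt regex other than "None", the filter ends `... test("<regex>")) | not))]`, which by my count leaves the `select(` group with an unmatched `)`, so jq should reject the filter and the check would error out (or, depending on how the collector treats a jq failure, evaluate an empty namespace list and pass vacuously). Even with the parenthesis count repaired, moving `| not` outside the group negates the whole `and` chain rather than just the regex test, because jq's pipe binds more loosely than `and`, which would invert the control-plane exclusions as well. The unchanged `networkpolicies_for_non_ctlplane_namespaces_filter` two lines above keeps the original shape (`test("…") | not{{else}}true{{end}}))`), so the two filters now diverge; restoring that form on the changed line, i.e. ending it `.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}}))]' %}}`, keeps them consistent. The `"None"` branch is unaffected, so a scan with the default variable would not surface this; a test that sets the exempt regex would.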
@@ -437,9 +437,8 @@ controls:
 can only be changed by authorised persons and management services.
 notes: >-
 In a cluster using a network plugin that supports Kubernetes network policy, network isolation
- is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugins (OpenShift SDN,
- OVN Kubernetes) supports using network policy. Support for NetworkPolicy objects is verified
- using rules.
+ is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugin (OVN-Kubernetes)
+ supports using network policy. Support for NetworkPolicy objects is verified using rules.
 Section 1-3: By default, all pods in a project are accessible from other pods and network endpoints. To isolate one or more pods in a project, you need to create NetworkPolicy objects in that project
@@ -447,7 +446,7 @@ controls:
 NetworkPolicy objects, then the pod will accept only connections that are allowed by at least one of those NetworkPolicy objects. A pod that is not selected by any NetworkPolicy objects is fully accessible.
-
+^1 It is useful to create default policies for each application namespace e.g. to deny all ingress traffic by default. The existance of at least one network policy and the automatic creation as part of a namespace template is checked using rules.