Commit
Merge pull request #12158 from sig-bsi-grundschutz/app-4-4-A13-A16
BSI APP.4.4.A14+A15
Showing 9 changed files with 194 additions and 23 deletions.
applications/openshift/master/master_taint_noschedule/rule.yml (61 additions, 0 deletions)
@@ -0,0 +1,61 @@ | ||
documentation_complete: true | ||
|
||
title: Verify that Control Plane Nodes are not schedulable for workloads | ||
|
||
description: -| | ||
<p> | ||
User workloads should not be colocated with control plane workloads. To ensure that the scheduler won't | ||
schedule workloads on the master nodes, the taint "node-role.kubernetes.io/master" with the "NoSchedule" | ||
effect is set by default in most cluster configurations (excluding SNO and Compact Clusters). | ||
</p> | ||
<p> | ||
The scheduling of the master nodes is centrally configurable without reboot via | ||
<pre>oc edit schedulers.config.openshift.io cluster </pre> for details see the Red Hat Solution | ||
{{{ weblink(link="https://access.redhat.com/solutions/4564851") }}} | ||
</p> | ||
<p> | ||
If you run a setup, which requires the colocation of control plane and user workload you need to | ||
exclude this rule. | ||
</p> | ||
|
||
rationale: -| | ||
By separating user workloads and the control plane workloads we can better ensure that there is | ||
no ill effects from workload boosts to each other. Furthermore we ensure that an adversary who gets | ||
control over a badly secured workload container is not colocated to critical components of the control plane. | ||
In some setups it might be necessary to make the control plane schedulable for workloads i.e. | ||
Single Node Openshift (SNO) or Compact Cluster (Three Node Cluster) setups. | ||
|
||
{{% set jqfilter = '.items[] | select(.metadata.labels."node-role.kubernetes.io/master" == "" or .metadata.labels."node-role.kubernetes.io/control-plane" == "" ) | .spec.taints[] | select(.key == "node-role.kubernetes.io/master" and .effect == "NoSchedule")' %}} | ||
|
||
identifiers: | ||
cce@ocp4: CCE-88731-5 | ||
|
||
severity: medium | ||
|
||
ocil_clause: 'Control Plane is schedulable' | ||
|
||
ocil: |- | ||
Run the following command to see if control planes are schedulable | ||
<pre>$oc get --raw /api/v1/nodes | jq '.items[] | select(.metadata.labels."node-role.kubernetes.io/master" == "" or .metadata.labels."node-role.kubernetes.io/control-plane" == "" ) | .spec.taints[] | select(.key == "node-role.kubernetes.io/master" and .effect == "NoSchedule" )'</pre> | ||
for each master node, there should be an output of a key with the NoSchedule effect. | ||
By editing the cluster scheduler you can centrally configure the masters as schedulable or not | ||
by setting .spec.mastersSchedulable to true. | ||
Use <pre>$oc edit schedulers.config.openshift.io cluster</pre> to configure the scheduling. | ||
warnings: | ||
- general: |- | ||
{{{ openshift_filtered_cluster_setting({'/api/v1/nodes': jqfilter}) | indent(8) }}} | ||
template: | ||
name: yamlfile_value | ||
vars: | ||
ocp_data: "true" | ||
filepath: |- | ||
{{{ openshift_filtered_path('/api/v1/nodes', jqfilter) }}} | ||
yamlpath: ".effect" | ||
check_existence: "at_least_one_exists" | ||
entity_check: "at least one" | ||
values: | ||
- value: "NoSchedule" | ||
operation: "pattern match" |
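Review bot: `description: -|` and `rationale: -|` have the block-scalar indicator reversed; YAML's strip-chomping literal block is `|-`, which this same file already uses for `ocil: |-`, so these two fields will not be parsed as the literal blocks they are meant to be. Second, the jq filter iterates `.spec.taints[]` without `?`: on a control plane node whose taints have been removed (the very condition this rule should catch, e.g. after `mastersSchedulable` is set to true), `.spec.taints` is absent and jq aborts with "Cannot iterate over null" instead of returning an empty result, so use `.spec.taints[]?`. Also note that `check_existence: "at_least_one_exists"` passes as soon as any single master still carries the taint, so a cluster where one master was untainted individually would not be flagged. Minor: `$oc get` and `$oc edit` are missing the space after the prompt (the egress rule writes `$ oc`), and "there is no ill effects" should read "there are no ill effects".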
applications/openshift/master/master_taint_noschedule/tests/ocp4/e2e.yml (2 additions, 0 deletions)
@@ -0,0 +1,2 @@ | ||
--- | ||
default_result: PASS |
applications/openshift/networking/configure_egress_ip_node_assignable/rule.yml (57 additions, 0 deletions)
@@ -0,0 +1,57 @@ | ||
documentation_complete: true | ||
|
||
title: Check Egress IPs Assignable to Nodes | ||
|
||
description: -| | ||
<p> | ||
The OpenShift Container Platform egress IP address functionality allows you to ensure that the | ||
traffic from one or more pods in one or more namespaces has a consistent source IP address for | ||
services outside the cluster network. | ||
</p> | ||
<p> | ||
The necessary labeling on the designated nodes is configurable without reboot via | ||
<pre>$ oc label nodes $NODENAME k8s.ovn.org/egress-assignable="" </pre> for details see the | ||
Red Hat Documentation | ||
{{{ weblink(link="https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/networking/ovn-kubernetes-network-plugin#nw-egress-ips-about_configuring-egress-ips-ovn") }}} | ||
</p> | ||
|
||
rationale: -| | ||
By using egress IPs you can provide a consistent IP to external services and configure special | ||
firewall rules which precisely select this IP. This allows for more control on external systems. | ||
Furthermore you can bind the IPs to specific nodes, which handle all the network connections to | ||
achieve a better separation of duties between the different nodes. | ||
|
||
identifiers: | ||
cce@ocp4: CCE-86787-9 | ||
|
||
severity: medium | ||
|
||
ocil_clause: 'Check Egress IPs Assignable to Nodes' | ||
|
||
ocil: |- | ||
Run the following command to see if nodes are assignable for egress IPs | ||
<pre>$ oc get --raw /api/v1/nodes | jq '.items[] | select(.metadata.labels."k8s.ovn.org/egress-assignable" != null) | .metadata.name'</pre> | ||
This commands prints the name of each node which is configured to get egress IPs assigned. If | ||
the output is empty, there are no nodes available. | ||
{{% set old_jqfilter = 'if any(.items[]?; .metadata.labels."k8s.ovn.org/egress-assignable" != null) then true else false end' %}} | ||
{{% set jqfilter = '[ .items[] | .metadata.labels["k8s.ovn.org/egress-assignable"] != null ]' %}} | ||
|
||
|
||
warnings: | ||
- general: |- | ||
{{{ openshift_filtered_cluster_setting({'/api/v1/nodes': jqfilter}) | indent(8) }}} | ||
template: | ||
name: yamlfile_value | ||
vars: | ||
ocp_data: "true" | ||
filepath: |- | ||
{{{ openshift_filtered_path('/api/v1/nodes', jqfilter) }}} | ||
yamlpath: '[:]' | ||
check_existence: at_least_one_exists | ||
entity_check: "at least one" | ||
values: | ||
- value: 'true' | ||
type: "string" | ||
entity_check: "at least one" |
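Review bot: `entity_check: "at least one"` is set twice, once at the `vars` level (as the master_taint_noschedule rule does it) and again inside the `values` entry; keep one, consistent with the other rule, so it is clear which one the template honours. `old_jqfilter` is defined but never used and should be dropped. `description: -|` and `rationale: -|` have the same reversed block indicator as in the master rule (`|-` is what `ocil: |-` uses). Finally, the two `{{% set %}}` lines sit between the `ocil` block and `warnings` with stray blank lines around them; moving them above `identifiers`, as in the master rule, keeps the layout of the two files consistent.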
...ns/openshift/networking/configure_egress_ip_node_assignable/tests/ocp4/e2e-remediation.sh (9 additions, 0 deletions)
@@ -0,0 +1,9 @@ | ||
#!/bin/bash | ||
set -xe | ||
|
||
echo "Labeling Node for egress IP" | ||
|
||
NODENAME=`oc get node | tail -1 | cut -d" " -f1` | ||
oc label node $NODENAME k8s.ovn.org/egress-assignable="" | ||
|
||
sleep 5 |
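Review bot: the `NODENAME` assignment uses backticks and `cut -d" " -f1` over the human-readable `oc get node` table, and picks whichever node happens to be listed last (which may be a control plane node). `NODENAME=$(oc get nodes -o name | tail -n 1)` avoids the column parsing and yields `node/<name>`, which `oc label` accepts directly; the variable should also be quoted: `oc label "$NODENAME" k8s.ovn.org/egress-assignable=""`. The trailing `sleep 5` is an unexplained fixed delay; a comment stating what it waits for would help the next reader.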
applications/openshift/networking/configure_egress_ip_node_assignable/tests/ocp4/e2e.yml (3 additions, 0 deletions)
@@ -0,0 +1,3 @@ | ||
--- | ||
default_result: FAIL | ||
result_after_remediation: PASS |