
CMP-2543: Implement whitelist for configure-network-policies-namespaces #11952

Merged
merged 5 commits into from
May 16, 2024

Conversation

Vincent056
Contributor

@Vincent056 Vincent056 commented May 7, 2024

Added a new variable var_network_policies_namespaces_whitelist_regex, and updated the rule configure_network_policies_namespaces so the user is able to exclude namespaces by setting this variable to the regex of the namespaces they want to exclude for this rule


github-actions bot commented May 7, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11952
This image was built from commit: dc89b7f

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11952

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11952 make deploy-local

Member

@yuumasato yuumasato left a comment

Please, mention in the rule description as well that namespaces matching the variable regex are not checked for presence of a Network Policy.

Member

@yuumasato yuumasato left a comment

Please mention the variable in the rule description.

I have tried the rule in the cluster and it is not working for me, :(
It is always incompliant.

Contributor Author

Vincent056 commented May 15, 2024

@yuumasato thanks for the review, this issue should be fixed now with the new commit.

$ oc create ns no-policy-0
$ oc create ns no-policy-1

$ ./utils/build_ds_container.py -p -d -P ocp4


cat <<EOF | oc apply -f -
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: cis-pass
  namespace: openshift-compliance
spec:
  description: Test
  setValues:
  - name: upstream-ocp4-var-network-policies-namespaces-exempt-regex
    value: no-policy-0|no-policy-1
    rationale: test
  extends: upstream-ocp4-cis
  title: My modified nist profile with a custom value
EOF

cat <<EOF | oc apply -f -
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: cis-no-pass
  namespace: openshift-compliance
spec:
  description: Test
  extends: upstream-ocp4-cis
  title: My modified nist profile with a custom value
EOF

[vincent@node cac-content-fork]$ oc get tp
NAME          STATE
cis-no-pass   READY
cis-pass      READY

cat <<EOF | oc apply -f -
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-test-network-policy
  namespace: openshift-compliance
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
  kind: TailoredProfile
  name: cis-pass
- apiGroup: compliance.openshift.io/v1alpha1
  kind: TailoredProfile
  name: cis-no-pass
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF

[vincent@node cac-content-fork]$ oc get ssb
NAME                      STATUS
cis-test-network-policy   READY

[vincent@node cac-content-fork]$ oc get scan -w
NAME          PHASE     RESULT
cis-no-pass   RUNNING   NOT-AVAILABLE
cis-pass      RUNNING   NOT-AVAILABLE
cis-pass      AGGREGATING   NOT-AVAILABLE
cis-pass      AGGREGATING   NOT-AVAILABLE
cis-no-pass   AGGREGATING   NOT-AVAILABLE
cis-no-pass   AGGREGATING   NOT-AVAILABLE
cis-no-pass   DONE          NON-COMPLIANT
cis-pass      DONE          NON-COMPLIANT

[vincent@node cac-content-fork]$ oc get ccr | grep network-policies-n
cis-no-pass-configure-network-policies-namespaces                    FAIL     high
cis-pass-configure-network-policies-namespaces                       PASS     high

oc delete ssb cis-test-network-policy
oc delete tp cis-no-pass cis-pass
oc delete profilebundle upstream-ocp4
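The namespace filter this rule applies (control-plane namespaces dropped first, then anything matching the exempt regex dropped unless the variable is left at its default "None"), reimplemented as an added Python example over constructed namespace and NetworkPolicy listings; this is not code from the PR or the project. It reproduces the PASS/FAIL outcome of the test above and also shows that jq's test() is an unanchored match, so the value `no-policy-0|no-policy-1` would also exempt a namespace such as `no-policy-0-prod`.

```python
import json
import re

# Constructed sample API responses (not captured from a real cluster); the shapes
# follow /api/v1/namespaces and /apis/networking.k8s.io/v1/networkpolicies.
NAMESPACES_JSON = json.dumps({"items": [{"metadata": {"name": n}} for n in [
    "default", "kube-system", "openshift-monitoring",
    "app-a", "app-b", "no-policy-0", "no-policy-1", "no-policy-0-prod",
]]})
NETWORKPOLICIES_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "app-a", "name": "deny-all"}},
    {"metadata": {"namespace": "app-a", "name": "allow-dns"}},
    {"metadata": {"namespace": "app-b", "name": "deny-all"}},
    {"metadata": {"namespace": "openshift-monitoring", "name": "deny-all"}},
]})


def in_scope(ns: str, exempt_regex: str) -> bool:
    """Mirror the rule's jq select(): drop control-plane namespaces, then drop
    anything matching the exempt regex unless the variable is the default "None"."""
    if ns.startswith("openshift") or ns.startswith("kube-") or ns == "default":
        return False
    # jq's test() is an unanchored search, so re.search reproduces its semantics.
    if exempt_regex != "None" and re.search(exempt_regex, ns):
        return False
    return True


def namespaces_without_policy(namespaces_json: str, netpols_json: str,
                              exempt_regex: str = "None") -> list:
    """Return the in-scope namespaces that have no NetworkPolicy, sorted."""
    all_ns = {i["metadata"]["name"] for i in json.loads(namespaces_json)["items"]}
    with_policy = {i["metadata"]["namespace"]
                   for i in json.loads(netpols_json)["items"]}
    scoped = {ns for ns in all_ns if in_scope(ns, exempt_regex)}
    covered = {ns for ns in with_policy if in_scope(ns, exempt_regex)}
    return sorted(scoped - covered)


def rule_passes(namespaces_json: str, netpols_json: str,
                exempt_regex: str = "None") -> bool:
    """The rule passes when the two filtered lists agree, i.e. nothing is missing."""
    return not namespaces_without_policy(namespaces_json, netpols_json, exempt_regex)


if __name__ == "__main__":
    for rx in ("None", "no-policy-0|no-policy-1", "^(no-policy-0|no-policy-1)$"):
        missing = namespaces_without_policy(NAMESPACES_JSON, NETWORKPOLICIES_JSON, rx)
        print(f"exempt={rx!r}: {'PASS' if not missing else 'FAIL'} missing={missing}")
```

Anchoring the pattern (third case) keeps `no-policy-0-prod` in scope, which is the behaviour an operator usually wants when exempting specific namespaces by name.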

@Vincent056 Vincent056 requested a review from yuumasato May 15, 2024 09:08

github-actions bot commented May 15, 2024

This datastream diff is auto-generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
+++ xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
@@ -10,15 +10,15 @@
 Therefore, you need to use a tool that can query the OCP API, retrieve the following:
 /apis/networking.k8s.io/v1/networkpolicies
     API endpoint, filter with with the jq utility using the following filter
-    [.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique
+    [.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique
     and persist it to the local
-    /apis/networking.k8s.io/v1/networkpolicies#51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300
+    /apis/networking.k8s.io/v1/networkpolicies#7400bb301fff2f7fc7b1b0fb7448b8e3f15222a8d23f992204315b19eeefa72f
     file.
   /api/v1/namespaces
     API endpoint, filter with with the jq utility using the following filter
-    [.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]
+    [.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}}))]
     and persist it to the local
-    /api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d
+    /api/v1/namespaces#f673748db2dd4e4f0ad55d10ce5e86714c06da02b67ddb392582f71ef81efab2
     file.
 
 [reference]:
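Review bot: the variable value is pasted verbatim into the jq string literal test("{{.var_network_policies_namespaces_exempt_regex}}"), so a value containing a double quote or a backslash produces an invalid jq program instead of a rejected setting; either document the allowed character set for the variable or escape the value when rendering. jq's test() is also an unanchored match, so a value such as no-policy exempts no-policy-prod as well; the description should state that operators wanting exact names must anchor the pattern (^name$). The unchanged context line "filter with with the jq utility" carries a duplicated word that could be fixed in the same touch.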

OVAL for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces' differs.
--- oval:ssg-configure_network_policies_namespaces:def:1
+++ oval:ssg-configure_network_policies_namespaces:def:1
@@ -1,4 +1,8 @@
 criteria AND
 criterion oval:ssg-test_file_for_configure_network_policies_namespaces:tst:1
 criterion oval:ssg-test_file_for_configure_network_policies_filtered_namespaces:tst:1
+criteria OR
 criterion oval:ssg-test_elements_count_for_configure_network_policies_namespaces:tst:1
+criteria AND
+criterion oval:ssg-test_configure_network_policies_namespaces:tst:1
+criterion oval:ssg-test_configure_network_policies_filtered_namespaces:tst:1
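Review bot: the flattened OVAL listing hides nesting, so it is not visible whether the new "criteria AND" with the two test_configure_network_policies_*:tst:1 criteria sits inside the new "criteria OR" as the alternative to test_elements_count_for_configure_network_policies_namespaces:tst:1, or whether the three added lines are siblings of the top-level AND; please confirm the intended tree and add a comment in the OVAL stating what the second branch covers (presumably the case where both filtered lists are empty, which is what the CI clusters report).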

OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces' differs.
--- ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1
+++ ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1
@@ -2,10 +2,12 @@
 NetworkPolicy.
 
 To get all the non-control plane namespaces, you can do the
-following command oc get  namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'
+following command oc get  namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]'
 
 To get all the non-control plane namespaces with a NetworkPolicy, you can do the
-following command oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique'
+following command oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique'
+
+Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
 
 Make sure that the namespaces displayed in the commands of the commands match.
       Is it the case that Namespaced Network Policies needs review?
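Review bot: the added sentence names the variable as ocp4-var-network-policies-namespaces-exempt-regex, but the name a user sets in a TailoredProfile carries the ProfileBundle prefix (the test run in this thread used upstream-ocp4-var-network-policies-namespaces-exempt-regex), so either say that the prefix depends on the bundle or name the XCCDF variable itself; the PR title and commit messages still say whitelist_regex while the content uses exempt_regex, so align those as well. The unchanged context line "the commands of the commands match" also reads as a duplicated phrase.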

@Vincent056 Vincent056 force-pushed the network_policy branch 2 times, most recently from 38f3ea8 to 02ca1d5 Compare May 15, 2024 09:16
@yuumasato
Member

/test help


openshift-ci bot commented May 15, 2024

@yuumasato: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:


Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-ComplianceAsCode-content-master-4.13-images
  • pull-ci-ComplianceAsCode-content-master-4.14-images
  • pull-ci-ComplianceAsCode-content-master-4.15-images
  • pull-ci-ComplianceAsCode-content-master-4.16-images
  • pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@yuumasato
Member

/test 4.13-e2e-aws-ocp4-cis
/test 4.14-e2e-aws-ocp4-cis
/test 4.15-e2e-aws-ocp4-cis
/test 4.16-e2e-aws-ocp4-cis

Member

@yuumasato yuumasato left a comment

/lgtm

Just needs adjustments to the e2e assertion.
I got a 4.15 cluster and the rule passes there:

$ oc get ccr | grep network-policies-namespaces
upstream-ocp4-cis-configure-network-policies-namespaces                    PASS     high
$ oc get  namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and (true)) | .metadata.name ]'
[]
$ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and (true)) | .metadata.namespace] | unique'                    
[]

@yuumasato
Member

/test 4.13-e2e-aws-ocp4-cis
/test 4.14-e2e-aws-ocp4-cis
/test 4.15-e2e-aws-ocp4-cis
/test 4.16-e2e-aws-ocp4-cis

Vincent056 and others added 5 commits May 15, 2024 13:51
Added a new variable var_network_policies_namespaces_whitelist_regex, and updated the rule configure_network_policies_namespaces so the user is able to exclude namespaces by setting this variable to the regex of the namespaces they want to exclude for this rule
…ces_whitelist_regex.var

Co-authored-by: Watson Yuuma Sato <[email protected]>
…ces_whitelist_regex.var

Co-authored-by: Watson Yuuma Sato <[email protected]>
Let's add the variable ocp4-var-network-policies-namespaces-whitelist-regex to the rule's instructions for a better user experience
Since CI cluster has no additional namespace, it should pass the e2e test on default

codeclimate bot commented May 15, 2024

Code Climate has analyzed commit dc89b7f and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).


@yuumasato
Member

/test 4.13-e2e-aws-ocp4-cis
/test 4.14-e2e-aws-ocp4-cis
/test 4.15-e2e-aws-ocp4-cis
/test 4.16-e2e-aws-ocp4-cis

@yuumasato yuumasato added this to the 0.1.74 milestone May 16, 2024
@yuumasato yuumasato merged commit 23d56eb into ComplianceAsCode:master May 16, 2024
113 of 117 checks passed
Labels
OpenShift OpenShift product related.