-
Notifications
You must be signed in to change notification settings - Fork 695
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CMP-2543: Implement whitelist for configure-network-policies-namespaces #11952
Conversation
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please, mention in the rule description as well that namespaces matching the variable regex are not checked for presence of a Network Policy.
applications/openshift/networking/var_network_policies_namespaces_whitelist_regex.var
Outdated
Show resolved
Hide resolved
applications/openshift/networking/var_network_policies_namespaces_whitelist_regex.var
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please mention the variable in the rule description.
I have tried the rule in the cluster and it is not working for me, :(
It is always incompliant.
@yuumasato thanks for the review, this issue should be fixed now with the new commit.
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
+++ xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
@@ -10,15 +10,15 @@
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
/apis/networking.k8s.io/v1/networkpolicies
API endpoint, filter with with the jq utility using the following filter
- [.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique
+ [.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique
and persist it to the local
- /apis/networking.k8s.io/v1/networkpolicies#51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300
+ /apis/networking.k8s.io/v1/networkpolicies#7400bb301fff2f7fc7b1b0fb7448b8e3f15222a8d23f992204315b19eeefa72f
file.
/api/v1/namespaces
API endpoint, filter with with the jq utility using the following filter
- [.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]
+ [.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}}))]
and persist it to the local
- /api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d
+ /api/v1/namespaces#f673748db2dd4e4f0ad55d10ce5e86714c06da02b67ddb392582f71ef81efab2
file.
[reference]:
OVAL for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces' differs.
--- oval:ssg-configure_network_policies_namespaces:def:1
+++ oval:ssg-configure_network_policies_namespaces:def:1
@@ -1,4 +1,8 @@
criteria AND
criterion oval:ssg-test_file_for_configure_network_policies_namespaces:tst:1
criterion oval:ssg-test_file_for_configure_network_policies_filtered_namespaces:tst:1
+criteria OR
criterion oval:ssg-test_elements_count_for_configure_network_policies_namespaces:tst:1
+criteria AND
+criterion oval:ssg-test_configure_network_policies_namespaces:tst:1
+criterion oval:ssg-test_configure_network_policies_filtered_namespaces:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces' differs.
--- ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1
+++ ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1
@@ -2,10 +2,12 @@
NetworkPolicy.
To get all the non-control plane namespaces, you can do the
-following command oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'
+following command oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]'
To get all the non-control plane namespaces with a NetworkPolicy, you can do the
-following command oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique'
+following command oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique'
+
+Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
Make sure that the namespaces displayed in the commands of the commands match.
Is it the case that Namespaced Network Policies needs review? |
38f3ea8
to
02ca1d5
Compare
/test help |
@yuumasato: The specified target(s) for
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/test 4.13-e2e-aws-ocp4-cis |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Just needs adjustments to the e2e assertion.
I got a 4.15 cluster and the rule passes there:
$ oc get ccr | grep network-policies-namespaces
upstream-ocp4-cis-configure-network-policies-namespaces PASS high
$ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and (true)) | .metadata.name ]'
[]
$ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and (true)) | .metadata.namespace] | unique'
[]
02ca1d5
to
cd8788b
Compare
/test 4.13-e2e-aws-ocp4-cis |
Added a new varible var_network_policies_namespaces_whitelist_regex, and updated the rule configure_network_policies_namespaces so user is able to excude namespaces by setting this variable to the regex of namespace they want to exclude for this rule
…ces_whitelist_regex.var Co-authored-by: Watson Yuuma Sato <[email protected]>
…ces_whitelist_regex.var Co-authored-by: Watson Yuuma Sato <[email protected]>
Let's add the variable ocp4-var-network-policies-namespaces-whitelist-regex in rule's instruction for better user experience
Since CI cluster has no additional namespace, it should pass the e2e test on default
cd8788b
to
dc89b7f
Compare
Code Climate has analyzed commit dc89b7f and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
/test 4.13-e2e-aws-ocp4-cis |
Added a new varible var_network_policies_namespaces_whitelist_regex, and updated the rule
configure_network_policies_namespaces
so user is able to excude namespaces by setting this variable to the regex of namespace they want to exclude for this rule