Defined notes and rules for BSI APP.4.4.A18

ComplianceAsCode · Jul 15, 2024 · a7885d5 · a7885d5
1 parent 8906199
commit a7885d5
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 11 deletions.
diff --git a/applications/openshift/networking/configure_network_policies/rule.yml b/applications/openshift/networking/configure_network_policies/rule.yml
@@ -17,7 +17,7 @@ rationale: |-
 severity: high
 
 references:
-    bsi: APP.4.4.A7
+    bsi: APP.4.4.A7,APP.4.4.A18
     cis@ocp4: 5.3.1
     nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
     nist: CM-6,CM-6(1)

diff --git a/applications/openshift/networking/configure_network_policies_namespaces/rule.yml b/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
@@ -17,7 +17,7 @@ rationale: |-
 severity: high
 
 references:
-    bsi: APP.4.4.A7
+    bsi: APP.4.4.A7, APP.4.4.A18
     cis@eks: 4.3.2
     cis@ocp4: 5.3.2
     nerc-cip: CIP-003-8 R4,CIP-003-8 R4.2,CIP-003-8 R5,CIP-003-8 R6,CIP-004-6 R2.2.4,CIP-004-6 R3,CIP-007-3 R2,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R6.1
@@ -47,7 +47,7 @@ ocil: |-
     following command <tt>{{{ ocil_oc_pipe_jq_filter('networkpolicies', networkpolicies_for_non_ctlplane_namespaces_filter, all_namespaces=true) }}}</tt>
 
     Namespaces matching the variable <tt>ocp4-var-network-policies-namespaces-exempt-regex</tt> regex are excluded from this check.
-    
+
     Make sure that the namespaces displayed in the commands of the commands match.
 
 warnings:

diff --git a/applications/openshift/networking/project_template_network_policy/rule.yml b/applications/openshift/networking/project_template_network_policy/rule.yml
@@ -34,6 +34,7 @@ ocil: |-
     return true.
 
 references:
+    bsi: APP.4.4.A18
     srg: SRG-APP-000039-CTR-000110
 
 identifiers:

diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
@@ -425,18 +425,42 @@ controls:
     levels:
     - elevated
     description: >-
-      Pods SHOULD ONLY be able to communicate with each other through the necessary network
-      ports, even within a Kubernetes namespace. There SHOULD be rules within the CNI that
-      disallow all but the necessary network connections within the Kubernetes namespace. These
+      (1) Pods SHOULD ONLY be able to communicate with each other through the necessary network
+      ports, even within a Kubernetes namespace. (2) There SHOULD be rules within the CNI that
+      disallow all but the necessary network connections within the Kubernetes namespace. (3) These
       rules SHOULD precisely define the source and destination of the allowed connections using at
       least one of the following criteria: service name, metadata (“labels”), Kubernetes service
       accounts, or certificate-based authentication.
-      All the criteria used as labels for a connection SHOULD be secured in such a way that they can
-      only be changed by authorised persons and management services.
+      (4) All the criteria used as labels for a connection SHOULD be secured in such a way that they 
+      can only be changed by authorised persons and management services.
     notes: >-
-      TBD
-    status: pending
-    rules: []
+      In a cluster using a network plugin that supports Kubernetes network policy, network isolation 
+      is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugins (OpenShift SDN,
+      OVN Kubernetes) supports using network policy. Support for NetworkPolicy objects is verified
+      using rules.
+
+      Section 1-3: By default, all pods in a project are accessible from other pods and network endpoints. 
+      To isolate one or more pods in a project, you need to create NetworkPolicy objects in that project
+      to indicate the allowed incoming connections. If a pod is matched by selectors in one or more 
+      NetworkPolicy objects, then the pod will accept only connections that are allowed by at least 
+      one of those NetworkPolicy objects. A pod that is not selected by any NetworkPolicy objects 
+      is fully accessible. 
+      
+      It is useful to create default policies for each application namespace e.g. to deny all ingress
+      traffic by default. The existance of at least one network policy and the automatic creation
+      as part of a namespace template is checked using rules. The creation of suitable NetworkPolicy
+      objects that satisfy the requirements from sections 1 to 3, however, needs to be ensured by the
+      application owner.
+      
+      Section 4: It needs to be ensured organizationally, that only required subjects are granted
+      RBAC to change the relevant Kubernetes objects.
+    status: partial
+    rules:
+      # General support of network policies
+      - configure_network_policies
+      # Section 1-2
+      - configure_network_policies_namespaces
+      - project_config_and_template_network_policy
 
   - id: APP.4.4.A19
     title: High Availability of Kubernetes