Defined notes and rules for BSI APP.4.4.A18 #12154
Conversation
|
Hi @benruland. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: ocp4 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
benruland
force-pushed
the
bsi-app-4.4-a18
branch
from
2fa7ea1
to
2bb18f7
Compare
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies
+++ xccdf_org.ssgproject.content_rule_configure_network_policies
@@ -20,6 +20,9 @@
[reference]:
APP.4.4.A7
+
+[reference]:
+APP.4.4.A18
[reference]:
CIP-003-8 R6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
+++ xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
@@ -23,6 +23,9 @@
[reference]:
APP.4.4.A7
+
+[reference]:
+APP.4.4.A18
[reference]:
CIP-003-8 R4
New content has different text for rule 'xccdf_org.ssgproject.content_rule_project_template_network_policy'.
--- xccdf_org.ssgproject.content_rule_project_template_network_policy
+++ xccdf_org.ssgproject.content_rule_project_template_network_policy
@@ -19,6 +19,9 @@
file.
[reference]:
+APP.4.4.A18
+
+[reference]:
SRG-APP-000039-CTR-000110
[rationale]: |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
|
Code Climate has analyzed commit 2bb18f7 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
| status: pending | ||
| rules: [] | ||
| In a cluster using a network plugin that supports Kubernetes network policy, network isolation | ||
| is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugins (OpenShift SDN, |
There was a problem hiding this comment.
we should remove OpenShift SDN as it is deprecated
| precisely define source and target using label selectors and ports. | ||
|
|
||
| 1. Get a list of existing projects(namespaces), exclude default, kube-*, openshift-* | ||
| <pre>$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name]'</pre> |
There was a problem hiding this comment.
imho we should make the list of exceptions configurable. There are customers, which have applications running which they want to exclude from such a rule or they want to not exclude the default namespaces. Furthermore some of them might install operators to non-default namespaces.
| title: 'Ensure appropriate Network Policies are configured' | ||
|
|
||
| description: |- | ||
| Configure Network Policies in any application namespace in an approrpriate way, so that |
There was a problem hiding this comment.
| Configure Network Policies in any application namespace in an approrpriate way, so that | |
| Configure Network Policies in any application namespace in an appropriate way, so that |
| @@ -0,0 +1,43 @@ | |||
| documentation_complete: true | |||
|
|
|||
| title: 'Ensure appropriate Network Policies are configured' | |||
There was a problem hiding this comment.
| title: 'Ensure appropriate Network Policies are configured' | |
| title: 'Ensure Appropriate Network Policies are Configured' |
marcusburghardt
added
OpenShift
| For each non-default namespace in the cluster, review the configured Network Policies | ||
| and ensure that they only allow the necessary network network connections. They should should | ||
| precisely define source and target using label selectors and ports. | ||
|
|
There was a problem hiding this comment.
Could you please resolve the typo issue. Should be,
'and ensure that they only allow the necessary network connections. They should
precisely define source and target using label selectors and ports.'
Description:
Notes / Rules for BSI APP4.4.A17
Rationale:
As we have multiple customers asking for a BSI profile to be included in the compliance-operator, we are contributing a profile. To provide a better review process, the individual controle are implemented as separate PRs.
This is a follow-up of #11659. It was breaken up for better reviewability.