From 517582d1019d7a43817a968ff59e3bb79cd46ca0 Mon Sep 17 00:00:00 2001 From: Benjamin Ruland Date: Wed, 6 Mar 2024 15:47:42 +0100 Subject: [PATCH 1/3] Defined notes and rules for BSI APP.4.4.A18 --- .../project_template_network_policy/rule.yml | 1 + controls/bsi_app_4_4.yml | 40 +++++++++++++++---- 2 files changed, 33 insertions(+), 8 deletions(-) diff --git a/applications/openshift/networking/project_template_network_policy/rule.yml b/applications/openshift/networking/project_template_network_policy/rule.yml index 7e219405259..cbda8e66cea 100644 --- a/applications/openshift/networking/project_template_network_policy/rule.yml +++ b/applications/openshift/networking/project_template_network_policy/rule.yml @@ -34,6 +34,7 @@ ocil: |- return true. references: + bsi: APP.4.4.A18 srg: SRG-APP-000039-CTR-000110 identifiers: diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml index 4a7ccf3c790..62cd45b3934 100644 --- a/controls/bsi_app_4_4.yml +++ b/controls/bsi_app_4_4.yml 
@@ -476,18 +476,42 @@ controls: levels: - elevated description: >- - Pods SHOULD ONLY be able to communicate with each other through the necessary network - ports, even within a Kubernetes namespace. There SHOULD be rules within the CNI that - disallow all but the necessary network connections within the Kubernetes namespace. These + (1) Pods SHOULD ONLY be able to communicate with each other through the necessary network + ports, even within a Kubernetes namespace. (2) There SHOULD be rules within the CNI that + disallow all but the necessary network connections within the Kubernetes namespace. (3) These rules SHOULD precisely define the source and destination of the allowed connections using at least one of the following criteria: service name, metadata (“labels”), Kubernetes service accounts, or certificate-based authentication. - All the criteria used as labels for a connection SHOULD be secured in such a way that they can - only be changed by authorised persons and management services. + (4) All the criteria used as labels for a connection SHOULD be secured in such a way that they + can only be changed by authorised persons and management services. notes: >- - TBD - status: pending - rules: [] + In a cluster using a network plugin that supports Kubernetes network policy, network isolation + is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugins (OpenShift SDN, + OVN Kubernetes) supports using network policy. Support for NetworkPolicy objects is verified + using rules. + + Section 1-3: By default, all pods in a project are accessible from other pods and network endpoints. + To isolate one or more pods in a project, you need to create NetworkPolicy objects in that project + to indicate the allowed incoming connections. If a pod is matched by selectors in one or more + NetworkPolicy objects, then the pod will accept only connections that are allowed by at least + one of those NetworkPolicy objects. 
A pod that is not selected by any NetworkPolicy objects + is fully accessible. + + It is useful to create default policies for each application namespace e.g. to deny all ingress + traffic by default. The existance of at least one network policy and the automatic creation + as part of a namespace template is checked using rules. The creation of suitable NetworkPolicy + objects that satisfy the requirements from sections 1 to 3, however, needs to be ensured by the + application owner. + + Section 4: It needs to be ensured organizationally, that only required subjects are granted + RBAC to change the relevant Kubernetes objects. + status: partial + rules: + # General support of network policies + - configure_network_policies + # Section 1-2 + - configure_network_policies_namespaces + - project_config_and_template_network_policy - id: APP.4.4.A19 title: High Availability of Kubernetes From 2add427b7778c672eb4600b841965d2d48a2fd32 Mon Sep 17 00:00:00 2001 From: Benjamin Ruland Date: Mon, 15 Jul 2024 14:09:27 +0200 Subject: [PATCH 2/3] Add manual rule for appropriate network policies --- .../ocp4/e2e.yml | 2 + .../rule.yml | 43 +++++++++++++++++++ controls/bsi_app_4_4.yml | 29 +++++++------ 3 files changed, 61 insertions(+), 13 deletions(-) create mode 100644 applications/openshift/networking/configure_appropriate_network_policies/ocp4/e2e.yml create mode 100644 applications/openshift/networking/configure_appropriate_network_policies/rule.yml diff --git a/applications/openshift/networking/configure_appropriate_network_policies/ocp4/e2e.yml b/applications/openshift/networking/configure_appropriate_network_policies/ocp4/e2e.yml new file mode 100644 index 00000000000..69a7d085eb4 --- /dev/null +++ b/applications/openshift/networking/configure_appropriate_network_policies/ocp4/e2e.yml @@ -0,0 +1,2 @@ +--- +default_result: MANUAL 
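Review bot: The new notes for sections 1-3 describe NetworkPolicy purely in terms of ingress (`allowed incoming connections`, `deny all ingress traffic by default`), while the control text they sit under asks for both source and destination of the permitted connections to be defined; a policy that declares only ingress rules leaves egress from the selected pods unrestricted, so the notes should state that egress rules (a `policyTypes` list including `Egress`) are needed as well for sections 1-3 to be met. The same paragraph carries the typo `existance`, which survives as an unchanged context line in the patch 2 hunk of this file: `The existence of at least one network policy and the automatic creation`. The `notes: >-` block scalar continues past this hunk's last changed line, so the wording fix applies only within it.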
diff --git a/applications/openshift/networking/configure_appropriate_network_policies/rule.yml b/applications/openshift/networking/configure_appropriate_network_policies/rule.yml
new file mode 100644
index 00000000000..1d94cb55641
--- /dev/null
+++ b/applications/openshift/networking/configure_appropriate_network_policies/rule.yml
@@ -0,0 +1,43 @@ +documentation_complete: true + +title: 'Ensure appropriate Network Policies are configured' + +description: |- + Configure Network Policies in any application namespace in an approrpriate way, so that + only the required communications are allowed. The Network Policies should precisely define + source and target using label selectors and ports. + +rationale: |- + By default, all pod to pod traffic within a cluster is allowed. Network + Policy creates a pod- level firewall that can be used to restrict traffic + between sources. Pod traffic is restricted by having a Network Policy that + selects it (through the use of labels). Once there is any Network Policy in a + namespace selecting a particular pod, that pod will reject any connections + that are not allowed by any Network Policy. Other pods in the namespace that + are not selected by any Network Policy will continue to accept all traffic. + + Implementing Kubernetes Network Policies with minimal allowed communication enhances security + by reducing entry points and limiting attacker movement within the cluster. It ensures pods and + services communicate only with necessary entities, reducing unauthorized access risks. In case + of a breach, these policies contain compromised pods, preventing widespread malicious activity. + Additionally, they enhance monitoring and detection of anomalous network activities. + +severity: medium + +identifiers: {} + +references: + bsi: APP.4.4.A19 + +ocil_clause: 'Network Policies need to be evaluated if they are appropriate' + +ocil: |- + For each non-default namespace in the cluster, review the configured Network Policies + and ensure that they only allow the necessary network network connections. They should should + precisely define source and target using label selectors and ports. + + 1. Get a list of existing projects(namespaces), exclude default, kube-*, openshift-* +
$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name]'
+ + 2. For each of these namespaces, review the network policies: +
$ oc get networkpolicies -n $namespace -o yaml
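Review bot: The namespace filter in ocil step 1 excludes every name matching `startswith("openshift")`, which is broader than the `openshift-*` stated on the same line and would silently drop a user namespace whose name merely begins with that word (for example a constructed `openshiftapps`) from the review; `startswith("openshift-")` matches the documented exclusion, and the same filter is carried unchanged into the patch 3 version of this ocil. The review guidance could also ask the reviewer to check the `policyTypes` of each policy, because a policy that lists only ingress rules leaves egress from the selected pods unrestricted, whereas the description asks for both source and target to be defined. The rationale text has a stray space in `pod- level firewall`, which patch 3 does not touch.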
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index 62cd45b3934..dcb5ec8c4e0 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -482,27 +482,28 @@ controls: rules SHOULD precisely define the source and destination of the allowed connections using at least one of the following criteria: service name, metadata (“labels”), Kubernetes service accounts, or certificate-based authentication. - (4) All the criteria used as labels for a connection SHOULD be secured in such a way that they + (4) All the criteria used as labels for a connection SHOULD be secured in such a way that they can only be changed by authorised persons and management services. notes: >- - In a cluster using a network plugin that supports Kubernetes network policy, network isolation + In a cluster using a network plugin that supports Kubernetes network policy, network isolation is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugins (OpenShift SDN, OVN Kubernetes) supports using network policy. Support for NetworkPolicy objects is verified using rules. - - Section 1-3: By default, all pods in a project are accessible from other pods and network endpoints. - To isolate one or more pods in a project, you need to create NetworkPolicy objects in that project - to indicate the allowed incoming connections. If a pod is matched by selectors in one or more - NetworkPolicy objects, then the pod will accept only connections that are allowed by at least - one of those NetworkPolicy objects. A pod that is not selected by any NetworkPolicy objects - is fully accessible. + Section 1-3: By default, all pods in a project are accessible from other pods and network endpoints. + To isolate one or more pods in a project, you need to create NetworkPolicy objects in that project + to indicate the allowed incoming connections. If a pod is matched by selectors in one or more + NetworkPolicy objects, then the pod will accept only connections that are allowed by at least + one of those NetworkPolicy objects. A pod that is not selected by any NetworkPolicy objects + is fully accessible. 
+ It is useful to create default policies for each application namespace e.g. to deny all ingress traffic by default. The existance of at least one network policy and the automatic creation - as part of a namespace template is checked using rules. The creation of suitable NetworkPolicy - objects that satisfy the requirements from sections 1 to 3, however, needs to be ensured by the - application owner. - + as part of a namespace template is checked using rules. + + The creation of suitable NetworkPolicy objects that satisfy the requirements from sections 1 to 3, + however, needs to be ensured by the application owner. A manual rule is provided for that. + Section 4: It needs to be ensured organizationally, that only required subjects are granted RBAC to change the relevant Kubernetes objects. status: partial @@ -512,6 +513,8 @@ controls: # Section 1-2 - configure_network_policies_namespaces - project_config_and_template_network_policy + # Section 3 + - configure_appropriate_network_policies - id: APP.4.4.A19 title: High Availability of Kubernetes From b85f0f68157b5ccc04d3ea394f644206b4e13288 Mon Sep 17 00:00:00 2001 From: Benjamin Ruland Date: Fri, 4 Oct 2024 10:18:01 +0200 Subject: [PATCH 3/3] Adjusted rules for BSI APP.4.4.A18 according to review --- .../rule.yml | 16 ++++++++-------- .../project_template_network_policy/rule.yml | 2 -- controls/bsi_app_4_4.yml | 5 ++--- shared/references/cce-redhat-avail.txt | 1 - 4 files changed, 10 insertions(+), 14 deletions(-) diff --git a/applications/openshift/networking/configure_appropriate_network_policies/rule.yml b/applications/openshift/networking/configure_appropriate_network_policies/rule.yml index 1d94cb55641..3c517f03d73 100644 --- a/applications/openshift/networking/configure_appropriate_network_policies/rule.yml +++ b/applications/openshift/networking/configure_appropriate_network_policies/rule.yml 
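Review bot: The new rule-list comment `# Section 3` above `configure_appropriate_network_policies` disagrees with the notes changed in the preceding hunk, which say the manual rule covers NetworkPolicy objects `that satisfy the requirements from sections 1 to 3`; one of the two should change, for example `# Section 1-3 (manual review of policy content)`. The sentence `A manual rule is provided for that.` would also be easier to act on if it named the rule, since the rule list is several lines below and the notes block is otherwise self-contained.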
@@ -1,9 +1,9 @@ documentation_complete: true -title: 'Ensure appropriate Network Policies are configured' +title: 'Ensure Appropriate Network Policies are Configured' description: |- - Configure Network Policies in any application namespace in an approrpriate way, so that + Configure Network Policies in any application namespace in an appropriate way, so that only the required communications are allowed. The Network Policies should precisely define source and target using label selectors and ports. @@ -24,20 +24,20 @@ rationale: |- severity: medium -identifiers: {} - -references: - bsi: APP.4.4.A19 +identifiers: + cce@ocp4: CCE-89537-5 ocil_clause: 'Network Policies need to be evaluated if they are appropriate' ocil: |- For each non-default namespace in the cluster, review the configured Network Policies - and ensure that they only allow the necessary network network connections. They should should + and ensure that they only allow the necessary network connections. They should precisely define source and target using label selectors and ports. 1. Get a list of existing projects(namespaces), exclude default, kube-*, openshift-* -
$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name]'
+
$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name]'
+ + Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check. 2. For each of these namespaces, review the network policies:
$ oc get networkpolicies -n $namespace -o yaml
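Review bot: The exemption regex is substituted verbatim into a jq string literal inside a single-quoted shell command (`test("{{.var_network_policies_namespaces_exempt_regex}}")`), so a variable value containing a double quote, a single quote, or a backslash sequence that jq does not accept produces a broken command instead of the documented exclusion; the added ocil sentence should say the value must be a plain regex with no quote characters, or the template should escape the value before substituting it. The `"None"` sentinel in the `{{if ne ...}}` guard only works if the variable's default is that literal string; that default is defined outside this hunk, so this is inferred. The added explanatory line refers to the variable as `ocp4-var-network-policies-namespaces-exempt-regex` while the template uses `var_network_policies_namespaces_exempt_regex`; if both forms are intended, a short parenthetical such as `(template variable var_network_policies_namespaces_exempt_regex)` would spare the reader the mapping.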
diff --git a/applications/openshift/networking/project_template_network_policy/rule.yml b/applications/openshift/networking/project_template_network_policy/rule.yml index cbda8e66cea..84c2b8aefde 100644 --- a/applications/openshift/networking/project_template_network_policy/rule.yml +++ b/applications/openshift/networking/project_template_network_policy/rule.yml @@ -34,7 +34,6 @@ ocil: |- return true. references: - bsi: APP.4.4.A18 srg: SRG-APP-000039-CTR-000110 identifiers: @@ -56,4 +55,3 @@ template: values: - value: "true" operation: "pattern match" - diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml index dcb5ec8c4e0..c72c99e9888 100644 --- a/controls/bsi_app_4_4.yml +++ b/controls/bsi_app_4_4.yml @@ -486,9 +486,8 @@ controls: can only be changed by authorised persons and management services. notes: >- In a cluster using a network plugin that supports Kubernetes network policy, network isolation - is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugins (OpenShift SDN, - OVN Kubernetes) supports using network policy. Support for NetworkPolicy objects is verified - using rules. + is controlled entirely by NetworkPolicy objects. In OpenShift, the default plugin (OVN-Kubernetes) + supports using network policy. Support for NetworkPolicy objects is verified using rules. Section 1-3: By default, all pods in a project are accessible from other pods and network endpoints. To isolate one or more pods in a project, you need to create NetworkPolicy objects in that project diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 2f20480572f..573b5988113 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -1800,7 +1800,6 @@ CCE-89531-8 CCE-89534-2 CCE-89535-9 CCE-89536-7 -CCE-89537-5 CCE-89539-1 CCE-89543-3 CCE-89544-1