CMP-2543: Implement whitelist for configure-network-policies-namespaces #11952
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Start a new ephemeral environment with changes proposed in this pull request: ocp4 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
yuumasato
requested changes
May 13, 2024
applications/openshift/networking/var_network_policies_namespaces_whitelist_regex.var
Outdated
Show resolved
Hide resolved
applications/openshift/networking/var_network_policies_namespaces_whitelist_regex.var
Outdated
Show resolved
Hide resolved
yuumasato
requested changes
May 14, 2024
|
@yuumasato thanks for the review, this issue should be fixed now with the new commit. |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
+++ xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
@@ -10,15 +10,15 @@
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
/apis/networking.k8s.io/v1/networkpolicies
API endpoint, filter with with the jq utility using the following filter
- [.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique
+ [.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique
and persist it to the local
- /apis/networking.k8s.io/v1/networkpolicies#51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300
+ /apis/networking.k8s.io/v1/networkpolicies#7400bb301fff2f7fc7b1b0fb7448b8e3f15222a8d23f992204315b19eeefa72f
file.
/api/v1/namespaces
API endpoint, filter with with the jq utility using the following filter
- [.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]
+ [.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}}))]
and persist it to the local
- /api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d
+ /api/v1/namespaces#f673748db2dd4e4f0ad55d10ce5e86714c06da02b67ddb392582f71ef81efab2
file.
[reference]:
OVAL for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces' differs.
--- oval:ssg-configure_network_policies_namespaces:def:1
+++ oval:ssg-configure_network_policies_namespaces:def:1
@@ -1,4 +1,8 @@
criteria AND
criterion oval:ssg-test_file_for_configure_network_policies_namespaces:tst:1
criterion oval:ssg-test_file_for_configure_network_policies_filtered_namespaces:tst:1
+criteria OR
criterion oval:ssg-test_elements_count_for_configure_network_policies_namespaces:tst:1
+criteria AND
+criterion oval:ssg-test_configure_network_policies_namespaces:tst:1
+criterion oval:ssg-test_configure_network_policies_filtered_namespaces:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces' differs.
--- ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1
+++ ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1
@@ -2,10 +2,12 @@
NetworkPolicy.
To get all the non-control plane namespaces, you can do the
-following command oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'
+following command oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]'
To get all the non-control plane namespaces with a NetworkPolicy, you can do the
-following command oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique'
+following command oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique'
+
+Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
Make sure that the namespaces displayed in the commands of the commands match.
Is it the case that Namespaced Network Policies needs review? |
Vincent056
force-pushed
the
network_policy
branch
2 times, most recently
from
38f3ea8
to
02ca1d5
Compare
|
/test help |
|
@yuumasato: The specified target(s) for
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/test 4.13-e2e-aws-ocp4-cis |
yuumasato
reviewed
May 15, 2024
There was a problem hiding this comment.
/lgtm
Just needs adjustments to the e2e assertion.
I got a 4.15 cluster and the rule passes there:
$ oc get ccr | grep network-policies-namespaces
upstream-ocp4-cis-configure-network-policies-namespaces PASS high$ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and (true)) | .metadata.name ]'
[]$ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and (true)) | .metadata.namespace] | unique'
[]
Vincent056
force-pushed
the
network_policy
branch
from
02ca1d5
to
cd8788b
Compare
|
/test 4.13-e2e-aws-ocp4-cis |
Added a new varible var_network_policies_namespaces_whitelist_regex, and updated the rule configure_network_policies_namespaces so user is able to excude namespaces by setting this variable to the regex of namespace they want to exclude for this rule
…ces_whitelist_regex.var Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
…ces_whitelist_regex.var Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
Let's add the variable ocp4-var-network-policies-namespaces-whitelist-regex in rule's instruction for better user experience
Since CI cluster has no additional namespace, it should pass the e2e test on default
Vincent056
force-pushed
the
network_policy
branch
from
cd8788b
to
dc89b7f
Compare
|
Code Climate has analyzed commit dc89b7f and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
|
/test 4.13-e2e-aws-ocp4-cis |
yuumasato
approved these changes
May 16, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added a new varible var_network_policies_namespaces_whitelist_regex, and updated the rule
configure_network_policies_namespacesso user is able to excude namespaces by setting this variable to the regex of namespace they want to exclude for this rule