CMP-2543: Implement whitelist for configure-network-policies-namespaces
Added a new variable var_network_policies_namespaces_whitelist_regex, and updated the rule configure_network_policies_namespaces so the user is able to exclude namespaces by setting this variable to the regex of the namespaces they want to exclude from this rule
Start a new ephemeral environment with changes proposed in this pull request:
ocp4 (from CTF) Environment (using Fedora as testing environment)
:robot: A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11952
This image was built from commit: dc89b7f327380c24556b8e63bd22ba3e954e763c
If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11952
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11952 make deploy-local
@yuumasato thanks for the review, this issue should be fixed now with the new commit.
$ oc create ns no-policy-0
$ oc create ns no-policy-1
$ ./utils/build_ds_container.py -p -d -P ocp4
cat <<EOF | oc apply -f -
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: cis-pass
  namespace: openshift-compliance
spec:
  description: Test
  setValues:
  - name: upstream-ocp4-var-network-policies-namespaces-exempt-regex
    value: no-policy-0|no-policy-1
    rationale: test
  extends: upstream-ocp4-cis
  title: My modified nist profile with a custom value
EOF
cat <<EOF | oc apply -f -
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: cis-no-pass
  namespace: openshift-compliance
spec:
  description: Test
  extends: upstream-ocp4-cis
  title: My modified nist profile with a custom value
EOF
[vincent@node cac-content-fork]$ oc get tp
NAME          STATE
cis-no-pass   READY
cis-pass      READY
cat <<EOF | oc apply -f -
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-test-network-policy
  namespace: openshift-compliance
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
  kind: TailoredProfile
  name: cis-pass
- apiGroup: compliance.openshift.io/v1alpha1
  kind: TailoredProfile
  name: cis-no-pass
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
[vincent@node cac-content-fork]$ oc get ssb
NAME                      STATUS
cis-test-network-policy   READY
[vincent@node cac-content-fork]$ oc get scan -w
NAME          PHASE         RESULT
cis-no-pass   RUNNING       NOT-AVAILABLE
cis-pass      RUNNING       NOT-AVAILABLE
cis-pass      AGGREGATING   NOT-AVAILABLE
cis-pass      AGGREGATING   NOT-AVAILABLE
cis-no-pass   AGGREGATING   NOT-AVAILABLE
cis-no-pass   AGGREGATING   NOT-AVAILABLE
cis-no-pass   DONE          NON-COMPLIANT
cis-pass      DONE          NON-COMPLIANT
[vincent@node cac-content-fork]$ oc get ccr | grep network-policies-n
cis-no-pass-configure-network-policies-namespaces   FAIL   high
cis-pass-configure-network-policies-namespaces      PASS   high
oc delete ssb cis-test-network-policy
oc delete tp cis-no-pass cis-pass
oc delete profilebundle upstream-ocp4
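The test run above shows the two outcomes (PASS with the exempt regex set, FAIL without) but not why a given namespace ends up exempt. The following is an added example, not code from this PR or from the ComplianceAsCode project: it re-implements in Python the two jq filters that the datastream diff on this page templates with var_network_policies_namespaces_exempt_regex, runs them over constructed namespace and NetworkPolicy API responses, and compares the two resulting namespace lists the way the OCIL text asks the operator to. The function names, the sample objects and the `anchored` switch are assumptions; the real rule compares the persisted API files through OVAL rather than calling a function. The example goes one step beyond the page by also showing what changes when the regex is anchored, because jq's test() is an unanchored search.

```python
import re

# Constructed sample of the /api/v1/namespaces list, trimmed to the field the rule reads.
NAMESPACES_RESPONSE = {
    "items": [
        {"metadata": {"name": "default"}},
        {"metadata": {"name": "kube-system"}},
        {"metadata": {"name": "openshift-monitoring"}},
        {"metadata": {"name": "app-prod"}},
        {"metadata": {"name": "no-policy-0"}},
        {"metadata": {"name": "no-policy-1"}},
        {"metadata": {"name": "no-policy-0-staging"}},
    ]
}

# Constructed sample of the cluster-wide /apis/networking.k8s.io/v1/networkpolicies list.
NETWORKPOLICIES_RESPONSE = {
    "items": [
        {"metadata": {"name": "deny-by-default", "namespace": "app-prod"}},
        {"metadata": {"name": "deny-by-default", "namespace": "openshift-monitoring"}},
    ]
}


def is_control_plane(name):
    """The fixed exclusions the rule has always applied: openshift*, kube-* and default."""
    return name.startswith("openshift") or name.startswith("kube-") or name == "default"


def is_exempt(name, exempt_regex, anchored=False):
    """Model of the templated clause
    {{if ne .var "None"}} .metadata.name | test("<var>") | not {{else}} true {{end}}.
    The string "None" is the sentinel for "no exemption". jq's test() is an unanchored
    search, so the default mirrors it with re.search; anchored=True (an assumption, not
    what the rule does) shows the effect of wrapping the value in ^(...)$ instead.
    """
    if exempt_regex == "None":
        return False
    pattern = f"^(?:{exempt_regex})$" if anchored else exempt_regex
    return re.search(pattern, name) is not None


def filtered_namespaces(ns_response, exempt_regex="None", anchored=False):
    """Namespaces the rule expects to carry a NetworkPolicy (sorted, like jq's unique)."""
    return sorted(
        item["metadata"]["name"]
        for item in ns_response["items"]
        if not is_control_plane(item["metadata"]["name"])
        and not is_exempt(item["metadata"]["name"], exempt_regex, anchored)
    )


def namespaces_with_policy(np_response, exempt_regex="None", anchored=False):
    """Distinct namespaces owning at least one NetworkPolicy, after the same filtering."""
    return sorted(
        {
            item["metadata"]["namespace"]
            for item in np_response["items"]
            if not is_control_plane(item["metadata"]["namespace"])
            and not is_exempt(item["metadata"]["namespace"], exempt_regex, anchored)
        }
    )


def evaluate_rule(ns_response, np_response, exempt_regex="None", anchored=False):
    """PASS when every remaining namespace has a NetworkPolicy; an empty remainder passes vacuously."""
    expected = filtered_namespaces(ns_response, exempt_regex, anchored)
    covered = set(namespaces_with_policy(np_response, exempt_regex, anchored))
    missing = [ns for ns in expected if ns not in covered]
    return ("PASS" if not missing else "FAIL", missing)


if __name__ == "__main__":
    cases = (("None", False), ("no-policy-0|no-policy-1", False), ("no-policy-0|no-policy-1", True))
    for regex, anchored in cases:
        mode = "anchored" if anchored else "search"
        print(regex, mode, evaluate_rule(NAMESPACES_RESPONSE, NETWORKPOLICIES_RESPONSE, regex, anchored))
```

With the regex from the test above, `no-policy-0|no-policy-1`, the unanchored search also exempts the constructed `no-policy-0-staging` namespace, so the rule passes even though that namespace has no NetworkPolicy; anchoring the same value keeps that namespace in scope and the rule fails on it. A regex that exempts everything leaves an empty list and passes vacuously, which is the case the OVAL's element-count test covers.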
This datastream diff is auto generated by the check Compare DS/Generate Diff
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces'.
--- xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
+++ xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
@@ -10,15 +10,15 @@
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
/apis/networking.k8s.io/v1/networkpolicies
API endpoint, filter with with the jq utility using the following filter
- [.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique
+ [.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique
and persist it to the local
- /apis/networking.k8s.io/v1/networkpolicies#51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300
+ /apis/networking.k8s.io/v1/networkpolicies#7400bb301fff2f7fc7b1b0fb7448b8e3f15222a8d23f992204315b19eeefa72f
file.
/api/v1/namespaces
API endpoint, filter with with the jq utility using the following filter
- [.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]
+ [.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}}))]
and persist it to the local
- /api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d
+ /api/v1/namespaces#f673748db2dd4e4f0ad55d10ce5e86714c06da02b67ddb392582f71ef81efab2
file.
[reference]:
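Review bot: in both + lines of this hunk the variable value is substituted verbatim into a jq string literal, `test("{{.var_network_policies_namespaces_exempt_regex}}")`, so a value containing a double quote or a backslash breaks the jq expression instead of being matched; either escape the value in the template or state in the variable's description that it must be a jq-safe regex. jq's test() is also an unanchored search, so the value tested in this PR, `no-policy-0|no-policy-1`, exempts every namespace whose name merely contains one of those strings; consider wrapping the value as `^(` ... `)$` in the template, or say in the rule text that partial matches are exempt. The PR description still calls the variable var_network_policies_namespaces_whitelist_regex while this hunk uses var_network_policies_namespaces_exempt_regex; please update the description. The unchanged context line "filter with with the jq utility" has a doubled "with" that could be fixed in passing.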
OVAL for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces' differs.
--- oval:ssg-configure_network_policies_namespaces:def:1
+++ oval:ssg-configure_network_policies_namespaces:def:1
@@ -1,4 +1,8 @@
criteria AND
criterion oval:ssg-test_file_for_configure_network_policies_namespaces:tst:1
criterion oval:ssg-test_file_for_configure_network_policies_filtered_namespaces:tst:1
+criteria OR
criterion oval:ssg-test_elements_count_for_configure_network_policies_namespaces:tst:1
+criteria AND
+criterion oval:ssg-test_configure_network_policies_namespaces:tst:1
+criterion oval:ssg-test_configure_network_policies_filtered_namespaces:tst:1
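Review bot: the nesting of the new criteria is not visible in this rendered hunk, so please confirm that the two + criterion lines sit inside the new inner `criteria AND`, and that this AND and the pre-existing test_elements_count criterion are the two operands of the new `criteria OR`. With that structure the rule passes whenever the count test alone is satisfied, without comparing the namespace and NetworkPolicy lists; the hunk does not show what count that test asserts, so check that it is the "nothing left after filtering" case, and state in the rule description that an exempt regex which removes every namespace makes the rule pass vacuously.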
OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces' differs.
--- ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1
+++ ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1
@@ -2,10 +2,12 @@
NetworkPolicy.
To get all the non-control plane namespaces, you can do the
-following command oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'
+following command oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]'
To get all the non-control plane namespaces with a NetworkPolicy, you can do the
-following command oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique'
+following command oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique'
+
+Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
Make sure that the namespaces displayed in the commands of the commands match.
Is it the case that Namespaced Network Policies needs review?
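Review bot: the added sentence should say that the match is a jq test() search rather than a full-name match, since the two oc commands rendered just above it will exempt any namespace whose name contains a match for the regex, and an operator reading the OCIL will otherwise assume exact names. The unchanged context line "Make sure that the namespaces displayed in the commands of the commands match" has a duplicated "of the commands" that could be fixed in the same edit.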
/test help
@yuumasato: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:
- /test 4.13-e2e-aws-ocp4-cis
- /test 4.13-e2e-aws-ocp4-cis-node
- /test 4.13-e2e-aws-ocp4-e8
- /test 4.13-e2e-aws-ocp4-high
- /test 4.13-e2e-aws-ocp4-high-node
- /test 4.13-e2e-aws-ocp4-moderate
- /test 4.13-e2e-aws-ocp4-moderate-node
- /test 4.13-e2e-aws-ocp4-pci-dss
- /test 4.13-e2e-aws-ocp4-pci-dss-node
- /test 4.13-e2e-aws-ocp4-stig
- /test 4.13-e2e-aws-ocp4-stig-node
- /test 4.13-e2e-aws-rhcos4-e8
- /test 4.13-e2e-aws-rhcos4-high
- /test 4.13-e2e-aws-rhcos4-moderate
- /test 4.13-e2e-aws-rhcos4-stig
- /test 4.13-images
- /test 4.14-images
- /test 4.15-e2e-aws-ocp4-cis
- /test 4.15-e2e-aws-ocp4-cis-node
- /test 4.15-e2e-aws-ocp4-e8
- /test 4.15-e2e-aws-ocp4-high
- /test 4.15-e2e-aws-ocp4-high-node
- /test 4.15-e2e-aws-ocp4-moderate
- /test 4.15-e2e-aws-ocp4-moderate-node
- /test 4.15-e2e-aws-ocp4-pci-dss
- /test 4.15-e2e-aws-ocp4-pci-dss-node
- /test 4.15-e2e-aws-ocp4-stig
- /test 4.15-e2e-aws-ocp4-stig-node
- /test 4.15-e2e-aws-rhcos4-e8
- /test 4.15-e2e-aws-rhcos4-high
- /test 4.15-e2e-aws-rhcos4-moderate
- /test 4.15-e2e-aws-rhcos4-stig
- /test 4.15-images
- /test 4.16-e2e-aws-ocp4-cis
- /test 4.16-e2e-aws-ocp4-cis-node
- /test 4.16-e2e-aws-ocp4-e8
- /test 4.16-e2e-aws-ocp4-high
- /test 4.16-e2e-aws-ocp4-high-node
- /test 4.16-e2e-aws-ocp4-moderate
- /test 4.16-e2e-aws-ocp4-moderate-node
- /test 4.16-e2e-aws-ocp4-pci-dss
- /test 4.16-e2e-aws-ocp4-pci-dss-node
- /test 4.16-e2e-aws-ocp4-stig
- /test 4.16-e2e-aws-ocp4-stig-node
- /test 4.16-e2e-aws-rhcos4-e8
- /test 4.16-e2e-aws-rhcos4-high
- /test 4.16-e2e-aws-rhcos4-moderate
- /test 4.16-e2e-aws-rhcos4-stig
- /test 4.16-images
- /test e2e-aws-ocp4-cis
- /test e2e-aws-ocp4-cis-node
- /test e2e-aws-ocp4-e8
- /test e2e-aws-ocp4-high
- /test e2e-aws-ocp4-high-node
- /test e2e-aws-ocp4-moderate
- /test e2e-aws-ocp4-moderate-node
- /test e2e-aws-ocp4-pci-dss
- /test e2e-aws-ocp4-pci-dss-node
- /test e2e-aws-ocp4-stig
- /test e2e-aws-ocp4-stig-node
- /test e2e-aws-rhcos4-e8
- /test e2e-aws-rhcos4-high
- /test e2e-aws-rhcos4-moderate
- /test e2e-aws-rhcos4-stig
- /test images
Use /test all to run the following jobs that were automatically triggered:
- pull-ci-ComplianceAsCode-content-master-4.13-images
- pull-ci-ComplianceAsCode-content-master-4.14-images
- pull-ci-ComplianceAsCode-content-master-4.15-images
- pull-ci-ComplianceAsCode-content-master-4.16-images
- pull-ci-ComplianceAsCode-content-master-images
In response to this:
/test help
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/test 4.13-e2e-aws-ocp4-cis /test 4.14-e2e-aws-ocp4-cis /test 4.15-e2e-aws-ocp4-cis /test 4.16-e2e-aws-ocp4-cis
Code Climate has analyzed commit dc89b7f3 and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 59.4% (0.0% change).
View more on Code Climate.
/test 4.13-e2e-aws-ocp4-cis /test 4.14-e2e-aws-ocp4-cis /test 4.15-e2e-aws-ocp4-cis /test 4.16-e2e-aws-ocp4-cis