From 14ae93f598e984653248f96215f068f6f746d2e4 Mon Sep 17 00:00:00 2001 From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Mon, 14 Oct 2024 18:43:10 +0200 Subject: [PATCH] add rule to check for sandboxed containers config --- .../rule.yml | 41 +++++++++++++++++++ .../tests/ocp4/e2e-remediation.sh | 27 ++++++++++++ .../tests/ocp4/e2e.yml | 3 ++ .../rule.yml | 2 +- .../e2e/sandboxed-containers-instance.yaml | 12 ++++++ shared/references/cce-redhat-avail.txt | 1 - 6 files changed, 84 insertions(+), 2 deletions(-) create mode 100644 applications/openshift/general/sandboxed_containers_operator_configured/rule.yml create mode 100755 applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e-remediation.sh create mode 100644 applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e.yml create mode 100644 ocp-resources/e2e/sandboxed-containers-instance.yaml diff --git a/applications/openshift/general/sandboxed_containers_operator_configured/rule.yml b/applications/openshift/general/sandboxed_containers_operator_configured/rule.yml new file mode 100644 index 00000000000..265226dc8a7 --- /dev/null +++ b/applications/openshift/general/sandboxed_containers_operator_configured/rule.yml @@ -0,0 +1,41 @@ + +title: Ensure that Sandboxed Containers Operator is Configured + +description: |- + {{{ weblink(link="https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/1.7", + text="The Sandboxed Containers Operator") }}} + provides containers with a dedicated kernel by running them in a virtual machine. This allows for extended separation, as no kernel is shared. This is done by using RHCOS cluster extension and is only available on RHCOS nodes. + + It is only active, if it is correctly configured with a KataConfig AND you configured each pod spec with
runtimeClassName: kata. + + Be advised, that on AWS, Azure, IBM Z and IBM LinuxOne you need to enable PeerPods and confiugre additional resources. + +rationale: |- + Using separate kernels for each container provides for better isolation, and makes it harder for adveseries to move laterally to other containers or the container-host. + +severity: medium + +identifiers: + cce@ocp4: CCE-87430-5 + +ocil_clause: 'Sandboxed Containers Operator is not configured' + +ocil: |- + Run the following command to check if a KataConfig for the cluster exists: +
$ oc get kataconfigs openshift-sandboxed-containers-operator+ Make sure at least one KataConfig exists. + +warnings: +- general: |- + {{{ openshift_cluster_setting("/apis/kataconfiguration.openshift.io/v1/kataconfigs?limit=5") | indent(4) }}} + +template: + name: yamlfile_value + vars: + ocp_data: "true" + filepath: /apis/kataconfiguration.openshift.io/v1/kataconfigs?limit=5 + yamlpath: ".items[:].metadata.name" + entity_check: "at least one" + values: + - value: ".*" + operation: "pattern match" diff --git a/applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e-remediation.sh b/applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e-remediation.sh new file mode 100755 index 00000000000..55a5e6035ac --- /dev/null +++ b/applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e-remediation.sh @@ -0,0 +1,27 @@ +#!/bin/bash +set -xe + +echo "installing sandboxed-containers-operator" +oc apply -f ${ROOT_DIR}/ocp-resources/e2e/sandboxed-containers-install.yaml --server-side=true + +sleep 30 + +echo "waiting for sandboxed-containers-operator deployment to exist" +while [ -z "$(oc get -n openshift-sandboxed-containers-operator --ignore-not-found deployment/controller-manager)" ]; do + sleep 3 +done + +# we need to wait for the pods to be ready, otherwise there is no webhook endpoint +# for the kataconfig +echo "waiting for sandboxed-containers-operator pods to be ready" +oc wait -n openshift-sandboxed-containers-operator --for=condition=ContainersReady=true \ +--timeout=300s pods -l control-plane=controller-manager + +echo "configuring kataconfig" +oc apply -f ${ROOT_DIR}/ocp-resources/e2e/sandboxed-containers-instance.yaml --server-side=true + +echo "check, that the mcp was updated" +oc wait --for=condition=Updated --timeout=3600s machineconfigpool/kata-oc + +echo "waiting for the cluster to become stable" +oc adm wait-for-stable-cluster --minimum-stable-period 1m 
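Review bot: The manual check in the `ocil` block, `$ oc get kataconfigs openshift-sandboxed-containers-operator`, asks for a KataConfig literally named after the operator namespace, yet the e2e fixture this commit adds creates one named `example-kataconfig`, so the documented command returns NotFound on exactly the cluster the remediation builds; since the template only requires that some object exist (`entity_check: "at least one"` over `.items[:].metadata.name`), the OCIL should list them instead: `$ oc get kataconfigs`. Related, the rule passes the moment any KataConfig object is created, before the operator has rolled kata onto a single node and even if the rollout failed (the description itself says AWS, Azure, IBM Z and LinuxONE additionally need PeerPods), so the description should state that this is an existence check only, or the `yamlpath` should match on the object's installation status if the CRD exposes one — I have not verified the status field names. The description and rationale also carry typos worth fixing while here: `confiugre` → `configure`, `adveseries` → `adversaries`.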
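Review bot: The `while [ -z "$(oc get ... deployment/controller-manager)" ]` loop has no upper bound, so if the Subscription never produces the deployment (wrong channel, OLM failure) the remediation hangs until the CI job is killed instead of failing with a reason; every other wait in the script carries a `--timeout`, and this one should too. `${ROOT_DIR}` is also expanded unquoted on both `oc apply -f` lines, and with `set -xe` but no `-u` an unset `ROOT_DIR` silently turns into `oc apply -f /ocp-resources/...`; `set -xeu` plus quoting closes that. Finally, `oc wait --for=condition=Updated machineconfigpool/kata-oc` is issued right after the KataConfig is applied — I have not verified the operator's timing, but if the pool does not exist yet `oc wait` errors out under `set -e`, and if it exists and still reports Updated=True from before the new rendered config lands the wait returns immediately, so consider first waiting for the pool to appear and report Updating=True (or polling the KataConfig's own status) before waiting for Updated.

```bash
set -xeu

oc apply -f "${ROOT_DIR}/ocp-resources/e2e/sandboxed-containers-install.yaml" --server-side=true

# … unchanged: initial sleep …

echo "waiting for sandboxed-containers-operator deployment to exist"
for _ in $(seq 1 100); do
  if [ -n "$(oc get -n openshift-sandboxed-containers-operator --ignore-not-found deployment/controller-manager)" ]; then
    break
  fi
  sleep 3
done
# fail loudly with a NotFound error if the loop above gave up
oc get -n openshift-sandboxed-containers-operator deployment/controller-manager

# … unchanged: pod readiness wait …

oc apply -f "${ROOT_DIR}/ocp-resources/e2e/sandboxed-containers-instance.yaml" --server-side=true

# … unchanged: machineconfigpool and stable-cluster waits …
```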
diff --git a/applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e.yml b/applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e.yml new file mode 100644 index 00000000000..fd9b313e87b --- /dev/null +++ b/applications/openshift/general/sandboxed_containers_operator_configured/tests/ocp4/e2e.yml @@ -0,0 +1,3 @@ +--- +default_result: FAIL +result_after_remediation: PASS diff --git a/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml b/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml index e61f83373da..85808b837b0 100644 --- a/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml +++ b/applications/openshift/general/sandboxed_containers_operator_exists/rule.yml @@ -7,7 +7,7 @@ description: |- provides containers with a dedicated kernel by running them in a virtual machine. This allows for extended separation, as no kernel is shared. This is done by using RHCOS cluster extension and is only available on RHCOS nodes. rationale: |- - Using separate Kernels for each container provides for better isolation, and makes it harder for adveseries to move laterally to other containers or the host. + Using separate kernels for each container provides for better isolation, and makes it harder for adveseries to move laterally to other containers or the container-host. severity: medium diff --git a/ocp-resources/e2e/sandboxed-containers-instance.yaml b/ocp-resources/e2e/sandboxed-containers-instance.yaml new file mode 100644 index 00000000000..1c44b70c7fe --- /dev/null +++ b/ocp-resources/e2e/sandboxed-containers-instance.yaml @@ -0,0 +1,12 @@ +apiVersion: kataconfiguration.openshift.io/v1 +kind: KataConfig +metadata: + name: example-kataconfig +spec: + checkNodeEligibility: false + enablePeerPods: false + kataConfigPoolSelector: + matchExpressions: + - key: node-role.kubernetes.io/worker + operator: Exists + logLevel: info 
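Review bot: The new `sandboxed-containers-instance.yaml` fixture sets `checkNodeEligibility: false` and `enablePeerPods: false` without a word of explanation, and both are security-relevant knobs: the first tells the operator to skip its check that the selected nodes actually support the virtualization kata needs, and the second contradicts the rule description in this same commit, which says AWS, Azure and IBM Z require PeerPods — so the fixture will presumably fail the `machineconfigpool/kata-oc` wait on those platforms, which I have not verified. The selector `node-role.kubernetes.io/worker Exists` also rolls kata onto every node carrying the worker label, which on compact or single-node clusters includes control-plane nodes. Since this is an e2e-only resource, a header comment should say so and justify each choice, e.g. `# e2e fixture only: eligibility check is disabled because CI nodes are not guaranteed to advertise virtualization support; PeerPods is off, so this fixture is for bare-metal/KVM-capable platforms only.` and, above the selector, `# matches every node with the worker role, including control-plane nodes on compact clusters`. A `---` document start would also match the repository's other YAML files (the e2e.yml in this commit begins with one).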
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index c3acec4a97c..d082e2e2dcb 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -520,7 +520,6 @@ CCE-87419-8
 CCE-87422-2
 CCE-87426-3
 CCE-87427-1
-CCE-87430-5
 CCE-87431-3
 CCE-87432-1
 CCE-87434-7