Add manual rule for appropriate network policies
Showing 3 changed files with 47 additions and 0 deletions.
2 changes: 2 additions & 0 deletions
applications/openshift/networking/configure_appropriate_network_policies/ocp4/e2e.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
--- | ||
default_result: MANUAL |
43 changes: 43 additions & 0 deletions
applications/openshift/networking/configure_appropriate_network_policies/rule.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
documentation_complete: true | ||
|
||
title: 'Ensure appropriate Network Policies are configured' | ||
|
||
description: |- | ||
Configure Network Policies in any application namespace in an approrpriate way, so that | ||
only the required communications are allowed. The Network Policies should precisely define | ||
source and target using label selectors and ports. | ||
rationale: |- | ||
By default, all pod to pod traffic within a cluster is allowed. Network | ||
Policy creates a pod- level firewall that can be used to restrict traffic | ||
between sources. Pod traffic is restricted by having a Network Policy that | ||
selects it (through the use of labels). Once there is any Network Policy in a | ||
namespace selecting a particular pod, that pod will reject any connections | ||
that are not allowed by any Network Policy. Other pods in the namespace that | ||
are not selected by any Network Policy will continue to accept all traffic. | ||
Implementing Kubernetes Network Policies with minimal allowed communication enhances security | ||
by reducing entry points and limiting attacker movement within the cluster. It ensures pods and | ||
services communicate only with necessary entities, reducing unauthorized access risks. In case | ||
of a breach, these policies contain compromised pods, preventing widespread malicious activity. | ||
Additionally, they enhance monitoring and detection of anomalous network activities. | ||
severity: medium | ||
|
||
identifiers: {} | ||
|
||
references: | ||
bsi: APP.4.4.A19 | ||
|
||
ocil_clause: 'Network Policies need to be evaluated if they are appropriate' | ||
|
||
ocil: |- | ||
For each non-default namespace in the cluster, review the configured Network Policies | ||
and ensure that they only allow the necessary network network connections. They should should | ||
precisely define source and target using label selectors and ports. | ||
1. Get a list of existing projects(namespaces), exclude default, kube-*, openshift-* | ||
<pre>$ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name]'</pre> | ||
2. For each of these namespaces, review the network policies: | ||
<pre>$ oc get networkpolicies -n $namespace -o yaml</pre> |
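Review bot: the jq filter in ocil step 1 does not match the step's own wording: the text says to exclude `openshift-*`, but the filter uses `startswith("openshift")`, which also drops any namespace whose name merely begins with "openshift" (the `kube-` check next to it does include the hyphen); suggest `startswith("openshift-")` so both exclusions are consistent. The new text also carries a few typos worth fixing before merge: "approrpriate" in the description, "pod- level" in the rationale, "network network connections. They should should" in the ocil, and "projects(namespaces)" missing a space.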