From a6af0718d7630d59050142a7abd82422975bb3d4 Mon Sep 17 00:00:00 2001
From: Benjamin Ruland
Date: Mon, 15 Jul 2024 14:09:27 +0200
Subject: [PATCH] Add manual rule for appropriate network policies
---
 .../ocp4/e2e.yml | 2 +
 .../rule.yml | 43 +++++++++++++++++++
 controls/bsi_app_4_4.yml | 2 +
 3 files changed, 47 insertions(+)
 create mode 100644 applications/openshift/networking/configure_appropriate_network_policies/ocp4/e2e.yml
 create mode 100644 applications/openshift/networking/configure_appropriate_network_policies/rule.yml
diff --git a/applications/openshift/networking/configure_appropriate_network_policies/ocp4/e2e.yml b/applications/openshift/networking/configure_appropriate_network_policies/ocp4/e2e.yml
new file mode 100644
index 00000000000..69a7d085eb4
--- /dev/null
+++ b/applications/openshift/networking/configure_appropriate_network_policies/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: MANUAL
diff --git a/applications/openshift/networking/configure_appropriate_network_policies/rule.yml b/applications/openshift/networking/configure_appropriate_network_policies/rule.yml
new file mode 100644
index 00000000000..1d94cb55641
--- /dev/null
+++ b/applications/openshift/networking/configure_appropriate_network_policies/rule.yml
@@ -0,0 +1,43 @@
+documentation_complete: true
+
+title: 'Ensure appropriate Network Policies are configured'
+
+description: |-
+ Configure Network Policies in any application namespace in an approrpriate way, so that
+ only the required communications are allowed. The Network Policies should precisely define
+ source and target using label selectors and ports.
+
+rationale: |-
+ By default, all pod to pod traffic within a cluster is allowed. Network
+ Policy creates a pod- level firewall that can be used to restrict traffic
+ between sources. Pod traffic is restricted by having a Network Policy that
+ selects it (through the use of labels). Once there is any Network Policy in a
+ namespace selecting a particular pod, that pod will reject any connections
+ that are not allowed by any Network Policy. Other pods in the namespace that
+ are not selected by any Network Policy will continue to accept all traffic.
+
+ Implementing Kubernetes Network Policies with minimal allowed communication enhances security
+ by reducing entry points and limiting attacker movement within the cluster. It ensures pods and
+ services communicate only with necessary entities, reducing unauthorized access risks. In case
+ of a breach, these policies contain compromised pods, preventing widespread malicious activity.
+ Additionally, they enhance monitoring and detection of anomalous network activities.
+
+severity: medium
+
+identifiers: {}
+
+references:
+ bsi: APP.4.4.A19
+
+ocil_clause: 'Network Policies need to be evaluated if they are appropriate'
+
+ocil: |-
+ For each non-default namespace in the cluster, review the configured Network Policies
+ and ensure that they only allow the necessary network network connections. They should should
+ precisely define source and target using label selectors and ports.
+
+ 1. Get a list of existing projects(namespaces), exclude default, kube-*, openshift-*
+ $ oc get namespaces -ojson | jq -r '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name]'
+
+ 2. For each of these namespaces, review the network policies:
+ $ oc get networkpolicies -n $namespace -o yaml
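Review bot: The `bsi: APP.4.4.A19` line under `references:` looks inconsistent with the controls/bsi_app_4_4.yml hunk, which lists `configure_appropriate_network_policies` under the control entry preceding `APP.4.4.A19` (that entry's id is outside the hunk) while the visible A19 context line is titled "High Availability of Kubernetes"; since this rule is about network policies, one of the two placements should be corrected so the reference and the control mapping agree. Step 2 of the ocil should also state what an empty `oc get networkpolicies` result means, because the rationale itself says unselected pods accept all traffic, e.g. `If a namespace has no Network Policy at all, all traffic is allowed and the namespace does not satisfy this rule.`. The jq filter in step 1 uses `startswith("openshift")` whereas the text says `openshift-*`; `startswith("openshift-")` matches the stated scope and avoids silently skipping a user namespace whose name merely begins with "openshift". Wording fixes on the new side: `approrpriate` → `appropriate`, `pod- level` → `pod-level`, `network network connections` → `network connections`, `should should` → `should`.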
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
index 2281036e363..69697d3a931 100644
--- a/controls/bsi_app_4_4.yml
+++ b/controls/bsi_app_4_4.yml
@@ -510,6 +510,8 @@ controls:
 # Section 1-2
 - configure_network_policies_namespaces
 - project_config_and_template_network_policy
+ # Section 3
+ - configure_appropriate_network_policies
 - id: APP.4.4.A19
 title: High Availability of Kubernetes