From aeb1768fdbb7cabc9c7a953958ae33bf35d11cd5 Mon Sep 17 00:00:00 2001
From: lichtblaugue
Date: Tue, 8 Oct 2024 15:25:37 +0200
Subject: [PATCH 1/3] First Version for BSI SYS.1.6.A15
---
 controls/bsi_sys_1_6.yml | 32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)
diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml
index 01a4fda1616..e5db7b6351f 100644
--- a/controls/bsi_sys_1_6.yml
+++ b/controls/bsi_sys_1_6.yml
@@ -401,13 +401,35 @@ controls: levels: - standard description: >- - Resources on the host system such as CPU, volatile and persistent memory, and network - bandwidth SHOULD be appropriately reserved and limited for each container. How the + (1) Resources on the host system such as CPU, volatile and persistent memory, and network + bandwidth SHOULD be appropriately reserved and limited for each container. (2) How the system should react if these limits are exceeded SHOULD be defined and documented. notes: >- - ToDo - status: manual - #rules: + Section 1: OpenShift supports the configuration of quotas for a project (client). + Applications can have their resources appropriately limited using limits/requests. + Network bandwidth is limited at the pod level and can be determined separately according + to incoming and outgoing network bandwidth. In addition, outgoing traffic (egress) can be + marked at the namespace level with differentiated services code point (DSCP) classifications + in order to assign quality of service classes to the outgoing packets in the physical network. + + Section 2: This requirement must be implemented organizationally. + Note: The behavior of OpenShift completely replicates the standard behavior of Kubernetes. + If CPU limits are exceeded, the process is slowed down. If volatile memory is exceeded, + the process is stopped and restarted by the scheduler. The persistent memory management + is responsible for exceeding the persistent memory - OpenShift will not enforce or limit + anything here. Compliance with the limited network bandwidth is enforced by dropping + packets that exceed the limit. 
+ status: automated + rules: + # Section 1 + - project_config_and_template_resource_quota + - project_template_resource_quota + - resource_requests_limits_in_daemonset + - resource_requests_limits_in_deployment + - resource_requests_limits_in_statefulset + - resource_requests_quota + - resource_requests_quota_cluster + - resource_requests_quota_per_project - id: SYS.1.6.A16 title: Administrative Remote Access to Containers From 7b4f8b66d6c4dbbf8f44038b3fc947e82793d965 Mon Sep 17 00:00:00 2001 From: lichtblaugue Date: Thu, 17 Oct 2024 13:21:20 +0200 Subject: [PATCH 2/3] Adding manual rule configure_network_bandwidth --- .../configure_network_bandwidth/rule.yml | 38 +++++++++++++++++++ controls/bsi_sys_1_6.yml | 2 +- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 applications/openshift/networking/configure_network_bandwidth/rule.yml diff --git a/applications/openshift/networking/configure_network_bandwidth/rule.yml b/applications/openshift/networking/configure_network_bandwidth/rule.yml new file mode 100644 index 00000000000..a19f8e3a24f --- /dev/null +++ b/applications/openshift/networking/configure_network_bandwidth/rule.yml @@ -0,0 +1,38 @@ +documentation_complete: true + +title: 'Limiting Network Bandwidth in Pods' + +description: |- + Network bandwidth, SHOULD be appropriately reserved and limited. + +rationale: |- + Network bandwidth is limited at the pod level and can be determined separately according + to incoming and outgoing network bandwidth. + For more information about limiting Pod bandwidth on OCP 4 please refer to the Red Hat documentation: + {{{ weblink(link="https://access.redhat.com/solutions/5018951") }}} + + Out of the documetation use the example for the network bandwidth configuration of a pod: +
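Review bot: `status: automated` overstates what this control covers: the notes added in the same hunk state `Section 2: This requirement must be implemented organizationally.`, and no rule can evaluate an organizational requirement, so an assessor reading the generated profile would assume full automated coverage of SYS.1.6.A15. `status: partial` is the status value that matches a control with an organizational component, and a `# Section 2: organizational, no rule` comment under the rule list would keep the gap visible next to the `# Section 1` group. The second patch's hunk at `@@ -430,6 +429,7 @@` appends a rule described in its commit subject as manual to this same list without revisiting the status, so the point applies there too. The sentence `The persistent memory management is responsible for exceeding the persistent memory - OpenShift will not enforce or limit anything here.` reads as a known gap; if the project quota rules listed above already cover storage requests the note should say so, otherwise it should be phrased as residual risk rather than as a statement of fact.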
+    kind: Pod
+    apiVersion: v1
+    metadata:
+      name: hello-openshift
+      annotations:
+        kubernetes.io/ingress-bandwidth: 2M
+        kubernetes.io/egress-bandwidth: 1M
+    spec:
+        containers:
+          - image: openshift/hello-openshift
+            name: hello-openshift
+    
+ +severity: unknown + +identifiers: + +references: + +ocil_clause: 'Limiting Pod bandwidth on OCP 4' + +ocil: |- + Extend pod configuration with bandwidth annotations. diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml index e5db7b6351f..4fcddeba294 100644 --- a/controls/bsi_sys_1_6.yml +++ b/controls/bsi_sys_1_6.yml @@ -411,7 +411,6 @@ controls: to incoming and outgoing network bandwidth. In addition, outgoing traffic (egress) can be marked at the namespace level with differentiated services code point (DSCP) classifications in order to assign quality of service classes to the outgoing packets in the physical network. - Section 2: This requirement must be implemented organizationally. Note: The behavior of OpenShift completely replicates the standard behavior of Kubernetes. If CPU limits are exceeded, the process is slowed down. If volatile memory is exceeded, @@ -430,6 +429,7 @@ controls: - resource_requests_quota - resource_requests_quota_cluster - resource_requests_quota_per_project + - configure_network_bandwidth - id: SYS.1.6.A16 title: Administrative Remote Access to Containers From 22df150d79c90f2fdf737b22d8be82ca899e6a3e Mon Sep 17 00:00:00 2001 From: lichtblaugue Date: Wed, 6 Nov 2024 14:39:56 +0100 Subject: [PATCH 3/3] Adding suggested changes to SYS.1.6.A15 --- .../configure_network_bandwidth/rule.yml | 19 ++++++++++--------- shared/references/cce-redhat-avail.txt | 1 - 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/applications/openshift/networking/configure_network_bandwidth/rule.yml b/applications/openshift/networking/configure_network_bandwidth/rule.yml index a19f8e3a24f..351bcc3032b 100644 --- a/applications/openshift/networking/configure_network_bandwidth/rule.yml +++ b/applications/openshift/networking/configure_network_bandwidth/rule.yml 
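Review bot: `severity: unknown` is left on the new rule through all three patches, although the rule backs a `standard`-level BSI control and the rationale added in the third patch describes a bandwidth-exhaustion (denial-of-service) risk; `severity: medium` would be a defensible value, and if `unknown` is deliberate the reason belongs in the rule. The description `Network bandwidth, SHOULD be appropriately reserved and limited.` has a stray comma, and `Out of the documetation use the example` misspells documentation (the line survives unchanged into the third patch). One sentence the rule should carry: the `kubernetes.io/ingress-bandwidth` and `kubernetes.io/egress-bandwidth` annotations only take effect where the cluster's network plugin implements them, so finding the annotations on a pod does not by itself prove enforcement — as far as I know the OpenShift network plugins honor them, but the text should tell the reviewer to confirm this for the cluster in use. The example also mixes indentation steps (`spec:` at four spaces, `containers:` at eight, `- image:` at ten); indenting `containers:` two spaces under `spec:` keeps the snippet consistent with the rest of the example.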
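Review bot: The single removed line in `@@ -411,7 +411,6 @@` cannot be told apart on this rendering — it is either the blank separator before `Section 2:` or the sentence `Section 2: This requirement must be implemented organizationally.` itself. If it is the separator, the `>-` folded scalar now joins Section 1 and Section 2 into one paragraph, and the blank line should be kept (a blank line is the only way to get a line break inside a folded scalar). If it is the sentence, the notes no longer say that part (2) of the requirement is organizational, while the `Note:` paragraph that follows only describes runtime behaviour; a short statement such as `Section 2: The behavior described below is inherent to Kubernetes; defining and documenting the expected reaction remains an organizational task.` would preserve that information for the assessor.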
@@ -5,11 +5,11 @@ title: 'Limiting Network Bandwidth in Pods'
 description: |-
 Network bandwidth, SHOULD be appropriately reserved and limited.
 
-rationale: |-
+ocil: |-
 Network bandwidth is limited at the pod level and can be determined separately according
 to incoming and outgoing network bandwidth.
- For more information about limiting Pod bandwidth on OCP 4 please refer to the Red Hat documentation:
- {{{ weblink(link="https://access.redhat.com/solutions/5018951") }}}
+ For more information about limiting network bandwidth on the pod level please refer to the Red Hat documentation:
+ {{{ weblink(link="https://docs.openshift.com/container-platform/4.17/nodes/pods/nodes-pods-configuring.html#nodes-pods-configuring-bandwidth_nodes-pods-configuring") }}}
 
 Out of the documetation use the example for the network bandwidth configuration of a pod:
 
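Review bot: After the rename, `ocil: |-` holds explanatory text (`Network bandwidth is limited at the pod level ...`) and a documentation link but no verification step, so an auditor following the OCIL has nothing concrete to check. A check instruction should come first, e.g. `Verify that every pod that requires a limit carries both bandwidth annotations:` followed by `oc get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.metadata.annotations.kubernetes\.io/ingress-bandwidth} {.metadata.annotations.kubernetes\.io/egress-bandwidth}{"\n"}{end}'`, with the current prose kept below as background. The unchanged context line `Out of the documetation use the example` still misspells documentation and could be fixed in this commit. The new link pins `container-platform/4.17`; a version-pinned URL goes stale with each release, so if the project's other rules link the `latest` path this one should follow.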
@@ -29,10 +29,11 @@ rationale: |-
 severity: unknown
 
 identifiers:
-  
-references:
-  
-ocil_clause: 'Limiting Pod bandwidth on OCP 4'
+    cce@ocp4: CCE-87610-2
+   
+ocil_clause: 'Limiting Pod network bandwidth on OCP 4'
 
-ocil: |-
-    Extend pod configuration with bandwidth annotations.
+rationale: |-
+    Extend pod configuration with network bandwidth annotations to prevent
+    a bad actor or a malfunction in the pod to consume all the bandwidth in the cluster.
+    A network bandwidth limitation on the pod level can mitigate the bearing onto the cluster.
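Review bot: `ocil_clause: 'Limiting Pod network bandwidth on OCP 4'` is a title rather than a clause; the clause is spliced into the generated question `Is it the case that <clause>?`, so it should name the failing condition, e.g. `ocil_clause: 'pods are not limited by network bandwidth annotations'`. The line added after `cce@ocp4: CCE-87610-2` consists only of spaces (trailing whitespace that yamllint will flag) and should be an empty line. The new rationale would read better as `to prevent a bad actor or a malfunction in the pod from consuming all the bandwidth in the cluster` and `can limit the impact on the cluster` instead of `mitigate the bearing onto the cluster`. Dropping the `references:` key is only safe if the BSI reference reaches the rule through the control file; if the other ocp4 rules keep an explicit `references:` mapping, this one should keep it as well.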
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 33debb230d4..e3d2ddd1de8 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -640,7 +640,6 @@ CCE-87595-5
 CCE-87597-1
 CCE-87600-3
 CCE-87603-7
-CCE-87610-2
 CCE-87611-0
 CCE-87612-8
 CCE-87613-6