forked from ComplianceAsCode/content
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
ermeratos
committed
Apr 25, 2024
1 parent
18c11e4
commit 702245f
Showing
3 changed files
with
94 additions
and
3 deletions.
There are no files selected for viewing
44 changes: 44 additions & 0 deletions
44
applications/openshift/general/kube_descheduler_lifecycle_policy/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: Ensure that the LifecycleAndUtilization profile for the Kube Descheduler operator is enabled | ||
|
|
||
| description: |- | ||
| If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly. | ||
| No pod should run for more than 24 hours. The availability of the applications in the pod should be ensured. | ||
| rationale: |- | ||
| If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly. | ||
| identifiers: {} | ||
|
|
||
| references: | ||
| bsi: APP.4.4.A21 | ||
|
|
||
| severity: medium | ||
|
|
||
| ocil_clause: "The LifecycleAndUtilization profile for the Kube Descheduler operator is not enabled" | ||
|
|
||
| ocil: |- | ||
| Run the following command to edit the KubeDescheduler object: | ||
| <pre>$ oc edit kubedeschedulers.operator.openshift.io cluster -n openshift-kube-descheduler-operator </pre> | ||
| Make sure the LifecycleAndUtilization profile is listed under .spec.profiles | ||
| {{% set jqfilter = '[.spec.profiles[] | if match("LifecycleAndUtilization") !=null then true else false end]' %}} | ||
|
|
||
| warnings: | ||
| - general: |- | ||
| {{{ openshift_filtered_cluster_setting({'/apis/operator.openshift.io/v1/namespaces/openshift-kube-descheduler-operator/kubedeschedulers/cluster': jqfilter}) | indent(4) }}} | ||
| template: | ||
| name: yamlfile_value | ||
| vars: | ||
| ocp_data: "true" | ||
| filepath: {{{ openshift_filtered_path('/apis/operator.openshift.io/v1/namespaces/openshift-kube-descheduler-operator/kubedeschedulers/cluster', jqfilter) }}} | ||
| yamlpath: "[:]" | ||
| check_existence: "at_least_one_exists" | ||
| entity_check: "at least one" | ||
| values: | ||
| - value: "true" | ||
| operation: "equals" | ||
|
|
||
| #this needs to be fixed |
42 changes: 42 additions & 0 deletions
42
applications/openshift/general/kube_descheduler_operator_exists/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: Ensure that the Kube Descheduler operator is deployed | ||
|
|
||
| description: |- | ||
| If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly. | ||
| No pod should run for more than 24 hours. The availability of the applications in the pod should be ensured. | ||
| rationale: |- | ||
| If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly. | ||
| identifiers: {} | ||
|
|
||
| references: | ||
| bsi: APP.4.4.A21 | ||
|
|
||
| severity: medium | ||
|
|
||
| ocil_clause: "No CRDs from the Kube Descheduler operator were found" | ||
|
|
||
| ocil: |- | ||
| Run the following command to retrieve the customresourcedefinitions objects in the system: | ||
| <pre>$ oc get crds </pre> | ||
| Make sure there is a crd for the Kube Descheduler operator. | ||
| {{% set jqfilter = '[.items[] | select(.metadata.name =="kubedeschedulers.operator.openshift.io") | .metadata.name]' %}} | ||
|
|
||
| warnings: | ||
| - general: |- | ||
| {{{ openshift_filtered_cluster_setting({'/apis/apiextensions.k8s.io/v1/customresourcedefinitions?limit=500': jqfilter}) | indent(4) }}} | ||
| template: | ||
| name: yamlfile_value | ||
| vars: | ||
| ocp_data: "true" | ||
| filepath: {{{ openshift_filtered_path('/apis/apiextensions.k8s.io/v1/customresourcedefinitions?limit=500', jqfilter) }}} | ||
| yamlpath: "[:]" | ||
| check_existence: "at_least_one_exists" | ||
| entity_check: "at least one" | ||
| values: | ||
| - value: ".*" | ||
| operation: "pattern match" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters