Merge pull request #58 from sig-bsi-grundschutz/bsi-app-4.4-a20to21

Bsi app 4.4 a20to21
sig-bsi-grundschutz · May 31, 2024 · a7b055e · a7b055e
2 parents 6ac1d43 + 9814419
commit a7b055e
Show file tree

Hide file tree

Showing 4 changed files with 107 additions and 3 deletions.
diff --git a/applications/openshift/general/kube_descheduler_interval.var b/applications/openshift/general/kube_descheduler_interval.var
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'Maximum number of seconds between descheduler runs'
+
+description: |-
+   You can configure the maximum amount of time between descheduler runs in seconds.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+   default: "86400"
diff --git a/applications/openshift/general/kube_descheduler_lifecycle_policy/rule.yml b/applications/openshift/general/kube_descheduler_lifecycle_policy/rule.yml
@@ -0,0 +1,42 @@
+documentation_complete: true
+
+title: Ensure that the LifecycleAndUtilization profile for the Kube Descheduler operator is enabled
+
+description: |-
+    If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly.
+    No pod should run for more than 24 hours. The availability of the applications in the pod should be ensured.
+
+rationale: |-
+    If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly.
+
+identifiers: {}
+
+references:
+  bsi: APP.4.4.A21
+
+severity: medium
+
+ocil_clause: "The LifecycleAndUtilization profile for the Kube Descheduler operator is not enabled"
+
+ocil: |-
+    Run the following command to edit the KubeDescheduler object:
+    <pre>$ oc edit kubedeschedulers.operator.openshift.io cluster -n openshift-kube-descheduler-operator </pre>
+    Make sure the LifecycleAndUtilization profile is listed under .spec.profiles and the correct time between descheduler runs is set under .spec.deschedulingIntervalSeconds
+
+{{% set jqfilter = '[if (any(.spec.profiles[]; . =="LifecycleAndUtilization")) == true and ((.spec.deschedulingIntervalSeconds &lt;= {{.kube_descheduler_interval}}) == true) then true else false end]' %}}
+
+warnings:
+- general: |-
+    {{{ openshift_filtered_cluster_setting({'/apis/operator.openshift.io/v1/namespaces/openshift-kube-descheduler-operator/kubedeschedulers/cluster': jqfilter}) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: {{{ openshift_filtered_path('/apis/operator.openshift.io/v1/namespaces/openshift-kube-descheduler-operator/kubedeschedulers/cluster', jqfilter) }}}
+    yamlpath: "[:]"
+    check_existence: "all_exist"
+    entity_check: "all"
+    values:
+      - value: "true"
+        operation: "equals"
diff --git a/applications/openshift/general/kube_descheduler_operator_exists/rule.yml b/applications/openshift/general/kube_descheduler_operator_exists/rule.yml
@@ -0,0 +1,42 @@
+documentation_complete: true
+
+title: Ensure that the Kube Descheduler operator is deployed
+
+description: |-
+    If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly.
+    No pod should run for more than 24 hours. The availability of the applications in the pod should be ensured.
+
+rationale: |-
+    If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly.
+
+identifiers: {}
+
+references:
+  bsi: APP.4.4.A21
+
+severity: medium
+
+ocil_clause: "No CRDs from the Kube Descheduler operator were found"
+
+ocil: |-
+    Run the following command to retrieve the customresourcedefinitions objects in the system:
+    <pre>$ oc get crds </pre>
+    Make sure there is a crd for the Kube Descheduler operator.
+
+{{% set jqfilter = '[.items[] | select(.metadata.name =="kubedeschedulers.operator.openshift.io") | .metadata.name]' %}}
+
+warnings:
+- general: |-
+    {{{ openshift_filtered_cluster_setting({'/apis/apiextensions.k8s.io/v1/customresourcedefinitions?limit=500': jqfilter}) | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: {{{ openshift_filtered_path('/apis/apiextensions.k8s.io/v1/customresourcedefinitions?limit=500', jqfilter) }}}
+    yamlpath: "[:]"
+    check_existence: "at_least_one_exists"
+    entity_check: "at least one"
+    values:
+    - value: ".*"
+      operation: "pattern match"
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
@@ -551,10 +551,15 @@ controls:
     levels:
     - elevated
     description: >-
-      Pods SHOULD be stopped and restarted regularly if there is an increased risk of external
-      interference and a very high need for protection. No pod SHOULD run for more than 24
+      (1) Pods SHOULD be stopped and restarted regularly if there is an increased risk of external
+      interference and a very high need for protection.
+      (2) No pod SHOULD run for more than 24
       hours. The availability of the applications in a pod SHOULD be ensured.
     notes: >-
       TBD
     status: pending
-    rules: []
+    rules:
+      # Section 1
+      - kube_descheduler_operator_exists
+      # Section 2
+      - kube_descheduler_lifecycle_policy