Bsi app 4.4 a20to21 #58

Merged
merged 3 commits into from
May 31, 2024
15 changes: 15 additions & 0 deletions applications/openshift/general/kube_descheduler_interval.var
@@ -0,0 +1,15 @@
documentation_complete: true

title: 'Maximum number of seconds between descheduler runs'

description: |-
You can configure the maximum amount of time between descheduler runs in seconds.

type: string

operator: equals

interactive: true

options:
default: "86400"
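Review bot: `type: string` does not fit a value that the lifecycle rule substitutes into a numeric jq comparison (`.spec.deschedulingIntervalSeconds &lt;= {{.kube_descheduler_interval}}`); use `type: number` so a non-numeric selection is rejected before it ends up in the filter. The `description` should also say that the value is an upper bound on `.spec.deschedulingIntervalSeconds` and that the default `"86400"` is the 24-hour limit from APP.4.4.A21, otherwise a profile author has no way to relate the number to the control.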
@@ -0,0 +1,42 @@
documentation_complete: true

title: Ensure that the LifecycleAndUtilization profile for the Kube Descheduler operator is enabled

description: |-
If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly.
No pod should run for more than 24 hours. The availability of the applications in the pod should be ensured.

rationale: |-
If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly.

identifiers: {}

references:
bsi: APP.4.4.A21

severity: medium

ocil_clause: "The LifecycleAndUtilization profile for the Kube Descheduler operator is not enabled"

ocil: |-
Run the following command to edit the KubeDescheduler object:
<pre>$ oc edit kubedeschedulers.operator.openshift.io cluster -n openshift-kube-descheduler-operator </pre>
Make sure the LifecycleAndUtilization profile is listed under .spec.profiles and the correct time between descheduler runs is set under .spec.deschedulingIntervalSeconds

{{% set jqfilter = '[if (any(.spec.profiles[]; . =="LifecycleAndUtilization")) == true and ((.spec.deschedulingIntervalSeconds &lt;= {{.kube_descheduler_interval}}) == true) then true else false end]' %}}

warnings:
- general: |-
{{{ openshift_filtered_cluster_setting({'/apis/operator.openshift.io/v1/namespaces/openshift-kube-descheduler-operator/kubedeschedulers/cluster': jqfilter}) | indent(4) }}}

template:
name: yamlfile_value
vars:
ocp_data: "true"
filepath: {{{ openshift_filtered_path('/apis/operator.openshift.io/v1/namespaces/openshift-kube-descheduler-operator/kubedeschedulers/cluster', jqfilter) }}}
yamlpath: "[:]"
check_existence: "all_exist"
entity_check: "all"
values:
- value: "true"
operation: "equals"
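Review bot: the jq filter on the `{{% set jqfilter ... %}}` line has two problems. `&lt;=` is an HTML entity, not the jq operator; if that is literally what the file contains, jq will reject the expression and it must read `<=` (if only the rendered view is escaping `<`, ignore this). More importantly, when `.spec.deschedulingIntervalSeconds` is unset jq evaluates `null <= 86400` as true (null sorts below numbers), so a KubeDescheduler object that never sets the interval passes the rule although nothing enforces the 24-hour bound; add `.spec.deschedulingIntervalSeconds != null` to the condition, or state in the rationale that the operator default is being relied on. The `if ... == true and ... == true then true else false end` wrapper is redundant and can be written as `[any(.spec.profiles[]; . == "LifecycleAndUtilization") and .spec.deschedulingIntervalSeconds <= {{.kube_descheduler_interval}}]` with the same result. Separately, `rationale` merely repeats the first sentence of `description`; it should say why this particular profile satisfies the control, and the `ocil` text should name the `kube_descheduler_interval` variable rather than "the correct time" so the manual check matches the automated one.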
@@ -0,0 +1,42 @@
documentation_complete: true

title: Ensure that the Kube Descheduler operator is deployed

description: |-
If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly.
No pod should run for more than 24 hours. The availability of the applications in the pod should be ensured.

rationale: |-
If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly.

identifiers: {}

references:
bsi: APP.4.4.A21

severity: medium

ocil_clause: "No CRDs from the Kube Descheduler operator were found"

ocil: |-
Run the following command to retrieve the customresourcedefinitions objects in the system:
<pre>$ oc get crds </pre>
Make sure there is a crd for the Kube Descheduler operator.

{{% set jqfilter = '[.items[] | select(.metadata.name =="kubedeschedulers.operator.openshift.io") | .metadata.name]' %}}

warnings:
- general: |-
{{{ openshift_filtered_cluster_setting({'/apis/apiextensions.k8s.io/v1/customresourcedefinitions?limit=500': jqfilter}) | indent(4) }}}

template:
name: yamlfile_value
vars:
ocp_data: "true"
filepath: {{{ openshift_filtered_path('/apis/apiextensions.k8s.io/v1/customresourcedefinitions?limit=500', jqfilter) }}}
yamlpath: "[:]"
check_existence: "at_least_one_exists"
entity_check: "at least one"
values:
- value: ".*"
operation: "pattern match"
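Review bot: the CRD list query carries `?limit=500`, so on a cluster with more than 500 CRDs the response is a truncated page and `kubedeschedulers.operator.openshift.io` may simply not be among the returned `.items`, producing a false fail; either drop the limit or fetch that CRD by name (`/apis/apiextensions.k8s.io/v1/customresourcedefinitions/kubedeschedulers.operator.openshift.io`) and test for its existence. Also, the presence of the CRD only shows that the operator is installed, not that a KubeDescheduler has been deployed, so the title "is deployed" overstates what the rule checks; either say "installed" or extend the check to the `cluster` object that the lifecycle rule reads. The `ocil` step should name the CRD (`kubedeschedulers.operator.openshift.io`) so the manual check matches the filter, and `rationale` should explain that the operator is the prerequisite for the lifecycle rule instead of repeating the description.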
11 changes: 8 additions & 3 deletions controls/bsi_app_4_4.yml
Expand Up @@ -404,10 +404,15 @@ controls:
levels:
- elevated
description: >-
Pods SHOULD be stopped and restarted regularly if there is an increased risk of external
interference and a very high need for protection. No pod SHOULD run for more than 24
(1) Pods SHOULD be stopped and restarted regularly if there is an increased risk of external
interference and a very high need for protection.
(2) No pod SHOULD run for more than 24
hours. The availability of the applications in a pod SHOULD be ensured.
notes: >-
TBD
status: pending
rules: []
rules:
# Section 1
- kube_descheduler_operator_exists
# Section 2
- kube_descheduler_lifecycle_policy
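Review bot: `status: pending` is left in place although the control now has two rules mapped to its numbered sections; if `kube_descheduler_operator_exists` and `kube_descheduler_lifecycle_policy` are considered to cover sections (1) and (2), the status should become `automated`, and if the availability sentence in section (2) is intentionally out of scope that should be recorded in `notes` instead of the remaining `TBD`. The notes are also the place to state that the 24-hour limit in section (2) maps to the `kube_descheduler_interval` default of 86400 seconds, so a reader of the control file can see where the number comes from.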