# ComplianceAsCode rule definition. The prose keys (title, description,
# rationale, ocil) are rendered into the benchmark text; the template block at
# the bottom generates the automated check that reads the cluster's default
# network plugin name and compares it against the rule's pass list.
documentation_complete: true


title: 'Ensure that the CNI in use supports Network Policies'

description: |-
    There are a variety of CNI plugins available for Kubernetes. If the CNI in
    use does not support Network Policies it may not be possible to effectively
    restrict traffic in the cluster. OpenShift supports Kubernetes NetworkPolicy
    using a Kubernetes Container Network Interface (CNI) plug-in.

rationale: |-
    Kubernetes network policies are enforced by the CNI plugin in use. As such
    it is important to ensure that the CNI plugin supports both Ingress and
    Egress network policies.

severity: high

# Cross-references to the frameworks this rule maps to; values are free-form
# identifiers as the benchmark expects them, not parsed by the check.
references:
    cis@ocp4: 5.3.1
    nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
    nist: CM-6,CM-6(1)
    pcidss: Req-1.1.4,Req-1.2,Req-2.2
    srg: SRG-APP-000038-CTR-000105

# Applicability: the rule is excluded on the ocp4-on-hypershift platform.
platform: not ocp4-on-hypershift

ocil_clause: 'Support for Network Policies needs review'

# NOTE(review): the manual check below reads spec.networkType from the
# "network cluster" object, while the automated check (api_path/jqfilter
# below) reads spec.defaultNetwork.type from the operator.openshift.io
# resource. Presumably both report the same plugin name; confirm, so that a
# manual review and the automated result cannot disagree.
ocil: |-
    Verify that your CNI plugin supports NetworkPolicies:
    <pre>$ oc get network cluster -ojsonpath='{.spec.networkType}'</pre>
    The result should list a CNI plugin that supports NetworkPolicies,
    currently the plugins in the rule's pass list are OpenShiftSDN, OVN
    and Calico.

# Inputs for the automated check: the API resource fetched from the cluster
# and the jq filter that reduces it to a one-element list holding the default
# network type.
{{% set api_path = '/apis/operator.openshift.io/v1/networks/cluster' %}}
{{% set jqfilter = '[.spec.defaultNetwork.type]' %}}

# Benchmark warning that appears to describe which cluster setting the check
# fetches and filters (rendered by the macro, indented to fit the block scalar).
warnings:
- general: |-
    {{{ openshift_filtered_cluster_setting({api_path: jqfilter}) | indent(4) }}}

# Automated check: the yamlfile_value template evaluates the filtered API
# response (filepath) against the accepted plugin names in values.
template:
  name: yamlfile_value
  vars:
    ocp_data: "true"  # quoted string rather than a boolean; template convention, verify
    filepath: |-
      {{{ openshift_filtered_path(api_path, jqfilter) }}}
    yamlpath: "[:]"  # every element of the list built by jqfilter; presumably one entry
    check_existence: "any_exist"  # OVAL-style existence check on the selected values; verify semantics
    entity_check: "all"  # every selected value must satisfy the pattern below
    # NOTE(review): "pattern match" is a regular expression and the alternation
    # below is not anchored, so any plugin name that merely contains one of
    # these tokens as a substring also passes. That may be intentional if the
    # reported name is longer than the listed token; confirm the exact strings
    # the cluster reports before tightening the pattern.
    values:
      - value: "OpenShiftSDN|OVN|Calico"
        operation: "pattern match"