1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
<def-group>
{{% set networkpolicies_api_path = '/apis/networking.k8s.io/v1/networkpolicies' %}}
{{% set namespaces_api_path = '/api/v1/namespaces' %}}
{{% set networkpolicies_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique' %}}
{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}}))]' %}}
<definition class="compliance" id="configure_network_policies_namespaces" version="1">
{{{ oval_metadata("Ensure that application Namespaces have Network Policies defined", rule_title=rule_title) }}}
<criteria>
<criterion comment="Make sure that the file '{{{ openshift_filtered_path(networkpolicies_api_path, networkpolicies_for_non_ctlplane_namespaces_filter) }}} exists."
test_ref="test_file_for_configure_network_policies_namespaces"/>
<criterion comment="Make sure that the file '{{{ openshift_filtered_path(namespaces_api_path, non_ctlplane_namespaces_filter) }}}' exists."
test_ref="test_file_for_configure_network_policies_filtered_namespaces"/>
<criteria operator="OR">
<criterion comment="Make sure that all target elements exists for elements at path '.items[:].spec.host'"
test_ref="test_elements_count_for_configure_network_policies_namespaces"/>
<criteria operator="AND">
<criterion comment="Make sure that there are no network policies in non-ctlplane namespaces"
test_ref="test_configure_network_policies_namespaces"/>
<criterion comment="Make sure that there are no namespaces in non-ctlplane namespaces"
test_ref="test_configure_network_policies_filtered_namespaces"/>
</criteria>
</criteria>
</criteria>
</definition>
<!-- OCP object file locations -->
<local_variable id="configure_network_policies_namespaces_file_location" datatype="string"
comment="Path of file containing filtered non-ctlplane namespaces with network policies." version="1">
<concat>
<variable_component var_ref="ocp_data_root"/>
<literal_component>{{{ openshift_filtered_path(networkpolicies_api_path, networkpolicies_for_non_ctlplane_namespaces_filter) }}}</literal_component>
</concat>
</local_variable>
<local_variable id="configure_network_policies_filtered_namespaces_file_location" datatype="string"
comment="Path of file containing filtered non-ctlplane namespaces." version="1">
<concat>
<variable_component var_ref="ocp_data_root"/>
<literal_component>{{{ openshift_filtered_path(namespaces_api_path, non_ctlplane_namespaces_filter) }}}</literal_component>
</concat>
</local_variable>
<!-- File existence checks -->
<unix:file_test id="test_file_for_configure_network_policies_namespaces" check="all" check_existence="only_one_exists"
comment="Find the file to be checked ('{{{ openshift_filtered_path(networkpolicies_api_path, networkpolicies_for_non_ctlplane_namespaces_filter) }}}')." version="1">
<unix:object object_ref="object_file_for_configure_network_policies_namespaces"/>
</unix:file_test>
<unix:file_object id="object_file_for_configure_network_policies_namespaces" version="1">
<unix:filepath var_ref="configure_network_policies_namespaces_file_location"/>
</unix:file_object>
<unix:file_test id="test_file_for_configure_network_policies_filtered_namespaces" check="all" check_existence="only_one_exists"
comment="Find the file to be checked ('{{{ openshift_filtered_path(namespaces_api_path, non_ctlplane_namespaces_filter) }}}')." version="1">
<unix:object object_ref="object_file_for_configure_network_policies_filtered_namespaces"/>
</unix:file_test>
<unix:file_object id="object_file_for_configure_network_policies_filtered_namespaces" version="1">
<unix:filepath var_ref="configure_network_policies_filtered_namespaces_file_location"/>
</unix:file_object>
<!-- Object gathering -->
<ind:yamlfilecontent_object id="object_configure_network_policies_namespaces" version="1">
<ind:filepath var_ref="configure_network_policies_namespaces_file_location"/>
<ind:yamlpath>[:]</ind:yamlpath>
</ind:yamlfilecontent_object>
<local_variable comment="Items counter" datatype="int" id="local_variable_counter_configure_network_policies_namespaces" version="1">
<count>
<object_component object_ref="object_configure_network_policies_namespaces" item_field="value" record_field="#"/>
</count>
</local_variable>
<ind:yamlfilecontent_test id="test_configure_network_policies_namespaces" version="1" check="all" comment="Make sure there are no count for network policies in non-ctlplane namespaces" check_existence="none_exist" state_operator="AND">
<ind:object object_ref="object_configure_network_policies_namespaces"/>
</ind:yamlfilecontent_test>
<ind:yamlfilecontent_object id="object_configure_network_policies_filtered_namespaces" version="1">
<ind:filepath var_ref="configure_network_policies_filtered_namespaces_file_location"/>
<ind:yamlpath>[:].metadata.name</ind:yamlpath>
</ind:yamlfilecontent_object>
<local_variable comment="Items counter control" datatype="int" id="local_variable_counter_configure_network_policies_filtered_namespaces" version="1">
<count>
<object_component object_ref="object_configure_network_policies_filtered_namespaces" item_field="value" record_field="#"/>
</count>
</local_variable>
<ind:yamlfilecontent_test id="test_configure_network_policies_filtered_namespaces" version="1" check="all" comment="Make sure there are no count for namespaces in non-ctlplane namespaces" check_existence="none_exist" state_operator="AND">
<ind:object object_ref="object_configure_network_policies_filtered_namespaces"/>
</ind:yamlfilecontent_test>
<!-- Object counts -->
<ind:variable_test version="1" id="test_elements_count_for_configure_network_policies_namespaces" check="all"
comment="Count elements at both paths and compare">
<ind:object object_ref="object_elements_count_for_configure_network_policies_namespaces"/>
<ind:state state_ref="state_elements_count_for_configure_network_policies_namespaces"/>
</ind:variable_test>
<ind:variable_object id="object_elements_count_for_configure_network_policies_namespaces" version="1">
<ind:var_ref>local_variable_counter_configure_network_policies_namespaces</ind:var_ref>
</ind:variable_object>
<!-- Comparison -->
<!-- This verifies that the filtered namespaces are equal to the namespaces with NetworkPolicies -->
<ind:variable_state id="state_elements_count_for_configure_network_policies_namespaces" version="1">
<ind:value datatype="int" var_ref="local_variable_counter_configure_network_policies_filtered_namespaces"/>
</ind:variable_state>
<!-- OCP data root declaration -->
<external_variable comment="Root of OCP data dump" datatype="string" id="ocp_data_root" version="1" />
</def-group>
|
