From 6089f758fb68c9469cf0ddf1aba0da44a74fb4d3 Mon Sep 17 00:00:00 2001
From: Vincent Shen
Date: Mon, 6 May 2024 20:07:18 -0700
Subject: [PATCH] CMP-2543: Implement whitelist for configure-network-policies-namespaces

Added a new varible var_network_policies_namespaces_whitelist_regex, and updated the rule configure_network_policies_namespaces so user is able to excude namespaces by setting this variable to the regex of namespace they want to exclude for this rule
---
 .../oval/shared.xml | 4 ++--
 .../rule.yml | 7 +++----
 ...ork_policies_namespaces_whitelist_regex.var | 18 ++++++++++++++++++
 3 files changed, 23 insertions(+), 6 deletions(-)
 create mode 100644 applications/openshift/networking/var_network_policies_namespaces_whitelist_regex.var

diff --git a/applications/openshift/networking/configure_network_policies_namespaces/oval/shared.xml b/applications/openshift/networking/configure_network_policies_namespaces/oval/shared.xml
index f6762c66ccfc..4ee6fc77114e 100644
--- a/applications/openshift/networking/configure_network_policies_namespaces/oval/shared.xml
+++ b/applications/openshift/networking/configure_network_policies_namespaces/oval/shared.xml
@@ -1,8 +1,8 @@
 {{% set networkpolicies_api_path = '/apis/networking.k8s.io/v1/networkpolicies' %}}
 {{% set namespaces_api_path = '/api/v1/namespaces' %}}
-{{% set networkpolicies_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique' %}}
-{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]' %}}
+{{% set networkpolicies_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_whitelist_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_whitelist_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique' %}}
+{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_whitelist_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_whitelist_regex}}") | not{{else}}true{{end}}))]' %}}
 {{{ oval_metadata("Ensure that application Namespaces have Network Policies defined") }}}
diff --git a/applications/openshift/networking/configure_network_policies_namespaces/rule.yml b/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
index c442dc51d161..07af09a44ec2 100644
--- a/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
+++ b/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
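Review bot: On both `+` lines the tailoring value is spliced verbatim into a jq string literal, `test("{{.var_network_policies_namespaces_whitelist_regex}}")`, so a regex containing `"` or a backslash escape such as `\.` or `\d` produces an invalid jq filter rather than a literal match, and because jq's `test()` searches for the pattern anywhere in the string, an unanchored value such as `namespace1` also exempts `namespace10` or `my-namespace1`. Anchoring in the template, `.metadata.namespace | test("^({{.var_network_policies_namespaces_whitelist_regex}})$") | not`, removes the over-matching; the quoting problem needs either validation of the variable's characters or an escaped form of the value, and I could not confirm from the hunk whether the operator-side templating offers one. Every namespace matching the expression silently drops out of the check, so surfacing the configured regex in the rule's warnings or OCIL text would keep the exemption visible in scan results. The three filters in the rule.yml hunk have the same issues.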
@@ -26,15 +26,14 @@ references:
 {{% set networkpolicies_api_path = '/apis/networking.k8s.io/v1/networkpolicies' %}}
 {{% set namespaces_api_path = '/api/v1/namespaces' %}}
-{{% set networkpolicies_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique' %}}
-{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]' %}}
-
+{{% set networkpolicies_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_whitelist_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_whitelist_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique' %}}
+{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_whitelist_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_whitelist_regex}}") | not{{else}}true{{end}}))]' %}}
 platform: not ocp4-on-hypershift
 ocil_clause: 'Namespaced Network Policies needs review'
 # same as above except filters the names only.
Used in OCIL only, not in the 'warnings attribute'
-{{% set non_ctlplane_namespaces_filter_names = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]' %}}
+{{% set non_ctlplane_namespaces_filter_names = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_whitelist_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_whitelist_regex}}") | not{{else}}true{{end}})) | .metadata.name ]' %}}
 ocil: |-
 Verify that the every non-control plane namespace has an appropriate
diff --git a/applications/openshift/networking/var_network_policies_namespaces_whitelist_regex.var b/applications/openshift/networking/var_network_policies_namespaces_whitelist_regex.var
new file mode 100644
index 000000000000..84b1c8827e43
--- /dev/null
+++ b/applications/openshift/networking/var_network_policies_namespaces_whitelist_regex.var
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Whitelist Namespaces for Network Policies'
+
+description: |-
+ Namespaces regular expression explicitly allowed
+ through network policy filters, e.g. setting value to
+ "namespace1|namespace2" will whitelist namespace
+ "namespace1" and "namespace2" for network policies checks.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: "None"
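Review bot: The Go-template exemption clause is copy-pasted into three filter strings in this hunk (and once more in oval/shared.xml), differing only in `.metadata.name` versus `.metadata.namespace`, so a later fix to the clause has four places to miss; a Jinja macro, or a `{{% set ... %}}` variable holding the clause and spliced into each filter with `~`, would keep them in step. The OCIL procedure that begins at `ocil: |-` continues past the hunk; if it does not already say that namespaces matching the whitelist regex are skipped, a sentence to that effect next to `Verify that the every non-control plane namespace…` would keep the manual check aligned with the automated one.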
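Review bot: The description says matching namespaces are "explicitly allowed through network policy filters", which a reader will take as the opposite of what the rule does: namespaces matching the regex are removed from the set that must carry a NetworkPolicy, i.e. exempted from the check. A description such as `Regular expression of namespace names to exempt from the network policy check; matching namespaces are not required to have a NetworkPolicy, e.g. "^(namespace1|namespace2)$".` states the consequence plainly. It should also tell the user that the value is inserted verbatim into a jq `test()` call, so it matches as a substring unless anchored and must not contain `"` or unescaped backslashes; `type: string` with `operator: equals` applies no validation of its own, and the `"None"` default is a sentinel that the rule templates compare against literally.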