@@ -3,10 +3,10 @@ title: Ensure that all Routes has rate limit enabled
33
44description : |-
55 OpenShift has an option to set the rate limit for Routes [1] when creating new Routes.
6- All routes outside the openshift namespaces and the kube namespaces should use the
7- rate-limiting annotations.
6+ All routes outside the excluded namespaces (as defined by the variable
7+ <tt>ocp4-var-routes-excluded-namespaces-regex</tt>) should use the rate-limiting annotations.
88
9- [1] https://docs.openshift.com/container-platform/4.9 /networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
9+ [1] https://docs.openshift.com/container-platform/latest /networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
1010
1111rationale : |-
1212 The usage of rate limit for Routes provides basic protection against distributed denial-of-service (DDoS) attacks.
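Review bot: the new description on the `+` lines says that all routes outside the excluded namespaces (the `ocp4-var-routes-excluded-namespaces-regex` variable) must carry the rate-limiting annotations, but the `jqfilter` in the next hunk still unconditionally drops every namespace starting with `kube-` or `openshift-` before the regex is applied, so no value of the variable can bring those namespaces into scope; the description should say so explicitly, e.g. "Routes in the kube-* and openshift-* namespaces are always excluded; additional namespaces can be excluded via the variable …", otherwise an operator reading only the description will expect the regex to be the sole exclusion. Minor: the rule title visible in the hunk header reads "all Routes has rate limit enabled" and should be "all Routes have rate limiting enabled".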
@@ -19,14 +19,17 @@ references:
1919 nist : SC-5,SC-5(1),SC-5(2)
2020 srg : SRG-APP-000246-CTR-000605,SRG-APP-000435-CTR-001070
2121
22- {{% set jqfilter = '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]' %}}
22+ {{% set jqfilter = '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace | test("{{.var_routes_excluded_namespaces_regex}}"; "") | not) | select(.metadata. annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]' %}}
2323
24- ocil_clause : ' Rate limit is not enabled for all routes outside the openshift namespaces'
24+ ocil_clause : ' Rate limit is not enabled for all routes outside the excluded namespaces'
2525
2626ocil : |-
27- Run the following command to retrieve a list routes that does not have rate limit enabled:
28- <pre>$ oc get routes --all-namespaces -o json | jq '{{{ jqfilter }}}'</pre>
29- Make sure that there is output nothing in the result.
27+ This rule checks routes that do not have rate limiting enabled and fails if there are
28+ routes outside the excluded namespaces (as defined by the variable
29+ <tt>ocp4-var-routes-excluded-namespaces-regex</tt>) without rate limiting annotations.
30+ Use following command to list the routes that would fail the test:
31+ <tt>{{{ ocil_oc_pipe_jq_filter('routes', jqfilter) }}}</tt>
32+
3033
3134severity : medium
3235
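Review bot: on the new `jqfilter` line the variable is expanded verbatim inside a jq string literal, `test("{{.var_routes_excluded_namespaces_regex}}"; "")`, so a value containing a double quote, a backslash or an invalid regular expression turns into a jq parse or runtime error instead of a clean pass/fail result; either document the permitted format of the variable (a plain regex with no quoting) or escape it before interpolation. The same line also shows `.metadata. annotations["haproxy.router.openshift.io/rate-limit-connections"]` with a space after the dot; if that space is really in the file rather than a rendering artifact, confirm jq accepts it, since the old line had `.metadata.annotations[...]`. In the `ocil` block, the previous `<pre>` wrapper around the command was replaced by `<tt>` around `{{{ ocil_oc_pipe_jq_filter('routes', jqfilter) }}}`; check that the macro does not already emit its own block markup, fix "Use following command" to "Use the following command", and drop the stray empty `+` line left at the end of the block.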