@@ -3,8 +3,35 @@ title: Ensure that all Routes has rate limit enabled
33
44description : |-
55 OpenShift has an option to set the rate limit for Routes [1] when creating new Routes.
6- All routes outside the openshift namespaces and the kube namespaces should use the
7- rate-limiting annotations.
6+ All routes outside the excluded namespaces (as defined by the variable
7+ <tt>var-routes-excluded-namespaces-regex</tt>) should use the rate-limiting annotations.
8+
9+ In case additional namespaces need to be excluded from this check (e.g., operator-managed
10+ namespaces where direct route modifications are not recommended), create a
11+ <tt>TailoredProfile</tt> and add the additional namespaces to the regular expression
12+ in the variable <tt>var-routes-excluded-namespaces-regex</tt>.
13+ An example allowing additional namespaces follows:
14+ </p>
15+ <pre>
16+ apiVersion: compliance.openshift.io/v1alpha1
17+ kind: TailoredProfile
18+ metadata:
19+ name: custom-routes-rate-limit
20+ spec:
21+ description: Custom routes rate limit with additional excluded namespaces
22+ setValues:
23+ - name: ocp4-var-routes-excluded-namespaces-regex
24+ rationale: Exclude additional operator-managed namespaces
25+ value: ^istio-system$|^grafana$|^my-custom-namespace$
26+ extends: ocp4-cis
27+ title: Modified CIS with custom route exclusions
28+ </pre>
29+ <p>
30+ Finally, reference this <tt>TailoredProfile</tt> in a <tt>ScanSettingBinding</tt>.
31+ For more information on Tailoring the Compliance Operator, please consult the
32+ OpenShift documentation:
33+ {{{ weblink(link="https://docs.openshift.com/container-platform/latest/security/compliance_operator/co-scans/compliance-operator-tailor.html") }}}
34+ </p>
835
936 [1] https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
1037
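Review bot: the TailoredProfile example at lines 23-25 of the hunk sets the variable to `^istio-system$|^grafana$|^my-custom-namespace$`, which replaces the variable's value rather than extending it, so a profile built from this example would stop excluding the kube and openshift namespaces that the removed lines 6-7 (and presumably the variable's default) excluded, and routes there would start failing the rule. Either prefix the example value with the default pattern for those namespaces, or state in the surrounding text (lines 9-13) that `setValues` overrides the whole regular expression and that the default exclusions must be repeated. Two smaller points: the `</p>` at hunk line 14 has no matching `<p>` (the description opens directly with "OpenShift has an option"), so either open the first paragraph with `<p>` or drop that closing tag; and the new `weblink` points at the `latest` docs while reference [1] on the unchanged line below still pins 4.9, which is worth aligning while this text is being touched.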
@@ -19,14 +46,22 @@ references:
1946 nist : SC-5,SC-5(1),SC-5(2)
2047 srg : SRG-APP-000246-CTR-000605,SRG-APP-000435-CTR-001070
2148
22- {{% set jqfilter = '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift- ") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]' %}}
49+ {{% set jqfilter = '[.items[] | select(.metadata.namespace | test("{{.var_routes_excluded_namespaces_regex}}"; " ") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]' %}}
2350
24- ocil_clause : ' Rate limit is not enabled for all routes outside the openshift namespaces'
51+ ocil_clause : ' Rate limit is not enabled for all routes outside the excluded namespaces'
2552
2653ocil : |-
27- Run the following command to retrieve a list routes that does not have rate limit enabled:
28- <pre>$ oc get routes --all-namespaces -o json | jq '{{{ jqfilter }}}'</pre>
29- Make sure that there is output nothing in the result.
54+ This rule checks routes that do not have rate limiting enabled and fails if there are
55+ routes outside the excluded namespaces (as defined by the variable
56+ <tt>ocp4-var-routes-excluded-namespaces-regex</tt>) without rate limiting annotations.
57+ To debug the rule, check the variable value, e.g:
58+ <pre>$ oc get variable ocp4-var-routes-excluded-namespaces-regex -ojsonpath='{.value}' -n openshift-compliance</pre>
59+ Then use following command to list the routes that would fail the test:
60+ <tt>{{{ ocil_oc_pipe_jq_filter('routes', jqfilter) }}}</tt>
61+ Please replace the regular expression in the test command with the value read from the variable
62+ <pre>ocp4-var-routes-excluded-namespaces-regex</pre>. You can read the variable
63+ value with:
64+ <pre>$ oc get variable ocp4-var-routes-excluded-namespaces-regex -ojsonpath='{.value}' -n openshift-compliance</pre>
3065
3166severity : medium
3267
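Review bot: the new `jqfilter` at hunk line 49 interpolates `{{.var_routes_excluded_namespaces_regex}}` unescaped into a double-quoted jq string literal, so a variable value containing `"` or a backslash (for example `\.` to escape a dot) produces an invalid jq string and the check errors rather than evaluating; either document that the value must stay free of those characters (the ocil text at lines 54-56 is the place) or escape the value before substitution. In the same line, the second argument to `test` reads as `" "`; jq only accepts its defined modifier characters there, so this should be `""` or the argument should be dropped (`test("...")`). In the ocil block, the `oc get variable ... -ojsonpath='{.value}'` command appears twice (lines 58 and 64) with the same explanatory sentence, so one copy can go, and line 62 wraps the inline variable name in `<pre>` where the rest of the text uses `<tt>` for inline names.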