
Conversation

@Vincent056 (Contributor)

Add a variable for excluded namespaces in the routes rate limit check

Introduce a new variable 'var_routes_excluded_namespaces_regex' to define namespaces that should be excluded from the routes rate limit compliance check.

@jan-cerny jan-cerny added the OpenShift OpenShift product related. label Oct 16, 2025
@Vincent056 Vincent056 changed the title CMP-3589: Add variable for excluded namespaces CMP-3589: Add variable for routes rate limit Oct 16, 2025
…heck

Introduce a new variable 'var_routes_excluded_namespaces_regex' to define namespaces that should be excluded from the routes rate limit compliance check.
@Vincent056 (Contributor, author)

Tested with:

apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: custom-security-checks
  namespace: openshift-compliance
spec:
  description: Test variable
  enableRules:
    - kind: Rule
      name: upstream-ocp4-routes-rate-limit   
      rationale: test
  setValues:
    - name: upstream-ocp4-var-routes-excluded-namespaces-regex
      rationale: test
      value: "^*"
  title: test
---
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cel-ssb
  namespace: openshift-compliance
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    name: custom-security-checks
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default

…refine jqfilter in rate limit rule

Change the default value of 'var_network_policies_namespaces_exempt_regex' to match namespaces starting with 'kube-' or 'openshift-'. Additionally, modify the jqfilter in 'rule.yml' to utilize the updated regex for improved namespace exclusion in rate limit checks.
routes outside the excluded namespaces (as defined by the variable
<tt>ocp4-var-routes-excluded-namespaces-regex</tt>) without rate limiting annotations.
Use following command to list the routes that would fail the test:
<tt>{{{ ocil_oc_pipe_jq_filter('routes', jqfilter) }}}</tt>
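Review bot: the listed command passes only `'routes'` to `ocil_oc_pipe_jq_filter`, so the rendered `oc get routes -o json` is scoped to the caller's current project and will not list routes in other namespaces, while the rule itself evaluates routes cluster-wide; this is why the instructions can print `[]` even when the rule fails. Suggest `<tt>{{{ ocil_oc_pipe_jq_filter('routes --all-namespaces', jqfilter) }}}</tt>` so the instructions list the same routes the check fails on.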
Collaborator


Maybe use {{{ ocil_oc_pipe_jq_filter('routes --all-namespaces', jqfilter) }}}?
Currently, the command in the instructions will always return [].
```
% oc get ccr upstream-ocp4-stig-routes-rate-limit -o=jsonpath={.instructions}
This rule checks routes that do not have rate limiting enabled and fails if there are
routes outside the excluded namespaces (as defined by the variable
ocp4-var-routes-excluded-namespaces-regex) without rate limiting annotations.
Use following command to list the routes that would fail the test:
$ oc get routes -o json | jq '[.items[] | select(.metadata.namespace | test("^kube-.|openshift-."; "") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]'
Is it the case that Rate limit is not enabled for all routes outside the excluded namespaces?%

% oc get routes -o json | jq '[.items[] | select(.metadata.namespace | test("^kube-.|openshift-."; "") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]'
[]

% oc get routes --all-namespaces -o json | jq '[.items[] | select(.metadata.namespace | test("^kube-.|openshift-."; "") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]'
[
"test-route"
]
% oc get ccr | grep routes-rate-limit
ocp4-stig-routes-rate-limit FAIL medium
upstream-ocp4-stig-routes-rate-limit FAIL medium
```

@xiaojiey (Collaborator)

It works well at the function part. The only issue is that the instructions need to be updated a little bit.

1. Create a test-route without the annotation, and run the scan
%  oc get routes --all-namespaces -o json | jq '[.items[] | select(.metadata.namespace | test("^kube-.*|openshift-.*"; "") | not) | 
  select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | {namespace: .metadata.namespace, name: .metadata.name}]'
[
  {
    "namespace": "test-routes",
    "name": "test-route"
  }
]
% oc get ccr | grep routes-rate-limit                                
ocp4-stig-routes-rate-limit                                     FAIL     medium
upstream-ocp4-stig-routes-rate-limit                            FAIL     medium
2. Create a tp with the variable to exclude the check for a specific namespace:
% cat custom-security-checks.yaml 
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: custom-security-checks
  namespace: openshift-compliance
spec:
  description: Test variable
  enableRules:
    - kind: Rule
      name: upstream-ocp4-routes-rate-limit
      rationale: test
  setValues:
    - name: upstream-ocp4-var-routes-excluded-namespaces-regex
      rationale: test
      value: "^kube-.*|openshift-.*|test-routes"
  title: test
% oc apply -f custom-security-checks.yaml 
tailoredprofile.compliance.openshift.io/custom-security-checks created
% oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cel-ssb
  namespace: openshift-compliance
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    name: custom-security-checks
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
heredoc> EOF
scansettingbinding.compliance.openshift.io/cel-ssb created
% oc get suite cel-ssb  
NAME                              PHASE     RESULT
cel-ssb                           DONE          COMPLIANT
% oc get ccr | grep routes-rate-limit    
custom-security-checks-routes-rate-limit                        PASS     medium
ocp4-stig-routes-rate-limit                                     FAIL     medium
upstream-ocp4-stig-routes-rate-limit                            FAIL     medium
3. The only issue is that the instructions need to be updated a little bit. Details seen from https://github.com/ComplianceAsCode/content/pull/14023#discussion_r2454207457
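The selection logic of the rule's jq filter, re-implemented in Python over constructed route objects so the exclusion variable can be exercised offline (added example, not code from this PR or the ComplianceAsCode project). It reproduces the three cases above (default regex, tailored regex with `test-routes`) and adds one more: because the default regex's second alternative `openshift-.*` is not anchored with `^`, a namespace such as the constructed `dev-openshift-mirror` is silently exempted; `ANCHORED_EXCLUDED_NS_REGEX` is an assumed variant that exempts only namespaces starting with `kube-` or `openshift-`.

```python
import json
import re

RATE_LIMIT_ANNOTATION = "haproxy.router.openshift.io/rate-limit-connections"
# Default exclusion regex from this PR; note the second alternative is not anchored.
DEFAULT_EXCLUDED_NS_REGEX = r"^kube-.*|openshift-.*"
# Anchored variant (assumption, not a value from the PR): only namespaces that
# *start* with kube- or openshift- are exempt.
ANCHORED_EXCLUDED_NS_REGEX = r"^(kube-|openshift-)"

# Constructed sample, not from a real cluster: the shape of
# `oc get routes --all-namespaces -o json`, reduced to the fields the filter reads.
SAMPLE_ROUTES_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "openshift-console", "name": "console"}},
    {"metadata": {"namespace": "kube-system", "name": "metrics"}},
    {"metadata": {"namespace": "test-routes", "name": "test-route"}},
    {"metadata": {"namespace": "app-prod", "name": "api",
                  "annotations": {RATE_LIMIT_ANNOTATION: "true"}}},
    {"metadata": {"namespace": "app-prod", "name": "web",
                  "annotations": {RATE_LIMIT_ANNOTATION: "false"}}},
    {"metadata": {"namespace": "dev-openshift-mirror", "name": "mirror"}},
]})


def failing_routes(routes_json, excluded_ns_regex=DEFAULT_EXCLUDED_NS_REGEX):
    """Mirror the rule's jq filter: keep routes whose namespace does NOT match the
    exclusion regex and whose rate-limit annotation is not exactly "true".
    jq's test(re; "") is an unanchored search, so re.search() is the equivalent."""
    excluded = re.compile(excluded_ns_regex)
    result = []
    for item in json.loads(routes_json)["items"]:
        md = item["metadata"]
        if excluded.search(md["namespace"]):
            continue  # namespace is exempt from the check
        # A missing annotations map behaves like jq's null: the comparison fails.
        if (md.get("annotations") or {}).get(RATE_LIMIT_ANNOTATION) == "true":
            continue  # rate limiting is enabled on this route
        result.append({"namespace": md["namespace"], "name": md["name"]})
    return result


if __name__ == "__main__":
    for regex in (DEFAULT_EXCLUDED_NS_REGEX,
                  r"^kube-.*|openshift-.*|test-routes",  # the tailored value tested above
                  ANCHORED_EXCLUDED_NS_REGEX):
        print(regex, "->", json.dumps(failing_routes(SAMPLE_ROUTES_JSON, regex)))
```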

@openshift-ci

openshift-ci bot commented Oct 24, 2025

@Vincent056: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-openshift-node-compliance | 14b2786 | link | true | /test e2e-aws-openshift-node-compliance |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

routes outside the excluded namespaces (as defined by the variable
<tt>ocp4-var-routes-excluded-namespaces-regex</tt>) without rate limiting annotations.
Use following command to list the routes that would fail the test:
<tt>{{{ ocil_oc_pipe_jq_filter('routes --all-namespaces', jqfilter) }}}</tt>
Collaborator


Thanks for updating this so it returns all routes.

@rhmdnd (Collaborator) left a comment


/lgtm

@rhmdnd (Collaborator)

rhmdnd commented Oct 27, 2025

/packit retest-required

@rhmdnd rhmdnd added this to the 0.1.79 milestone Oct 27, 2025
@yuumasato (Member)

Overriding testing-farm:centos-stream-9-x86_64:/static-checks

@yuumasato yuumasato merged commit 45262ce into ComplianceAsCode:master Oct 27, 2025
137 of 140 checks passed