Description of problem:
Compliance rule ocp4-configure-network-policies should not be manual, as it can be verified. As per the documentation, the supported network providers support networkpolicies:
https://docs.openshift.com/container-platform/4.10/networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.html#nw-ovn-kubernetes-matrix_about-ovn-kubernetes

Version-Release number of selected component (if applicable): all

How reproducible:
Checking compliance result status:
$ oc get compliancecheckresults.compliance.openshift.io | grep configure-network-policies
ocp4-cis-modified-configure-network-policies   MANUAL   high

Checking configuration:
$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'
"OpenShiftSDN"

Steps to Reproduce:
1. Launch CIS Benchmark ocp4-cis profile verification
2. Rule ocp4-configure-network-policies is configured as Manual

Actual results:
The customer needs to verify a configuration that, by the OCP network support matrix, is supported.

Expected results:
To fail in case the default network provider is other than a supported one which supports networkpolicy. In case the customer has the possibility to configure its own network provider, the remediation should be allowed to configure the rational justification.
I was able to recreate this using OCP 4.6 and 4.10, so it's certainly applicable to newer releases, too. This is the rule we would need to update to check the cluster configuration. https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/networking/configure_network_policies/rule.yml
This fix requires patches to the content and the compliance-operator, but both are up for review. https://github.com/openshift/compliance-operator/pull/815 https://github.com/ComplianceAsCode/content/pull/8524
Both fixes landed. Moving to modified.
Hi Lance,

The ccr ocp4-cis-configure-network-policies is not manual now. It is PASS for SDN and OVN networks. However, it seems the instructions are not clear. Do we need to update them? Thanks.

Current instruction:
$ oc get ccr ocp4-cis-configure-network-policies -o=jsonpath={.instructions}
Verify on OpenShift that the NetworkPolicy plugin is being used:
$ oc explain networkpolicy
The resulting output should be an explanation of the NetworkPolicy resource.

Actual command used:
$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'

Verification Details:
Verified with payload 4.11.0-0.nightly-2022-05-25-193227 and compliance-operator.v0.1.52.

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-05-25-193227   True        False         3h15m   Cluster version is 4.11.0-0.nightly-2022-05-25-193227

$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-prbqr   compliance-operator.v0.1.52   Automatic   true

$ oc get csv
NAME                           DISPLAY                            VERSION   REPLACES   PHASE
compliance-operator.v0.1.52    Compliance Operator                0.1.52               Succeeded
elasticsearch-operator.5.4.2   OpenShift Elasticsearch Operator   5.4.2                Succeeded

$ oc get pod
NAME                                              READY   STATUS    RESTARTS        AGE
compliance-operator-59b569f68d-67wtp              1/1     Running   1 (4m45s ago)   5m28s
ocp4-openshift-compliance-pp-5cd896b74c-gcfbr     1/1     Running   0               4m3s
rhcos4-openshift-compliance-pp-78bf7c5bf9-2hq7p   1/1     Running   0               4m3s

$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
> - name: ocp4-cis
>   kind: Profile
>   apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

$ oc get suite -w
NAME       PHASE         RESULT
my-ssb-r   RUNNING       NOT-AVAILABLE
my-ssb-r   AGGREGATING   NOT-AVAILABLE
my-ssb-r   DONE          NON-COMPLIANT
my-ssb-r   DONE          NON-COMPLIANT

$ oc get ccr ocp4-cis-configure-network-policies
ocp4-cis-configure-network-policies   PASS   high

$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'
"OVNKubernetes"

The checkresult also passes for an SDN cluster:
$ oc get ccr ocp4-cis-configure-network-policies
NAME                                  STATUS   SEVERITY
ocp4-cis-configure-network-policies   PASS     high

$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'
"OpenShiftSDN"

$ oc get ccr ocp4-cis-configure-network-policies -o=jsonpath={.instructions}
Verify on OpenShift that the NetworkPolicy plugin is being used:
$ oc explain networkpolicy

$ oc get ccr ocp4-cis-configure-network-policies -o=jsonpath={.description}
Ensure that the CNI in use supports Network Policies
Kubernetes network policies are enforced by the CNI plugin in use. As such it is important to ensure that the CNI plugin supports both Ingress and Egress network policies.

$ oc get ccr ocp4-cis-configure-network-policies -o=jsonpath={.instructions}
Verify on OpenShift that the NetworkPolicy plugin is being used:
$ oc explain networkpolicy
The resulting output should be an explanation of the NetworkPolicy resource.
Verified with 4.6.58 + compliance-operator.v0.1.52

$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.58    True        False         4h48m   Cluster version is 4.6.58

$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-x5pl6   compliance-operator.v0.1.52   Automatic   true

$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
> - name: ocp4-cis
>   kind: Profile
>   apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

$ oc get ssb
NAME       AGE
my-ssb-r   5s

$ oc get suite
my-ssb-r   DONE   NON-COMPLIANT

$ oc get ccr ocp4-cis-configure-network-policies
NAME                                  STATUS   SEVERITY
ocp4-cis-configure-network-policies   PASS     high

$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'
"OpenShiftSDN"
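The check the bug description asks for, and that the verification comments above exercise with `oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'`, reduces to reading the cluster's default network type and comparing it against the providers that support NetworkPolicy. The following is an added example written for this page, not code from the bug, the compliance-operator, or the ComplianceAsCode rule in the linked PRs (their implementation may differ). It assumes the function names, the PASS/FAIL strings, and the provider list, which is taken from the thread's observation that both OVNKubernetes and OpenShiftSDN now pass; the JSON documents are constructed stand-ins for the `oc` output. Unlike a plain `jq` lookup, it fails closed when the field is missing or the input is not JSON, which is the behaviour a compliance check should have.

```python
import json
from typing import Optional

# Default network types treated as NetworkPolicy-capable. Assumption for this
# example, based on the thread: both OVNKubernetes and OpenShiftSDN yield PASS.
NETWORK_POLICY_CAPABLE_PROVIDERS = frozenset({"OVNKubernetes", "OpenShiftSDN"})


def default_network_type(network_json: str) -> Optional[str]:
    """Return .spec.defaultNetwork.type from the JSON printed by
    `oc get networks.operator.openshift.io cluster -o json`, or None if the
    document is unreadable or the field is absent / not a string."""
    try:
        doc = json.loads(network_json)
    except json.JSONDecodeError:
        return None
    spec = doc.get("spec") if isinstance(doc, dict) else None
    default_net = spec.get("defaultNetwork") if isinstance(spec, dict) else None
    net_type = default_net.get("type") if isinstance(default_net, dict) else None
    return net_type if isinstance(net_type, str) else None


def check_configure_network_policies(network_json: str) -> str:
    """Automated verdict modelled on the rule's intent (hypothetical helper):
    PASS when the default CNI supports NetworkPolicy, FAIL for any other
    provider and for missing or unreadable input, so bad data never passes."""
    net_type = default_network_type(network_json)
    if net_type in NETWORK_POLICY_CAPABLE_PROVIDERS:
        return "PASS"
    return "FAIL"


# Constructed sample documents standing in for `oc get ... -o json` output.
OVN_CLUSTER = json.dumps({"apiVersion": "operator.openshift.io/v1", "kind": "Network",
                          "spec": {"defaultNetwork": {"type": "OVNKubernetes"}}})
SDN_CLUSTER = json.dumps({"spec": {"defaultNetwork": {"type": "OpenShiftSDN"}}})
OTHER_CLUSTER = json.dumps({"spec": {"defaultNetwork": {"type": "ExampleThirdPartyCNI"}}})
MISSING_TYPE = json.dumps({"spec": {"defaultNetwork": {}}})

if __name__ == "__main__":
    samples = [("OVN", OVN_CLUSTER), ("SDN", SDN_CLUSTER),
               ("other CNI", OTHER_CLUSTER), ("missing type", MISSING_TYPE),
               ("not JSON", "oc: error")]
    for label, doc in samples:
        print(f"{label:13s} -> {check_configure_network_policies(doc)}")
```

On a live cluster the JSON would come from the `oc get networks.operator.openshift.io cluster -o json` command shown in the thread; the list of capable providers is the part that would need to track the network provider matrix linked in the description.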
Per https://bugzilla.redhat.com/show_bug.cgi?id=2072431#c12 and https://bugzilla.redhat.com/show_bug.cgi?id=2072431#c13, moving it to verified. For the instructions issue, I will create a new bug to track it.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:4657