
Defined notes and rules for BSI SYS.1.6.A26 #12494

Open
wants to merge 4 commits into
base: master
from

Conversation

sluetze
Contributor

@sluetze sluetze commented Oct 14, 2024

Description:

Added notes and controls for BSI SYS.1.6 A17-A21

Rationale:

As we have multiple customers asking for a BSI profile to be included in the compliance-operator, we are contributing a profile. To provide a better review process, the individual controls are implemented as separate PRs.

Review Hints:

sandboxed_containers_operator_configured:

  • needs additional permissions; these are in add read permission for kataconfig compliance-operator#618
  • the e2e test can take a long time, as it adds an mcp and needs to restart all nodes. The timeout is 3600s, which is quite long and might need adjustments
  • for the compliancecheck to succeed, the finish of the mcp is not needed, thus we might delete that testing altogether
  • OR adjust the compliancecheck to check if nodes provide the separation... which is another level of complication and access permissions
  • the compliancecheck checks for a kataconfig, but this is only enough on baremetal deployments. On Azure, AWS, IBM Z and IBM LinuxONE there are additional configurations needed, which we do not check for (peerpods, and others)
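The last review hint is the one a reviewer will most want to see spelled out: a KataConfig resource proves the sandboxed containers operator is configured only on bare metal, while cloud platforms also need peer pods. The following added example (not code from ComplianceAsCode or this PR) models that evaluation over constructed API objects; it assumes platform names follow OpenShift's Infrastructure status.platform values and uses the KataConfig CRD field spec.enablePeerPods, with its pass/fail result strings being the example's own convention.

```python
# Added example, not code from the ComplianceAsCode project or this PR.
# A KataConfig alone only proves sandboxed containers are configured on
# bare metal; on cloud platforms the operator additionally needs peer pods.
# The 'pass'/'fail' result and reason strings are this example's convention.
from typing import Optional

# Assumed to follow OpenShift Infrastructure status.platform values; the set
# is derived from the review hint above, not a complete list of platforms.
PEER_POD_PLATFORMS = {"AWS", "Azure", "IBMCloud"}


def find_kataconfig(objects: list[dict]) -> Optional[dict]:
    """Return the cluster-scoped KataConfig from an API object listing, or None."""
    for obj in objects:
        if obj.get("kind") == "KataConfig":
            return obj
    return None


def peer_pods_enabled(kataconfig: dict) -> bool:
    """spec.enablePeerPods is the KataConfig CRD field that turns on peer pods."""
    return bool(kataconfig.get("spec", {}).get("enablePeerPods", False))


def evaluate(platform: str, objects: list[dict]) -> tuple[str, str]:
    """Evaluate the check for one platform; returns ('pass' | 'fail', reason)."""
    kataconfig = find_kataconfig(objects)
    if kataconfig is None:
        return "fail", "no KataConfig resource found"
    if platform in PEER_POD_PLATFORMS and not peer_pods_enabled(kataconfig):
        return "fail", f"KataConfig found but peer pods are disabled on {platform}"
    return "pass", "KataConfig found and suitable for platform " + platform


# Constructed sample objects (not taken from a real cluster).
KATACONFIG_NO_PEERPODS = {
    "apiVersion": "kataconfiguration.openshift.io/v1",
    "kind": "KataConfig",
    "metadata": {"name": "example-kataconfig"},
    "spec": {"enablePeerPods": False},
}
KATACONFIG_PEERPODS = {**KATACONFIG_NO_PEERPODS, "spec": {"enablePeerPods": True}}

if __name__ == "__main__":
    # Same KataConfig, different platform: sufficient on bare metal,
    # not sufficient on AWS, which is the gap the review hint describes.
    print(evaluate("BareMetal", [KATACONFIG_NO_PEERPODS]))
    print(evaluate("AWS", [KATACONFIG_NO_PEERPODS]))
    print(evaluate("AWS", [KATACONFIG_PEERPODS]))
```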


openshift-ci bot commented Oct 14, 2024

Hi @sluetze. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Oct 14, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_general_node_separation'.
--- xccdf_org.ssgproject.content_rule_general_node_separation
+++ xccdf_org.ssgproject.content_rule_general_node_separation
@@ -15,5 +15,8 @@
 [reference]:
 SYS.1.6.A3
 
+[reference]:
+SYS.1.6.A26
+
 [rationale]:
 Assigning workloads with high protection requirements to specific nodes creates and additional boundary (the node) between workloads of high protection requirements and workloads which might follow less strict requirements. An adversary which attacked a lighter protected workload now has additional obstacles for their movement towards the higher protected workloads.
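Review bot: the rationale context line closing this hunk still reads "creates and additional boundary (the node)"; since this rule's text is being touched anyway, correct it to "creates an additional boundary" in the same change. The new `[reference]:` block for SYS.1.6.A26 is added as a second block after the existing one for SYS.1.6.A3; check whether the rule source lists both under one reference entry or whether two separate blocks are the intended rendering. Note also that the PR description says "Added notes and controls for BSI SYS.1.6 A17-A21" while this diff and the PR title reference A26; the description should be updated to match.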

@jan-cerny jan-cerny added the OpenShift OpenShift product related. label Oct 16, 2024
@yuumasato
Member

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Nov 28, 2024
@yuumasato yuumasato self-assigned this Nov 28, 2024
@yuumasato
Member

/test 4.17-e2e-aws-ocp4-bsi
/test 4.17-e2e-aws-ocp4-bsi-node
/test 4.17-e2e-aws-rhcos4-bsi


codeclimate bot commented Dec 3, 2024

Code Climate has analyzed commit e85512a and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

View more on Code Climate.

@yuumasato
Member

/test 4.17-e2e-aws-ocp4-bsi

1 similar comment
@yuumasato
Member

/test 4.17-e2e-aws-ocp4-bsi


openshift-ci bot commented Dec 9, 2024

@sluetze: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                      | Commit  | Details | Required | Rerun command
ci/prow/4.17-e2e-aws-ocp4-bsi  | e85512a | link    | true     | /test 4.17-e2e-aws-ocp4-bsi

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@sluetze
Contributor Author

sluetze commented Dec 10, 2024

There still seems to be an issue with the remediation script. I am investigating.

@sluetze
Contributor Author

sluetze commented Dec 10, 2024

If I analysed it correctly, there are multiple issues:

  1. the cluster-scoped kataconfig resource is not included in the artifacts, so I can't verify how it looks and where the check fails. But I am quite sure it installed, since I can see the CRD and a deployment under namespaces/openshift-sandboxed-containers-operator/apps/deployments.yaml which only gets created by kataconfig iirc.
  2. the sandboxed containers do not install successfully: since my e2e script deploys sandboxed containers for baremetal (my installation is baremetal), the container fails to start on AWS, since this needs peerpods - this should not be relevant for the failure of the check
     containerStatuses:
     - image: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9@sha256:03381ad7a468abc1350b229a8a7f9375fcb315e59786fdacac8e5539af4a3cdc
       imageID: ""
       lastState: {}
       name: kata-monitor
       ready: false
       restartCount: 0
       started: false
       state:
         waiting:
           message: |
             container create failed: time="2024-12-09T15:07:36Z" level=error msg="runc create failed: unable to start container process: error during container init: write /proc/self/attr/keycreate: invalid argument"
           reason: CreateContainerError
  3. I am not sure if this test run runs with the needed permissions from add read permission for kataconfig compliance-operator#618; if not, this would explain the failure even though the requirements are met for the check to succeed.

@yuumasato I could try to adapt the e2e-remediation script to apply to AWS so the sandboxed-containers operator gets installed correctly. Do you think this is the right way?

@yuumasato
Member

@sluetze CI is not picking the PR for kataconfig as it is not merged yet.

@yuumasato yuumasato added the BSI PRs or issues for the BSI profile. label Dec 17, 2024