OCP4: add api_server_api_priority_v1_flowschema_catch_all

OCP 4.16 has introduced flowcontrol.apiserver.k8s.io/v1, this commit adds the v1 for ocp 4.16
ComplianceAsCode · Feb 20, 2024 · 8c74b93 · 8c74b93
1 parent 64b8d94
commit 8c74b93
Show file tree

Hide file tree

Showing 6 changed files with 91 additions and 9 deletions.
diff --git a/...cations/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml b/...cations/openshift/api-server/api_server_api_priority_flowschema_catch_all/oval/shared.xml
@@ -1,12 +1,16 @@
 <def-group oval_version="5.11">
-  <definition class="compliance" id="api_server_api_priority_flowschema_catch_all" version="1">
-    {{{ oval_metadata("One of the flowschema versions should exist, but it doesn't matter which") }}}
-
-    <criteria operator="OR">
-      <extend_definition comment="flowschema v1alpha1" definition_ref="api_server_api_priority_v1alpha1_flowschema_catch_all" />
-      <extend_definition comment="flowschema v1beta1" definition_ref="api_server_api_priority_v1beta1_flowschema_catch_all" />
-      <extend_definition comment="flowschema v1beta2" definition_ref="api_server_api_priority_v1beta2_flowschema_catch_all" />
+  <definition class="compliance" id="api_server_api_priority_flowschema_catch_all" version="1"> {{{
+    oval_metadata("One of the flowschema versions should exist, but it doesn't matter which") }}} <criteria
+      operator="OR">
+      <extend_definition comment="flowschema v1alpha1"
+        definition_ref="api_server_api_priority_v1alpha1_flowschema_catch_all" />
+      <extend_definition comment="flowschema v1beta1"
+        definition_ref="api_server_api_priority_v1beta1_flowschema_catch_all" />
+      <extend_definition comment="flowschema v1beta2"
+        definition_ref="api_server_api_priority_v1beta2_flowschema_catch_all" />
+      <extend_definition comment="flowschema v1"
+        definition_ref="api_server_api_priority_v1_flowschema_catch_all" />
     </criteria>
 
   </definition>
-</def-group>
+</def-group>
diff --git a/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/rule.yml b/applications/openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/rule.yml
@@ -0,0 +1,69 @@
+documentation_complete: true
+
+prodtype: ocp4
+
+title: 'Ensure catch-all FlowSchema object for API Priority and Fairness Exists'
+
+description: |-
+  Using <tt>APIPriorityAndFairness</tt> feature provides a fine-grained way
+  to control the behaviour of the Kubernetes API server in an overload
+  situation. The well-known FlowSchema <tt>catch-all</tt> should be available
+  to make sure that every request gets some kind of classification. By default,
+  the <tt>catch-all</tt> priority level only allows one concurrency share and
+  does not queue requests. To inspect all the <tt>FlowSchema</tt> objects, run:
+  <pre>oc get flowschema</pre>
+  To inspect the well-known <tt>catch-all</tt> object, run the following:
+  <pre>oc describe flowschema catch-all</pre>
+
+rationale: |-
+  The <tt>FlowSchema</tt> API objects enforce a limit on the
+  number of events that the API Server will accept in a given time slice
+  In a large multi-tenant cluster, there might be a small percentage of
+  misbehaving tenants which could have a significant impact on the
+  performance of the cluster overall. It is recommended to limit the rate
+  of events that the API Server will accept.
+
+identifiers:
+  cce@ocp4: CCE-86390-2
+
+platforms:
+  - ocp4.16
+
+severity: medium
+
+references:
+  cis@ocp4: 1.2.10
+  nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
+  nist: CM-6,CM-6(1)
+  pcidss: Req-2.2
+  srg: SRG-APP-000516-CTR-001325
+
+ocil_clause: 'A FlowSchema object <tt>catch-all</tt> exists'
+
+ocil: |-
+  Run the following commands:
+  <pre>oc get flowschema</pre>
+  and inspect the FlowSchema objects. Make sure that at least the <tt>catch-all</tt>
+  object exists by calling:
+  <pre>oc describe flowschema catch-all</pre>
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all", true) | indent(4) }}}
+- dependency: |-
+    Note that this is only applicable in OpenShift Container Platform version 4.16
+    and higher
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: "/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all"
+    yamlpath: '.spec.rules[0].subjects[:].group["name"]'
+    check_existence: "at_least_one_exists"
+    entity_check: "at least one"
+    values:
+      - value: "system:authenticated"
+        operation: "pattern match"
+        check_existence: "at_least_one_exists"
+        entity_check: "at least one"
diff --git a/.../openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/tests/ocp4/4.16.yml b/.../openshift/api-server/api_server_api_priority_v1_flowschema_catch_all/tests/ocp4/4.16.yml
@@ -0,0 +1,3 @@
+---
+default_result: PASS
+
diff --git a/...ations/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml b/...ations/openshift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/rule.yml
@@ -27,7 +27,7 @@ identifiers:
   cce@ocp4: CCE-86390-2
 
 platforms:
-  - ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15 or ocp4.16
+  - ocp4.11 or ocp4.12 or ocp4.13 or ocp4.14 or ocp4.15
 
 severity: medium
 

diff --git a/...shift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.14.yml b/...shift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.14.yml
@@ -0,0 +1,3 @@
+---
+default_result: PASS
+
diff --git a/...shift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.15.yml b/...shift/api-server/api_server_api_priority_v1beta2_flowschema_catch_all/tests/ocp4/4.15.yml
@@ -0,0 +1,3 @@
+---
+default_result: PASS
+