From ea19775532b27d1f99012df1e26c8297735a4076 Mon Sep 17 00:00:00 2001
From: Lance Bragstad <lbragsta@redhat.com>
Date: Thu, 13 Jul 2023 15:24:58 -0500
Subject: [PATCH] Implement rules for CIS OCP Section 1.4

Now that we have control files for the new OpenShift 1.4.0 profile,
let's start filling in the sections with rules that implement it.
---
 .../rbac_debug_role_protects_pprof/rule.yml   |  2 +-
 .../rule.yml                                  | 93 +++++++++++++++++++
 .../tests/ocp4/e2e.yml                        |  2 +
 .../rule.yml                                  | 92 ++++++++++++++++++
 .../tests/ocp4/e2e.yml                        |  2 +
 controls/cis_ocp_1_4_0/section-1.yml          | 12 ++-
 6 files changed, 197 insertions(+), 6 deletions(-)
 create mode 100644 applications/openshift/scheduler/scheduler_profiling_protected_by_rbac/rule.yml
 create mode 100644 applications/openshift/scheduler/scheduler_profiling_protected_by_rbac/tests/ocp4/e2e.yml
 create mode 100644 applications/openshift/scheduler/scheduler_service_protected_by_rbac/rule.yml
 create mode 100644 applications/openshift/scheduler/scheduler_service_protected_by_rbac/tests/ocp4/e2e.yml

diff --git a/applications/openshift/rbac/rbac_debug_role_protects_pprof/rule.yml b/applications/openshift/rbac/rbac_debug_role_protects_pprof/rule.yml
index e19307f3b01..f0f1bde5843 100644
--- a/applications/openshift/rbac/rbac_debug_role_protects_pprof/rule.yml
+++ b/applications/openshift/rbac/rbac_debug_role_protects_pprof/rule.yml
@@ -22,7 +22,7 @@ identifiers:
   cce@ocp4: CCE-84182-5
 
 references:
-  cis@ocp4: 1.3.1,1.4.1
+  cis@ocp4: 1.3.1
   nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
   nist: CM-6,CM-6(1)
   pcidss: Req-2.2
diff --git a/applications/openshift/scheduler/scheduler_profiling_protected_by_rbac/rule.yml b/applications/openshift/scheduler/scheduler_profiling_protected_by_rbac/rule.yml
new file mode 100644
index 00000000000..f2d14ec612c
--- /dev/null
+++ b/applications/openshift/scheduler/scheduler_profiling_protected_by_rbac/rule.yml
@@ -0,0 +1,93 @@
+documentation_complete: true
+prodtype: ocp4
+title: |-
+  Verify that the scheduler API service is protected by RBAC
+description: |-
+  Do not bind the scheduler service to non-loopback insecure addresses.
+rationale: |-
+  The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface
+severity: medium
+references:
+  cis@ocp4: 1.4.1
+ocil: |-
+  In OpenShift 4, The Kubernetes Scheduler operator manages and updates the Kubernetes Scheduler deployed on top of OpenShift. By default, the operator exposes metrics via metrics service. The metrics are collected from the Kubernetes Scheduler operator. Profiling data is sent to `healthzPort`, the port of the localhost `healthz` endpoint. Changing this value may disrupt components that monitor the kubelet health. The default `healthz` `port` value is `10251`, and the `healthz` `bindAddress` is `127.0.0.1`
+
+  To ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to `cluster-admin` or `cluster-debugger` role. Profiling can not be disabled.
+
+  The bind-address argument is not used. Both authentication and authorization are in place.
+
+  Run the following command to verify the schedule endpoints:
+
+  ```
+  oc -n openshift-kube-scheduler describe endpoints
+  ```
+
+  Verify the `bind-address` and `port` arguments are not used:
+
+  ```
+  oc -n openshift-kube-scheduler get cm kube-scheduler-pod -o json | jq -r '.data."pod.yaml"' | jq '.spec.containers[]|select(.name=="kube-scheduler")|.args'
+  ```
+
+  Verify the metrics endpoint is protected by RBAC.
+
+  First, find the schedule pod information:
+
+  ```
+  oc project openshift-kube-scheduler
+  export POD=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].metadata.name}')
+  export POD_IP=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].status.podIP}')
+  export PORT=$(oc get pod $POD -o jsonpath='{.spec.containers[0].livenessProbe.httpGet.port}')
+  ```
+
+  Attempt to make an insecure `GET` request to the metrics endpoint:
+
+  ```
+  oc rsh $POD curl https://$POD_IP:$PORT/metrics -k
+  ```
+
+  Ensure an `HTTP 403` is returned.
+
+  Create a test service account:
+
+  ```
+  oc create sa permission-test-sa
+  ```
+
+  Generate a service account token and attempt to access the metrics endpoint:
+
+  ```
+  export SA_TOKEN=$(oc create token permission-test-sa)
+  oc rsh $POD curl https://$POD_IP:$PORT/metrics -H "Authorization: Bearer $SA_TOKEN" -k
+  ```
+
+  Verify that an `HTTP 403` is returned.
+
+  Login as a cluster administrator and attempt to access the metrics endpoint:
+
+  ```
+  export CLUSTER_ADMIN_TOKEN=$(oc whoami -t)
+  oc rsh $POD curl https://$POD_IP:$PORT/metrics -H "Authorization: Bearer $CLUSTER_ADMIN_TOKEN" -k
+  ```
+
+  Verify metrics output is returned. Unset environment variables used in the test and delete the test service account:
+
+  ```
+  unset CLUSTER_ADMIN_TOKEN POD PORT SA_TOKEN POD_IP
+  oc delete sa permission-test-sa
+  ```
+ocil_clause: 'The scheduler metrics endpoint is not protected by RBAC.'
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger") | indent(4) }}}
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger
+    yamlpath: '.rules[0].nonResourceURLs[:]'
+    entity_check: 'at least one'
+    values:
+    - value: '\/metrics'
+      operation: 'pattern match'
+      entity_check: 'at least one'
+
diff --git a/applications/openshift/scheduler/scheduler_profiling_protected_by_rbac/tests/ocp4/e2e.yml b/applications/openshift/scheduler/scheduler_profiling_protected_by_rbac/tests/ocp4/e2e.yml
new file mode 100644
index 00000000000..b49fd368b98
--- /dev/null
+++ b/applications/openshift/scheduler/scheduler_profiling_protected_by_rbac/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: PASS
diff --git a/applications/openshift/scheduler/scheduler_service_protected_by_rbac/rule.yml b/applications/openshift/scheduler/scheduler_service_protected_by_rbac/rule.yml
new file mode 100644
index 00000000000..144b1558d2b
--- /dev/null
+++ b/applications/openshift/scheduler/scheduler_service_protected_by_rbac/rule.yml
@@ -0,0 +1,92 @@
+documentation_complete: true
+prodtype: ocp4
+title: |-
+  Verify that the scheduler API service is protected by RBAC
+description: 'Do not bind the scheduler service to non-loopback insecure addresses.'
+rationale: |-
+  The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface
+severity: medium
+references:
+  cis@ocp4: 1.4.2
+ocil: |-
+  In OpenShift 4, The Kubernetes Scheduler operator manages and updates the Kubernetes Scheduler deployed on top of OpenShift. By default, the operator exposes metrics via metrics service. The metrics are collected from the Kubernetes Scheduler operator. Profiling data is sent to `healthzPort`, the port of the localhost `healthz` endpoint. Changing this value may disrupt components that monitor the kubelet health. The default `healthz` `port` value is `10251`, and the `healthz` `bindAddress` is `127.0.0.1`
+
+  To ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to `cluster-admin` or `cluster-debugger` role. Profiling can not be disabled.
+
+  The bind-address argument is not used. Both authentication and authorization are in place.
+
+  Run the following command to verify the schedule endpoints:
+
+  ```
+  oc -n openshift-kube-scheduler describe endpoints
+  ```
+
+  Verify the `bind-address` and `port` arguments are not used:
+
+  ```
+  oc -n openshift-kube-scheduler get cm kube-scheduler-pod -o json | jq -r '.data."pod.yaml"' | jq '.spec.containers[]|select(.name=="kube-scheduler")|.args'
+  ```
+
+  Verify the metrics endpoint is protected by RBAC.
+
+  First, find the schedule pod information:
+
+  ```
+  oc project openshift-kube-scheduler
+  export POD=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].metadata.name}')
+  export POD_IP=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].status.podIP}')
+  export PORT=$(oc get pod $POD -o jsonpath='{.spec.containers[0].livenessProbe.httpGet.port}')
+  ```
+
+  Attempt to make an insecure `GET` request to the metrics endpoint:
+
+  ```
+  oc rsh $POD curl https://$POD_IP:$PORT/metrics -k
+  ```
+
+  Ensure an `HTTP 403` is returned.
+
+  Create a test service account:
+
+  ```
+  oc create sa permission-test-sa
+  ```
+
+  Generate a service account token and attempt to access the metrics endpoint:
+
+  ```
+  export SA_TOKEN=$(oc create token permission-test-sa)
+  oc rsh $POD curl https://$POD_IP:$PORT/metrics -H "Authorization: Bearer $SA_TOKEN" -k
+  ```
+
+  Verify that an `HTTP 403` is returned.
+
+  Login as a cluster administrator and attempt to access the metrics endpoint:
+
+  ```
+  export CLUSTER_ADMIN_TOKEN=$(oc whoami -t)
+  oc rsh $POD curl https://$POD_IP:$PORT/metrics -H "Authorization: Bearer $CLUSTER_ADMIN_TOKEN" -k
+  ```
+
+  Verify metrics output is returned. Unset environment variables used in the test and delete the test service account:
+
+  ```
+  unset CLUSTER_ADMIN_TOKEN POD PORT SA_TOKEN POD_IP
+  oc delete sa permission-test-sa
+  ```
+ocil_clause: 'The scheduler service API is not protected by RBAC.'
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger") | indent(4) }}}
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger
+    yamlpath: '.rules[0].nonResourceURLs[:]'
+    entity_check: 'at least one'
+    values:
+    - value: '\/metrics'
+      operation: 'pattern match'
+      entity_check: 'at least one'
+
diff --git a/applications/openshift/scheduler/scheduler_service_protected_by_rbac/tests/ocp4/e2e.yml b/applications/openshift/scheduler/scheduler_service_protected_by_rbac/tests/ocp4/e2e.yml
new file mode 100644
index 00000000000..b49fd368b98
--- /dev/null
+++ b/applications/openshift/scheduler/scheduler_service_protected_by_rbac/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: PASS
diff --git a/controls/cis_ocp_1_4_0/section-1.yml b/controls/cis_ocp_1_4_0/section-1.yml
index a1ad8da3e52..ef55a3eda14 100644
--- a/controls/cis_ocp_1_4_0/section-1.yml
+++ b/controls/cis_ocp_1_4_0/section-1.yml
@@ -441,17 +441,19 @@ controls:
       levels: level_1
   - id: '1.4'
     title: Scheduler
-    status: pending
+    status: automated
     rules: []
     controls:
     - id: 1.4.1
       title: Ensure that the healthz endpoints for the scheduler are protected by RBAC
-      status: pending
-      rules: []
+      status: automated
+      rules:
+        - scheduler_profiling_protected_by_rbac
       levels: level_1
     - id: 1.4.2
       title: Verify that the scheduler API service is protected by RBAC
-      status: pending
-      rules: []
+      status: automated
+      rules:
+        - scheduler_service_protected_by_rbac
       levels: level_1