Bsi app 4.4 a20to21

[ermeratos]

Description:

Notes / Rules for BSI APP4.4.A21 added.

Rationale:

As we have multiple customers asking for a BSI profile to be included in the compliance-operator, we are contributing a profile. To provide a better review process, the individual controle are implemented as separate PRs.

[openshift-ci]

Hi @ermeratos. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

ocp4 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11997
This image was built from commit: 9814419

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11997

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11997 make deploy-local

[yuumasato]

Please, ensure that all files have a "new line" at the end.

[yuumasato]

I think we could specify the CRD name explicity?

Suggested change

	<pre>$ oc get crds </pre>
	<pre>$ oc get crds kubedeschedulers.operator.openshift.io</pre>

or use grep:

Suggested change

	<pre>$ oc get crds </pre>
	<pre>$ oc get crds | grep descheduler</pre>

[yuumasato]

The default podLifetime is 24h, but it can be changed.
There could be a rule to check that podLifetime is 24h.

[ermeratos]

I have currently no idea how to check the podLifetime. By default there is no field fpr podLifetime in the yaml, also from what I understand the value can be formatted differently. So I have to either check for the field not existing at all, for a value less than "24h" (I think the type is time.Duration) or something like "86400s"

I would rather leave this as is for now and maybe expand on this later.

[yuumasato]

I feel like this rule should be split into two,

• one rule that ensures the descheduler is run once a day: deschedulingIntervalSeconds == 86400
• one rule configuring the lifetime criteria used to deschedule: podLifetime == 24h

[ermeratos]

I have currently no idea how to check the podLifetime. By default there is no field fpr podLifetime in the yaml, also from what I understand the value can be formatted differently. So I have to either check for the field not existing at all, for a value less than "24h" (I think the type is time.Duration) or something like "86400s"

I would rather leave this as is for now and maybe expand on this later.

[yuumasato]

/test e2e-aws-ocp4-bsi
/test e2e-aws-ocp4-bsi-node
/test e2e-aws-rhcos4-bsi

[yuumasato]

Not required right now, but it would be nice to have e2e tests.
Something similar to container_security_operator/tests .

[yuumasato]

By the way, would it be more reliable and simpler to check for the operator's subscription instead of looking for its CRDs?
Check what container_security_operator_exists rule does.

content/applications/openshift/risk-assessment/container_security_operator_exists/rule.yml

Line 55 in cd0c045

filepath: '/apis/operators.coreos.com/v1alpha1/namespaces/openshift-operators/subscriptions/container-security-operator'