Defined notes and rules for BSI SYS.1.6.A26
Description:
Added notes and controls for BSI SYS.1.6 A17-A21
Rationale:
As we have multiple customers asking for a BSI profile to be included in the compliance-operator, we are contributing a profile. To provide a better review process, the individual controls are implemented as separate PRs.
- https://github.com/sig-bsi-grundschutz/content/issues/26
Review Hints:
sandboxed_containers_operator_configured:
- needs additional permissions; these are in https://github.com/ComplianceAsCode/compliance-operator/pull/618
- the e2e test can take a long time, as it adds an MCP and needs to restart all nodes. The timeout is 3600s, which is quite long and might need adjustments
- for the compliance check to succeed, the MCP does not need to finish, thus we might delete that testing altogether
- OR adjust the compliance check to check if nodes provide the separation... which is another level of complication and access permissions
- the compliance check checks for a kataconfig, but this is only enough on baremetal deployments. On Azure, AWS, IBM Z and IBM LinuxONE there are additional configurations needed, which we do not check for (peerpods, and others)
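To make the last hint concrete, here is an added example (not part of this PR or of the content project) that contrasts the check as described, presence of a KataConfig, with a platform-aware variant that also demands peer pods on cloud platforms. The resource shapes, the spec.enablePeerPods field and the platformStatus.type values are assumptions about the sandboxed-containers operator and OpenShift APIs, and all inputs are constructed.

```python
import json

# Constructed sample, shaped like `oc get kataconfig -o json` output. The
# field spec.enablePeerPods is assumed from the sandboxed-containers operator
# API; confirm it against the operator version in use.
KATACONFIG_LIST_JSON = """
{"apiVersion": "v1", "kind": "List", "items": [
  {"apiVersion": "kataconfiguration.openshift.io/v1", "kind": "KataConfig",
   "metadata": {"name": "example-kataconfig"},
   "spec": {"enablePeerPods": false}}
]}
"""
# Constructed samples, shaped like `oc get infrastructure cluster -o json`.
INFRA_AWS = {"kind": "Infrastructure",
             "status": {"platformStatus": {"type": "AWS"}}}
INFRA_BAREMETAL = {"kind": "Infrastructure",
                   "status": {"platformStatus": {"type": "BareMetal"}}}

# Platforms the PR hint names as needing peer pods on top of a KataConfig.
# Assumed platformStatus.type spellings; IBM Z / LinuxONE are left out here
# because their extra configuration is not peer pods alone.
PEERPOD_PLATFORMS = {"AWS", "Azure"}


def load_items(list_json):
    """Return the .items of an `oc get ... -o json` list document."""
    return json.loads(list_json).get("items", [])


def kataconfig_present(kataconfigs):
    """The check as the PR hint describes it: any KataConfig at all passes."""
    return len(kataconfigs) > 0


def sandboxed_containers_configured(kataconfigs, infra):
    """Platform-aware variant: on cloud platforms also require peer pods.
    Returns (passed, reason) so a failing result explains itself."""
    if not kataconfig_present(kataconfigs):
        return False, "no KataConfig resource found"
    platform = infra.get("status", {}).get("platformStatus", {}).get("type", "")
    if platform in PEERPOD_PLATFORMS and not any(
            kc.get("spec", {}).get("enablePeerPods") for kc in kataconfigs):
        return False, f"platform {platform} needs spec.enablePeerPods=true"
    return True, f"KataConfig present; platform {platform!r} requirements met"


def with_peer_pods(kataconfigs):
    """Constructed helper: copy the KataConfigs with peer pods switched on."""
    return [{**kc, "spec": {**kc.get("spec", {}), "enablePeerPods": True}}
            for kc in kataconfigs]
```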
Hi @sluetze. Thanks for your PR.
I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
This datastream diff is auto generated by the check Compare DS/Generate Diff
New content has different text for rule 'xccdf_org.ssgproject.content_rule_general_node_separation'.
--- xccdf_org.ssgproject.content_rule_general_node_separation
+++ xccdf_org.ssgproject.content_rule_general_node_separation
@@ -20,6 +20,9 @@
[reference]:
SYS.1.6.A3
+[reference]:
+SYS.1.6.A26
+
[rationale]:
Assigning workloads with high protection requirements to specific nodes creates and additional
boundary (the node) between workloads of high protection requirements and workloads which might
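Review bot: the added [reference] block maps SYS.1.6.A26 onto this rule, but the [rationale] that follows is unchanged, so it still only argues the node-separation boundary without saying which part of A26 this rule satisfies; one sentence in [rationale] tying the node boundary to the A26 requirement would make the new mapping reviewable. Minor, same region: the unchanged context line "creates and additional" has a typo ("creates an additional") that could be fixed while this text is being touched.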
/ok-to-test
/test 4.17-e2e-aws-ocp4-bsi
/test 4.17-e2e-aws-ocp4-bsi-node
/test 4.17-e2e-aws-rhcos4-bsi
/test 4.17-e2e-aws-ocp4-bsi
/test 4.17-e2e-aws-ocp4-bsi
There still seems to be an issue with the remediation script. I am investigating.
If I analysed it correctly, there are multiple issues:
- the cluster-scoped kataconfig resource is not included in the artifacts, so I can't verify how it looks and where the check fails. But I am quite sure it installed, since I can see the CRD and a deployment under namespaces/openshift-sandboxed-containers-operator/apps/deployments.yaml, which only gets created by kataconfig iirc.
- the sandboxed containers do not install successfully: since my e2e script deploys sandboxed containers for baremetal (my installation is baremetal), the container fails to start on AWS, since this needs peerpods. This should not be relevant for the failure of the check.
containerStatuses:
- image: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9@sha256:03381ad7a468abc1350b229a8a7f9375fcb315e59786fdacac8e5539af4a3cdc
  imageID: ""
  lastState: {}
  name: kata-monitor
  ready: false
  restartCount: 0
  started: false
  state:
    waiting:
      message: |
        container create failed: time="2024-12-09T15:07:36Z" level=error msg="runc create failed: unable to start container process: error during container init: write /proc/self/attr/keycreate: invalid argument"
      reason: CreateContainerError
- I am not sure if this test run runs with the needed permissions from https://github.com/ComplianceAsCode/compliance-operator/pull/618; if not, this would explain the failure even though the requirements are met for the check to succeed.
@yuumasato I could try to adapt the e2e-remediation script to apply to AWS so the sandboxed-containers operator get installed correctly. Do you think this is the right way?
@sluetze CI is not picking the PR for kataconfig as it is not merged yet.
@sluetze with permissions to read kataconfig merged in CO, could you rebase this?
Also, I see that a new required check Ensure No Merge Commits was added, so a rebase will ensure this test is run.
Code Climate has analyzed commit 788fd731 and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 61.9% (0.0% change).
/ok-to-test
/test 4.17-e2e-aws-ocp4-bsi
/test 4.17-e2e-aws-ocp4-bsi-node
/test 4.17-e2e-aws-rhcos4-bsi
@sluetze: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/4.17-e2e-aws-ocp4-bsi | 788fd731c42a3050d445b671d9ecff7bf58fdd60 | link | true | /test 4.17-e2e-aws-ocp4-bsi |
Failures in ci/prow/4.17-e2e-aws-ocp4-bsi are unrelated to this PR.