1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ Please avoid adding duplicate information across this changelog and JIRA/doc inp
to allow using the `restricted` and `restricted-v2` SCCs.
- The service account "central", which is used by the central deployment, will now include `get` and `list` access to the following resources in the namespace where central is deployed to:
`pods`, `events`, and `namespaces`. This fixes an issue when generating diagnostic bundles to now correctly include all relevant information within the namespace of central.
- ROX-13265: Fix missing rationale and remediation texts for default policy "Deployments should have at least one ingress Network Policy"

## [3.72.0]

Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
package m103tom104

import (
"embed"

"github.com/pkg/errors"
"github.com/stackrox/rox/generated/storage"
"github.com/stackrox/rox/migrator/migrations"
"github.com/stackrox/rox/migrator/migrations/policymigrationhelper"
"github.com/stackrox/rox/migrator/types"
bolt "go.etcd.io/bbolt"
)

var (
migration = types.Migration{
StartingSeqNum: 109,
VersionAfter: storage.Version{SeqNum: 110},
Run: func(databases *types.Databases) error {
err := updatePolicies(databases.BoltDB)
if err != nil {
return errors.Wrap(err, "updating policies")
}
return nil
},
}

//go:embed policies_before_and_after
policyDiffFS embed.FS

// We want to migrate only if the existing policy sections and title haven't changed.
fieldsToCompare = []policymigrationhelper.FieldComparator{
policymigrationhelper.DescriptionComparator,
policymigrationhelper.RationaleComparator,
policymigrationhelper.RemediationComparator,
}

policyDiffs = []policymigrationhelper.PolicyDiff{
{
FieldsToCompare: fieldsToCompare,
PolicyFileName: "deployment_has_ingress_network_policy.json",
},
}
)

func updatePolicies(db *bolt.DB) error {
return policymigrationhelper.MigratePoliciesWithDiffs(db, policyDiffFS, policyDiffs)
}

func init() {
migrations.MustRegisterMigration(migration)
}
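Review bot: The package clause `package m103tom104` at the top of this new file does not match the migration it registers — `StartingSeqNum: 109`, `VersionAfter: storage.Version{SeqNum: 110}` and the import path `m_109_to_m_110_networkpolicy_guidance_2` in all.go — which reads as a copy-paste leftover from an earlier migration; rename it to `package m109tom110`. The comment above `fieldsToCompare` says the migration runs only if "the existing policy sections and title haven't changed", but the comparators listed are `DescriptionComparator`, `RationaleComparator` and `RemediationComparator`, so the comment describes a different guard than the code enforces; replace it with `// Only migrate when description, rationale and remediation still match the stock policy, so user-customized copies are left untouched.` The "before" fixture carries no `rationale` or `remediation` keys at all, so whether the stock policy is recognised depends on the comparators treating an absent field as equal to the empty string — that is not visible in this diff and is worth pinning with a migration test against a policy loaded from the before fixture.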
Original file line number Diff line number Diff line change
@@ -0,0 +1,149 @@
{
"id": "38bf79e7-48bf-4ab1-b72f-38e8ad8b4ec3",
"name": "Deployments should have at least one ingress Network Policy",
"description": "Alerts if deployments are missing an ingress Network Policy",
"rationale": "Pods that lack ingress Network Policies have unrestricted reachability on the network and may be exposed to attacks",
"remediation": "Create and apply an appropriate Network Policy of type ingress to all Deployments. See https://kubernetes.io/docs/concepts/services-networking/network-policies/ for details",
"disabled": true,
"categories": [
"Security Best Practices"
],
"lifecycleStages": [
"DEPLOY"
],
"exclusions": [
{
"name": "Don't alert on kube-system namespace",
"deployment": {
"scope": {
"namespace": "kube-system"
}
}
},
{
"name": "Don't alert on openshift-kube-apiserver namespace",
"deployment": {
"scope": {
"namespace": "openshift-kube-apiserver"
}
}
},
{
"name": "Don't alert on openshift-kube-scheduler namespace",
"deployment": {
"scope": {
"namespace": "openshift-kube-scheduler"
}
}
},
{
"name": "Don't alert on openshift-kube-controller-manager namespace",
"deployment": {
"scope": {
"namespace": "openshift-kube-controller-manager"
}
}
},
{
"name": "Don't alert on openshift-sdn namespace",
"deployment": {
"scope": {
"namespace": "openshift-sdn"
}
}
},
{
"name": "Don't alert on openshift-network-operator namespace",
"deployment": {
"scope": {
"namespace": "openshift-network-operator"
}
}
},
{
"name": "Don't alert on openshift-multus namespace",
"deployment": {
"scope": {
"namespace": "openshift-multus"
}
}
},
{
"name": "Don't alert on openshift-cluster-version namespace",
"deployment": {
"scope": {
"namespace": "openshift-cluster-version"
}
}
},
{
"name": "Don't alert on node-ca DaemonSet in the openshift-image-registry namespace",
"deployment": {
"name": "node-ca",
"scope": {
"namespace": "openshift-image-registry"
}
}
},
{
"name": "Don't alert on host network usage within the openshift-etcd namespace",
"deployment": {
"scope": {
"namespace": "openshift-etcd"
}
}
},
{
"name": "Don't alert on host network usage within the openshift-machine-config-operator namespace",
"deployment": {
"scope": {
"namespace": "openshift-machine-config-operator"
}
}
},
{
"name": "Don't alert on host network usage within the openshift-monitoring namespace",
"deployment": {
"scope": {
"namespace": "openshift-monitoring"
}
}
},
{
"name": "Don't alert on host network usage within the openshift-machine-api namespace",
"deployment": {
"scope": {
"namespace": "openshift-machine-api"
}
}
},
{
"name": "Don't alert on host network usage within the openshift-cluster-node-tuning-operator namespace",
"deployment": {
"scope": {
"namespace": "openshift-cluster-node-tuning-operator"
}
}
}
],
"severity": "MEDIUM_SEVERITY",
"policyVersion": "1.1",
"policySections": [
{
"sectionName": "Alert on missing ingres Network Policy",
"policyGroups": [
{
"fieldName": "Has Ingress Network Policy",
"values": [
{
"value": "false"
}
]
}
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true
}
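Review bot: The `sectionName` value `"Alert on missing ingres Network Policy"` misspells "ingress"; the same string appears in the "before" fixture, so the typo is pre-existing, but it is user-visible policy text and this is the migration that touches this policy. Since the migration compares only description, rationale and remediation, correcting the section name presumably needs to be done as a deliberate change to both the default policy file and a matching migration step rather than an edit to this fixture alone — worth a follow-up ticket if it is not fixed here.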
Original file line number Diff line number Diff line change
@@ -0,0 +1,147 @@
{
"id": "38bf79e7-48bf-4ab1-b72f-38e8ad8b4ec3",
"name": "Deployments should have at least one ingress Network Policy",
"description": "Alerts if deployments are missing an ingress Network Policy",
"disabled": true,
"categories": [
"Security Best Practices"
],
"lifecycleStages": [
"DEPLOY"
],
"exclusions": [
{
"name": "Don't alert on kube-system namespace",
"deployment": {
"scope": {
"namespace": "kube-system"
}
}
},
{
"name": "Don't alert on openshift-kube-apiserver namespace",
"deployment": {
"scope": {
"namespace": "openshift-kube-apiserver"
}
}
},
{
"name": "Don't alert on openshift-kube-scheduler namespace",
"deployment": {
"scope": {
"namespace": "openshift-kube-scheduler"
}
}
},
{
"name": "Don't alert on openshift-kube-controller-manager namespace",
"deployment": {
"scope": {
"namespace": "openshift-kube-controller-manager"
}
}
},
{
"name": "Don't alert on openshift-sdn namespace",
"deployment": {
"scope": {
"namespace": "openshift-sdn"
}
}
},
{
"name": "Don't alert on openshift-network-operator namespace",
"deployment": {
"scope": {
"namespace": "openshift-network-operator"
}
}
},
{
"name": "Don't alert on openshift-multus namespace",
"deployment": {
"scope": {
"namespace": "openshift-multus"
}
}
},
{
"name": "Don't alert on openshift-cluster-version namespace",
"deployment": {
"scope": {
"namespace": "openshift-cluster-version"
}
}
},
{
"name": "Don't alert on node-ca DaemonSet in the openshift-image-registry namespace",
"deployment": {
"name": "node-ca",
"scope": {
"namespace": "openshift-image-registry"
}
}
},
{
"name": "Don't alert on host network usage within the openshift-etcd namespace",
"deployment": {
"scope": {
"namespace": "openshift-etcd"
}
}
},
{
"name": "Don't alert on host network usage within the openshift-machine-config-operator namespace",
"deployment": {
"scope": {
"namespace": "openshift-machine-config-operator"
}
}
},
{
"name": "Don't alert on host network usage within the openshift-monitoring namespace",
"deployment": {
"scope": {
"namespace": "openshift-monitoring"
}
}
},
{
"name": "Don't alert on host network usage within the openshift-machine-api namespace",
"deployment": {
"scope": {
"namespace": "openshift-machine-api"
}
}
},
{
"name": "Don't alert on host network usage within the openshift-cluster-node-tuning-operator namespace",
"deployment": {
"scope": {
"namespace": "openshift-cluster-node-tuning-operator"
}
}
}
],
"severity": "MEDIUM_SEVERITY",
"policyVersion": "1.1",
"policySections": [
{
"sectionName": "Alert on missing ingres Network Policy",
"policyGroups": [
{
"fieldName": "Has Ingress Network Policy",
"values": [
{
"value": "false"
}
]
}
]
}
],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true
}
1 change: 1 addition & 0 deletions migrator/runner/all.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import (
_ "github.com/stackrox/rox/migrator/migrations/m_106_to_m_107_policy_categories"
_ "github.com/stackrox/rox/migrator/migrations/m_107_to_m_108_remove_auth_plugin"
_ "github.com/stackrox/rox/migrator/migrations/m_108_to_m_109_compliance_run_schedules"
_ "github.com/stackrox/rox/migrator/migrations/m_109_to_m_110_networkpolicy_guidance_2"
_ "github.com/stackrox/rox/migrator/migrations/m_55_to_m_56_node_scanning_empty"
_ "github.com/stackrox/rox/migrator/migrations/m_56_to_m_57_compliance_policy_categories"
_ "github.com/stackrox/rox/migrator/migrations/m_57_to_m_58_update_run_secrets_volume_policy_regex"
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
"id": "38bf79e7-48bf-4ab1-b72f-38e8ad8b4ec3",
"name": "Deployments should have at least one ingress Network Policy",
"description": "Alerts if deployments are missing an ingress Network Policy",
"rationale": "Pods that lack ingress Network Policies have unrestricted reachability on the network and may be exposed to attacks",
"remediation": "Create and apply an appropriate Network Policy of type ingress to all Deployments. See https://kubernetes.io/docs/concepts/services-networking/network-policies/ for details",
"disabled": true,
"categories": [
"Security Best Practices"
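Review bot: The new `remediation` text tells the operator to apply "an appropriate Network Policy of type ingress to all Deployments", which omits the two details needed to actually clear this alert: the NetworkPolicy's `podSelector` presumably has to select the deployment's own pods (a policy in the namespace that targets other pods would not count), and NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them, so on a cluster without enforcement the object exists but protects nothing. Suggested wording: `"remediation": "Create a NetworkPolicy with policyTypes Ingress whose podSelector matches the deployment's pods, and confirm the cluster's CNI plugin enforces NetworkPolicy. See https://kubernetes.io/docs/concepts/services-networking/network-policies/ for details"`. Whatever text is chosen must be copied byte-for-byte into the migration's "after" fixture, because the migrator compares description, rationale and remediation when deciding whether an installed policy is still the stock one. The enclosing JSON object continues outside the hunk.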
2 changes: 1 addition & 1 deletion pkg/migrations/internal/seq_num.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ var (
// CurrentDBVersionSeqNum is the current DB version number.
// This must be incremented every time we write a migration.
// It is a shared constant between central and the migrator binary.
CurrentDBVersionSeqNum = 109
CurrentDBVersionSeqNum = 110
// PostgresDBVersionPlus is the current DB version number with Postgres DB data migration.
PostgresDBVersionPlus = 56
)