Ensure that HyperShift Hosted Namespaces have Network Policies defined.

An XCCDF Rule

Description

Use network policies to isolate traffic in your cluster network.

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:

/apis/networking.k8s.io/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/networkpolicies API endpoint, filter with with the jq utility using the following filter [.items[] | .metadata.name] and persist it to the local /apis/networking.k8s.io/v1/namespaces/networkpolicies#08ccf6ea6e29d378349cc36918df58d5e6172cd458ede2bf03fe4266ee1b6d6a file.

Rationale

Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. However, if there are no network policies in a namespace all traffic will be allowed into and out of the pods in that namespace.

ID: xccdf_org.ssgproject.content_rule_configure_network_policies_hypershift_hosted
Severity: High
References: Req-1.1.4 Req-1.2 Req-1.2.1 Req-1.3.1 Req-1.3.2 Req-2.2

5.3.2

CCE-86104-7
Updated: about 1 year ago