
Ensure that all Routes have rate limit enabled

An XCCDF Rule

Description

OpenShift has an option to set the IP whitelist for Routes [1] when creating new Routes. All routes outside the openshift namespaces and the kube namespaces should use the IP whitelist annotations. Requests from IP addresses that are not in the whitelist are dropped.

[1] https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need a tool that can query the OCP API and retrieve the following:
  • the /apis/route.openshift.io/v1/routes?limit=500 API endpoint, filtered with the jq utility using the filter [.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.annotations["haproxy.router.openshift.io/ip_whitelist"] | not) | .metadata.name], with the result persisted to the local /apis/route.openshift.io/v1/routes?limit=500#aec152a4446d7917fcbebee892a2ec3fbdef3b71cc0784c9457b2e54fd64dd3b file.
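The following Python script is an added example, not part of the XCCDF rule or of the ComplianceAsCode project. It reproduces the jq filter above over a constructed RouteList dump (the route names and namespaces are made up), so that the check can be understood and exercised offline, and it also shows what the annotation described in the Description section looks like on a remediated Route object. The `strict` mode and the `with_ip_whitelist` helper are additions beyond the rule's own filter and are labelled as such in the code.

```python
import json

# Annotation the rule looks for and the namespace prefixes it exempts (both taken from the rule text).
IP_WHITELIST_ANNOTATION = "haproxy.router.openshift.io/ip_whitelist"
EXEMPT_NAMESPACE_PREFIXES = ("kube-", "openshift-")

# Constructed sample of a /apis/route.openshift.io/v1/routes dump; not taken from any real cluster.
SAMPLE_ROUTE_DUMP = json.dumps({
    "apiVersion": "route.openshift.io/v1",
    "kind": "RouteList",
    "items": [
        # platform route: exempt because of the openshift- prefix
        {"metadata": {"name": "console", "namespace": "openshift-console"}},
        # compliant: annotation present with space-separated addresses/CIDRs
        {"metadata": {"name": "billing-api", "namespace": "finance",
                      "annotations": {IP_WHITELIST_ANNOTATION: "10.0.0.0/8 192.168.1.10"}}},
        # non-compliant: user namespace, no annotations at all
        {"metadata": {"name": "public-web", "namespace": "web"}},
        # platform route: exempt because of the kube- prefix
        {"metadata": {"name": "metrics", "namespace": "kube-system"}},
        # annotation present but empty: passes the jq filter, caught only in strict mode
        {"metadata": {"name": "dev-tools", "namespace": "dev",
                      "annotations": {IP_WHITELIST_ANNOTATION: ""}}},
    ],
})


def is_exempt_namespace(namespace: str) -> bool:
    """Mirror of the jq test: startswith("kube-") or startswith("openshift-")."""
    return namespace.startswith(EXEMPT_NAMESPACE_PREFIXES)


def routes_without_ip_whitelist(route_dump_json: str, strict: bool = False) -> list:
    """Return the names of routes the rule would flag, in dump order.

    With strict=False this reproduces the jq filter from the rule: a route is
    flagged when it lives outside the exempt namespaces and the annotation is
    absent. jq's `| not` treats only null and false as falsy, so an empty
    string value passes the rule's filter. strict=True is an addition beyond
    the rule: it also flags annotations that are empty or whitespace-only,
    since those name no allowed address.
    """
    route_list = json.loads(route_dump_json)
    flagged = []
    for route in route_list.get("items", []):
        meta = route.get("metadata", {})
        if is_exempt_namespace(meta.get("namespace", "")):
            continue
        # annotations may be missing or null on a Route object
        value = (meta.get("annotations") or {}).get(IP_WHITELIST_ANNOTATION)
        if value is None or (strict and not value.strip()):
            flagged.append(meta["name"])
    return flagged


def with_ip_whitelist(route: dict, allowed: list) -> dict:
    """Return a copy of a Route object carrying the ip_whitelist annotation.

    Helper added for illustration, not part of the rule. `allowed` holds IP
    addresses or CIDRs; the annotation value is space-separated, as in the
    OpenShift documentation linked from the rule.
    """
    remediated = json.loads(json.dumps(route))  # cheap deep copy of plain JSON data
    annotations = remediated.setdefault("metadata", {}).setdefault("annotations", {})
    annotations[IP_WHITELIST_ANNOTATION] = " ".join(allowed)
    return remediated


if __name__ == "__main__":
    print("flagged (rule filter):", routes_without_ip_whitelist(SAMPLE_ROUTE_DUMP))
    print("flagged (strict):     ", routes_without_ip_whitelist(SAMPLE_ROUTE_DUMP, strict=True))
    fixed = with_ip_whitelist({"metadata": {"name": "public-web", "namespace": "web"}},
                              ["10.0.0.0/8", "192.168.1.10"])
    print(json.dumps(fixed, indent=2))
```

Run against a real dump by passing the saved API response to `routes_without_ip_whitelist` instead of `SAMPLE_ROUTE_DUMP`; the default mode gives the same names the rule's jq filter produces, while `strict=True` is worth a second pass, because an annotation that is present but empty satisfies the rule's filter without listing any permitted address.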

Rationale

The usage of IP whitelist for Routes provides basic protection against unwanted access.

ID
xccdf_org.ssgproject.content_rule_route_ip_whitelist
Severity
Medium
References
Updated