Ensure that all Routes has rate limit enabled

An XCCDF Rule

Description

OpenShift has an option to set the rate limit for Routes [1] when creating new Routes. All routes outside the openshift namespaces and the kube namespaces should use the rate-limiting annotations. [1] https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:

/apis/route.openshift.io/v1/routes?limit=500 API endpoint, filter with with the jq utility using the following filter [.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name] and persist it to the local /apis/route.openshift.io/v1/routes?limit=500#842fa6716f17342d62e70f2755db709b9d7a161cf0338ea8bfae9b06dab5e6cc file.

Rationale

The usage of rate limit for Routes provides basic protection against distributed denial-of-service (DDoS) attacks.

ID: xccdf_org.ssgproject.content_rule_routes_rate_limit
Severity: Medium
References: SC-5 SC-5(1) SC-5(2)

SRG-APP-000246-CTR-000605 SRG-APP-000435-CTR-001070

CCE-90779-0
Updated: about 1 year ago