
Defined notes and rules for control BSI APP4.4.A1 to APP4.4.A3 #11501

Merged
merged 4 commits into from
Mar 15, 2024

Conversation

sluetze
Contributor

@sluetze sluetze commented Jan 30, 2024

Description:

  • These are requirements 1 to 3 from the BSI APP.4.4 control
  • This also adds a new MANUAL rule, which advises on how to check that only one application is running per namespace. This is a little different to the already existing rule general_namespaces_in_use

Rationale:

As we have multiple customers asking for a BSI profile to be included in the compliance-operator, we are contributing a profile. To provide a better review process, the individual controls are implemented as separate PRs.

Note:

While we promised to keep the PRs small and reviewable and intended to do one PR per requirement, we will bundle some easy requirements together to not push too many PRs at once.


openshift-ci bot commented Jan 30, 2024

Hi @sluetze. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Jan 30, 2024

github-actions bot commented Jan 30, 2024

Start a new ephemeral environment with changes proposed in this pull request:

  • ocp4 (from CTF) Environment (using Fedora as testing environment)
  • Fedora Testing Environment
  • Oracle Linux 8 Environment

@sluetze
Contributor Author

sluetze commented Jan 30, 2024

I am not 100% sure why the tests fail.

As it looks to me, the rule is not correctly added to the ocp4 product, but to rhel. This is caused by https://github.com/ComplianceAsCode/content-test-filtering/blob/552403f58c1e72c4261cc049612d46f3f4387fdd/ctf/DiffStruct.py#L103-L114 which sets rhel8 as a default prodtype if none is defined. Since with #11378 prodtype was removed, this default might be used a lot.

I might be wrong with my analysis, since I am not experienced with the codebase. Due to this I also have no good fix.

Edit: while the prodtype thing seems to be a bug (I opened ComplianceAsCode/content-test-filtering#48 for this), this is not relevant for the failing test; see here, where I added prodtype back and still got failed tests: https://github.com/sig-bsi-grundschutz/content/actions/runs/7711416833/job/21016736323?pr=53

@BhargaviGudi
Collaborator

Verification passed with 4.16.0-0.nightly-2024-02-26-013420 + compliance-operator.v1.4.0 + PR #115

  1. Install CO v1.4.0
$ oc get pb
NAME              CONTENTIMAGE                                                                                                                               CONTENTFILE         STATUS
ocp4              registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:83399624f8f5ec77d9ff75b1f397abfa040070ba8b78f7103d8546616dff4c34   ssg-ocp4-ds.xml     VALID
rhcos4            registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:83399624f8f5ec77d9ff75b1f397abfa040070ba8b78f7103d8546616dff4c34   ssg-rhcos4-ds.xml   VALID
upstream-ocp4     openscap-ocp4-ds:latest                                                                                                                    ssg-ocp4-ds.xml     VALID
upstream-rhcos4   openscap-ocp4-ds:latest                                                                                                                    ssg-rhcos4-ds.xml   VALID
  2. Create ssb
$ oc compliance bind -N test profile/upstream-ocp4-bsi profile/upstream-ocp4-bsi-node
Creating ScanSettingBinding test
$ oc get suite
NAME   PHASE   RESULT
test   DONE    NON-COMPLIANT
$ oc get scan
NAME                            PHASE   RESULT
upstream-ocp4-bsi               DONE    NON-COMPLIANT
upstream-ocp4-bsi-node-master   DONE    COMPLIANT
upstream-ocp4-bsi-node-worker   DONE    COMPLIANT
  3. Instruction for rule upstream-ocp4-general-namespace-separation
$ oc get rule upstream-ocp4-general-namespace-separation -o=jsonpath={.instructions}
Run the following command and review the pods and how they are deployed in
namespaces. $ oc get pod -o=custom-columns=NAME:.metadata.name,NAMESPACE:.metadata.namespace,APP:.metadata.labels.app\.kubernetes\.io/name --all-namespaces | grep -v "openshift-"
You can use labels or other data as custom field which helps you to identify parts of an application.
Ensure that there are only components of one application in each namespace.
[bgudi@bgudi-thinkpadt14sgen2i content]$
$ oc get pod -o=custom-columns=NAME:.metadata.name,NAMESPACE:.metadata.namespace,APP:.metadata.labels.app\.kubernetes\.io/name --all-namespaces | grep -v "openshift-"
NAME                                                                      NAMESPACE                                          APP
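The MANUAL rule verified above leaves the "one application per namespace" decision to a human reading the `oc get pod` listing. The following script is an added example (not part of ComplianceAsCode content or the compliance-operator) that automates the same review: it consumes `oc get pods --all-namespaces -o json`, skips `openshift-*` namespaces exactly as the rule's `grep -v "openshift-"` does, groups pods by the `app.kubernetes.io/name` label, and reports namespaces that host components of more than one application. The pod list embedded in the script is constructed sample data; the script name and the `--all-namespaces -o json` invocation in the docstring are assumptions, not something the rule prescribes. Unlabeled pods are reported as their own pseudo-application so that the reviewer sees them instead of silently passing them.

```python
"""Check the 'one application per namespace' expectation (BSI APP.4.4) from pod data.

Added example; not ComplianceAsCode content and not compliance-operator code.
Mirrors the MANUAL rule's instruction: list pods with namespace and the
app.kubernetes.io/name label, skip openshift-* namespaces, and flag namespaces
that mix components of more than one application.

Assumed invocation against a live cluster:
    oc get pods --all-namespaces -o json | python3 check_namespace_separation.py
Run without piped input, it evaluates the constructed sample below.
"""
import json
import sys
from collections import defaultdict

APP_LABEL = "app.kubernetes.io/name"
UNLABELED = "<unlabeled>"

# Constructed sample in the shape of `oc get pods --all-namespaces -o json`.
SAMPLE_POD_LIST = {
    "items": [
        {"metadata": {"name": "web-1", "namespace": "shop", "labels": {APP_LABEL: "shop"}}},
        {"metadata": {"name": "db-1", "namespace": "shop", "labels": {APP_LABEL: "shop"}}},
        {"metadata": {"name": "api-1", "namespace": "tools", "labels": {APP_LABEL: "wiki"}}},
        {"metadata": {"name": "job-1", "namespace": "tools", "labels": {APP_LABEL: "ci-runner"}}},
        {"metadata": {"name": "legacy-1", "namespace": "tools", "labels": {}}},
        {"metadata": {"name": "apiserver-1", "namespace": "openshift-apiserver",
                      "labels": {APP_LABEL: "openshift-apiserver"}}},
        {"metadata": {"name": "ingress-1", "namespace": "openshift-ingress",
                      "labels": {APP_LABEL: "router"}}},
    ]
}


def apps_per_namespace(pod_list, skip_prefix="openshift-"):
    """Map namespace -> set of application names.

    Namespaces starting with skip_prefix are dropped, matching the rule's
    `grep -v "openshift-"`. Pods without the app label map to UNLABELED.
    """
    apps = defaultdict(set)
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        namespace = meta.get("namespace", "")
        if namespace.startswith(skip_prefix):
            continue
        labels = meta.get("labels") or {}
        apps[namespace].add(labels.get(APP_LABEL, UNLABELED))
    return dict(apps)


def namespace_violations(pod_list):
    """Return {namespace: sorted application names} for every reviewed namespace
    hosting more than one application. Unlabeled pods count as a separate
    application so the reviewer is forced to look at them (the rule allows
    other data than labels to identify application parts)."""
    return {
        namespace: sorted(names)
        for namespace, names in apps_per_namespace(pod_list).items()
        if len(names) > 1
    }


def main():
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    data = json.loads(raw) if raw.strip() else SAMPLE_POD_LIST
    violations = namespace_violations(data)
    if not violations:
        print("PASS: each reviewed namespace hosts a single application")
        return 0
    for namespace, names in sorted(violations.items()):
        print(f"FAIL: namespace {namespace} mixes applications: {', '.join(names)}")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

On the constructed sample the script reports only the `tools` namespace (it mixes `wiki`, `ci-runner` and an unlabeled pod); `shop` passes and both `openshift-*` namespaces are excluded from review. Exit status 1 on any finding makes the check usable in a pipeline, while the per-namespace listing keeps the human judgement the MANUAL rule asks for.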

@sluetze
Contributor Author

sluetze commented Mar 1, 2024

/retest


openshift-ci bot commented Mar 1, 2024

@sluetze: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@xiaojiey
Collaborator

xiaojiey commented Mar 4, 2024

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Mar 4, 2024
@yuumasato yuumasato self-assigned this Mar 4, 2024
@sluetze
Contributor Author

sluetze commented Mar 4, 2024

/retest

@sluetze
Contributor Author

sluetze commented Mar 6, 2024

Rebased and force-pushed to get the checks running.


github-actions bot commented Mar 6, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11501
This image was built from commit: efe66f2

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11501

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11501 make deploy-local


codeclimate bot commented Mar 6, 2024

Code Climate has analyzed commit efe66f2 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.8% (0.0% change).

View more on Code Climate.

Member

@yuumasato yuumasato left a comment


@sluetze This is looking great to me.

Do you expect some other people to review this?

@yuumasato
Member

The Automatus failures occur on cs8, cs9 and sle15 because these products don't have the new rule in the data stream. These are fine though.

@sluetze
Contributor Author

sluetze commented Mar 14, 2024

> The Automatus failures occur on cs8, cs9 and sle15 because these products don't have the new rule in the data stream. These are fine though.

> @sluetze This is looking great to me.

> Do you expect some other people to review this?

Thanks for your help. No, I do not expect more reviews.
I will discuss with the team whether we will do so in the MRs here in the future to have more transparency.

@yuumasato yuumasato added this to the 0.1.73 milestone Mar 15, 2024
@yuumasato yuumasato merged commit a6d36e4 into ComplianceAsCode:master Mar 15, 2024
41 of 44 checks passed
@yuumasato yuumasato added the BSI PRs or issues for the BSI profile. label Mar 15, 2024
@sluetze sluetze deleted the app-4-4-A1to3 branch March 18, 2024 10:37