
Defined notes and rules for BSI SYS.1.6.A26 #12494

Merged

Conversation

sluetze (Contributor) commented Oct 14, 2024

Description:

Added notes and controls for BSI SYS.1.6 A17-A21

Rationale:

As we have multiple customers asking for a BSI profile to be included in the compliance-operator, we are contributing a profile. To provide a better review process, the individual controls are implemented as separate PRs.

Review Hints:

sandboxed_containers_operator_configured:

  • needs additional permissions; these are in "add read permission for kataconfig" compliance-operator#618
  • the e2e test can take a long time, as it adds a mcp and needs to restart all nodes. The timeout is 3600s, which is quite long and might need adjustments
  • for the compliance check to succeed the finish of the mcp is not needed, thus we might delete that testing altogether
  • OR adjust the compliance check to check if nodes provide the separation... which is another level of complication and access permissions
  • the compliance check checks for a kataconfig, but this is only enough on baremetal deployments. On Azure, AWS, IBM Z and IBM LinuxONE there are additional configurations needed, which we do not check for (peerpods, and others)
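The last two review hints describe a check that passes as soon as a KataConfig exists, even though on cloud platforms that alone does not give the workload separation the rule is after. The following is an added example, not code from this PR or from ComplianceAsCode, that models such a check over constructed resource objects: it reads the platform from the `status.platformStatus.type` field of the cluster Infrastructure resource and, on the platforms the hints name, additionally requires peer pods to be enabled. The platform set and the `spec.enablePeerPods` field name used for that second condition are assumptions made for this example; the sample objects are constructed inline.

```python
"""Model of a KataConfig-based compliance check with the platform caveat from the review hints.

Added example; it does not reproduce the actual OVAL/CEL check in ComplianceAsCode.
"""
from typing import Any, Dict, List

# Platforms on which a KataConfig alone is not sufficient (assumption based on the
# review hints: Azure, AWS, IBM Z / LinuxONE need peer pods or other extra setup).
PLATFORMS_NEEDING_PEER_PODS = {"AWS", "Azure", "IBMCloud"}


def platform_type(infrastructure: Dict[str, Any]) -> str:
    """Return the platform type of the cluster from the Infrastructure resource.

    infrastructures.config.openshift.io/cluster exposes status.platformStatus.type
    (e.g. "AWS", "Azure", "BareMetal", "None").
    """
    return (
        infrastructure.get("status", {})
        .get("platformStatus", {})
        .get("type", "None")
    )


def evaluate_sandboxed_containers(
    infrastructure: Dict[str, Any], kataconfigs: List[Dict[str, Any]]
) -> Dict[str, str]:
    """Evaluate whether sandboxed containers are configured for this platform.

    Returns a dict with "result" ("pass"/"fail"), "platform" and a "reason".
    Installation progress (the MCP finishing) is deliberately not required,
    matching the review hint that the check does not need it.
    """
    platform = platform_type(infrastructure)

    # Naive check from the PR: a KataConfig resource must exist at all.
    if not kataconfigs:
        return {"result": "fail", "platform": platform,
                "reason": "no KataConfig resource found"}

    # Caveat from the review hints: on cloud platforms a plain KataConfig is not
    # enough; here we require spec.enablePeerPods (assumed field name) to be true.
    if platform in PLATFORMS_NEEDING_PEER_PODS:
        peer_pod_configs = [
            kc for kc in kataconfigs
            if kc.get("spec", {}).get("enablePeerPods") is True
        ]
        if not peer_pod_configs:
            return {"result": "fail", "platform": platform,
                    "reason": "platform requires peer pods, but no KataConfig enables them"}

    return {"result": "pass", "platform": platform,
            "reason": "KataConfig present and platform requirements satisfied"}


# Constructed sample resources (not taken from a real cluster).
BARE_METAL_INFRA = {"status": {"platformStatus": {"type": "BareMetal"}}}
AWS_INFRA = {"status": {"platformStatus": {"type": "AWS"}}}

KATACONFIG_PLAIN = {
    "apiVersion": "kataconfiguration.openshift.io/v1",
    "kind": "KataConfig",
    "metadata": {"name": "example-kataconfig"},
    "spec": {},
}
KATACONFIG_PEER_PODS = {
    "apiVersion": "kataconfiguration.openshift.io/v1",
    "kind": "KataConfig",
    "metadata": {"name": "example-kataconfig-peerpods"},
    "spec": {"enablePeerPods": True},  # assumed field name
}


def run_samples() -> Dict[str, str]:
    """Run the check over the constructed samples; returns scenario -> result."""
    return {
        "baremetal_plain": evaluate_sandboxed_containers(BARE_METAL_INFRA, [KATACONFIG_PLAIN])["result"],
        "aws_plain": evaluate_sandboxed_containers(AWS_INFRA, [KATACONFIG_PLAIN])["result"],
        "aws_peerpods": evaluate_sandboxed_containers(AWS_INFRA, [KATACONFIG_PEER_PODS])["result"],
        "aws_none": evaluate_sandboxed_containers(AWS_INFRA, [])["result"],
    }


if __name__ == "__main__":
    for scenario, result in run_samples().items():
        print(f"{scenario}: {result}")
```

The "aws_plain" scenario is the case the review hints warn about: the naive existence check would pass it, while the platform-aware variant fails it until peer pods are enabled.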


openshift-ci bot commented Oct 14, 2024

Hi @sluetze. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Oct 14, 2024

github-actions bot commented Oct 14, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_general_node_separation'.
--- xccdf_org.ssgproject.content_rule_general_node_separation
+++ xccdf_org.ssgproject.content_rule_general_node_separation
@@ -20,6 +20,9 @@
 [reference]:
 SYS.1.6.A3
 
+[reference]:
+SYS.1.6.A26
+
 [rationale]:
 Assigning workloads with high protection requirements to specific nodes creates and additional
 boundary (the node) between workloads of high protection requirements and workloads which might
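Review bot: the context line "creates and additional boundary (the node)" in the rationale has a pre-existing typo ("and" should be "an"); since this hunk already touches the rule's description text, it would be a good place to fix it. Separately, the PR title and this diff concern SYS.1.6.A26 on general_node_separation only, while the description says "A17-A21" and the review hints discuss sandboxed_containers_operator_configured, which does not appear in the generated datastream diff; aligning the description with what the diff actually changes would make the review easier.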

@jan-cerny jan-cerny added the OpenShift OpenShift product related. label Oct 16, 2024
@yuumasato (Member) commented
/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Nov 28, 2024
@yuumasato yuumasato self-assigned this Nov 28, 2024
@yuumasato (Member) commented
/test 4.17-e2e-aws-ocp4-bsi
/test 4.17-e2e-aws-ocp4-bsi-node
/test 4.17-e2e-aws-rhcos4-bsi

@yuumasato (Member) commented

/test 4.17-e2e-aws-ocp4-bsi

@sluetze (Contributor, Author) commented Dec 10, 2024

There still seems to be an issue with the remediation script. I am investigating

@sluetze (Contributor, Author) commented Dec 10, 2024

If I analysed it correctly there are multiple issues:

  1. the cluster-scoped kataconfig resource is not included in the artifacts, so I can't verify how it looks and where the check fails. But I am quite sure it installed, since I can see the CRD and a deployment under namespaces/openshift-sandboxed-containers-operator/apps/deployments.yaml which only gets created by kataconfig iirc.
  2. the sandboxed containers do not install successfully: since my e2e script deploys sandboxed containers for baremetal (my installation is baremetal), the container fails to start on aws, since this needs peerpods - this should not be relevant for the fail of the check
   containerStatuses:
  - image: registry.redhat.io/openshift-sandboxed-containers/osc-monitor-rhel9@sha256:03381ad7a468abc1350b229a8a7f9375fcb315e59786fdacac8e5539af4a3cdc
    imageID: ""
    lastState: {}
    name: kata-monitor
    ready: false
    restartCount: 0
    started: false
    state:
      waiting:
        message: |
          container create failed: time="2024-12-09T15:07:36Z" level=error msg="runc create failed: unable to start container process: error during container init: write /proc/self/attr/keycreate: invalid argument"
        reason: CreateContainerError
  3. I am not sure if this test-run runs with the needed permissions from "add read permission for kataconfig" compliance-operator#618; if not, this would explain the fail even though the requirements are met for the check to succeed.

@yuumasato I could try to adapt the e2e-remediation script to apply to AWS so the sandboxed-containers operator get installed correctly. Do you think this is the right way?

@yuumasato (Member) commented

@sluetze CI is not picking the PR for kataconfig as it is not merged yet.

@yuumasato yuumasato added the BSI PRs or issues for the BSI profile. label Dec 17, 2024
@yuumasato (Member) commented

@sluetze with permissions to read kataconfig merged in CO, could you rebase this?

Also, I see that a new required check Ensure No Merge Commits was added, so a rebase will ensure this test is run.


codeclimate bot commented Feb 11, 2025

Code Climate has analyzed commit 788fd73 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).


@yuumasato (Member) commented

/ok-to-test

@yuumasato (Member) commented

/test 4.17-e2e-aws-ocp4-bsi
/test 4.17-e2e-aws-ocp4-bsi-node
/test 4.17-e2e-aws-rhcos4-bsi


openshift-ci bot commented Feb 12, 2025

@sluetze: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/4.17-e2e-aws-ocp4-bsi | 788fd73 | link | true | /test 4.17-e2e-aws-ocp4-bsi |

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@yuumasato yuumasato added this to the 0.1.77 milestone Feb 13, 2025
@yuumasato (Member) commented

Failures in ci/prow/4.17-e2e-aws-ocp4-bsi are unrelated to this PR.

@yuumasato yuumasato merged commit e95087a into ComplianceAsCode:master Feb 13, 2025
106 of 114 checks passed
@yuumasato yuumasato mentioned this pull request Feb 13, 2025
@sluetze sluetze deleted the bsi-sys-1-6-a26 branch February 14, 2025 06:10