From 4e7c45ddfa6998df80b76339a76c4ce68e3d5c6f Mon Sep 17 00:00:00 2001
From: Frederico Bittencourt
Date: Thu, 27 Oct 2022 18:09:52 +0200
Subject: [PATCH 1/4] X-Smart-Branch-Parent: master
From f55aa60b5452e57124e87212dda68b11e2477f39 Mon Sep 17 00:00:00 2001
From: Frederico Bittencourt
Date: Thu, 27 Oct 2022 18:18:27 +0200
Subject: [PATCH 2/4] correct issues with default policy not being correctly updated
---
 .../migration.go | 51 ++++++
 ...deployment_has_ingress_network_policy.json | 149 ++++++++++++++++++
 ...deployment_has_ingress_network_policy.json | 147 +++++++++++++++++
 migrator/runner/all.go | 1 +
 ...deployment_has_ingress_network_policy.json | 2 +
 pkg/migrations/internal/seq_num.go | 2 +-
 6 files changed, 351 insertions(+), 1 deletion(-)
 create mode 100644 migrator/migrations/m_109_to_m_110_networkpolicy_guidance_2/migration.go
 create mode 100644 migrator/migrations/m_109_to_m_110_networkpolicy_guidance_2/policies_before_and_after/after/deployment_has_ingress_network_policy.json
 create mode 100644 migrator/migrations/m_109_to_m_110_networkpolicy_guidance_2/policies_before_and_after/before/deployment_has_ingress_network_policy.json
diff --git a/migrator/migrations/m_109_to_m_110_networkpolicy_guidance_2/migration.go b/migrator/migrations/m_109_to_m_110_networkpolicy_guidance_2/migration.go
new file mode 100644
index 0000000000000..c2eabd7605570
--- /dev/null
+++ b/migrator/migrations/m_109_to_m_110_networkpolicy_guidance_2/migration.go
@@ -0,0 +1,51 @@
+package m103tom104
+
+import (
+ "embed"
+
+ "github.com/pkg/errors"
+ "github.com/stackrox/rox/generated/storage"
+ "github.com/stackrox/rox/migrator/migrations"
+ "github.com/stackrox/rox/migrator/migrations/policymigrationhelper"
+ "github.com/stackrox/rox/migrator/types"
+ bolt "go.etcd.io/bbolt"
+)
+
+var (
+ migration = types.Migration{
+ StartingSeqNum: 109,
+ VersionAfter: storage.Version{SeqNum: 110},
+ Run: func(databases *types.Databases) error {
+ err := updatePolicies(databases.BoltDB)
+ if err != nil {
+ return errors.Wrap(err, "updating policies")
+ }
+ return nil
+ },
+ }
+
+ //go:embed policies_before_and_after
+ policyDiffFS embed.FS
+
+ // We want to migrate only if the existing policy sections and title haven't changed.
+ fieldsToCompare = []policymigrationhelper.FieldComparator{
+ policymigrationhelper.DescriptionComparator,
+ policymigrationhelper.RationaleComparator,
+ policymigrationhelper.RemediationComparator,
+ }
+
+ policyDiffs = []policymigrationhelper.PolicyDiff{
+ {
+ FieldsToCompare: fieldsToCompare,
+ PolicyFileName: "deployment_has_ingress_network_policy.json",
+ },
+ }
+)
+
+func updatePolicies(db *bolt.DB) error {
+ return policymigrationhelper.MigratePoliciesWithDiffs(db, policyDiffFS, policyDiffs)
+}
+
+func init() {
+ migrations.MustRegisterMigration(migration)
+}
diff --git a/migrator/migrations/m_109_to_m_110_networkpolicy_guidance_2/policies_before_and_after/after/deployment_has_ingress_network_policy.json b/migrator/migrations/m_109_to_m_110_networkpolicy_guidance_2/policies_before_and_after/after/deployment_has_ingress_network_policy.json
new file mode 100644
index 0000000000000..1c54d00b42894
--- /dev/null
+++ b/migrator/migrations/m_109_to_m_110_networkpolicy_guidance_2/policies_before_and_after/after/deployment_has_ingress_network_policy.json
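Review bot: The comment `// We want to migrate only if the existing policy sections and title haven't changed.` does not describe the comparators listed beneath it, which are DescriptionComparator, RationaleComparator and RemediationComparator — neither the policy sections nor the title take part in the comparison. Suggest `// Migrate only if the stored policy's description, rationale and remediation still match the "before" copy, i.e. the user has not customised them.`; since the before JSON carries no rationale or remediation at all, this presumably means the update is applied only while those two fields are still empty, which is worth stating explicitly so the next migration author understands the intent. The package clause `package m103tom104` also does not match the directory m_109_to_m_110_networkpolicy_guidance_2 and looks carried over from an earlier migration; `package m109tom110` would keep the convention the directory name implies. In Run, the two-step `err := updatePolicies(databases.BoltDB)` / `if err != nil` could be the idiomatic `if err := updatePolicies(databases.BoltDB); err != nil {`.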
@@ -0,0 +1,149 @@
+{
+ "id": "38bf79e7-48bf-4ab1-b72f-38e8ad8b4ec3",
+ "name": "Deployments should have at least one ingress Network Policy",
+ "description": "Alerts if deployments are missing an ingress Network Policy",
+ "rationale": "Pods that lack ingress Network Policies have unrestricted reachability on the network and may be exposed to attacks",
+ "remediation": "Create and apply an appropriate Network Policy of type ingress to all Deployments. See https://kubernetes.io/docs/concepts/services-networking/network-policies/ for details",
+ "disabled": true,
+ "categories": [
+ "Security Best Practices"
+ ],
+ "lifecycleStages": [
+ "DEPLOY"
+ ],
+ "exclusions": [
+ {
+ "name": "Don't alert on kube-system namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "kube-system"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on openshift-kube-apiserver namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-kube-apiserver"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on openshift-kube-scheduler namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-kube-scheduler"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on openshift-kube-controller-manager namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-kube-controller-manager"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on openshift-sdn namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-sdn"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on openshift-network-operator namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-network-operator"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on openshift-multus namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-multus"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on openshift-cluster-version namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-cluster-version"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on node-ca DaemonSet in the openshift-image-registry namespace",
+ "deployment": {
+ "name": "node-ca",
+ "scope": {
+ "namespace": "openshift-image-registry"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on host network usage within the openshift-etcd namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-etcd"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on host network usage within the openshift-machine-config-operator namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-machine-config-operator"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on host network usage within the openshift-monitoring namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-monitoring"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on host network usage within the openshift-machine-api namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-machine-api"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on host network usage within the openshift-cluster-node-tuning-operator namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-cluster-node-tuning-operator"
+ }
+ }
+ }
+ ],
+ "severity": "MEDIUM_SEVERITY",
+ "policyVersion": "1.1",
+ "policySections": [
+ {
+ "sectionName": "Alert on missing ingres Network Policy",
+ "policyGroups": [
+ {
+ "fieldName": "Has Ingress Network Policy",
+ "values": [
+ {
+ "value": "false"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "criteriaLocked": true,
+ "mitreVectorsLocked": true,
+ "isDefault": true
+}
diff --git a/migrator/migrations/m_109_to_m_110_networkpolicy_guidance_2/policies_before_and_after/before/deployment_has_ingress_network_policy.json b/migrator/migrations/m_109_to_m_110_networkpolicy_guidance_2/policies_before_and_after/before/deployment_has_ingress_network_policy.json
new file mode 100644
index 0000000000000..b34f10805447b
--- /dev/null
+++ b/migrator/migrations/m_109_to_m_110_networkpolicy_guidance_2/policies_before_and_after/before/deployment_has_ingress_network_policy.json
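Review bot: The policy this migration writes keeps the misspelling in `"sectionName": "Alert on missing ingres Network Policy"`, a user-visible string in the UI. The index lines show the after JSON (1c54d00b42894) is byte-identical to the updated pkg/defaults/policies/files copy, so if the typo is corrected it must be corrected in both files in the same change, otherwise the migrated policy and the shipped default drift apart. Whether that belongs in this change is a judgement call: the before JSON carries the same text, and the comparators in migration.go do not cover policy sections, so a stored policy with the corrected name would presumably still be migrated.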
@@ -0,0 +1,147 @@
+{
+ "id": "38bf79e7-48bf-4ab1-b72f-38e8ad8b4ec3",
+ "name": "Deployments should have at least one ingress Network Policy",
+ "description": "Alerts if deployments are missing an ingress Network Policy",
+ "disabled": true,
+ "categories": [
+ "Security Best Practices"
+ ],
+ "lifecycleStages": [
+ "DEPLOY"
+ ],
+ "exclusions": [
+ {
+ "name": "Don't alert on kube-system namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "kube-system"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on openshift-kube-apiserver namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-kube-apiserver"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on openshift-kube-scheduler namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-kube-scheduler"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on openshift-kube-controller-manager namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-kube-controller-manager"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on openshift-sdn namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-sdn"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on openshift-network-operator namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-network-operator"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on openshift-multus namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-multus"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on openshift-cluster-version namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-cluster-version"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on node-ca DaemonSet in the openshift-image-registry namespace",
+ "deployment": {
+ "name": "node-ca",
+ "scope": {
+ "namespace": "openshift-image-registry"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on host network usage within the openshift-etcd namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-etcd"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on host network usage within the openshift-machine-config-operator namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-machine-config-operator"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on host network usage within the openshift-monitoring namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-monitoring"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on host network usage within the openshift-machine-api namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-machine-api"
+ }
+ }
+ },
+ {
+ "name": "Don't alert on host network usage within the openshift-cluster-node-tuning-operator namespace",
+ "deployment": {
+ "scope": {
+ "namespace": "openshift-cluster-node-tuning-operator"
+ }
+ }
+ }
+ ],
+ "severity": "MEDIUM_SEVERITY",
+ "policyVersion": "1.1",
+ "policySections": [
+ {
+ "sectionName": "Alert on missing ingres Network Policy",
+ "policyGroups": [
+ {
+ "fieldName": "Has Ingress Network Policy",
+ "values": [
+ {
+ "value": "false"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "criteriaLocked": true,
+ "mitreVectorsLocked": true,
+ "isDefault": true
+}
diff --git a/migrator/runner/all.go b/migrator/runner/all.go
index 42fc661a99ffd..5633e26d25bb8 100644
--- a/migrator/runner/all.go
+++ b/migrator/runner/all.go
@@ -11,6 +11,7 @@ import (
 _ "github.com/stackrox/rox/migrator/migrations/m_106_to_m_107_policy_categories"
 _ "github.com/stackrox/rox/migrator/migrations/m_107_to_m_108_remove_auth_plugin"
 _ "github.com/stackrox/rox/migrator/migrations/m_108_to_m_109_compliance_run_schedules"
+ _ "github.com/stackrox/rox/migrator/migrations/m_109_to_m_110_networkpolicy_guidance_2"
 _ "github.com/stackrox/rox/migrator/migrations/m_55_to_m_56_node_scanning_empty"
 _ "github.com/stackrox/rox/migrator/migrations/m_56_to_m_57_compliance_policy_categories"
 _ "github.com/stackrox/rox/migrator/migrations/m_57_to_m_58_update_run_secrets_volume_policy_regex"
diff --git a/pkg/defaults/policies/files/deployment_has_ingress_network_policy.json b/pkg/defaults/policies/files/deployment_has_ingress_network_policy.json
index b34f10805447b..1c54d00b42894 100644
--- a/pkg/defaults/policies/files/deployment_has_ingress_network_policy.json
+++ b/pkg/defaults/policies/files/deployment_has_ingress_network_policy.json
@@ -2,6 +2,8 @@
 "id": "38bf79e7-48bf-4ab1-b72f-38e8ad8b4ec3",
 "name": "Deployments should have at least one ingress Network Policy",
 "description": "Alerts if deployments are missing an ingress Network Policy",
+ "rationale": "Pods that lack ingress Network Policies have unrestricted reachability on the network and may be exposed to attacks",
+ "remediation": "Create and apply an appropriate Network Policy of type ingress to all Deployments. See https://kubernetes.io/docs/concepts/services-networking/network-policies/ for details",
 "disabled": true,
 "categories": [
 "Security Best Practices"
diff --git a/pkg/migrations/internal/seq_num.go b/pkg/migrations/internal/seq_num.go
index e3813ba7932da..011be8c0a2a45 100644
--- a/pkg/migrations/internal/seq_num.go
+++ b/pkg/migrations/internal/seq_num.go
@@ -4,7 +4,7 @@ var (
 // CurrentDBVersionSeqNum is the current DB version number.
 // This must be incremented every time we write a migration.
 // It is a shared constant between central and the migrator binary.
- CurrentDBVersionSeqNum = 109
+ CurrentDBVersionSeqNum = 110
 // PostgresDBVersionPlus is the current DB version number with Postgres DB data migration.
 PostgresDBVersionPlus = 56
 )
From 50b10f25e4871c0db6a4d38762e6f1a1da47a9fc Mon Sep 17 00:00:00 2001
From: Frederico Bittencourt
Date: Thu, 27 Oct 2022 18:24:54 +0200
Subject: [PATCH 3/4] update changelog
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b879ae260a7d3..deb460dc7cb16 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@ Please avoid adding duplicate information across this changelog and JIRA/doc inp
 to allow using the `restricted` and `restricted-v2` SCCs.
 - The service account "central", which is used by the central deployment, will now include `get` and `list` access to the following resources in the namespace where central is deployed to: `pods`, `events`, and `namespaces`. This fixes an issue when generating diagnostic bundles to now correctly include all relevant information within the namespace of central.
+- ROX-13265: Fix missing rationale and remediation texts for default policy "Deployments should have at least one ingress Network Policy" on new installations
 ## [3.72.0]
From 1853910e6bf1046180a122802f362f5f9e0f6147 Mon Sep 17 00:00:00 2001
From: Frederico Bittencourt
Date: Thu, 27 Oct 2022 21:57:35 +0200
Subject: [PATCH 4/4] Update CHANGELOG.md
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index deb460dc7cb16..6791477458a8c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,7 +36,7 @@ Please avoid adding duplicate information across this changelog and JIRA/doc inp
 to allow using the `restricted` and `restricted-v2` SCCs.
 - The service account "central", which is used by the central deployment, will now include `get` and `list` access to the following resources in the namespace where central is deployed to: `pods`, `events`, and `namespaces`. This fixes an issue when generating diagnostic bundles to now correctly include all relevant information within the namespace of central.
-- ROX-13265: Fix missing rationale and remediation texts for default policy "Deployments should have at least one ingress Network Policy" on new installations
+- ROX-13265: Fix missing rationale and remediation texts for default policy "Deployments should have at least one ingress Network Policy"
 ## [3.72.0]