Details
- Type: Story
- Resolution: Done
- Priority: Major
Description
SC-5 protects workloads against DoS attacks. The CaC rule implementing SC-5 would check that:
- all routes outside the openshift-* namespaces carry the rate-limiting annotations
- all workloads outside the openshift-* namespaces set resource requests and limits
- maybe pods in workloads that are not exposed should limit bandwidth as well? Maybe as an INFO-level rule? See the doc at https://docs.openshift.com/container-platform/4.7/nodes/pods/nodes-pods-configuring.html#nodes-pods-configuring-bandwidth_nodes-pods-configuring
Acceptance criteria:
- there is a rule that checks, for every namespace whose name does not start with openshift or kube, that all routes in that namespace have the rate-limiting annotations
- there is a rule that checks that either one clusterResourceQuota object exists, or that a resourceQuota object exists in every namespace except those whose names start with openshift-* or kube-*
- e2e tests exist for the rules above
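The two acceptance-criteria checks sketched in plain Python over constructed API objects, as an added illustration of the logic rather than the CaC rule the story produced. The story does not name the annotation; the key used here, haproxy.router.openshift.io/rate-limit-connections, is OpenShift's documented per-route rate-limit toggle, and the namespace and route names are made up.

```python
"""Added example: the two SC-5 acceptance-criteria checks over constructed API objects."""

# Namespaces whose names start with these prefixes are platform-owned and out of scope.
EXCLUDED_PREFIXES = ("openshift", "kube")
# OpenShift's per-route rate-limit toggle (the story only says "rate-limiting annotations").
RATE_LIMIT_ANNOTATION = "haproxy.router.openshift.io/rate-limit-connections"


def is_platform_namespace(name):
    return name.startswith(EXCLUDED_PREFIXES)


def routes_missing_rate_limit(routes):
    """Return (namespace, name) for each user-namespace route without rate limiting enabled."""
    findings = []
    for route in routes:
        meta = route["metadata"]
        if is_platform_namespace(meta["namespace"]):
            continue
        annotations = meta.get("annotations") or {}  # annotations may be absent entirely
        if annotations.get(RATE_LIMIT_ANNOTATION) != "true":
            findings.append((meta["namespace"], meta["name"]))
    return findings


def namespaces_without_quota(namespaces, resource_quotas, cluster_resource_quotas):
    """Return user namespaces lacking a ResourceQuota; an empty list if any
    ClusterResourceQuota exists, since that alone satisfies the criterion."""
    if cluster_resource_quotas:
        return []
    covered = {quota["metadata"]["namespace"] for quota in resource_quotas}
    return sorted(ns for ns in namespaces
                  if not is_platform_namespace(ns) and ns not in covered)


# Constructed sample objects, shaped like the `items` of a Kubernetes list response.
SAMPLE_NAMESPACES = ["openshift-console", "kube-system", "shop", "billing"]
SAMPLE_ROUTES = [
    {"metadata": {"namespace": "openshift-console", "name": "console"}},  # excluded
    {"metadata": {"namespace": "shop", "name": "frontend",
                  "annotations": {RATE_LIMIT_ANNOTATION: "true",
                                  RATE_LIMIT_ANNOTATION + ".rate-http": "100"}}},
    {"metadata": {"namespace": "shop", "name": "api",
                  "annotations": {"haproxy.router.openshift.io/timeout": "5s"}}},
    {"metadata": {"namespace": "billing", "name": "web"}},  # no annotations at all
]
SAMPLE_QUOTAS = [{"metadata": {"namespace": "shop", "name": "compute"}}]

if __name__ == "__main__":
    print("routes without rate limiting:", routes_missing_rate_limit(SAMPLE_ROUTES))
    print("namespaces without a quota:", namespaces_without_quota(SAMPLE_NAMESPACES, SAMPLE_QUOTAS, []))
```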