Uploaded image for project: 'Virtualization Strategy'
  1. Virtualization Strategy
  2. VIRTSTRAT-103

[VIRT] Protect from unintended data leaks / attacks via tailored Network Policies

XMLWordPrintable

    • Icon: Feature Feature
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • None
    • None
    • None
    • Product / Portfolio Work
    • False
    • Hide

      None

      Show
      None
    • False
    • Not Selected
    • 14% To Do, 57% In Progress, 29% Done

      *FIMXE needs to be updated for virt*

      Outcome Overview

      Once all this work is completed, we will have 1) reduced attack vectors for the control plane per RH ProdSec guidance and 2) added compliance with a newer CIS Kube benchmark recommendation "5.3.2 Ensure that all Namespaces have Network Policies defined (Manual)"

      Threat: Without network policies, any pod within the Openshift cluster can communicate freely with other pods, regardless of their intended level of access. Attackers or compromised pods can exploit this lack of restriction to move laterally within the cluster and potentially compromise critical components. In the absence of network policies, pods may have unrestricted communication with external networks, this can result in unintended data leakage, where sensitive information is transmitted to unauthorized destinations.

      The control plane threat assessment document listed networking policies as a potential threat here - https://docs.google.com/document/d/1B7ZCfwEfl0AqPoQHqeoAIuBQNoCMAeWwEkMSV_TItjg/edit#bookmark=id.ywnfpwunk3t8

      Success Criteria

      A Kube NP YAML file is delivered with each control plane operator that restricts ingress as well as egress communication to only the necessary communication. We may also choose to deliver a default Admin Network Policy that is applied when an OpenShift cluster is installed.

      RH ProdSec signs off that we have met their requirements. 

      A CIS OpenShift benchmark scan shows that we have comply with item 5.3.2 for all control plane components. 

      Note: AdminNetworkingPolicy is a K8s mechanism to set strict secure rules for the cluster. The work under this Jira card should consider and prefer the use of AdminNetworkPolicy resources.

      Expected Results (what, how, when)

      A default installation of the OpenShift control plane will be able to meet another CIS Kube benchmark control which will reduce friction with prospects and customers. 

      A default installation of the OpenShift control plane will meet ProdSec guidance. 

      A default installation of the OpenShift control plane will have additional hardening that moves the deployment toward zero trust. 

       

      Post Completion Review - Actual Results

      After completing the work (as determined by the "when" in Expected Results above), list the actual results observed / measured during Post Completion review(s).

              kmajcher@redhat.com Krzysztof Majcher
              fdeutsch@redhat.com Fabian Deutsch
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: