WIP: ocp4/CIS 1.3.1: Add rules for eviction thresholds

applications/openshift/kubelet/kubelet_eviction_thresholds_set_soft_memory_available/rule.yml

@@ -0,0 +1,75 @@
+documentation_complete: true
+
+prodtype: ocp4
+
+title: 'Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available'
+
+description: |-
+  <p>Two types of garbage collection are performed on an OpenShift Container Platform node:</p>
+
+  <ul>
+    <li>Container garbage collection: Removes terminated containers.</li>
+    <li>Image garbage collection: Removes images not referenced by any running pods.</li>
+  </ul>
+
+  <p>
+  Container garbage collection can be performed using eviction thresholds.
+  Image garbage collection relies on disk usage as reported by cAdvisor on the
+  node to decide which images to remove from the node.
+  </p>
+
+  <p>
+  The OpenShift administrator can configure how OpenShift Container Platform
+  performs garbage collection by creating a kubeletConfig object for each
+  Machine Config Pool using any combination of the following:
+  </p>
+
+  <ul>
+    <li>soft eviction for containers</li>
+    <li>hard eviction for containers</li>
+    <li>eviction for images</li>
+  </ul>
+
+  <p>
+  To configure, follow the directions in
+  {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring",
+              text="the documentation") }}}
+  </p>
+
+  <p>
+  This rule pertains to the <tt>memory.available</tt> setting of the <tt>evictionSoft</tt>
+  section.
+  </p>
+
+rationale: |-
+  Garbage collection is important to ensure sufficient resource availability
+  and avoiding degraded performance and availability. In the worst case, the
+  system might crash or just be unusable for a long period of time.
+  Based on your system resources and tests, choose an appropriate threshold
+  value to activate garbage collection.
+
+severity: medium
+
+references:
+  cis: 1.3.1
+
+identifiers:
+  cce@ocp4: CCE-84222-9
+
+ocil_clause: '<tt>memory.available</tt> is not set in <tt>evictionSoft</tt> section'
+
+ocil: |-
+  Run the following command on the kubelet node(s):
+  <pre>$ oc debug -q node/$NODE -- jq -r '.evictionSoft."memory.available"' /host/etc/kubernetes/kubelet.conf</pre>
+  and make sure it outputs
+  <pre>{{{ xccdf_value("var_kubelet_evictionsoft_memory_available") }}}</pre>
+
+template:
+  name: yamlfile_value
+  vars:
+    filepath: /etc/kubernetes/kubelet.conf
+    yamlpath: ".evictionSoft['memory.available']"
+    values:
+      - value: {{{ xccdf_value("var_kubelet_evictionsoft_memory_available") }}}
+        operation: "equals"
+

applications/openshift/kubelet/var_kubelet_evictionsoft_memory_available.var

@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'Configure Kubelet EvictionSoft Memory Avilable'
+
+description: 'Memory Available for the EvictionSoft threshold to trigger.'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+    default: 500Mi

ocp4/profiles/cis-node.profile

@@ -112,6 +112,8 @@ selections:
     - file_permissions_etcd_pki_cert_files
   # 1.1.21 Ensure that the OpenShift PKI key file permissions are set to 600 
     - file_permissions_openshift_pki_key_files
+  #### 1.3 Controller Manager
+  # 1.3.1 Ensure that garbage collection is configured as appropriate (Manual)
 
   ### 2 etcd
   # 2.7 Ensure that a unique Certificate Authority is used for etcd
@@ -121,6 +123,7 @@ selections:
   ###
   #### 3.2 Logging
   # 3.2.1 Ensure that a minimal audit policy is created
+    - kubelet_eviction_thresholds_set_soft_memory_available
 
   ### 4 Worker Nodes
   ###

ocp4/profiles/cis.profile

@@ -115,7 +115,6 @@ selections:
   # 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers
     - api_server_tls_cipher_suites
   #### 1.3 Controller Manager
-  # 1.3.1 Ensure that garbage collection is configured as appropriate (Manual)
   # 1.3.2 Ensure that controller manager healthz endpoints are protected by RBAC. (Automated)
     - rbac_debug_role_protects_pprof
   # 1.3.3 Ensure that the --use-service-account-credentials argument is set to true

shared/references/cce-redhat-avail.txt

@@ -579,7 +579,6 @@ CCE-84215-3
 CCE-84217-9
 CCE-84218-7
 CCE-84221-1
-CCE-84222-9
 CCE-84223-7
 CCE-84224-5
 CCE-84225-2