ocp4/CIS: Complete 1.3.1

applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/rule.yml

@@ -0,0 +1,72 @@
+documentation_complete: true
+
+prodtype: ocp4
+
+title: 'Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available'
+
+description: |-
+  <p>Two types of garbage collection are performed on an OpenShift Container Platform node:</p>
+
+  <ul>
+    <li>Container garbage collection: Removes terminated containers.</li>
+    <li>Image garbage collection: Removes images not referenced by any running pods.</li>
+  </ul>
+
+  <p>
+  Container garbage collection can be performed using eviction thresholds.
+  Image garbage collection relies on disk usage as reported by cAdvisor on the
+  node to decide which images to remove from the node.
+  </p>
+
+  <p>
+  The OpenShift administrator can configure how OpenShift Container Platform
+  performs garbage collection by creating a kubeletConfig object for each
+  Machine Config Pool using any combination of the following:
+  </p>
+
+  <ul>
+    <li>soft eviction for containers</li>
+    <li>hard eviction for containers</li>
+    <li>eviction for images</li>
+  </ul>
+
+  <p>
+  To configure, follow the directions in
+  {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring",
+              text="the documentation") }}}
+  </p>
+
+  <p>
+  This rule pertains to the <tt>imagefs.available</tt> setting of the <tt>evictionHard</tt>
+  section.
+  </p>
+
+rationale: |-
+  Garbage collection is important to ensure sufficient resource availability
+  and avoiding degraded performance and availability. In the worst case, the
+  system might crash or just be unusable for a long period of time.
+  Based on your system resources and tests, choose an appropriate threshold
+  value to activate garbage collection.
+
+severity: medium
+
+references:
+  cis: 1.3.1
+
+identifiers:
+  cce@ocp4: CCE-84144-5
+
+ocil_clause: '<tt>imagefs.available</tt> is not set in <tt>evictionHard</tt> section'
+
+ocil: |-
+  Run the following command on the kubelet node(s):
+  <pre>$ oc debug -q node/$NODE -- jq -r '.evictionHard."imagefs.available"' /host/etc/kubernetes/kubelet.conf</pre>
+  and make sure it outputs
+  <pre>{{{ xccdf_value("var_kubelet_evictionhard_imagefs_available") }}}</pre>
+
+template:
+  name: yamlfile_value
+  vars:
+    filepath: /etc/kubernetes/kubelet.conf
+    yamlpath: ".evictionHard['imagefs.available']"
+    xccdf_variable: var_kubelet_evictionhard_imagefs_available

applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/tests/ocp4/e2e-remediation.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+set -xe
+
+echo "applying sysctls"
+oc apply --server-side -f ${ROOT_DIR}/ocp-resources/kubelet-sysctls-mc.yaml
+
+sleep 30
+
+echo "waiting for workers to update"
+while true; do
+    status=$(oc get mcp/worker | grep worker | awk '{ print $3 $4 }')
+    if [ "$status" == "TrueFalse" ]; then
+      break
+    fi
+    sleep 1
+done
+
+echo "waiting for masters to update"
+while true; do
+    status=$(oc get mcp/master | grep master | awk '{ print $3 $4 }')
+    if [ "$status" == "TrueFalse" ]; then
+      break
+    fi
+    sleep 1
+done
+
+echo "applying kubeletConfig"
+oc apply --server-side -f ${ROOT_DIR}/ocp-resources/kubelet-config-mc.yaml
+
+sleep 30
+
+echo "waiting for workers to update"
+while true; do
+    status=$(oc get mcp/worker | grep worker | awk '{ print $3 $4 }')
+    if [ "$status" == "TrueFalse" ]; then
+      break
+    fi
+    sleep 1
+done
+
+echo "waiting for masters to update"
+while true; do
+    status=$(oc get mcp/master | grep master | awk '{ print $3 $4 }')
+    if [ "$status" == "TrueFalse" ]; then
+      break
+    fi
+    sleep 1
+done
+
+exit 0

applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/tests/ocp4/e2e.yml

@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS

applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/rule.yml

@@ -0,0 +1,72 @@
+documentation_complete: true
+
+prodtype: ocp4
+
+title: 'Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree'
+
+description: |-
+  <p>Two types of garbage collection are performed on an OpenShift Container Platform node:</p>
+
+  <ul>
+    <li>Container garbage collection: Removes terminated containers.</li>
+    <li>Image garbage collection: Removes images not referenced by any running pods.</li>
+  </ul>
+
+  <p>
+  Container garbage collection can be performed using eviction thresholds.
+  Image garbage collection relies on disk usage as reported by cAdvisor on the
+  node to decide which images to remove from the node.
+  </p>
+
+  <p>
+  The OpenShift administrator can configure how OpenShift Container Platform
+  performs garbage collection by creating a kubeletConfig object for each
+  Machine Config Pool using any combination of the following:
+  </p>
+
+  <ul>
+    <li>soft eviction for containers</li>
+    <li>hard eviction for containers</li>
+    <li>eviction for images</li>
+  </ul>
+
+  <p>
+  To configure, follow the directions in
+  {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring",
+              text="the documentation") }}}
+  </p>
+
+  <p>
+  This rule pertains to the <tt>imagefs.inodesFree</tt> setting of the <tt>evictionHard</tt>
+  section.
+  </p>
+
+rationale: |-
+  Garbage collection is important to ensure sufficient resource availability
+  and avoiding degraded performance and availability. In the worst case, the
+  system might crash or just be unusable for a long period of time.
+  Based on your system resources and tests, choose an appropriate threshold
+  value to activate garbage collection.
+
+severity: medium
+
+references:
+  cis: 1.3.1
+
+identifiers:
+  cce@ocp4: CCE-84147-8
+
+ocil_clause: '<tt>imagefs.inodesFree</tt> is not set in <tt>evictionHard</tt> section'
+
+ocil: |-
+  Run the following command on the kubelet node(s):
+  <pre>$ oc debug -q node/$NODE -- jq -r '.evictionHard."imagefs.inodesFree"' /host/etc/kubernetes/kubelet.conf</pre>
+  and make sure it outputs
+  <pre>{{{ xccdf_value("var_kubelet_evictionhard_imagefs_inodesfree") }}}</pre>
+
+template:
+  name: yamlfile_value
+  vars:
+    filepath: /etc/kubernetes/kubelet.conf
+    yamlpath: ".evictionHard['imagefs.inodesFree']"
+    xccdf_variable: var_kubelet_evictionhard_imagefs_inodesfree

applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/tests/ocp4/e2e-remediation.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+set -xe
+
+echo "applying sysctls"
+oc apply --server-side -f ${ROOT_DIR}/ocp-resources/kubelet-sysctls-mc.yaml
+
+sleep 30
+
+echo "waiting for workers to update"
+while true; do
+    status=$(oc get mcp/worker | grep worker | awk '{ print $3 $4 }')
+    if [ "$status" == "TrueFalse" ]; then
+      break
+    fi
+    sleep 1
+done
+
+echo "waiting for masters to update"
+while true; do
+    status=$(oc get mcp/master | grep master | awk '{ print $3 $4 }')
+    if [ "$status" == "TrueFalse" ]; then
+      break
+    fi
+    sleep 1
+done
+
+echo "applying kubeletConfig"
+oc apply --server-side -f ${ROOT_DIR}/ocp-resources/kubelet-config-mc.yaml
+
+sleep 30
+
+echo "waiting for workers to update"
+while true; do
+    status=$(oc get mcp/worker | grep worker | awk '{ print $3 $4 }')
+    if [ "$status" == "TrueFalse" ]; then
+      break
+    fi
+    sleep 1
+done
+
+echo "waiting for masters to update"
+while true; do
+    status=$(oc get mcp/master | grep master | awk '{ print $3 $4 }')
+    if [ "$status" == "TrueFalse" ]; then
+      break
+    fi
+    sleep 1
+done
+
+exit 0

applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_inodesfree/tests/ocp4/e2e.yml

@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS

applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/rule.yml

@@ -0,0 +1,72 @@
+documentation_complete: true
+
+prodtype: ocp4
+
+title: 'Ensure Eviction threshold Settings Are Set - evictionHard: memory.available'
+
+description: |-
+  <p>Two types of garbage collection are performed on an OpenShift Container Platform node:</p>
+
+  <ul>
+    <li>Container garbage collection: Removes terminated containers.</li>
+    <li>Image garbage collection: Removes images not referenced by any running pods.</li>
+  </ul>
+
+  <p>
+  Container garbage collection can be performed using eviction thresholds.
+  Image garbage collection relies on disk usage as reported by cAdvisor on the
+  node to decide which images to remove from the node.
+  </p>
+
+  <p>
+  The OpenShift administrator can configure how OpenShift Container Platform
+  performs garbage collection by creating a kubeletConfig object for each
+  Machine Config Pool using any combination of the following:
+  </p>
+
+  <ul>
+    <li>soft eviction for containers</li>
+    <li>hard eviction for containers</li>
+    <li>eviction for images</li>
+  </ul>
+
+  <p>
+  To configure, follow the directions in
+  {{{ weblink(link="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring",
+              text="the documentation") }}}
+  </p>
+
+  <p>
+  This rule pertains to the <tt>memory.available</tt> setting of the <tt>evictionHard</tt>
+  section.
+  </p>
+
+rationale: |-
+  Garbage collection is important to ensure sufficient resource availability
+  and avoiding degraded performance and availability. In the worst case, the
+  system might crash or just be unusable for a long period of time.
+  Based on your system resources and tests, choose an appropriate threshold
+  value to activate garbage collection.
+
+severity: medium
+
+references:
+  cis: 1.3.1
+
+identifiers:
+  cce@ocp4: CCE-84135-3
+
+ocil_clause: '<tt>memory.available</tt> is not set in <tt>evictionHard</tt> section'
+
+ocil: |-
+  Run the following command on the kubelet node(s):
+  <pre>$ oc debug -q node/$NODE -- jq -r '.evictionHard."memory.available"' /host/etc/kubernetes/kubelet.conf</pre>
+  and make sure it outputs
+  <pre>{{{ xccdf_value("var_kubelet_evictionhard_memory_available") }}}</pre>
+
+template:
+  name: yamlfile_value
+  vars:
+    filepath: /etc/kubernetes/kubelet.conf
+    yamlpath: ".evictionHard['memory.available']"
+    xccdf_variable: var_kubelet_evictionhard_memory_available

applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/tests/ocp4/e2e-remediation.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+set -xe
+
+echo "applying sysctls"
+oc apply --server-side -f ${ROOT_DIR}/ocp-resources/kubelet-sysctls-mc.yaml
+
+sleep 30
+
+echo "waiting for workers to update"
+while true; do
+    status=$(oc get mcp/worker | grep worker | awk '{ print $3 $4 }')
+    if [ "$status" == "TrueFalse" ]; then
+      break
+    fi
+    sleep 1
+done
+
+echo "waiting for masters to update"
+while true; do
+    status=$(oc get mcp/master | grep master | awk '{ print $3 $4 }')
+    if [ "$status" == "TrueFalse" ]; then
+      break
+    fi
+    sleep 1
+done
+
+echo "applying kubeletConfig"
+oc apply --server-side -f ${ROOT_DIR}/ocp-resources/kubelet-config-mc.yaml
+
+sleep 30
+
+echo "waiting for workers to update"
+while true; do
+    status=$(oc get mcp/worker | grep worker | awk '{ print $3 $4 }')
+    if [ "$status" == "TrueFalse" ]; then
+      break
+    fi
+    sleep 1
+done
+
+echo "waiting for masters to update"
+while true; do
+    status=$(oc get mcp/master | grep master | awk '{ print $3 $4 }')
+    if [ "$status" == "TrueFalse" ]; then
+      break
+    fi
+    sleep 1
+done
+
+exit 0

applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_memory_available/tests/ocp4/e2e.yml

@@ -0,0 +1,3 @@
+---
+default_result: FAIL
+result_after_remediation: PASS