-
Notifications
You must be signed in to change notification settings - Fork 1
/
ocp-networking-cd.yaml
352 lines (316 loc) · 16.6 KB
/
ocp-networking-cd.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
# yaml-language-server: $schema=file:/Volumes/opt/zero-trust/zero-trust-catalog/oscal_component_schema-fixed.json
component-definition:
uuid: fa503e86-5cbb-4e8a-a064-3fe7ded7738b
metadata:
title: OCP 4.16 Networking Component Definition
last-modified: 2024-08-30T16:30:00Z
version: draft
oscal-version: 1.1.2
roles:
- id: provider
title: Provider
parties:
- uuid: eaf941d9-30ad-41ce-b1c9-a75eff031f94
name: Red Hat
type: organization
links:
- href: https://www.redhat.com/
rel: website
components:
- uuid: 1472a52b-c75f-4bf9-b2b7-0567f7db0c07
type: software
title: OpenShift Networking
description: The networking provider and CNI in OpenShift 4.16
responsible-roles:
- role-id: provider
party-uuids:
- eaf941d9-30ad-41ce-b1c9-a75eff031f94
protocols:
- name: coredns
title: Cluster-local DNS provider
port-ranges:
- start: 53
end: 53
transport: TCP
- start: 9153
end: 9153
transport: TCP
- name: etcd
title: Distributed key-value store
port-ranges:
- start: 2379
end: 2380
transport: TCP
- name: ovnkube-control-plane
title: OpenShift Networking control plane
port-ranges:
- start: 9411
end: 9411
transport: TCP
- name: ovnkube-identity
title: OpenShift Networking identity manager
port-ranges:
- start: 9443
end: 9443
transport: TCP
- name: ovs-exporter
title: OpenShift Networking metrics service
port-ranges:
- start: 9310
end: 9310
transport: TCP
- name: ovnkube
title: OpenShift Networking node agent
port-ranges:
- start: 9410
end: 9410
transport: TCP
- start: 9476
end: 9476
transport: TCP
control-implementations:
- uuid: b9021cc5-3b5d-4bcb-880e-99bffc4b5bb0
source: "#9b0c9c43-2722-4bbb-b132-13d34fb94d45"
description: NIST SP 800-53 controls implemented by OpenShift Networking
implemented-requirements:
- uuid: 34379876-b6c3-47ec-a957-1a0f8f31bbff
control-id: ac-3
description: |
TODO
props:
- name: title
value: Access Enforcement
- name: dod-mapping
value: 1.2 Conditional User access
remarks: |
Primary Capability: federated identity access management systems may
integrate with RH Single Sign-On or RHEL IDM via programmatic APIs or LDAP
to retrieve user attributes for policy and access rule adjustments.Note: Red
Hat OCP includes RH SSO which is required to provide indicated primary
capability.
- name: dod-mapping
value: 1.7 Least Privileged Access
remarks: |
Primary Capability: Red Hat Openshift can enforce least privilege access for
hosted workloads, as determined by its own RBAC polciies or external
policies defined and determined by RH SSO or RH SSO, via mutliple
techniques. Use of SDN ingress and egress points allows enforcement of
general policies such as a deny-by-default for unauthorized users by
blocking all access to tenant workloads. RH Appliation Foundations 3Scale
API management can block acess for specific workloads by policy. RH OSSM can
automate the enplacement and configuration of access enforcement proxies
that can block access to fine grained microservices. Each of these
techniques are implemented via custom configuration or tailoring ot these
components, which may be automated via RH OCP or RH AAP to maintain
consistent least privilege access for all workloads.Secondary Capability:
Red Hat Openshift provides standard default workload roles and attributes
including rroles standard and privileged actions. Granted default roles may
be customized and unprivileged changes to these roles locked out.Primary
Capability: all Red Hat products deny access by default and require
authentication and authorization based on user/role attributes. Workloads
hosted on Red Hat OpenShift can readily be connected to inherent SAML/OIDC
SSO services for access control.
- name: dod-mapping
value: 2.4 Remote Access
remarks: |
Primary Capability: Red Hat Openshift allows configuration of networks to a
least privilege baseline via mulitple techniques. RH OCP SDN network ingress
and egress may be individually configured to allow inbound and outbound
access from specifc users, networks, or other factors. Network Policies may
be configured to provide firewall-like allow and deny rules to specific
addresses, ports, and services on the SDN.Primary Capability: Red Hat
Ansible provides enterprise automation to support Configuration as Code,
monitor configuration drift and set/maintain access baselines across a wide
variety of enforcement points and products, both within and outside the Red
Hat portfolio.Partial / Integration Capability: Red Hat ACS may be used to
automate the asssessment of network policies against actual measured usage
to determine the applicable least privilege baseline and automate the
application of the baseline.
- uuid: e57f0d71-533c-4e9a-8572-6a17aef8fdd8
control-id: ac-4
description: |
TODO
props:
- name: title
value: Information Flow Enforcement
- name: dod-mapping
value: 5.2 Software Defined Networking (SDN)
remarks: |
Primary Capability: A Red Hat OpenShift environment defines and uttilizes a
software defined network to route traffic between hosted workloads. This SDN
is managed by OpenShift that acts as the control plane, and instruments
changes against the component nodes and network configuration objects within
the cluster. OpenShift offers a programmatic interface and REST APIs for
instrumentation of the SDN and other OpenShift functions.Primary Capability:
Within the context of Red Hat OpenShift, as described above, OpenShift acts
as the centralized manager for the SDN data plane.Primary Capability: Within
a Red Hat OpenShift environment, Red Hat Advanced Cluster Security
continously monitors ingress, egress, and internal network traffic patterns
and containerized workload compliance/risk and enforces network policies for
positive control over application traffic.
- name: dod-mapping
value: 5.3 Macro Segmentation
remarks: |
Primary Capability
- name: dod-mapping
value: 5.4 Micro Segmentation
remarks: |
Primary Capability: Red Hat OpenShift defines very specific network access
controls between the workloads it hosts. Applications are contstrained to
their namespaces/projects, OpenShift Service Mesh enforces mTLS and other
controls between workloads, and Red Hat Advanced Cluster Security enforces
network poliicies between workloads. All together, these capabiilites
provide very fine-grained network microsegmentation within an OpenShift
application environment.Primary Capability: Red Hat OpenShift inherently
automates the configuration and dynamism of network policies within itself,
and exposes these functions via API. Red Hat Ansible Automation Platform
supports automated configuration and policy deployment for a wide variety of
platforms across the enterprise as well.Primary Capability: Red Hat
OpenShift and Red Hat Enterprise Linux support SELinux for host-based
process segmentation at the kernel level based on user/group atrributes.
- uuid: bc45a2f3-6066-477d-b3ec-1e2cac08670c
control-id: ac-17.1
description: |
TODO
props:
- name: title
value: Remote Access - Monitoring and Control
- name: dod-mapping
value: 2.4 Remote Access
remarks: |
Primary Capability: Red Hat Openshift allows configuration of networks to a
least privilege baseline via mulitple techniques. RH OCP SDN network ingress
and egress may be individually configured to allow inbound and outbound
access from specifc users, networks, or other factors. Network Policies may
be configured to provide firewall-like allow and deny rules to specific
addresses, ports, and services on the SDN.Primary Capability: Red Hat
Ansible provides enterprise automation to support Configuration as Code,
monitor configuration drift and set/maintain access baselines across a wide
variety of enforcement points and products, both within and outside the Red
Hat portfolio.Partial / Integration Capability: Red Hat ACS may be used to
automate the asssessment of network policies against actual measured usage
to determine the applicable least privilege baseline and automate the
application of the baseline.
- uuid: a6015026-7997-429a-a264-6ed28ce299cc
control-id: ac-17.2
description: Protection of Confidentiality and Integrity Using Encryption
- uuid: 64184c4b-6140-4769-b812-8ddc47fdd55e
control-id: au-8
description: |
TODO
props:
- name: title
value: Time Stamps
- name: dod-mapping
value: 7.1 Log All Traffic (Network, Data, Apps, Users)
remarks: |
Primary Capability: Logging and observability capabilities througout the Red
Hat portfolio (syslog, Jaeger, ACS, ACM, OSSM) export logs to arbitarry log
collectors in standard formats for collection and availability.
- uuid: bd46e4af-89b3-4ecf-8423-5eeaa2be53ee
control-id: au-9
description: Protection of Audit Information
- uuid: 2bcad892-3805-41e6-9e2d-ecaa33032e50
control-id: au-12
description: Audit Record Generation
- uuid: d52cfbd7-7ba0-401f-9aa6-c4287d250a6b
control-id: ia-2.1
description: Multi-factor Authentication to Privileged Accounts
- uuid: ebd31ede-3172-4114-83f2-7b637465f10b
control-id: ia-2.2
description: Multi-factor Authentication to Non-privileged Accounts
- uuid: caad2fcd-37bb-4f8c-a29c-0c527b628909
control-id: ia-8
description: Identification and Authentication
- uuid: 48651320-e217-4d9f-9d44-66ce00b0e3fe
control-id: ia-8.1
description: |
PIV credentials from other agencies can be handled by making use of RH Single
Sign-On.
props:
- name: title
value: Acceptance of PIV Credentials from Other Agencies
- name: dod-mapping
value: 1.2 Conditional User access
remarks: |
Primary Capability: federated identity access management systems may
integrate with RH Single Sign-On or RHEL IDM via programmatic APIs or LDAP
to retrieve user attributes for policy and access rule adjustments.Note: Red
Hat OCP includes RH SSO which is required to provide indicated primary
capability.
- uuid: 951b451c-7c12-4212-8228-33e73b2d5c15
control-id: ia-8.2
description: Acceptance of External Authenticators
- uuid: 775d34d7-0651-4f28-8072-2cd0308e4ce5
control-id: ia-8.4
description: Use of Defined Protocols
- uuid: 30b941e9-9bbd-49c7-ab7c-ff640fb665de
control-id: ia-11
description: Re-authentication
- uuid: e2bb225b-41d7-4287-b854-69adeb19bab8
control-id: sc-7
description: Boundary Protection
- uuid: 64ba79d3-c3ad-4c5d-85fe-88f1ba9945b8
control-id: sc-7.8
description: Route Traffic to Authenticated Proxy Servers
- uuid: 54cc20c6-b6de-4095-9f22-69a2244f5d24
control-id: sc-7.18
description: Fail Secure
- uuid: a4b23866-5340-4e3d-a1c8-2e76f2661ed0
control-id: sc-7.21
description: Isolation of System Components
- uuid: 2339ae91-fb69-453e-8955-030e953442b5
control-id: sc-8
description: Transmission Confidentiality and Integrity
- uuid: c4193dd6-5553-4c41-8e49-7cee388bb9d0
control-id: sc-8.1
description: Cryptographic Protection
- uuid: 423e58dd-0ee3-48cb-80e8-3b87414ba2e6
control-id: sc-10
description: Network Disconnect
- uuid: b1252262-6627-4a1d-b991-2aef25e09db9
control-id: sc-12
description: Cryptographic Key Establishment and Management
- uuid: fea55502-935e-498f-a6b8-e43ee5e3fac7
control-id: sc-13
description: Cryptographic Protection
- uuid: 760316a6-fa4a-4edc-8422-d920580a5e07
control-id: sc-5
description: Denial-of-service Protection
# TODO
# - uuid: cbb8f6fd-e6fe-44b1-969b-9558fffc4bc8
# control-id: sc-20
# description: Secure Name/Address Resolution Service (Authoritative Source)
# - uuid: 4bba4255-2e0a-4974-875f-afcae6fc9638
# control-id: sc-21
# description: Secure Name/Address Resolution Service (Recursive or Caching Resolver)
# - uuid: 630ba1a3-bb92-4dac-a904-e92f3c6673a2
# control-id: sc-22
# description: Architecture and Provisioning for Name/Address Resolution Service
- uuid: 3e3d8e28-45ae-4d3d-85cf-39212c919009
control-id: sc-23
description: Session Authenticity
- uuid: e7cfcd5f-fb68-4d88-84b9-a393bb617541
control-id: sc-39
description: Process Isolation
- uuid: 3e35ac73-f9f0-4c00-81be-aa02656182b7
control-id: cm-6
description: Configuration Settings
- uuid: 079371b3-3fb3-4016-a333-ad0936d74db5
control-id: cm-7
description: Least Functionality
- uuid: 8064fcfe-3260-4d93-afdd-991e1a087bc1
control-id: si-4
description: System Monitoring
- uuid: b3229439-fdbd-4e85-af73-94a3568490ac
control-id: si-10
description: Information Input Validation
- uuid: 3a16b25e-700e-4e89-8097-ed4594617c05
control-id: si-11
description: Error Handling
back-matter:
resources:
- uuid: 9b0c9c43-2722-4bbb-b132-13d34fb94d45
title: NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures
rlinks:
- href: file://nist-sp-800-53-rev5-extended.json