ComplianceAsCode · jhrozek · Feb 3, 2022 · Jan 31, 2022
diff --git a/products/ocp4/product.yml b/products/ocp4/product.yml
@@ -26,6 +26,16 @@ cpes:
       title: "Red Hat OpenShift Container Platform 4 Node"
       check_id: installed_app_is_ocp4_node
 
+  - ocp4-node-on-ovn:
+      name: "cpe:/a:redhat:openshift_container_platform_node_on_ovn:4"
+      title: "Red Hat OpenShift Container Platform 4 Node on OVN"
+      check_id: installed_app_is_ocp4_node_on_openshift-ovn
+
+  - ocp4-node-on-sdn:
+      name: "cpe:/a:redhat:openshift_container_platform_node_on_sdn:4"
+      title: "Red Hat OpenShift Container Platform 4 Node on SDN"
+      check_id: installed_app_is_ocp4_node_on_openshift-sdn
+
   - ocp4.6:
       name: "cpe:/a:redhat:openshift_container_platform:4.6"
       title: "Red Hat OpenShift Container Platform 4.6"
@@ -106,5 +116,16 @@ cpes:
       title: "Red Hat OpenShift Container Platform 4 on GCP"
       check_id: installed_app_is_ocp4_on_gcp
 
+  - ocp4-on-ovn:
+      name: "cpe:/a:redhat:openshift_container_platform_on_ovn:4"
+      title: "Red Hat OpenShift Container Platform 4 on OVN"
+      check_id: installed_app_is_ocp4_on_openshiftovn
+
+  - ocp4-on-sdn:
+      name: "cpe:/a:redhat:openshift_container_platform_on_sdn:4"
+      title: "Red Hat OpenShift Container Platform 4 on SDN"
+      check_id: installed_app_is_ocp4_on_openshiftsdn
+
+
 # Requirement string, see: https://setuptools.readthedocs.io/en/latest/pkg_resources.html#requirements-parsing
 # requires: "openscap>=1.3.4"
diff --git a/shared/checks/oval/installed_app_is_ocp4.xml b/shared/checks/oval/installed_app_is_ocp4.xml
@@ -120,5 +120,53 @@
       </ind:value>
   </ind:yamlfilecontent_state>
 
+{{% endfor %}}
+
+  <!-- helpers for ovn/sdn network cpe check-->
+  <local_variable id="ocp4_network_dump_location" datatype="string" comment="The actual filepath of the network file to scan." version="1">
+      <literal_component>/kubernetes-api-resources/apis/config.openshift.io/v1/networks/cluster</literal_component>
+  </local_variable>
+
+  <unix:file_test id="test_file_for_ocp4_network" check="only one" comment="Find the actual file for the network to be scanned." version="1">
+      <unix:object object_ref="object_file_for_ocp4_network"/>
+  </unix:file_test>
+
+  <unix:file_object id="object_file_for_ocp4_network" version="1">
+      <unix:filepath var_ref="ocp4_network_dump_location"/>
+  </unix:file_object>
+
+  <ind:yamlfilecontent_object id="object_ocp4_platform_network" version="1">
+      <ind:filepath var_ref="ocp4_network_dump_location"/>
+      <ind:yamlpath>.status.networkType</ind:yamlpath>
+  </ind:yamlfilecontent_object>
+
+  <!-- Check for OpenShift Container Platform 4 using specific network type -->
+{{% for network in ["OpenShiftSDN", "OpenShiftOVN"] %}}
+  <definition class="inventory" id="installed_app_is_ocp4_on_{{{ network|lower }}}" version="1">
+    <metadata>
+      <title>Red Hat OpenShift Container network 4 on {{{ network }}}</title>
+      <affected family="unix">
+        <platform>Red Hat OpenShift Container network 4 on {{{ network }}}</platform>
+      </affected>
+      <reference ref_id="cpe:/a:redhat:openshift_container_network_on_{{{ network|lower }}}:4" source="CPE" />
+      <description>The application installed installed on the system is OpenShift version 4 on {{{ network }}}.</description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion comment="cluster is OpenShift 4 on {{{ network }}}" test_ref="test_ocp4_on_{{{ network|lower }}}" />
+      <criterion comment="Make sure OCP4 networkstructure/cluster file is present" test_ref="test_file_for_ocp4_network"/>
+    </criteria>
+  </definition>
+
+  <ind:yamlfilecontent_test id="test_ocp4_on_{{{ network|lower }}}" check="at least one" comment="Find one match" version="1">
+      <ind:object object_ref="object_ocp4_platform_network"/>
+      <ind:state state_ref="state_ocp4_on_{{{ network|lower }}}"/>
+  </ind:yamlfilecontent_test>
+
+  <ind:yamlfilecontent_state id="state_ocp4_on_{{{ network|lower }}}" version="1">
+      <ind:value datatype="record">
+          <field name="#" datatype="string" operation="pattern match">^{{{ network }}}$</field>
+      </ind:value>
+  </ind:yamlfilecontent_state>
 {{% endfor %}}
 </def-group>
+
diff --git a/shared/checks/oval/installed_app_is_ocp4_node.xml b/shared/checks/oval/installed_app_is_ocp4_node.xml
@@ -21,4 +21,52 @@
     <unix:filepath>/etc/kubernetes/kubelet.conf</unix:filepath>
   </unix:file_object>
 
+  <!-- helpers for ovn/sdn network cpe check-->
+  <local_variable id="ocp4_node_network_file_location" datatype="string" comment="The actual filepath of the network file to scan." version="1">
+      <literal_component>/etc/kubernetes/cni/net.d/00-multus.conf</literal_component>
+  </local_variable>
+
+  <unix:file_test id="test_file_for_ocp4_node_network" check="only one" comment="Find the actual file for the network to be scanned." version="1">
+      <unix:object object_ref="object_file_for_ocp4_node_network"/>
+  </unix:file_test>
+
+  <unix:file_object id="object_file_for_ocp4_node_network" version="1">
+      <unix:filepath var_ref="ocp4_node_network_file_location"/>
+  </unix:file_object>
+
+  <ind:yamlfilecontent_object id="object_ocp4_platform_node_network" version="1">
+      <ind:filepath var_ref="ocp4_node_network_file_location"/>
+      <ind:yamlpath>.delegates[0].type</ind:yamlpath>
+  </ind:yamlfilecontent_object>
+
+  <!-- Check for OpenShift Container Platform 4 using specific network type -->
+{{% for network in ["OpenShift-SDN", "OpenShift-OVN"] %}}
+  <definition class="inventory" id="installed_app_is_ocp4_node_on_{{{ network|lower }}}" version="1">
+    <metadata>
+      <title>Red Hat OpenShift Container network 4 on {{{ network }}}</title>
+      <affected family="unix">
+        <platform>Red Hat OpenShift Container network 4 on {{{ network }}}</platform>
+      </affected>
+      <reference ref_id="cpe:/a:redhat:openshift_container_node_network_on_{{{ network|lower }}}:4" source="CPE" />
+      <description>The application installed installed on the system is OpenShift version 4 on {{{ network }}}.</description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion comment="cluster is OpenShift 4 on {{{ network }}}" test_ref="test_ocp4_on_{{{ network|lower }}}" />
+      <criterion comment="Make sure OCP4 networkstructure/cluster file is present" test_ref="test_file_for_ocp4_node_network"/>
+    </criteria>
+  </definition>
+
+  <ind:yamlfilecontent_test id="test_ocp4_on_{{{ network|lower }}}" check="at least one" comment="Find one match" version="1">
+      <ind:object object_ref="object_ocp4_platform_node_network"/>
+      <ind:state state_ref="state_ocp4_on_{{{ network|lower }}}"/>
+  </ind:yamlfilecontent_test>
+
+  <ind:yamlfilecontent_state id="state_ocp4_on_{{{ network|lower }}}" version="1">
+      <ind:value datatype="record">
+          <field name="#" datatype="string" operation="pattern match">^{{{ network|lower }}}$</field>
+      </ind:value>
+  </ind:yamlfilecontent_state>
+{{% endfor %}}
+
+
 </def-group>