CIS 1.2.21: Ensure that the metrics are protected by RBAC

Vanilla CIS k8s benchmark prescribes that profiling should be disabled. In OCP however, profiling is on by default and used by Prometheus. So instead of making sure profiling is disabled, let's make sure it is explicitly protected by RBAC by checking the cluster-debugger role for including the /metrics endpoint The previous rule is unused now and was removed.
brett060102 · Feb 3, 2021 · 1a00cfa · 1a00cfa
1 parent 47855cd
commit 1a00cfa
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 41 deletions.
diff --git a/applications/openshift/api-server/api_server_profiling/rule.yml b/applications/openshift/api-server/api_server_profiling/rule.yml
diff --git a/applications/openshift/api-server/api_server_profiling_protected_by_rbac/rule.yml b/applications/openshift/api-server/api_server_profiling_protected_by_rbac/rule.yml
@@ -0,0 +1,50 @@
+prodtype: ocp4
+
+title: 'Profiling is protected by RBAC'
+
+description: |-
+  Ensure that the cluster-debugger cluster role includes the /metrics
+  resource URL. This demonstrates that profiling is protected by RBAC, with a
+  specific cluster role to allow access.
+
+rationale: |-
+  Profiling allows for the identification of specific performance bottlenecks.
+  It generates a significant amount of program data that could potentially be
+  exploited to uncover system and program details. 
+  To ensure the collected data is not exploited, profiling endpoints are secured
+  via RBAC (see cluster-debugger role). By default, the profiling endpoints are
+  accessible only by users bound to cluster-admin or cluster-debugger role.
+  Profiling can not be disabled.
+
+identifiers:
+  cce@ocp4: CCE-84212-0
+
+references:
+  cis: 1.2.21
+
+severity: medium
+
+ocil_clause: |-
+    The <tt>cluster-debugger</tt> role isn't protecting <tt>/metrics</tt>
+
+ocil: |-
+    To verify that the <tt>cluster-debugger</tt> role is configured correctly,
+    run the following command:
+    <pre>$ oc get clusterroles cluster-debugger -o jsonpath='{.rules[0].nonResourceURLs}'</pre>
+    and verify that the <tt>/metrics</tt> path is included there.
+
+warnings:
+- general: |-
+    {{{ openshift_cluster_setting("/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger") | indent(4) }}}
+
+template:
+  name: yamlfile_value
+  vars:
+    ocp_data: "true"
+    filepath: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger
+    yamlpath: '.rules[0].nonResourceURLs[:]'
+    entity_check: 'at least one'
+    values:
+    - value: '\/metrics'
+      operation: 'pattern match'
+      entity_check: 'at least one'
diff --git a/applications/openshift/api-server/api_server_profiling_protected_by_rbac/tests/ocp4/e2e.yml b/applications/openshift/api-server/api_server_profiling_protected_by_rbac/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: PASS
diff --git a/ocp4/profiles/cis.profile b/ocp4/profiles/cis.profile
@@ -75,9 +75,7 @@ selections:
   # 1.2.20 Ensure that the --secure-port argument is not set to 0
     - api_server_bind_address
   # 1.2.21 Ensure that the --profiling argument is set to false
-    # (jhrozek): This rule should temporarily be commented out as OCP diverges from CIS
-    #            and we need to improve our reply to this control
-    # - api_server_profiling
+    - api_server_profiling_protected_by_rbac
   # 1.2.22 Ensure that the --audit-log-path argument is set
     - api_server_audit_log_path
     - openshift_api_server_audit_log_path

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -559,7 +559,6 @@ CCE-84203-9
 CCE-84205-4
 CCE-84206-2
 CCE-84210-4
-CCE-84212-0
 CCE-84213-8
 CCE-84214-6
 CCE-84215-3