UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace.


Overview

Finding ID Version Rule ID IA Controls Severity
V-257566 CNTR-OS-000810 SV-257566r961620_rule Medium
Description
OpenShift allows administrators to define resource quotas on a namespace basis. This allows tailoring of the shared resources based on a project needs. However, when a new project is created, unless a default project resource quota is configured, that project will not have any limits or quotas defined. This could allow someone to create a new project and then deploy services that exhaust or overuse the shared cluster resources. It is necessary to ensure that all existing namespaces with user-defined workloads have an applied resource quota configured. Using resource quotas will help to mitigate a DoS attack by limiting how much CPU, memory, and pods may be consumed in a project. This helps protect other projects (namespaces) from being denied resources to process. https://docs.openshift.com/container-platform/4.8/applications/quotas/quotas-setting-per-project.html Satisfies: SRG-APP-000435-CTR-001070, SRG-APP-000246-CTR-000605, SRG-APP-000450-CTR-001105
STIG Date
Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide 2024-06-10

Details

Check Text ( C-61301r921639_chk )
Note: CNTR-OS-000140 is a prerequisite to this control. A Network Policy must exist to run this check.

Verify that each user namespace has a ResourceQuota defined by executing the following:

for ns in $(oc get namespaces -ojson | jq -r '.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name '); do oc get resourcequota -n$ns; done

If the above returns any lines saying "No resources found in namespace.", this is a finding. Empty output is not a finding.
Fix Text (F-61225r921640_fix)
Add a resource quota to an existing project namespace by performing the following steps:

1. Create .yaml and insert the desired resource quota content. The following is an example resource quota definition.

apiVersion: v1
kind: ResourceQuota
metadata:
name: compute-resources
namespace:
spec:
hard:
pods: "4"
requests.cpu: "1"
requests.memory: 1Gi
requests.ephemeral-storage: 2Gi
limits.cpu: "2"
limits.memory: 2Gi
limits.ephemeral-storage: 4Gi

2. Apply the ResourceQuota definition to the project namespace by executing the following:

oc apply -f .yaml -n

Details regarding the configuration of resource quotas can be reviewed at https://docs.openshift.com/container-platform/4.8/applications/quotas/quotas-setting-per-project.html.