Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-257566 | CNTR-OS-000810 | SV-257566r961620_rule | Medium |
Description |
---|
OpenShift allows administrators to define resource quotas on a namespace basis. This allows tailoring of the shared resources based on a project needs. However, when a new project is created, unless a default project resource quota is configured, that project will not have any limits or quotas defined. This could allow someone to create a new project and then deploy services that exhaust or overuse the shared cluster resources. It is necessary to ensure that all existing namespaces with user-defined workloads have an applied resource quota configured. Using resource quotas will help to mitigate a DoS attack by limiting how much CPU, memory, and pods may be consumed in a project. This helps protect other projects (namespaces) from being denied resources to process. https://docs.openshift.com/container-platform/4.8/applications/quotas/quotas-setting-per-project.html Satisfies: SRG-APP-000435-CTR-001070, SRG-APP-000246-CTR-000605, SRG-APP-000450-CTR-001105 |
STIG | Date |
---|---|
Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide | 2024-06-10 |
Check Text ( C-61301r921639_chk ) |
---|
Note: CNTR-OS-000140 is a prerequisite to this control. A Network Policy must exist to run this check. Verify that each user namespace has a ResourceQuota defined by executing the following: for ns in $(oc get namespaces -ojson | jq -r '.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name '); do oc get resourcequota -n$ns; done If the above returns any lines saying "No resources found in |
Fix Text (F-61225r921640_fix) |
---|
Add a resource quota to an existing project namespace by performing the following steps: 1. Create apiVersion: v1 kind: ResourceQuota metadata: name: compute-resources namespace: spec: hard: pods: "4" requests.cpu: "1" requests.memory: 1Gi requests.ephemeral-storage: 2Gi limits.cpu: "2" limits.memory: 2Gi limits.ephemeral-storage: 4Gi 2. Apply the ResourceQuota definition to the project namespace by executing the following: oc apply -f Details regarding the configuration of resource quotas can be reviewed at https://docs.openshift.com/container-platform/4.8/applications/quotas/quotas-setting-per-project.html. |