Add CEL CustomRules from CO

Author: yuumasato

applications/openshift-virtualization/kubevirt-enforce-trusted-tls-registries/rule.yml

@@ -0,0 +1,48 @@
+documentation_complete: true
+
+title: 'Only Trusted Registries Using TLS Can Be Used'
+
+description: |-
+    By only pulling container images from trusted registries using TLS, organizations
+    can reduce the risk of introducing unknown vulnerabilities or malicious
+    software into their systems. This helps ensure that their applications and systems
+    remain secure and stable. All container image registries used by KubeVirt should
+    require TLS connections to protect the integrity and authenticity of images.
+
+rationale: |-
+    When the <tt>.spec.storageImport.insecureRegistries</tt> field contains entries in
+    the <tt>kubevirt-hyperconverged</tt> resource, KubeVirt is configured to allow
+    connections to container registries that do not use TLS encryption. This creates
+    a significant security risk as images could be intercepted or tampered with during
+    transit. Man-in-the-middle attacks could result in malicious images being pulled
+    and executed within virtual machines. To maintain security, only registries using
+    TLS should be permitted, and the insecureRegistries list should be empty.
+
+failureReason: |-
+    There are registries not using TLS in '.spec.storageImport.insecureRegistries' in
+    the 'kubevirt-hyperconverged' resource.
+
+severity: medium
+
+ocil_clause: 'insecure registries are configured'
+
+ocil: |-
+    Run the following command to check for insecure registries:
+    <pre>$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.spec.storageImport.insecureRegistries}'</pre>
+    The output should be empty or the field should not exist.
+
+checkType: Platform
+
+scannerType: CEL
+
+inputs:
+  - name: hco
+    kubernetesInputSpec:
+      apiVersion: hco.kubevirt.io/v1beta1
+      resource: hyperconvergeds
+      resourceName: kubevirt-hyperconverged
+      resourceNamespace: openshift-cnv
+
+expression: |-
+  !has(hco.spec.storageImport) ||
+  hco.spec.storageImport.insecureRegistries.size() == 0

applications/openshift-virtualization/kubevirt-no-permitted-host-devices/rule.yml

@@ -0,0 +1,60 @@
+documentation_complete: true
+
+title: 'KubeVirt Must Not Permit Host Devices'
+
+description: |-
+    Host devices should not be permitted to virtualization workloads unless
+    absolutely necessary for workload execution. Allowing host devices provides
+    direct access to host hardware, which can introduce security risks including
+    unauthorized access to sensitive hardware resources, potential for privilege
+    escalation, and bypass of virtualization security boundaries.
+
+    By default, no host devices should be trusted or permitted for use by
+    virtualization workloads.
+
+rationale: |-
+    The <tt>.spec.permittedHostDevices</tt> field in the <tt>kubevirt-hyperconverged</tt>
+    resource controls which host devices can be used by virtualization workloads.
+    Permitting host devices allows virtual machines to bypass virtualization boundaries
+    and directly access host hardware, which introduces significant security risks.
+    This can lead to unauthorized access to sensitive hardware resources, privilege
+    escalation opportunities, and potential compromise of the host system. Unless
+    explicitly required, no host devices should be permitted.
+
+failureReason: |-
+    The '.spec.permittedHostDevices' field is set in the 'kubevirt-hyperconverged'
+    resource, allowing host devices to be used by virtualization workloads.
+
+severity: medium
+
+ocil_clause: 'permittedHostDevices are configured in kubevirt-hyperconverged'
+
+ocil: |-
+    Run the following command to check the HyperConverged configuration:
+    <pre>$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.spec.permittedHostDevices}'</pre>
+    The output should be empty or show empty lists for both <tt>pciHostDevices</tt> and <tt>mediatedDevices</tt>.
+
+checkType: Platform
+
+scannerType: CEL
+
+inputs:
+  - name: hcoList
+    kubernetesInputSpec:
+      apiVersion: hco.kubevirt.io/v1beta1
+      resource: hyperconvergeds
+
+expression: |
+  hcoList.items.filter(h,
+      h.metadata.name == 'kubevirt-hyperconverged' &&
+      h.metadata.namespace == 'openshift-cnv'
+  ).size() == 1 &&
+  hcoList.items.filter(h,
+      h.metadata.name == 'kubevirt-hyperconverged' &&
+      h.metadata.namespace == 'openshift-cnv'
+  ).all(h,
+      !has(h.spec.permittedHostDevices) ||
+      h.spec.permittedHostDevices == null ||
+      (has(h.spec.permittedHostDevices.pciHostDevices) && size(h.spec.permittedHostDevices.pciHostDevices) == 0) &&
+      (has(h.spec.permittedHostDevices.mediatedDevices) && size(h.spec.permittedHostDevices.mediatedDevices) == 0)
+  )

applications/openshift-virtualization/kubevirt-no-vms-overcommitting-guest-memory/rule.yml

@@ -0,0 +1,52 @@
+documentation_complete: true
+
+title: 'VMs Must Not Overcommit Guest Memory'
+
+description: |-
+    The <tt>overcommitGuestOverhead</tt> configuration option enables the request for
+    additional virtual machine management memory inside the virt-launcher pod.
+    The overcommit feature is used to increase virtual machine density on the
+    node, as long as the virtual machine doesn't request all the memory that it
+    would need if fully loaded. However, if the VM were to use all of the
+    memory it could, this would lead to the OpenShift Scheduler killing the
+    workload.
+
+rationale: |-
+    When the <tt>.spec.template.spec.domain.resources.overcommitGuestOverhead</tt> field is
+    set to <tt>true</tt> in the <tt>VirtualMachine</tt> resource, VMs are allowed to
+    overcommit KubeVirt's memory which may lead to guests crashing and
+    interrupting workloads causing malfunctions. To prevent memory-related failures
+    and ensure workload stability, this setting should not be enabled.
+
+failureReason: |-
+    The '.spec.template.spec.domain.resources.overcommitGuestOverhead' field exists and is
+    set to "true" in the 'VirtualMachine' resource, allowing VMs to
+    overcommit KubeVirt's memory which may lead to guests crashing and
+    interrupting workloads causing malfunctions.
+
+severity: medium
+
+ocil_clause: 'VMs have overcommitGuestOverhead set to true'
+
+ocil: |-
+    Run the following command to check VirtualMachine configurations:
+    <pre>$ oc get virtualmachines -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{": "}{.spec.template.spec.domain.resources.overcommitGuestOverhead}{"\n"}{end}'</pre>
+    Make sure no VirtualMachine has <tt>overcommitGuestOverhead</tt> set to <tt>true</tt>.
+
+checkType: Platform
+
+scannerType: CEL
+
+inputs:
+  - name: vms
+    kubernetesInputSpec:
+      apiVersion: kubevirt.io/v1
+      resource: VirtualMachine
+
+expression: |
+  vms.all(h,
+      !has(h.spec.template.spec.domain.resources) ||
+      !has(h.spec.template.spec.domain.resources.overcommitGuestOverhead) ||
+      (has(h.spec.template.spec.domain.resources.overcommitGuestOverhead) &&
+       h.spec.template.spec.domain.resources.overcommitGuestOverhead == false)
+  )

applications/openshift-virtualization/kubevirt-nonroot-feature-gate-is-enabled/rule.yml

@@ -0,0 +1,56 @@
+documentation_complete: true
+
+title: 'KubeVirt nonRoot Feature Gate Must Be Enabled'
+
+description: |-
+    The <tt>nonRoot</tt> feature gate in KubeVirt enables restrictions that prevent
+    virtual machines from running with root privileges. This feature enforces
+    security boundaries and helps prevent privilege escalation attacks. All virtual
+    machines should operate with the minimum necessary privileges, and the nonRoot
+    feature gate ensures this principle is enforced at the platform level.
+
+rationale: |-
+    Unauthorized access to a root account without restrictions implemented by
+    the nonRoot feature introduces the risk of unintended or unauthorized
+    access to privilege elevation and the ability to perform administrative
+    tasks. When the <tt>.spec.featureGates.nonRoot</tt> field is set to <tt>true</tt>
+    in the <tt>kubevirt-hyperconverged</tt> resource, KubeVirt enforces non-root
+    execution for virtual machine workloads, significantly reducing the attack
+    surface and limiting the potential impact of security vulnerabilities.
+
+failureReason: |-
+    The '.spec.featureGates.nonRoot' field is missing or not set to 'true' in
+    the 'kubevirt-hyperconverged' resource.
+
+severity: medium
+
+ocil_clause: 'nonRoot feature gate is not set to true'
+
+ocil: |-
+    Run the following command to check the feature gate configuration:
+    <pre>$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.spec.featureGates.nonRoot}'</pre>
+    The output should be <tt>true</tt>.
+
+checkType: Platform
+
+scannerType: CEL
+
+inputs:
+  - name: hcoList
+    kubernetesInputSpec:
+      apiVersion: hco.kubevirt.io/v1beta1
+      resource: hyperconvergeds
+
+expression: |
+  hcoList.items.filter(h,
+      h.metadata.name == 'kubevirt-hyperconverged' &&
+      h.metadata.namespace == 'openshift-cnv'
+  ).size() == 1 &&
+  hcoList.items.filter(h,
+      h.metadata.name == 'kubevirt-hyperconverged' &&
+      h.metadata.namespace == 'openshift-cnv'
+  ).all(h,
+      has(h.spec.featureGates) &&
+      has(h.spec.featureGates.nonRoot) &&
+      h.spec.featureGates.nonRoot == true
+  )

applications/openshift-virtualization/kubevirt-persistent-reservation-disabled/rule.yml

@@ -0,0 +1,58 @@
+documentation_complete: true
+
+title: 'KubeVirt Persistent Reservation Feature Gate Must Be Disabled'
+
+description: |-
+    The persistent reservation feature gate in KubeVirt allows virtual machines
+    to use SCSI persistent reservations, which provide exclusive access to shared
+    storage. This feature should be disabled unless explicitly required for
+    workload operation, as it can introduce security risks by allowing VMs to
+    claim exclusive access to storage resources, potentially impacting availability
+    and enabling resource manipulation outside normal access controls.
+
+rationale: |-
+    The <tt>.spec.featureGates.persistentReservation</tt> field in the
+    <tt>kubevirt-hyperconverged</tt> resource controls whether virtual machines can
+    use SCSI persistent reservations. When enabled, this feature allows VMs to claim
+    exclusive access to shared storage resources, which can be exploited to cause
+    denial of service conditions or manipulate storage access in ways that bypass
+    normal Kubernetes access controls. Unless this capability is explicitly required
+    for specific workload requirements, it should remain disabled to minimize the
+    attack surface.
+
+failureReason: |-
+    The '.spec.featureGates.persistentReservation' field is missing, not set,
+    or not set to 'false' in the 'kubevirt-hyperconverged' resource.
+
+severity: medium
+
+ocil_clause: 'persistentReservation feature gate is not explicitly set to false'
+
+ocil: |-
+    Run the following command to check the feature gate configuration:
+    <pre>$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.spec.featureGates.persistentReservation}'</pre>
+    The output should be <tt>false</tt>.
+
+checkType: Platform
+
+scannerType: CEL
+
+inputs:
+  - name: hcoList
+    kubernetesInputSpec:
+      apiVersion: hco.kubevirt.io/v1beta1
+      resource: hyperconvergeds
+
+expression: |
+  hcoList.items.filter(h,
+      h.metadata.name == 'kubevirt-hyperconverged' &&
+      h.metadata.namespace == 'openshift-cnv'
+  ).size() == 1 &&
+  hcoList.items.filter(h,
+      h.metadata.name == 'kubevirt-hyperconverged' &&
+      h.metadata.namespace == 'openshift-cnv'
+  ).all(h,
+      has(h.spec.featureGates) &&
+      has(h.spec.featureGates.persistentReservation) &&
+      h.spec.featureGates.persistentReservation == false
+  )