STIGhub

A free tool to search and browse the entire DISA STIG library.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-257555

CAT II (Medium)

OpenShift must restrict individuals' ability to launch organization-defined denial-of-service (DOS) attacks against other information systems by rate-limiting.

Rule ID

SV-257555r1132416_rule

STIG

Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide

Version

V2R5

CCIs

CCI-001094

Discussion

By setting rate limits, OpenShift can control the number of requests or connections allowed from a single source within a specific period. This prevents an excessive influx of requests from overwhelming an application and degrading its performance or availability. Rate limits ensure fair resource allocation, prevent service degradation, protect backend systems, and enhance overall security, helping to maintain the availability, performance, and security of the applications hosted on the platform. OpenShift supports rate limiting on routes through route-specific annotations (see the link below): the "haproxy.router.openshift.io/rate-limit-connections" annotation enables the feature, and the companion "rate-limit-connections.concurrent-tcp", "rate-limit-connections.rate-tcp", and "rate-limit-connections.rate-http" annotations set the actual limits. The annotations can be applied when a route is created or added to an existing route. All routes outside the openshift-* and kube-* namespaces must use the rate-limiting annotations. https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration

Check Content

Verify that all routes in namespaces other than those starting with kube-* or openshift-* carry the rate-limiting annotation by executing the following (the output lists each non-compliant route as namespace/name):

oc get routes --all-namespaces -o json | jq -r '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | "\(.metadata.namespace)/\(.metadata.name)"]'

If the above command returns any routes (a non-empty list), this is a finding.

Note that the command matches only the exact lowercase value "true". Set the annotation to lowercase "true" so that the check and the router agree, and verify separately that the limit annotations (concurrent-tcp, rate-tcp, rate-http) carry values appropriate for the application, since the enabling annotation alone does not define a limit.

Fix Text

Add the "haproxy.router.openshift.io/rate-limit-connections=true" annotation, together with the limit annotations, to any routes outside the kube-* or openshift-* namespaces:

oc annotate route <route_name> -n <namespace> --overwrite=true "haproxy.router.openshift.io/rate-limit-connections=true"

Then set the limits that apply to the route, for example the rate of new HTTP requests per client IP (the value is organization-defined):

oc annotate route <route_name> -n <namespace> --overwrite=true "haproxy.router.openshift.io/rate-limit-connections.rate-http=<requests_per_period>"
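The check and fix above can be scripted as one audit-and-remediate pass. The following is an added example, not code from the STIG or from the STIGhub page: it reimplements the jq selection logic in Python so it runs offline against a constructed sample of "oc get routes --all-namespaces -o json" output, reports findings as namespace/name, and builds the corresponding "oc annotate" commands. The accepted values "true" and "TRUE", the exempt namespace prefixes, and the sample limits (concurrent-tcp=100, rate-tcp=50, rate-http=200) are assumptions for illustration; the STIG check itself matches only lowercase "true".

```python
"""Audit OpenShift routes for the V-257555 rate-limiting annotation.

Added example (not the STIG's or STIGhub's own code). Reads JSON from stdin
when piped ("oc get routes --all-namespaces -o json | python3 audit.py"),
otherwise runs against the constructed SAMPLE below.
"""
import json
import sys

ENABLE = "haproxy.router.openshift.io/rate-limit-connections"
EXEMPT_PREFIXES = ("kube-", "openshift-")        # namespaces the STIG excludes
ACCEPTED = ("true", "TRUE")                       # assumption: values the router honours

# Assumed illustrative limits; the STIG requires only the enabling annotation.
LIMITS = {
    ENABLE + ".concurrent-tcp": "100",
    ENABLE + ".rate-tcp": "50",
    ENABLE + ".rate-http": "200",
}

# Constructed sample of `oc get routes --all-namespaces -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "openshift-console", "name": "console",
                  "annotations": {}}},                                   # exempt
    {"metadata": {"namespace": "kube-public", "name": "k8s-info"}},     # exempt, no annotations
    {"metadata": {"namespace": "shop", "name": "web",
                  "annotations": {ENABLE: "true"}}},                      # compliant
    {"metadata": {"namespace": "shop", "name": "api",
                  "annotations": {ENABLE: "TRUE"}}},                      # compliant (assumed)
    {"metadata": {"namespace": "shop", "name": "admin",
                  "annotations": {"haproxy.router.openshift.io/timeout": "2s"}}},  # finding
    {"metadata": {"namespace": "billing", "name": "invoices"}},         # finding: no annotations
]})


def is_exempt(namespace):
    """Namespaces the STIG does not require to be rate-limited."""
    return namespace.startswith(EXEMPT_PREFIXES)


def is_rate_limited(route):
    """True when the enabling annotation is present with an accepted value."""
    annotations = route.get("metadata", {}).get("annotations") or {}
    return annotations.get(ENABLE) in ACCEPTED


def noncompliant_routes(routes_json):
    """Return sorted 'namespace/name' strings for every route that is a finding."""
    items = json.loads(routes_json).get("items", [])
    return sorted(
        f"{r['metadata']['namespace']}/{r['metadata']['name']}"
        for r in items
        if not is_exempt(r["metadata"]["namespace"]) and not is_rate_limited(r)
    )


def remediation_commands(findings):
    """One `oc annotate` argv per finding: enable rate limiting and set the limits."""
    commands = []
    for nsname in findings:
        namespace, name = nsname.split("/", 1)
        argv = ["oc", "annotate", "route", name, "-n", namespace,
                "--overwrite=true", f"{ENABLE}=true"]
        argv += [f"{key}={value}" for key, value in LIMITS.items()]
        commands.append(argv)
    return commands


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    findings = noncompliant_routes(data)
    for route in findings:
        print("FINDING:", route)
    for argv in remediation_commands(findings):
        print(" ".join(argv))
    sys.exit(1 if findings else 0)
```

Run against the sample, the script reports billing/invoices and shop/admin as findings and prints the annotate commands for each; exit status 1 makes it usable as a CI gate.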

https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html