Adding manual rule configure_network_bandwidth

sig-bsi-grundschutz · Oct 17, 2024 · 7b4f8b6 · 7b4f8b6
1 parent aeb1768
commit 7b4f8b6
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/applications/openshift/networking/configure_network_bandwidth/rule.yml b/applications/openshift/networking/configure_network_bandwidth/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Limiting Network Bandwidth in Pods'
+
+description: |-
+    Network bandwidth, SHOULD be appropriately reserved and limited.
+
+rationale: |-
+    Network bandwidth is limited at the pod level and can be determined separately according
+    to incoming and outgoing network bandwidth.
+    For more information about limiting Pod bandwidth on OCP 4 please refer to the Red Hat documentation:
+    {{{ weblink(link="https://access.redhat.com/solutions/5018951") }}}
+
+    Out of the documetation use the example for the network bandwidth configuration of a pod: 
+    <pre>
+    kind: Pod
+    apiVersion: v1
+    metadata:
+      name: hello-openshift
+      annotations:
+        kubernetes.io/ingress-bandwidth: 2M
+        kubernetes.io/egress-bandwidth: 1M
+    spec:
+        containers:
+          - image: openshift/hello-openshift
+            name: hello-openshift
+    </pre>
+
+severity: unknown
+
+identifiers:
+
+references:
+
+ocil_clause: 'Limiting Pod bandwidth on OCP 4'
+
+ocil: |-
+    Extend pod configuration with bandwidth annotations.
diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml
@@ -411,7 +411,6 @@ controls:
       to incoming and outgoing network bandwidth. In addition, outgoing traffic (egress) can be
       marked at the namespace level with differentiated services code point (DSCP) classifications
       in order to assign quality of service classes to the outgoing packets in the physical network.
-      
       Section 2: This requirement must be implemented organizationally.
       Note: The behavior of OpenShift completely replicates the standard behavior of Kubernetes.
       If CPU limits are exceeded, the process is slowed down. If volatile memory is exceeded,
@@ -430,6 +429,7 @@ controls:
       - resource_requests_quota
       - resource_requests_quota_cluster
       - resource_requests_quota_per_project
+      - configure_network_bandwidth
 
   - id: SYS.1.6.A16
     title: Administrative Remote Access to Containers