From 7b4f8b66d6c4dbbf8f44038b3fc947e82793d965 Mon Sep 17 00:00:00 2001
From: lichtblaugue
Date: Thu, 17 Oct 2024 13:21:20 +0200
Subject: [PATCH] Adding manual rule configure_network_bandwidth
---
.../configure_network_bandwidth/rule.yml | 38 +++++++++++++++++++
controls/bsi_sys_1_6.yml | 2 +-
2 files changed, 39 insertions(+), 1 deletion(-)
create mode 100644 applications/openshift/networking/configure_network_bandwidth/rule.yml
diff --git a/applications/openshift/networking/configure_network_bandwidth/rule.yml b/applications/openshift/networking/configure_network_bandwidth/rule.yml
new file mode 100644
index 00000000000..a19f8e3a24f
--- /dev/null
+++ b/applications/openshift/networking/configure_network_bandwidth/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Limiting Network Bandwidth in Pods'
+
+description: |-
+ Network bandwidth, SHOULD be appropriately reserved and limited.
+
+rationale: |-
+ Network bandwidth is limited at the pod level and can be determined separately according
+ to incoming and outgoing network bandwidth.
+ For more information about limiting Pod bandwidth on OCP 4 please refer to the Red Hat documentation:
+ {{{ weblink(link="https://access.redhat.com/solutions/5018951") }}}
+
+ Out of the documetation use the example for the network bandwidth configuration of a pod:
+
+    kind: Pod
+    apiVersion: v1
+    metadata:
+      name: hello-openshift
+      annotations:
+        kubernetes.io/ingress-bandwidth: 2M
+        kubernetes.io/egress-bandwidth: 1M
+    spec:
+        containers:
+          - image: openshift/hello-openshift
+            name: hello-openshift
+    
+
+severity: unknown
+
+identifiers:
+
+references:
+
+ocil_clause: 'Limiting Pod bandwidth on OCP 4'
+
+ocil: |-
+ Extend pod configuration with bandwidth annotations.
diff --git a/controls/bsi_sys_1_6.yml b/controls/bsi_sys_1_6.yml
index e5db7b6351f..4fcddeba294 100644
--- a/controls/bsi_sys_1_6.yml
+++ b/controls/bsi_sys_1_6.yml
@@ -411,7 +411,6 @@ controls: to incoming and outgoing network bandwidth. In addition, outgoing traffic (egress) can be marked at the namespace level with differentiated services code point (DSCP) classifications in order to assign quality of service classes to the outgoing packets in the physical network. - Section 2: This requirement must be implemented organizationally. Note: The behavior of OpenShift completely replicates the standard behavior of Kubernetes. If CPU limits are exceeded, the process is slowed down. If volatile memory is exceeded,
@@ -430,6 +429,7 @@ controls: - resource_requests_quota - resource_requests_quota_cluster - resource_requests_quota_per_project + - configure_network_bandwidth - id: SYS.1.6.A16 title: Administrative Remote Access to Containers
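Review bot: The `ocil` and `ocil_clause` entries at the end of the rule.yml hunk give an assessor no way to verify the rule: `ocil_clause` is rendered into the question "Is it the case that …?", so 'Limiting Pod bandwidth on OCP 4' reads as a title rather than the failure condition, and the `ocil` text describes remediation instead of a check. I would change them to `ocil_clause: 'pods are running without ingress or egress bandwidth annotations'` and an `ocil` step along the lines of `Run oc get pods -A -o yaml and confirm that workload pods carry the kubernetes.io/ingress-bandwidth and kubernetes.io/egress-bandwidth annotations in metadata.annotations.` The rationale explains the mechanism but not the risk; a sentence such as `Without per-pod limits a single workload can consume the node's network capacity and starve co-located pods (noisy-neighbour / denial of service).` would justify the rule, and it is worth stating that the annotations only take effect when the cluster network provider honours them (presumably the case for the default OpenShift providers — confirm against the linked article). `severity: unknown` should be replaced by one of the project's usual levels, and the bare `identifiers:` / `references:` keys parse as null rather than as empty mappings, which may or may not be what the build expects — `{}` would make the intent explicit. Smaller text issues in the same hunk: `documetation` → `documentation`, the stray comma in "Network bandwidth, SHOULD", the `spec:` children in the example are indented deeper than the `metadata:` children, and the last line of the example is whitespace only.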