diff --git a/applications/openshift/general/general_node_separation/rule.yml b/applications/openshift/general/general_node_separation/rule.yml new file mode 100644 index 00000000000..ec7f9850542 --- /dev/null +++ b/applications/openshift/general/general_node_separation/rule.yml @@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Create Boundaries between Resources using Nodes or Clusters' + +description: |- + Use Nodes or Clusters to isolate Workloads with high protection requirements. + + Run the following command and review the pods and how they are deployed on Nodes.
$ oc get pod -o=custom-columns=NAME:.metadata.name,NAMESPACE:.metadata.namespace,APP:.metadata.labels.app\.kubernetes\.io/name,NODE:.spec.nodeName --all-namespaces | grep -v "openshift-"+ You can use labels or other data as custom field which helps you to identify parts of an application. + Ensure that Applications with high protection requirements are not colocated on Nodes or in Clusters with workloads of lower protection requirements. + +rationale: |- + Assigning workloads with high protection requirements to specific nodes creates and additional boundary (the node) between workloads of high protection requirements and workloads which might follow less strict requirements. An adversary which attacked a lighter protected workload now has additional obstacles for their movement towards the higher protected workloads. + +references: + bsi: APP.4.4.A15 + +severity: medium + +ocil_clause: 'Application placement on Nodes and Clusters needs review' + +ocil: |- + Run the following command and review the pods and how they are deployed on nodes.
$ oc get pod -o=custom-columns=NAME:.metadata.name,NAMESPACE:.metadata.namespace,APP:.metadata.labels.app\.kubernetes\.io/name,NODE:.spec.nodeName --all-namespaces | grep -v "openshift-"+ You can use labels or other data as custom field which helps you to identify parts of an application. + Ensure that applications with high protection requirements are not colocated on nodes or in clusters with workloads of lower protection requirements. diff --git a/applications/openshift/general/general_node_separation/tests/ocp4/e2e.yml b/applications/openshift/general/general_node_separation/tests/ocp4/e2e.yml new file mode 100644 index 00000000000..69a7d085eb4 --- /dev/null +++ b/applications/openshift/general/general_node_separation/tests/ocp4/e2e.yml @@ -0,0 +1,2 @@ +--- +default_result: MANUAL diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml index f85c958be73..9812ae41c4e 100644 --- a/controls/bsi_app_4_4.yml +++ b/controls/bsi_app_4_4.yml @@ -318,12 +318,11 @@ controls: levels: - elevated description: >- - Applications with very high protection needs SHOULD each use their own Kubernetes clusters - or dedicated nodes that are not available for other applications - notes: >- - TBD - status: pending - rules: [] + Applications with very high protection needs SHOULD each use their own Kubernetes clusters or dedicated nodes that are not available for other applications + notes: '' + status: manual + rules: + - general_node_separation - id: APP.4.4.A16 title: Use of Operators
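Review bot: In the rule.yml hunk, `grep -v "openshift-"` filters on the whole output line, so it also drops any application pod whose pod name, app label value or node name happens to contain "openshift-", while still listing pods from other platform namespaces; filter on the NAMESPACE column instead, e.g. `... --all-namespaces | awk 'NR==1 || $2 !~ /^openshift-/'` (custom-columns prints `<none>` for a missing label, so column positions stay stable). The command appears verbatim in both `description` and `ocil`, so both copies need the same fix, or one could be derived from the other. The rationale also has "creates and additional boundary" (an additional) and "An adversary which attacked a lighter protected workload" (who has compromised a less protected workload). Finally, the description tells the reviewer what to look for but not how placement is enforced; a sentence pointing at node selectors and taints/tolerations (or separate clusters) would tell an admin how to remediate a finding.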
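Review bot: In the controls/bsi_app_4_4.yml hunk the control description is re-flowed from two lines onto a single long line, an unrelated whitespace change that inflates the diff and makes the control harder to compare with its neighbours; keep the original wrapping and limit the hunk to the `notes`, `status` and `rules` lines. `status: manual` is consistent with `default_result: MANUAL` in the new e2e.yml, which is the right pairing for a rule that has no automated check.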