Defined notes and rules for control BSI APP4.4.A8

sig-bsi-grundschutz · Jan 12, 2024 · c31ee3a · c31ee3a
1 parent 4ac3ea8
commit c31ee3a
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml
@@ -150,8 +150,19 @@ controls:
       manner. Read and write access rights to the configuration files of the control plane SHOULD
       be assigned and restricted with particular care.
     notes: >-
-      TBD
-    status: pending
+      This control needs to be adressed on an organizational level and in external systems.
+
+      OpenShift is fully configured using Kubernetes resources including CustomResources (CR). All 
+      resources that are created after the initial cluster installation can be considered configuration
+      files as described in this control. The relevant Kubernetes resources for configuring the control 
+      plane are protected by Kubernetes RBAC and can only be modified by cluster administrators.
+
+      To achieve versioning, the configuration files should be stored in a Git repository.
+      The Git repository is considered the only source of truth and provides a visible and auditable
+      trail of changes. To automatically apply the configuration, GitOps processes and tools like
+      OpenShift GitOps can be used. Access rights to the Git repository and GitOps controller should
+      be granted in a restrictive manner.
+    status: manual
     rules: []
 
   - id: APP.4.4.A9