From c31ee3a2d8051b8885099154410b99b76f7f576e Mon Sep 17 00:00:00 2001 From: Benjamin Ruland Date: Fri, 12 Jan 2024 15:04:40 +0100 Subject: [PATCH] Defined notes and rules for control BSI APP4.4.A8 --- controls/bsi_app_4_4.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/controls/bsi_app_4_4.yml b/controls/bsi_app_4_4.yml index bf3d3da777e8..7e9935e5253a 100644 --- a/controls/bsi_app_4_4.yml +++ b/controls/bsi_app_4_4.yml @@ -150,8 +150,19 @@ controls: manner. Read and write access rights to the configuration files of the control plane SHOULD be assigned and restricted with particular care. notes: >- - TBD - status: pending + This control needs to be adressed on an organizational level and in external systems. + + OpenShift is fully configured using Kubernetes resources including CustomResources (CR). All + resources that are created after the initial cluster installation can be considered configuration + files as described in this control. The relevant Kubernetes resources for configuring the control + plane are protected by Kubernetes RBAC and can only be modified by cluster administrators. + + To achieve versioning, the configuration files should be stored in a Git repository. + The Git repository is considered the only source of truth and provides a visible and auditable + trail of changes. To automatically apply the configuration, GitOps processes and tools like + OpenShift GitOps can be used. Access rights to the Git repository and GitOps controller should + be granted in a restrictive manner. + status: manual rules: [] - id: APP.4.4.A9
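Review bot: "adressed" in the first added notes line should be "addressed". The subject line says notes and rules were defined for this control, but the hunk only changes the notes and flips `status: pending` to `status: manual` while leaving `rules: []` untouched; if no automated rule can cover APP.4.4.A8, say so in the commit message, otherwise list the rules. The claim that the relevant control-plane resources "can only be modified by cluster administrators" is stronger than what RBAC guarantees, since any RoleBinding or ClusterRoleBinding that grants write verbs on those resources extends that access; wording such as "should be restricted to cluster administrators through Kubernetes RBAC" is more accurate and tells the assessor what to check (the bindings, not just the default roles). The GitOps paragraph could also make explicit that the GitOps controller's service account ends up holding the write rights this control asks to restrict, so its permissions and the Git repository's branch protection fall under the same "particular care" requirement as the configuration itself.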