APP.4.4.A18 #44

Open
sluetze opened this issue Nov 7, 2023 · 7 comments
Assignees
Labels
existing-rules Existing rules exist for the requirement

Comments

@sluetze

sluetze commented Nov 7, 2023

No description provided.

@ermeratos ermeratos added org-only This Requirement of BSI is ONLY an organizational Requirement not-checkable Requirement can not be checked with Compliance Operator labels Dec 15, 2023
@ermeratos

Pods SHOULD ONLY be able to communicate with each other through the necessary network
ports, even within a Kubernetes namespace. There SHOULD be rules within the CNI that
disallow all but the necessary network connections within the Kubernetes namespace. These
rules SHOULD precisely define the source and destination of the allowed connections using at
least one of the following criteria: service name, metadata (“labels”), Kubernetes service
accounts, or certificate-based authentication.

All the criteria used as labels for a connection SHOULD be secured in such a way that they can
only be changed by authorised persons and management services.

mTLS and/or service mesh?

But I'd say this is not really checkable and is an organizational control outside the scope of OpenShift configuration

@benruland

benruland commented Dec 18, 2023

We could:

  • Ensure that the CNI in use supports Network Policies (configure_network_policies and configure_network_policies_hypershift_hosted)
  • Ensure that application Namespaces have Network Policies defined (configure_network_policies_namespaces)
  • Ensure that project templates autocreate Network Policies (project_config_and_template_network_policy)

```yaml
rules:
  - configure_network_policies
  - configure_network_policies_hypershift_hosted
  - configure_network_policies_namespaces
  - project_config_and_template_network_policy
```

@benruland benruland added existing-rules Existing rules exist for the requirement and removed org-only This Requirement of BSI is ONLY an organizational Requirement not-checkable Requirement can not be checked with Compliance Operator labels Dec 18, 2023
@sluetze

sluetze commented Jan 5, 2024

I agree with you benruland for the basic infrastructure.
ermeratos has a point with ServiceMesh and mTLS. This is also seen by c puppe in his interpretations of the building block. IMHO most companies won't have servicemesh and mTLS. So we might start with network policies and later on create something for ServiceMesh?

@ermeratos

As you mentioned, the usage of service mesh is probably pretty rare. I'd rather focus on the network policy part. Although, the simple presence of network policies doesn't yet meet these requirements, does it?
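To illustrate the gap between "a NetworkPolicy exists in the namespace" and what APP.4.4.A18 actually asks for, here is an added example that is not part of this issue or of the ComplianceAsCode content. The first policy is present but allows everything, so a mere existence check would pass it. The second and third policies together default-deny ingress in the namespace and then allow exactly one label-scoped connection on one port. The namespace `example-app`, the `app.kubernetes.io/component` labels and port 8080 are assumed values for illustration.

```yaml
# Policy 1: present, but satisfies nothing.
# An empty ingress rule ({}) matches all sources, so every pod in the
# namespace still accepts traffic from everywhere. A check that only
# counts NetworkPolicy objects would treat this namespace as covered.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress          # weak setting, shown for contrast
  namespace: example-app           # assumed namespace
spec:
  podSelector: {}                  # all pods in the namespace
  policyTypes:
    - Ingress
  ingress:
    - {}                           # allow from any source, any port
---
# Policy 2: default deny for ingress.
# An empty podSelector selects every pod; no ingress rules means no
# ingress is allowed until another policy explicitly permits it.
# (Egress is deliberately left out here: a default egress deny also
# blocks DNS unless a matching egress allow rule is added.)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: example-app
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Policy 3: the one allowed connection, with source and destination
# both defined by labels and restricted to the necessary port, which is
# the "precisely define source and destination" part of the requirement.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: example-app
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: backend    # assumed destination label
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: frontend   # assumed source label
      ports:
        - protocol: TCP
          port: 8080                           # assumed application port
```

Policies are additive: once policy 2 is in place, pods are reachable only through the union of explicit allow rules such as policy 3. Because policy 1 is also an allow rule, leaving it in the namespace silently reopens everything, which is why an automated rule can only confirm that policies exist, while whether they are the right policies remains an application-owner responsibility, as the later comments in this thread note. The second half of the requirement (labels changeable only by authorised persons) is enforced outside the policy itself, through RBAC on pod and namespace metadata.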

@benruland benruland self-assigned this Mar 6, 2024
@benruland

In the end, we are only giving some indication if this control can be met. The existence of suitable policies that satisfy all requirements needs to be ensured by the application owner.

@benruland

Implementation completed in ComplianceAsCode#11659

@benruland

During rebasing, I accidentally closed the previous PR. For better reviewability, I created a new PR: ComplianceAsCode#12154

Projects
Status: Upstream PR

3 participants