sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide
Other
7 stars 1 forks source link

SYS.1.6.A15 #15

Open sluetze opened 11 months ago

sluetze commented 3 months ago

For each container, resources on the host system, such as CPU, volatile and persistent memory, and network bandwidth, SHOULD be appropriately reserved and limited.

OpenShift supports the configuration of quotas for a project (client). Applications can have their resources appropriately limited using limits/requests.

Network bandwidth is limited at the pod level and can be determined separately according to incoming and outgoing network bandwidth. In addition, outgoing traffic (egress) can be marked at the namespace level with differentiated services code point (DSCP) classifications in order to assign quality of service classes to the outgoing packets in the physical network.

It SHOULD be defined and documented how the system reacts if these limitations are exceeded.

This requirement must be implemented organizationally.

Note: The behavior of OpenShift completely replicates the standard behavior of Kubernetes. If CPU limits are exceeded, the process is slowed down. If volatile memory is exceeded, the process is stopped and restarted by the scheduler. The persistent memory management is responsible for exceeding the persistent memory - OpenShift will not enforce or limit anything here. Compliance with the limited network bandwidth is enforced by dropping packets that exceed the limit.

lichtblaugue commented 4 weeks ago

@sluetze Not sure about which existing rules are you talking. (CPU and RAM)?

As far as I know egress traffic control is only possible with OVN. There is no option with SDN. Can we please discuss both topics?

sluetze commented 3 weeks ago

@sluetze Not sure about which existing rules are you talking. (CPU and RAM)?

imho existing rules for the quota / limits / requests could be:

rules:
  - project_config_and_template_resource_quota
  - project_template_resource_quota
  - resource_requests_limits_in_daemonset
  - resource_requests_limits_in_deployment
  - resource_requests_limits_in_statefulset
  - resource_requests_quota
  - resource_requests_quota_cluster
  - resource_requests_quota_per_project

As far as I know egress traffic control is only possible with OVN. There is no option with SDN. Can we please discuss both topics?

What do you mean with SDN? OpenShiftSDN? because that is deprecated. Or do you mean other SDNs?

But there is no existing rule for checking the KubernetesOVN Annotation (see https://access.redhat.com/solutions/5018951 )

I am also not sure if this would be a good automatic check, since I believe not many will use this limitation as it has operational impacts. We could make it a manual rule with example of KubernetesOVN which would make it apply to a broader set of Network Plugins.