APP.4.4.A1

[sluetze]

Before going live, the manner in which the applications running in the pods in question and their different test and production operating environments will be separated MUST be planned. Based on the protection needs of the applications, the planning MUST determine which architecture of namespaces, meta tags, clusters, and networks adequately addresses the risks at hand and whether virtualised servers and networks should also be used. The planning MUST include provisions separating for networks, CPUs, and persistent volumes.

- not checkable, since planning is outside of technical checkable actions

The separation SHOULD also take into account and be aligned with the network zone concept and the protection requirements at hand.

- not checkable, since network zone concept is unkown

Each application SHOULD run in a separate Kubernetes namespace that includes all the programs of the application.

- MANUAL Check

Only applications with similar protection needs and similar possible attack vectors SHOULD share a Kubernetes cluster.

- not checkable, since we can only make checks in ONE cluster.

[benruland]

I see limited value in providing a manual rule to check if applications run in different namespaces. From my perspective this is an org-only control.

edit: I might need to reconsider the relevance of manual checks. If we do not provide those, the controls will not be visible to the OpenShift admins, will they? Then, providing guidance in the form of manual checks might indeed be valuable here.

[sluetze]

will take this over to a customer meeting to get some feedback from them.

[sluetze]

https://github.com/ComplianceAsCode/content/pull/11501 was merged