sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

APP.4.4.A4 #30

Closed sluetze closed 5 months ago

sluetze commented 9 months ago

The operating system kernel of the nodes MUST have isolation mechanisms to limit the visibility and resource usage of the pods among themselves (see Linux namespaces and cgroups). The separation MUST include at least process IDs, inter-process communication, user IDs, file system and network including host name.

OpenShift uses Red Hat Enterprise Linux CoreOS, which is aimed at container operations, for the nodes. Optionally, Red Hat Enterprise Linux (RHEL) can also be used for worker nodes. In both configurations, CRI-O is the container runtime. At the system level in particular, cgroups, Seccomp and SELinux in 'enforcing' mode enforce the separation of the pods. OpenShift already operates according to the principle of least privilege and the need-to-know principle and uses these together with predefined security profiles (Security Context Constraints / [SCC]) as part of security-by-design and security-by-default in the standard automatically. The separation has already been implemented in OpenShift; no further measures are usually required.

NODE BASED CONTROLS!!

 rules:
  - coreos_enable_selinux_kernel_argument
  - var_selinux_policy_name=targeted
  - selinux_policytype
  - var_selinux_state=enforcing
  - selinux_state

These rules seem to have no automatic check:

scc_limit_ipc_namespace
scc_limit_process_id_namespace

scc_limit_host_dir_volume_plugin

scc_limit_privileged_containers
scc_limit_root_containers

scc_limit_net_raw_capability
scc_limit_network_namespace

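
As an added example (not code from this issue or from ComplianceAsCode/content), a small checker that evaluates exported SCC objects against the properties the scc_limit_* rule ids above point at; the mapping from rule id to SCC field is this example's own assumption, the field names are the real OpenShift SCC API fields, and the embedded SCC JSON is a constructed sample:

```python
"""Evaluate OpenShift SecurityContextConstraints (SCCs) against the isolation
properties the scc_limit_* rules target. Added example, not code from the issue
or from ComplianceAsCode/content; the rule-id -> SCC-field mapping is an
assumption of this example, the field names are the real SCC API fields."""
import json

def _net_raw_dropped(scc):
    """True only if NET_RAW is neither allowed nor default-added and is in
    requiredDropCapabilities (explicitly or via ALL)."""
    allowed = set(scc.get("allowedCapabilities") or []) | set(scc.get("defaultAddCapabilities") or [])
    dropped = set(scc.get("requiredDropCapabilities") or [])
    if "*" in allowed or "NET_RAW" in allowed:
        return False
    return "NET_RAW" in dropped or "ALL" in dropped

# Assumed mapping: rule id -> predicate that is True when the SCC satisfies the rule.
RULE_CHECKS = {
    "scc_limit_ipc_namespace": lambda s: not s.get("allowHostIPC", False),
    "scc_limit_process_id_namespace": lambda s: not s.get("allowHostPID", False),
    "scc_limit_network_namespace": lambda s: not s.get("allowHostNetwork", False),
    "scc_limit_privileged_containers": lambda s: not s.get("allowPrivilegedContainer", False),
    "scc_limit_host_dir_volume_plugin": lambda s: (not s.get("allowHostDirVolumePlugin", False)
                                                   and "hostPath" not in (s.get("volumes") or [])),
    "scc_limit_root_containers": lambda s: (s.get("runAsUser") or {}).get("type") != "RunAsAny",
    "scc_limit_net_raw_capability": _net_raw_dropped,
}

def evaluate_sccs(scc_list_json):
    """Take the JSON of `oc get scc -o json`; return {rule_id: sorted names of SCCs
    that fail it}. Every SCC is reported; whether one (e.g. the built-in
    'privileged' SCC bound only to infrastructure accounts) is acceptable is a reviewer decision."""
    findings = {rule: [] for rule in RULE_CHECKS}
    for scc in json.loads(scc_list_json)["items"]:
        name = scc["metadata"]["name"]
        for rule, satisfied in RULE_CHECKS.items():
            if not satisfied(scc):
                findings[rule].append(name)
    return {rule: sorted(names) for rule, names in findings.items()}

# Constructed sample: a restricted-v2-like SCC and a custom SCC that opens host namespaces.
SAMPLE_SCC_JSON = json.dumps({"items": [
    {"metadata": {"name": "restricted-v2"}, "allowHostIPC": False, "allowHostPID": False,
     "allowHostNetwork": False, "allowPrivilegedContainer": False, "allowHostDirVolumePlugin": False,
     "runAsUser": {"type": "MustRunAsRange"}, "requiredDropCapabilities": ["ALL"],
     "allowedCapabilities": ["NET_BIND_SERVICE"], "volumes": ["configMap", "emptyDir", "secret"]},
    {"metadata": {"name": "debug-tools"}, "allowHostIPC": True, "allowHostPID": True,
     "allowHostNetwork": False, "allowPrivilegedContainer": False, "allowHostDirVolumePlugin": True,
     "runAsUser": {"type": "RunAsAny"}, "requiredDropCapabilities": [],
     "allowedCapabilities": ["NET_RAW"], "volumes": ["hostPath", "emptyDir"]},
]})
```

Calling evaluate_sccs(SAMPLE_SCC_JSON) lists debug-tools under every rule except the network-namespace and privileged-container ones, which both sample SCCs satisfy.
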
benruland commented 8 months ago

Besides those rules, we might set the status to inherently met, as OpenShift fulfils this control without further configuration.

sluetze commented 5 months ago

Implemented with https://github.com/ComplianceAsCode/content/commit/e17a17c934001d20001a270f489289967c6cbc5f and https://github.com/ComplianceAsCode/content/pull/11437