sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

APP.4.4.A6 #32

Closed sluetze closed 5 months ago

sluetze commented 11 months ago

If an initialisation (e.g. of an application) takes place in a pod at start-up, this SHOULD take place in a separate Init container. It SHOULD be ensured that the initialisation terminates all processes that are already running. Kubernetes SHOULD ONLY start the other containers if the initialisation is successful.

rules:
- no init scripts for permanently running containers
- init containers where initialisation is needed
- init containers are completed

There doesn't seem to be anything existing in the rules; we have to write them.
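As an added example that is not part of this issue or of the ComplianceAsCode project, a check for the third proposed rule ("init containers are completed"): it reads the JSON shape that `kubectl get pods -A -o json` returns and reports any pod whose main containers are running while a declared init container has not terminated with exit code 0. The sample pod list is constructed; init containers declared with `restartPolicy: Always` are Kubernetes sidecars and are deliberately left out of the judgement.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster data).
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "app", "name": "web-ok"},
     "spec": {"initContainers": [{"name": "migrate"}], "containers": [{"name": "web"}]},
     "status": {"initContainerStatuses": [{"name": "migrate", "state": {"terminated": {"exitCode": 0}}}],
                "containerStatuses": [{"name": "web", "state": {"running": {}}}]}},
    {"metadata": {"namespace": "app", "name": "web-broken"},
     "spec": {"initContainers": [{"name": "migrate"}], "containers": [{"name": "web"}]},
     "status": {"initContainerStatuses": [{"name": "migrate", "state": {"terminated": {"exitCode": 1}}}],
                "containerStatuses": [{"name": "web", "state": {"running": {}}}]}},
    {"metadata": {"namespace": "app", "name": "with-sidecar"},
     "spec": {"initContainers": [{"name": "proxy", "restartPolicy": "Always"}],
              "containers": [{"name": "web"}]},
     "status": {"initContainerStatuses": [{"name": "proxy", "state": {"running": {}}}],
                "containerStatuses": [{"name": "web", "state": {"running": {}}}]}},
]})


def check_init_containers_completed(pod_list_json: str) -> List[str]:
    """Return one finding per init container that has not finished with exit code 0
    although a main container of the same pod is already running.

    Init containers with restartPolicy: Always are Kubernetes sidecars; they are
    meant to keep running and are therefore not judged by this rule.
    """
    findings: List[str] = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta, spec, status = pod["metadata"], pod.get("spec", {}), pod.get("status", {})
        main_running = any("running" in cs.get("state", {})
                           for cs in status.get("containerStatuses", []))
        if not main_running:
            continue  # still initialising or already finished: nothing to judge yet
        reported: Dict[str, dict] = {ics["name"]: ics.get("state", {})
                                     for ics in status.get("initContainerStatuses", [])}
        for init in spec.get("initContainers", []):
            if init.get("restartPolicy") == "Always":
                continue  # sidecar, expected to run alongside the main containers
            pod_id = f"{meta['namespace']}/{meta['name']}"
            terminated = reported.get(init["name"], {}).get("terminated")
            if terminated is None:
                findings.append(f"{pod_id}: init container {init['name']} has not terminated")
            elif terminated.get("exitCode") != 0:
                findings.append(f"{pod_id}: init container {init['name']} exited with "
                                f"code {terminated.get('exitCode')}")
    return findings
```

On a healthy cluster this should report nothing, because the kubelet itself will not start the main containers until the non-sidecar init containers succeed, which is the built-in behaviour the thread discusses; the check codifies that expectation so a scan can surface pods whose reported status contradicts it.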

benruland commented 11 months ago

For me, this feels like a mix of Kubernetes built-in functionality (init containers) and organizational requirements.

If an initialisation (e.g. of an application) takes place in a pod at start-up, this SHOULD take place in a separate Init container

Organizational requirement for app developer / manifest owner: Do not put init scripts into the main container but in an init container

It SHOULD be ensured that the initialisation terminates all processes that are already running

I do not understand this requirement in the container context. In the context of a deployment / multiple pods, initialization might also be performed when other pods of the application are still running (e.g. init version 6 during rolling upgrade, while version 5 is still running). In the context of a single Pod, init containers are inherently run at first by Kubernetes.

Kubernetes SHOULD ONLY start the other containers if the initialisation is successful.

This is a standard Kubernetes behaviour, isn't it?

benruland commented 10 months ago

Feedback is required @sluetze @ermeratos: For me this is an org-only requirement, or at maximum a manual rule. What's your opinion?

sluetze commented 10 months ago

OpenShift provides the necessary resource configurations via Kubernetes. Kubernetes ensures the (process) dependencies between init containers and “normal” containers of a pod. The requirement must be implemented by application development.

I agree, it's a mixture of inherently met and organizational rule.

sluetze commented 7 months ago

https://github.com/ComplianceAsCode/content/pull/11794

sluetze commented 5 months ago

Upstream PR merged