APP.4.4.A8

[sluetze]

The configuration files of a Kubernetes cluster, including all its extensions and applications, SHOULD be versioned and annotated. Access rights to configuration file management software SHOULD be granted in a restrictive manner. Read and write access rights to the configuration files of the control plane SHOULD be assigned and restricted with particular care

this is outside of the openshift/kubernetes cluster. org-only

[benruland]

One might argue, that "configuration files of the control plane" also include the actual configuration files on the control plane nodes. Then, a vast amount of "standard file permission" checks could be performed. I would, however, rather not include that, and interpret "configuration files" as those, who are stored outside the cluster (Git) and applied to the Kubernetes API.

Therefore, I agree with org-only. The assessment in BSI Quick check document brings it pretty much on-point. Maybe, we can add this into the notes for this control (translated)?

Diese Anforderung muss organisatorisch umgesetzt werden. OpenShift wird vollständig über Kubernetes-Ressourcen und Custom-Resources (CR) gesteuert. Alle CRs, die nach der initialen Cluster-Installation im Rahmen des "Day-1" oder "Day-2" ausgeführt werden, gehören zu den Konfigurationsdateien. Diese CRs liegen in System-Namespaces, auf die ausschließlich Cluster-Administratoren Zugriff haben. Eine Versionierung erfolgt über ein Versionssystem wie Git. Zugriffsbeschränkungen sind dort zu implementieren. Red Hat Openshift unterstützt den Rollout der Konfigurationen aus Git beispielsweise mittels Openshift GitOps.

[ermeratos]

For the sake of completeness, I also agree with org-only.

[benruland]

PR Created: https://github.com/ComplianceAsCode/content/pull/11559

[sluetze]

merged upstream