sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide
Other
7 stars 1 forks source link

APP.4.4.A11 #37

Closed sluetze closed 4 months ago

benruland commented 10 months ago

In pods, each container SHOULD define a health check for start-up and operation ("readiness" and "liveness"). These checks SHOULD provide information about the availability of the software running in a pod. The checks SHOULD fail if the monitored software cannot perform its tasks properly. For each of these checks, a time period SHOULD be defined that is appropriate for the service running in the pod. Based on these checks, Kubernetes SHOULD delete or restart the pods.

The existance of readiness und liveness probes can be validated technically. This check needs to be performed for each container in every pod individually. Therefore, the check is better suited as part of the Kubernetes admission control process or manually.

The adequacy of the checks and the configured time periods needs to be ensured by the application owner.

To discuss: Does it make sense to build a check for all deployments, statefulsets, daemonsets in the cluster? There are rules (resource_requests_limits_in_deployment, resource_requests_limits_in_daemonset, resource_requests_limits_in_statefulset) that we could use as a template, but I don't think the compliance operator is a good place for that. Likely, this check will always fail... What do you mean @sluetze @ermeratos?

sluetze commented 9 months ago

Why do you think the Checks will always fail? Because there often will be at least a container without a probe?

I think it is not that much work if looking at the existing checks to create this for the probes.

Questions which come to mind, which I cant answer right now:

benruland commented 8 months ago

To wrap up that point: I have created a manual rule for readiness and liveness probe

benruland commented 7 months ago

PR created: https://github.com/ComplianceAsCode/content/pull/11559

sluetze commented 4 months ago

/closed

merged upstream