Closed sluetze closed 2 weeks ago
I have created a PR: ComplianceAsCode/content#11394
> Of all the requirements, we could only check one: (Encrypted communication on all network ports for the image registry):

I do not agree.
Use of personal and service accounts for access
rules:
  # existing kubeadmin would show that you do not follow personal and service accounts but may use a global privileged user
  - kubeadmin_removed

Encrypted communication on all network ports
rules:
  - ocp_insecure_registries
  - ocp_insecure_allowed_registries_for_import !!!!

Restrictive assignment of permissions to user and service accounts
rules:
  - rbac_cluster_roles_defined
  - rbac_roles_defined
  - rbac_least_privilege
  - rbac_limit_cluster_admin
  - rbac_limit_secret_access
  - rbac_wildcard_use

Logging of changes (this is auditing imho)
rules:
  - audit_profile_set
  # for me it is debatable if additional rules could apply, like
  # cluster_logging_operator_exist
  # audit_error_alert_exists
  # audit_log_forwarding_uses_tls

Regular data backups: there don't seem to be checks at the moment. But maybe it is useful to check if Velero APIs exist, or Red Hat OpenShift API for Data Protection is installed?
A broader opinion is certainly useful here on whether we also consider the described requirements for Kubernetes and etcd, or only for external systems such as the registry etc. @oliverbutanowitz @ermeratos
IG BVC:
The platform operator should use a central directory service for access management.
(https://wikijs.opencode.de/igbvc-app-4-4.pdf)
rules:
- idp_is_configured
@benruland, while the associated PR is merged upstream, we are missing a) the later decided sectioning and b) the idp_is_configured rule (if you would also consider this a match).
How do we proceed? Shall I keep this issue open or do we recreate one?
Also: regarding whether this is relevant for external systems or also for Kubernetes, we should have talked with the customers at our meeting yesterday. Missed that opportunity, will add it to the notes.
@sluetze, from my understanding in our discussions we decided to keep the scope on OpenShift and not look at external systems like the container registry.
Hence, I would also not include the idp_is_configured rule, because the focus of that rule is OpenShift whereas the BSI control addresses external systems like the container registry.
If you agree, I will add the sectioning to my next PR which is for https://github.com/sig-bsi-grundschutz/content/issues/10
Yes, you are right. It's external and thus the idp rule does not address it.
This requirement needs to be addressed in the respective separate systems.