sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

APP.4.4.A14 #40

Open sluetze opened 10 months ago

sluetze commented 4 months ago

In a Kubernetes cluster, the nodes SHOULD be assigned dedicated tasks and only operate pods that are assigned to the respective task.

This requirement must be solved organizationally. OpenShift can bind applications to specific nodes or node groups (via labels and node selectors). ACM can take over the labeling of nodes and ensure that the nodes are labeled accordingly.

Bastion nodes SHOULD take over all incoming and outgoing data connections from applications to other networks.

OpenShift uses the concept of infra nodes. Incoming connections can be bound to these and, by using Egress IP, outgoing connections can be bound to them as well.

Management nodes SHOULD operate the control plane pods and they SHOULD only take over the control plane data connections.

OpenShift uses control plane nodes for management, on which no applications are running. Data connections from applications to the outside world and between applications are not routed via the control plane by default. The necessary requirements must be taken into account as part of the planning.

If deployed, storage nodes SHOULD only operate the solid storage services pods in the cluster.

OpenShift Data Foundation (ODF) can be bound to its own infra nodes using the OpenShift mechanisms, so that those nodes only run storage services. This can be implemented equivalently with other storage solutions.

sluetze commented 4 months ago

In a Kubernetes cluster, the nodes SHOULD be assigned dedicated tasks and only operate pods that are assigned to the respective task.

Not sure how to check that. Maybe we could look for node labels. An example would be to check for the infra labels, since this might show that they are separating things. Another aspect could be the Node Feature Discovery operator, which would help achieve this. But these are only signs of the right method, not a validation of the method itself. Maybe a manual rule would be the best to start with.

Bastion nodes SHOULD take over all incoming and outgoing data connections from applications to other networks.

Not sure how to check that automatically. A manual rule would be possible?

Management nodes SHOULD operate the control plane pods and they SHOULD only take over the control plane data connections.

rules:
  - master_taint_noschedule (new rule, which checks that the node-role.kubernetes.io/master:NoSchedule taint is set)

Additionally, one could argue that there should not be any pods tolerating the taint other than the pods in openshift- namespaces.

If deployed, storage nodes SHOULD only operate the solid storage services pods in the cluster.

Mostly a manual rule. It will be hard to automagically detect which storage system is deployed and whether it is only on specific nodes; there would be a lot of different variables.

@nrrso @benruland @ermeratos please feedback/discuss
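One way to implement the two checks sketched in the comment above (a `master_taint_noschedule` check, and "no pods outside openshift- namespaces tolerate the taint"), as an added example that is neither the project's rule code nor the commenter's. It consumes dictionaries in the shape that `oc get nodes -o json` and `oc get pods -A -o json` produce, so the same functions can be fed real cluster output; the cluster data at the bottom is constructed for illustration, and the namespace prefixes treated as "platform" are an assumption. It also reports non-platform pods that have already landed on a control-plane node, which is what happens once the taint is removed.

```python
"""Offline checks for the control-plane part of APP.4.4.A14.

Added example, not code from the ComplianceAsCode project or from the issue
author. Feed it `json.load(open("nodes.json"))` / `json.load(open("pods.json"))`
from `oc get ... -o json`, or the constructed sample at the bottom.
"""
import json

# Taint/label keys Kubernetes and OpenShift use for control-plane nodes (old and new spelling).
MASTER_KEYS = {"node-role.kubernetes.io/master", "node-role.kubernetes.io/control-plane"}
# Assumption: namespaces with these prefixes are platform components allowed on the control plane.
PLATFORM_PREFIXES = ("openshift-", "kube-")


def control_plane_nodes(nodes):
    """Nodes carrying a control-plane role label."""
    return [n for n in nodes["items"]
            if MASTER_KEYS & set(n["metadata"].get("labels", {}))]


def nodes_missing_noschedule(nodes):
    """Control-plane nodes without a NoSchedule taint for a control-plane key
    (the condition a master_taint_noschedule rule would flag)."""
    missing = []
    for n in control_plane_nodes(nodes):
        taints = n.get("spec", {}).get("taints") or []
        if not any(t.get("key") in MASTER_KEYS and t.get("effect") == "NoSchedule"
                   for t in taints):
            missing.append(n["metadata"]["name"])
    return missing


def tolerates_master_taint(pod):
    """True if one of the pod's tolerations matches the control-plane NoSchedule taint.
    A toleration with no key and operator Exists matches every taint, and a toleration
    without an effect matches every effect, so both count."""
    for t in pod.get("spec", {}).get("tolerations") or []:
        key, op, effect = t.get("key"), t.get("operator", "Equal"), t.get("effect")
        matches_all_keys = key in (None, "") and op == "Exists"
        if (matches_all_keys or key in MASTER_KEYS) and effect in (None, "", "NoSchedule"):
            return True
    return False


def is_platform(pod):
    return pod["metadata"]["namespace"].startswith(PLATFORM_PREFIXES)


def workloads_on_control_plane(nodes, pods):
    """Non-platform pods actually scheduled onto a control-plane node."""
    cp = {n["metadata"]["name"] for n in control_plane_nodes(nodes)}
    return [(p["metadata"]["namespace"], p["metadata"]["name"], p["spec"].get("nodeName"))
            for p in pods["items"]
            if p.get("spec", {}).get("nodeName") in cp and not is_platform(p)]


def nonplatform_pods_tolerating_master(pods):
    """Non-platform pods that could land on the control plane even with the taint in place."""
    return [(p["metadata"]["namespace"], p["metadata"]["name"])
            for p in pods["items"] if not is_platform(p) and tolerates_master_taint(p)]


def run_checks(nodes, pods):
    return {
        "missing_noschedule": nodes_missing_noschedule(nodes),
        "workloads_on_control_plane": workloads_on_control_plane(nodes, pods),
        "tolerating_master_taint": nonplatform_pods_tolerating_master(pods),
    }


# --- constructed sample cluster (not real data) ---------------------------------
def _node(name, role, taints=None):
    return {"metadata": {"name": name, "labels": {f"node-role.kubernetes.io/{role}": ""}},
            "spec": {"taints": taints or []}}


def _pod(ns, name, node, tolerations=None):
    return {"metadata": {"name": name, "namespace": ns},
            "spec": {"nodeName": node, "tolerations": tolerations or []}}


MASTER_TAINT = {"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"}

SAMPLE_NODES = {"items": [
    _node("master-0", "master", [MASTER_TAINT]),
    _node("master-1", "master"),                 # taint removed: any pod may schedule here
    _node("worker-0", "worker"),
]}
SAMPLE_PODS = {"items": [
    _pod("openshift-etcd", "etcd-master-0", "master-0", [{"operator": "Exists"}]),  # platform
    _pod("app", "web-1", "master-1"),            # workload that landed on the untainted master
    _pod("app", "batch-1", "worker-0",
         [{"key": "node-role.kubernetes.io/master", "operator": "Exists"}]),         # tolerates
    _pod("app", "web-2", "worker-0"),
]}

if __name__ == "__main__":
    print(json.dumps(run_checks(SAMPLE_NODES, SAMPLE_PODS), indent=2))
```

On the sample, `missing_noschedule` reports `master-1`, `workloads_on_control_plane` reports `app/web-1`, and `tolerating_master_taint` reports `app/batch-1`; any non-empty list is a finding. Note that the second check is a policy decision rather than a hard rule: operators such as monitoring agents legitimately tolerate the taint, so a real rule would need an allow-list beyond the namespace prefixes assumed here.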