sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

APP.4.4.A18 #44

Open sluetze opened 9 months ago

ermeratos commented 8 months ago

Pods SHOULD ONLY be able to communicate with each other through the necessary network ports, even within a Kubernetes namespace. There SHOULD be rules within the CNI that disallow all but the necessary network connections within the Kubernetes namespace. These rules SHOULD precisely define the source and destination of the allowed connections using at least one of the following criteria: service name, metadata (“labels”), Kubernetes service accounts, or certificate-based authentication.

All the criteria used as labels for a connection SHOULD be secured in such a way that they can only be changed by authorised persons and management services.

mTLS and/or service mesh?

But I'd say this is not really checkable and is an organizational control outside the scope of OpenShift configuration.

benruland commented 8 months ago

We could:

rules:
  - configure_network_policies
  - configure_network_policies_hypershift_hosted
  - configure_network_policies_namespaces
  - project_config_and_template_network_policy

sluetze commented 7 months ago

I agree with you benruland for the basic infrastructure. ermeratos has a point with ServiceMesh and mTLS. This is also seen by c puppe in his interpretations of the building block. IMHO most companies won't have servicemesh and mTLS. So we might start with network policies and later on create something for ServiceMesh?

ermeratos commented 7 months ago

As you mentioned, the usage of service mesh is probably pretty rare. I'd rather focus on the network policy part. Although, the simple presence of network policies doesn't yet meet these requirements, does it?

benruland commented 5 months ago

In the end, we are only giving some indication if this control can be met. The existence of suitable policies that satisfy all requirements needs to be ensured by the application owner.
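
The gap between "a NetworkPolicy exists" and the A18 wording quoted at the top of the thread can be shown with a small audit over parsed NetworkPolicy objects. This is an added example, not part of the thread and not the ComplianceAsCode rules; the function names, the finding texts and the sample policies are constructed, and treating `ipBlock` peers as a finding is one reading of the requirement's list of criteria.

```python
# Added example: audit ingress rules of NetworkPolicy objects (parsed into dicts)
# against the A18 wording: default deny, explicit ports, label-defined sources.

def selects_all(selector):
    """An empty label selector matches every pod (or every namespace)."""
    return not selector.get("matchLabels") and not selector.get("matchExpressions")

def is_default_deny_ingress(policy):
    """True if the policy selects all pods and allows no ingress at all."""
    spec = policy.get("spec", {})
    types = spec.get("policyTypes", ["Ingress"])  # Ingress applies when unset
    return (selects_all(spec.get("podSelector") or {})
            and "Ingress" in types and not spec.get("ingress"))

def rule_findings(rule):
    """Return the reasons one ingress rule is broader than A18 asks for."""
    findings = []
    if not rule.get("ports"):
        findings.append("no ports: all ports allowed")
    peers = rule.get("from") or []
    if not peers:
        findings.append("no from: any source allowed")
    for peer in peers:
        if "ipBlock" in peer:
            findings.append("ipBlock peer: source not identified by labels")
        elif all(selects_all(peer.get(k) or {})
                 for k in ("podSelector", "namespaceSelector")):
            findings.append("empty selector: source not narrowed by labels")
    return findings

def audit_namespace(policies):
    """Summarise one namespace: default deny present, findings per policy."""
    report = {"default_deny": any(is_default_deny_ingress(p) for p in policies),
              "findings": {}}
    for p in policies:
        rules = p.get("spec", {}).get("ingress") or []
        reasons = [r for rule in rules for r in rule_findings(rule)]
        if reasons:
            report["findings"][p["metadata"]["name"]] = reasons
    return report

# Constructed sample: one namespace with three policies.
SAMPLE = [
    {"metadata": {"name": "default-deny"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "api-from-frontend"},
     "spec": {"podSelector": {"matchLabels": {"app": "api"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                           "ports": [{"protocol": "TCP", "port": 8443}]}]}},
    {"metadata": {"name": "allow-same-namespace"},
     "spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]}},
]
```

On the sample, only `allow-same-namespace` is reported: the namespace has policies and even a default deny, yet that one rule reopens every port to every pod in the namespace.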

benruland commented 5 months ago

Implementation completed in https://github.com/ComplianceAsCode/content/pull/11659

benruland commented 1 month ago

During rebasing, I accidentally closed the previous PR. For better reviewability, I created a new PR: https://github.com/ComplianceAsCode/content/pull/12154