APP.4.4.A21

[ermeratos]

Pods SHOULD be stopped and restarted regularly if there is an increased risk of external interference and a very high need for protection. No pod SHOULD run for more than 24 hours. The availability of the applications in a pod SHOULD be ensured.

Possible ways to check:

• Pod age
• Rolling restart
• at least 2 replicas/number of pods >=2

[benruland]

I think it is hard to check this, as we need to look into the .status field of each pod. Moreover, the result will be highly dependent on the time, when it is checked (e.g. shortly after a regular cluster reboot it will pass, but a day later it will fail).

[sluetze]

I also do not think it is a good way to check this on a pod basis. We could check

1. if descheduler is installed (https://docs.openshift.com/container-platform/4.14/nodes/scheduling/nodes-descheduler.html)
2. if LifecycleAndUtilization profile is active (which defaults to restart pods after 24h)

[ermeratos]

Agreed, checking on pod basis doesn't make sense.

I cannot find any rule for the descheduler or the specific policy, which means we have to create one.

[ermeratos]

sig-bsi-grundschutz:bsi-app-4.4-a20to21 Update api_resource_collector_cluster_role.yaml

[sluetze]

https://github.com/ComplianceAsCode/content/pull/11997 was merged, closing