sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

APP.4.4.A21 #47

Open sluetze opened 10 months ago

ermeratos commented 9 months ago

Pods SHOULD be stopped and restarted regularly if there is an increased risk of external interference and a very high need for protection. No pod SHOULD run for more than 24 hours. The availability of the applications in a pod SHOULD be ensured.

Possible ways to check:

benruland commented 9 months ago

I think it is hard to check this, as we need to look into the .status field of each pod. Moreover, the result will be highly dependent on the time when it is checked (e.g. shortly after a regular cluster reboot it will pass, but a day later it will fail).

sluetze commented 8 months ago

I also do not think it is a good way to check this on a pod basis. We could check

  1. if descheduler is installed (https://docs.openshift.com/container-platform/4.14/nodes/scheduling/nodes-descheduler.html)
  2. if LifecycleAndUtilization profile is active (which defaults to restart pods after 24h)

ermeratos commented 7 months ago

Agreed, checking on a pod basis doesn't make sense.

I cannot find any rule for the descheduler or the specific policy, which means we have to create one.
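The configuration-level check proposed above, sketched as an added example; it is not part of the thread and not one of the repository's rules. It assumes the KubeDescheduler resource has already been fetched as JSON and that its spec carries the `profiles`, `mode` and `profileCustomizations.podLifetime` fields of the OpenShift descheduler operator; the sample resource is constructed.

```python
import re

MAX_POD_LIFETIME_S = 24 * 3600  # APP.4.4.A21: no pod should run longer than 24 hours

# Constructed sample, shaped like `oc get kubedescheduler cluster -o json` output.
SAMPLE_CR = {
    "kind": "KubeDescheduler",
    "metadata": {"name": "cluster"},
    "spec": {
        "mode": "Automatic",
        "profiles": ["LifecycleAndUtilization"],
        "profileCustomizations": {"podLifetime": "12h"},
    },
}


def parse_duration(text):
    """Parse a Go-style duration restricted to h/m/s units, e.g. '24h' or '1h30m'."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    scale = {"h": 3600, "m": 60, "s": 1}
    return sum(int(n) * scale[u] for n, u in parts)


def check_descheduler(cr):
    """Return a list of findings; an empty list means the check passes."""
    if not cr:
        return ["no KubeDescheduler resource found, descheduler is not configured"]
    spec = cr.get("spec") or {}
    findings = []
    if "LifecycleAndUtilization" not in (spec.get("profiles") or []):
        findings.append("LifecycleAndUtilization profile is not active")
    # Assumption: unless mode is Automatic the operator only simulates evictions.
    if spec.get("mode") != "Automatic":
        findings.append("mode is not Automatic, pods are not actually evicted")
    # Without a customization the profile default (24h per the thread) applies.
    lifetime = (spec.get("profileCustomizations") or {}).get("podLifetime")
    if lifetime is not None:
        try:
            if parse_duration(str(lifetime)) > MAX_POD_LIFETIME_S:
                findings.append(f"podLifetime {lifetime} exceeds 24h")
        except ValueError as err:
            findings.append(str(err))
    return findings


if __name__ == "__main__":
    for finding in check_descheduler(SAMPLE_CR) or ["PASS"]:
        print(finding)
```

Unlike a per-pod age check, the result depends only on the configured state, so it does not change with the time of the scan.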

ermeratos commented 4 months ago

sig-bsi-grundschutz:bsi-app-4.4-a20to21 Update api_resource_collector_cluster_role.yaml