-
Notifications
You must be signed in to change notification settings - Fork 694
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Defined notes and Rules for BSI APP.4.4.A6-7 #11794
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
documentation_complete: true | ||
|
||
|
||
title: 'Create Network Boundaries between Functional Different Nodes' | ||
|
||
description: |- | ||
Use different Networks for Control Plane, Worker and Individual Application Services. | ||
|
||
rationale: |- | ||
Separation on a Network level might help to hinder lateral movement of an attacker and subsequently reduce the impact of an attack. It might also enable you to provide additional external network control (like firewalls). | ||
|
||
references: | ||
bsi: APP.4.4.A7 | ||
|
||
severity: medium | ||
|
||
identifiers: | ||
cce@ocp4: CCE-86851-3 | ||
|
||
ocil_clause: 'Network separation needs review' | ||
|
||
ocil: |- | ||
Create separate Ingress Controllers for the API and your Applications. Also setup your environment in a way, that Control Plane Nodes are in another network than your worker nodes. If you implement multiple Nodes for different purposes evaluate if these should be in different network segments (i.e. Infra-Nodes, Storage-Nodes, ...). |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
--- | ||
default_result: MANUAL |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -162,35 +162,46 @@ controls: | |
levels: | ||
- standard | ||
description: >- | ||
If an initialisation (e.g. of an application) takes place in a pod at start-up, this SHOULD take | ||
place in a separate Init container. It SHOULD be ensured that the initialisation terminates all | ||
processes that are already running. Kubernetes SHOULD ONLY start the other containers if | ||
the initialisation is successful. | ||
If an initialisation (e.g. of an application) takes place in a pod at start-up, this SHOULD take place in a separate Init container. It SHOULD be ensured that the initialisation terminates all processes that are already running. Kubernetes SHOULD ONLY start the other containers if the initialisation is successful. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @sluetze I see this paragraph now matches exactly the text on BSI pdf. Is this intentional? I'd rather avoid very long lines to ease readability. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes this is intentional and true for all controls in bsi_app_4_4 and bsi_sys_1_6 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I definitely support having descriptions identical to the pdf. |
||
notes: >- | ||
TBD | ||
status: pending | ||
OpenShift provides the necessary resource configurations via Kubernetes. Kubernetes ensures the (process) dependencies between init containers and “normal” containers of a pod. | ||
|
||
The requirement must be implemented by application development. | ||
status: inherently met | ||
rules: [] | ||
|
||
- id: APP.4.4.A7 | ||
title: Separation of Networks for Kubernetes | ||
levels: | ||
- standard | ||
description: >- | ||
Networks for the administration of nodes, the control plane, and the individual networks of | ||
application services SHOULD be separated. | ||
Only the network ports of the pods necessary for operation SHOULD be released into the | ||
designated networks. If a Kubernetes cluster contains multiple applications, all the network | ||
connections between the Kubernetes namespaces SHOULD first be prohibited and only | ||
required network connections permitted (whitelisting). The network ports necessary for the | ||
administration of the nodes, the runtime, and Kubernetes (including its extensions) SHOULD | ||
ONLY be accessible from the corresponding administration network and from pods that need | ||
them. | ||
Only selected administrators SHOULD be authorised in Kubernetes to manage the CNI and | ||
create or change rules for the network. | ||
(1) Networks for the administration of nodes, the control plane, and the individual networks of application services SHOULD be separated. | ||
(2) Only the network ports of the pods necessary for operation SHOULD be released into the designated networks. (3) If a Kubernetes cluster contains multiple applications, all the network connections between the Kubernetes namespaces SHOULD first be prohibited and only required network connections permitted (whitelisting). (4) The network ports necessary for the administration of the nodes, the runtime, and Kubernetes (including its extensions) SHOULD ONLY be accessible from the corresponding administration network and from pods that need them. | ||
(5) Only selected administrators SHOULD be authorised in Kubernetes to manage the CNI and create or change rules for the network. | ||
notes: >- | ||
TBD | ||
status: pending | ||
rules: [] | ||
Section 1-3: | ||
The requirements for restricting network ports and network connections between Kubernetes namespaces are already supported by OpenShift as standard using network policies and the option for default network policies (security by design). | ||
|
||
The separation of the management network can also be implemented at the namespace level via network policies (incoming, the responsibility of the namespace administrator) and egress firewalls (outgoing, the responsibility of the cluster admins). | ||
|
||
Externally exposed services can receive their own IP and thus data traffic can also be separated outside the platform. Inter-node communication is carried out via suitable tunnel protocols (VXLAN, GENEVE) and can also be encrypted using IPSec. | ||
|
||
The determination of the necessary network policies for applications is supported by the network policy generator in ACS. | ||
Section 4 is true by default | ||
Section 5 maps to principle of least privilege | ||
status: partial | ||
rules: | ||
# Section 1 | ||
- general_network_separation | ||
# Section 2 | ||
- configure_network_policies | ||
- configure_network_policies_namespaces | ||
# Section 3 | ||
- project_config_and_template_network_policy | ||
# Section 4, default | ||
# Section 5 | ||
- rbac_least_privilege | ||
|
||
|
||
- id: APP.4.4.A8 | ||
title: Securing Configuration Files on Kubernetes | ||
|
@@ -237,7 +248,7 @@ controls: | |
start pods via automation software, this SHOULD be done for each group through separate | ||
processes that only have the rights necessary for the respective user group. | ||
notes: >- | ||
This control needs to be adressed on an organizational level. All service accounts used by | ||
This control needs to be adressed on an organizational level. All service accounts used by | ||
automation software need to adhere to the principle of least privilege. | ||
status: not applicable | ||
rules: [] | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The control files now support automated assignment of references to the rules.
https://complianceascode.readthedocs.io/en/latest/manual/developer/03_creating_content.html#using-controls-for-automated-reference-assignment-to-rules
With it there is no need to manually add
bsi
reference to each rule.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is no need to change the PR, I mention for awareness, and to make development a bit easier.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds great. I will add the necessary info to the control file in a later PR.