APP.4.4.A21 #47

Closed
sluetze opened this issue Nov 7, 2023 · 6 comments
Assignees
Labels
new-rules Issue which requires us to write new rules

Comments

@sluetze
sluetze commented Nov 7, 2023

No description provided.

@ermeratos ermeratos added the new-rules Issue which requires us to write new rules label Dec 5, 2023
@ermeratos
ermeratos commented Dec 5, 2023

Pods SHOULD be stopped and restarted regularly if there is an increased risk of external
interference and a very high need for protection. No pod SHOULD run for more than 24
hours. The availability of the applications in a pod SHOULD be ensured.

Possible ways to check:

  • Pod age
  • Rolling restart
  • at least 2 replicas/number of pods >=2

@benruland
I think it is hard to check this, as we need to look into the .status field of each pod. Moreover, the result will be highly dependent on the time when it is checked (e.g. shortly after a regular cluster reboot it will pass, but a day later it will fail).

@benruland benruland added the not-checkable Requirement can not be checked with Compliance Operator label Dec 18, 2023
@sluetze
sluetze commented Jan 5, 2024

I also do not think it is a good way to check this on a pod basis.
We could check

  1. if descheduler is installed (https://docs.openshift.com/container-platform/4.14/nodes/scheduling/nodes-descheduler.html)
  2. if LifecycleAndUtilization profile is active (which defaults to restart pods after 24h)

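The configuration-level check proposed in this thread (descheduler installed, LifecycleAndUtilization profile active) can be expressed as a small script. The following is an added example and is not code from the issue, from ComplianceAsCode or from the descheduler project. It assumes the OpenShift descheduler is configured through a `KubeDescheduler` resource (`operator.openshift.io/v1`, name `cluster`, namespace `openshift-kube-descheduler-operator`) whose `spec` carries `profiles`, `mode` and an optional `profileCustomizations.podLifetime`; that the PodLifeTime strategy defaults to 24 hours when not customised (as stated in the comment above); and that `Predictive` mode only simulates evictions while `Automatic` actually evicts. It goes slightly beyond the thread by also covering the "at least 2 replicas" availability check from the earlier list. The sample resources are constructed; in practice they would come from `oc get ... -o json`.

```python
"""Configuration-level check for APP.4.4.A21 (added example, not from the issue)."""
import re
from datetime import timedelta

# Constructed sample resources, shaped like the output of
#   oc get kubedescheduler cluster -n openshift-kube-descheduler-operator -o json
#   oc get deployment <name> -n <namespace> -o json
SAMPLE_DESCHEDULER = {
    "apiVersion": "operator.openshift.io/v1",
    "kind": "KubeDescheduler",
    "metadata": {"name": "cluster", "namespace": "openshift-kube-descheduler-operator"},
    "spec": {
        "mode": "Automatic",
        "deschedulingIntervalSeconds": 3600,
        "profiles": ["LifecycleAndUtilization"],
        "profileCustomizations": {"podLifetime": "24h"},
    },
}
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example-app", "namespace": "example"},
    "spec": {"replicas": 2},
}

MAX_POD_LIFETIME = timedelta(hours=24)      # "No pod SHOULD run for more than 24 hours"
DEFAULT_POD_LIFETIME = timedelta(hours=24)  # assumed PodLifeTime default when not customised

_DURATION_TOKEN = re.compile(r"(\d+)(h|m|s)")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Parse a Go-style duration string such as "24h", "90m" or "1h30m"."""
    pos, total = 0, 0
    for match in _DURATION_TOKEN.finditer(text):
        if match.start() != pos:
            raise ValueError(f"unparseable duration: {text!r}")
        total += int(match.group(1)) * _UNIT_SECONDS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"unparseable duration: {text!r}")
    return timedelta(seconds=total)


def check_descheduler(cr):
    """Return a list of findings for the KubeDescheduler resource; [] means compliant."""
    if cr is None:
        return ["descheduler not installed (no KubeDescheduler resource found)"]
    findings = []
    spec = cr.get("spec") or {}
    if "LifecycleAndUtilization" not in (spec.get("profiles") or []):
        findings.append("profile LifecycleAndUtilization is not enabled")
    # Predictive mode only simulates evictions, so require Automatic explicitly
    # (assumption: we deliberately do not rely on the operator's default for mode).
    if spec.get("mode") != "Automatic":
        findings.append("mode is not Automatic, so no pods are actually evicted")
    lifetime_text = (spec.get("profileCustomizations") or {}).get("podLifetime")
    try:
        lifetime = parse_duration(lifetime_text) if lifetime_text else DEFAULT_POD_LIFETIME
    except ValueError as exc:
        findings.append(str(exc))
    else:
        if lifetime > MAX_POD_LIFETIME:
            findings.append(f"podLifetime {lifetime_text} exceeds 24h")
    return findings


def check_replicas(workload, minimum=2):
    """Availability side of the requirement: the workload must run at least `minimum` replicas."""
    replicas = (workload.get("spec") or {}).get("replicas", 1)  # Kubernetes default is 1
    name = (workload.get("metadata") or {}).get("name", "<unnamed>")
    if replicas < minimum:
        return [f"{workload.get('kind')} {name} has {replicas} replica(s), need >= {minimum}"]
    return []


if __name__ == "__main__":
    for finding in check_descheduler(SAMPLE_DESCHEDULER) + check_replicas(SAMPLE_DEPLOYMENT):
        print("FAIL:", finding)
    print("check finished")
```

Because the check reads the descheduler's desired state rather than each pod's `.status`, its result does not depend on when it is run, which addresses the timing concern raised earlier in the thread.
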
@ermeratos
ermeratos commented Jan 30, 2024

Agreed, checking on pod basis doesn't make sense.

I cannot find any rule for the descheduler or the specific policy, which means we have to create one.

@ermeratos ermeratos removed the not-checkable Requirement can not be checked with Compliance Operator label Jan 30, 2024
@ermeratos ermeratos self-assigned this Feb 8, 2024
@sluetze
sluetze commented Oct 1, 2024

ComplianceAsCode#11997 was merged, closing

@sluetze sluetze closed this as completed Oct 1, 2024