
APP.4.4.A6 #32

Closed
sluetze opened this issue Nov 7, 2023 · 6 comments
Labels: new-rules (Issue which requires us to write new rules), org-only (This Requirement of BSI is ONLY an organizational Requirement)

Comments


sluetze commented Nov 7, 2023

No description provided.

@sluetze sluetze added not-checkable Requirement can not be checked with Compliance Operator new-rules Issue which requires us to write new rules and removed not-checkable Requirement can not be checked with Compliance Operator labels Dec 5, 2023

sluetze commented Dec 5, 2023

If an initialisation (e.g. of an application) takes place in a pod at start-up, this SHOULD take
place in a separate Init container. It SHOULD be ensured that the initialisation terminates all
processes that are already running. Kubernetes SHOULD ONLY start the other containers if
the initialisation is successful.

rules:
- no init scripts for permanently running containers
- init containers where initialisation is needed
- init containers are completed

There doesn't seem to be anything existing in the rules; we have to write them.


benruland commented Dec 20, 2023

For me, this feels like a mix of Kubernetes built-in functionality (init containers) and organizational requirements.

If an initialisation (e.g. of an application) takes place in a pod at start-up, this SHOULD take
place in a separate Init container

Organizational requirement for app developer / manifest owner: Do not put init scripts into the main container but in an init container

It SHOULD be ensured that the initialisation terminates all processes that are already running

I do not understand this requirement in the container context. In the context of a deployment / multiple pods, initialization might also be performed when other pods of the application are still running (e.g. init version 6 during rolling upgrade, while version 5 is still running). In the context of a single Pod, init containers are inherently run at first by Kubernetes.

Kubernetes SHOULD ONLY start the other containers if the initialisation is successful.

This is a standard Kubernetes behaviour, isn't it?
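The three draft rules above (init containers where initialisation is needed, init containers completed, no init scripts in the long-running container) map onto what a Pod's status actually exposes. The following is an added example, not code from ComplianceAsCode or the Compliance Operator: it evaluates a constructed `kubectl get pod -o json` document and reports whether every init container terminated successfully before the app containers started, and flags pods without any init container for the organisational (manual) part of the check. The pod name, image and namespace are made up.

```python
import json

# Constructed sample of what `kubectl get pod -o json` returns for a pod whose
# application initialisation runs in a dedicated init container. Example data only.
SAMPLE_POD = json.loads("""{
  "metadata": {"name": "web-1", "namespace": "shop"},
  "spec": {
    "initContainers": [{"name": "db-migrate", "image": "registry.example/shop:1.2"}],
    "containers": [{"name": "web", "image": "registry.example/shop:1.2"}]
  },
  "status": {
    "initContainerStatuses": [
      {"name": "db-migrate", "state": {"terminated": {"exitCode": 0, "reason": "Completed"}}}
    ],
    "containerStatuses": [
      {"name": "web", "state": {"running": {"startedAt": "2024-01-12T10:00:05Z"}}}
    ]
  }
}""")


def check_init_containers(pod: dict) -> list:
    """Findings for the 'init containers are completed' rule; an empty list means compliant."""
    spec, status = pod.get("spec", {}), pod.get("status", {})
    init_status = {s["name"]: s for s in status.get("initContainerStatuses", [])}
    app_status = {s["name"]: s for s in status.get("containerStatuses", [])}
    findings = []
    for c in spec.get("initContainers", []):
        # Native sidecars (init containers with restartPolicy: Always) keep running by design.
        if c.get("restartPolicy") == "Always":
            continue
        term = init_status.get(c["name"], {}).get("state", {}).get("terminated")
        if term is None:
            findings.append(f"init container {c['name']} has not terminated")
        elif term.get("exitCode", 1) != 0:
            findings.append(f"init container {c['name']} failed with exit code {term.get('exitCode')}")
    if findings:
        # Kubernetes keeps app containers in 'waiting' (PodInitializing) until initialisation
        # succeeds; anything else would violate the requirement's last sentence.
        for name, s in app_status.items():
            if "waiting" not in s.get("state", {}):
                findings.append(f"app container {name} started before initialisation completed")
    return findings


def needs_manual_review(pod: dict) -> bool:
    """True when the pod declares no init container: whether initialisation logic hides in
    the main container's entrypoint can then only be judged by reading the manifest."""
    return not pod.get("spec", {}).get("initContainers")
```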

@benruland benruland added the org-only This Requirement of BSI is ONLY an organizational Requirement label Dec 20, 2023

Feedback is required @sluetze @ermeratos: For me this is an org-only requirement, or at maximum a manual rule. What's your opinion?


sluetze commented Jan 12, 2024

OpenShift provides the necessary resource configurations via Kubernetes. Kubernetes ensures the (process) dependencies between init containers and “normal” containers of a pod.
The requirement must be implemented by application development.

I agree, it's a mixture of inherently met and organizational rule.

@sluetze sluetze self-assigned this Jan 16, 2024

sluetze commented Apr 8, 2024

ComplianceAsCode#11794


sluetze commented Jun 28, 2024

Upstream PR merged

@sluetze sluetze closed this as completed Jun 28, 2024