add egress traffic filter

Author: wurstbrot

data/Infrastructure.yml

@@ -2,7 +2,7 @@
 Infrastructure Hardening:
   The cluster is hardened:
     risk: Using default configurations for a cluster environment leads to potential risks.
-    measure: Harden cluster environments according to best practices.
+    measure: Harden cluster environments according to best practices. Level 1 and partiually level 2 from hardening practices like 'CIS Kubernetes Bench for Security' should considered.
     difficultyOfImplementation:
       knowledge: 4
       time: 3
@@ -63,6 +63,23 @@ Infrastructure Hardening:
     iso27001-2017:
       - virtual environments are not explicitly covered by ISO 27001 - too specific
       - 13.1.3
+  Filter for outcoing traffic:
+    risk: A compromised infrastructure component might try to send out stolen data.
+    measure: Having a whitelist and explizitly allowing egress traffic provides the ability to stop unauthorized data leackage.
+    difficultyOfImplementation:
+      knowledge: 3
+      time: 3
+      resources: 3
+    usefulness: 2
+    level: 2
+    dependsOn: []
+    implementation:
+      - Open Policy Agent
+      - firewalls
+    samm2: o-environment-management|A|1
+    iso27001-2017:
+      - virtual environments are not explicitly covered by ISO 27001 - too specific
+      - 13.1.3
   Infrastructure as Code:
     risk: No tracking of changes in systems might lead to errors in the configuration. In additions, it might lead to unauthorized changes. An examples is jenkins.
     measure: Systems are setup by code. A full environment can be provisioned. In addition, software like Jenkins 2 can be setup and configured in in code too. The code should be stored in a version control system.