compliantkubernetes
Document how Compliant Kubernetes maps towards eIDAS
eIDAS is not a relevant regulation for infrastructure or Compliant Kubernetes. However, companies with eIDAS compliance needs will still require a platform similar to Compliant Kubernetes in order to comply with other important regulations and security standards that CK8s can help with. I did get questions from two different companies on how Compliant Kubernetes can help with eIDAS compliance, so it would be great if we had a section under "Compliance" stating why eIDAS is actually a regulation for the application-specific part of the tech stack. This way we help our users understand our platform even better, and we save them the time they would otherwise spend investigating how CK8s maps towards eIDAS.
eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. It was established in EU Regulation 910/2014 of 23 July 2014 on electronic identification and repeals 1999/93/EC from 13 December 1999.[1][2]
https://skr.se/skr/naringslivarbetedigitalisering/digitalisering/informationsforsorjningdigitalinfrastruktur/elegitimation/eidas.11084.html
https://en.wikipedia.org/wiki/EIDAS
Comment from Robert: Seems outside of CK8s scope; I would guess this doesn't have any bearing on infra implementation?
Comment from Lars: I've skimmed the 18-page PDF. Everything mentioned there about eIDAS is on an application level. It's not something that affects us as a platform for running/deploying applications. So it's out of scope, like Robert said. For eIDAS compliance, companies will need to deploy an Identity Provider (IdP) system that can work with SAMLv2 for access to their application. Keycloak could be used.
Issue #201 should be done before this issue.
@simonekman Is this issue still relevant?
I guess it could not hurt but I would say that it has a lower prio compared to NSA/CISA, DoD, NIST, NIS2 etc.
Have you seen the comment from Lars:
Comment from Lars: I've skimmed the 18-page PDF. Everything mentioned there about eIDAS is on an application level. It's not something that affects us as a platform for running/deploying applications. So it's out of scope, like Robert said. For eIDAS compliance, companies will need to deploy an Identity Provider (IdP) system that can work with SAMLv2 for access to their application. Keycloak could be used.
So, would you like us to have a short discussion on "eIDAS is out of scope for Compliant Kubernetes"?
Ah, I did not see that comment. Okay, let's close this issue then and focus on other things :)