
BSI IT-Grundschutz Controls

The BSI IT-Grundschutz framework, developed by Germany’s Federal Office for Information Security (BSI), provides a structured, modular approach to implementing information security management.

Its "building blocks" (Bausteine) address specific components, processes, and technologies, offering concrete safeguards that can be tailored to different protection needs.

These modules are grouped into thematic layers—such as Applications (APP), Systems (SYS), and Networks (NET)—and link security objectives with implementation guidance and verification steps, forming a cohesive, auditable framework.

Within the Applications layer, APP.4.4 – Kubernetes focuses on securing container orchestration environments. Introduced in the 2022 edition of the IT-Grundschutz Compendium, this module addresses risks specific to Kubernetes clusters, from configuration management and access control to backup and recovery. APP.4.4 complements SYS.1.6 (Containerisation) by translating general container security principles into Kubernetes-specific measures, so that both operational practices and technical configurations meet robust, verifiable security standards.

Important

Many requirements in APP.4.4 cannot be fulfilled by an application platform alone, because they depend on factors outside the product's scope—such as how Welkin is deployed, integrated, and operated in a specific environment, as well as how the application on top is developed and deployed. While a platform can provide features and guardrails (e.g., RBAC, audit logs) to support these controls, full compliance depends on correct configuration, secure surrounding infrastructure, and disciplined operational processes.

That is why this documentation does not present an "all green checkboxes" compliance table for APP.4.4. Instead, it maps each relevant requirement to the parts of the product documentation that explain how Welkin can support or enable it. This approach allows platform administrators to combine Welkin's capabilities with their own environment-specific configurations, policies, and processes, ensuring a realistic and verifiable assessment rather than a misleading implication of complete, out-of-the-box compliance.

Click on the links below to navigate the documentation by control.

BSI IT-Grundschutz APP.4.4.A1

BSI IT-Grundschutz APP.4.4.A2

BSI IT-Grundschutz APP.4.4.A3

BSI IT-Grundschutz APP.4.4.A5

BSI IT-Grundschutz APP.4.4.A7

BSI IT-Grundschutz APP.4.4.A10

BSI IT-Grundschutz APP.4.4.A13

BSI IT-Grundschutz APP.4.4.A14

BSI IT-Grundschutz APP.4.4.A15

BSI IT-Grundschutz APP.4.4.A16

BSI IT-Grundschutz APP.4.4.A18

BSI IT-Grundschutz APP.4.4.A21

Other IT-Grundschutz Controls

APP.4.4.A17 Attestierung von Nodes (Attestation of Nodes) (H)

The Kubespray layer in Welkin configures mutual TLS between Data Plane Nodes and Control Plane Nodes, so each node authenticates to the control plane with its own certificate and the control plane authenticates to the node in turn. Note that this authenticates node identity; it does not by itself attest which software and configuration a node booted with, which is what A17 additionally asks for in the form of a cryptographically secured, possibly TPM-backed statement to the control plane. If you need that level of assurance, it must be provided by the underlying infrastructure and verified as part of the provider audit.

BSI IT-Grundschutz Controls outside the scope of Welkin

Pending official translation into English, the control titles below are given in German, with an English rendering in parentheses.

APP.4.4.A6 Initialisierung von Pods (Initialization of Pods) (S)

Application Developers must make sure that any initialization a Pod needs (for example, schema migrations, fetching configuration, or waiting for a dependency) runs in an init container, so that the application containers only start once initialization has completed successfully.

APP.4.4.A11 Überwachung der Container (Monitoring of Containers) (S)

Application Developers must ensure that their application has a liveness probe and a readiness probe, both configured in the Deployment's Pod template. This is illustrated by our user demo.
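The following Deployment is an added example (it is not Welkin's own manifest and not the user demo) that serves both A6 and A11 at once: one-off initialization runs in an init container that must exit successfully before the application container is started, and the application container carries separate readiness and liveness probes. The image name, the `/app/migrate` command, the `/readyz` and `/healthz` paths, the port and the ConfigMap name are assumptions chosen for illustration.

```yaml
# Added example, not Welkin's own code. Image, command, paths, port and
# ConfigMap name are assumed values for illustration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      # APP.4.4.A6: initialization lives in its own init container. Init
      # containers run to completion, in order, before any regular container
      # starts. With the default restartPolicy (Always) a failing init
      # container is restarted until it succeeds, so the application
      # container never starts against an uninitialized environment.
      initContainers:
        - name: run-migrations
          image: registry.example.com/example-app:1.4.2   # assumed image
          command: ["/app/migrate", "--config", "/etc/app/config.yaml"]
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: config
              mountPath: /etc/app
              readOnly: true
      containers:
        - name: app
          image: registry.example.com/example-app:1.4.2   # assumed image
          ports:
            - name: http
              containerPort: 8080
          # APP.4.4.A11: readiness gates traffic. While this probe fails the
          # Pod is removed from Service endpoints but is NOT restarted, so it
          # is the right place to check dependencies such as a database.
          readinessProbe:
            httpGet:
              path: /readyz
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 3
          # Liveness restarts the container after failureThreshold failures.
          # Keep it cheap and local (is the process responsive?), because a
          # liveness check that depends on an external system turns an
          # outage of that system into a restart loop of every replica.
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 15
            periodSeconds: 20
            timeoutSeconds: 3
            failureThreshold: 3
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: config
              mountPath: /etc/app
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: example-app-config   # assumed ConfigMap
```

Two details worth checking in your own manifests: the readiness and liveness endpoints should be distinct, because a single endpoint that also checks dependencies will cause restarts where you only wanted the Pod taken out of rotation, and the init container should carry the same restrictive `securityContext` as the application container, since A6 does not exempt initialization from the rest of the hardening.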

APP.4.4.A12 Absicherung der Infrastruktur-Anwendungen (Securing Infrastructure Applications) (S)

This requirement essentially states that Welkin environments are only as secure as the infrastructure around them. Make sure you have a proper IT security policy in place, and regularly review the systems where you store Welkin's backups and configuration.

APP.4.4.A20 Verschlüsselte Datenhaltung bei Pods (Encrypted Data Storage for Pods) (H)

Welkin recommends that disk encryption be provided at the infrastructure level. If you have this requirement, check for full-disk encryption via the provider audit.