Capacity
CIP-003-8 R6
5
Rule
Severity: Medium
Disable Anonymous Authentication to the Kubelet
5
Rule
Severity: Medium
Ensure authorization is set to Webhook
5
Rule
Severity: Medium
kubelet - Configure the Client CA Certificate
5
Rule
Severity: Medium
kubelet - Enable Certificate Rotation
4
Rule
Severity: Medium
kubelet - Enable Client Certificate Rotation
5
Rule
Severity: Medium
kubelet - Allow Automatic Firewall Configuration
2
Rule
Severity: Medium
kubelet - Enable Protect Kernel Defaults
5
Rule
Severity: Medium
kubelet - Enable Server Certificate Rotation
6
Rule
Severity: Medium
kubelet - Do Not Disable Streaming Timeouts
5
Rule
Severity: Medium
kubelet - Ensure that the --read-only-port is secured
2
Rule
Severity: High
Ensure that application Namespaces have Network Policies defined.
2
Rule
Severity: Medium
Verify Group Who Owns The Kubelet Configuration File
2
Rule
Severity: Medium
Verify Group Who Owns The Worker Kubeconfig File
3
Rule
Severity: Medium
Verify User Who Owns The Kubelet Configuration File
2
Rule
Severity: Medium
Verify User Who Owns The Worker Kubeconfig File
3
Rule
Severity: Medium
Verify Permissions on The Kubelet Configuration File
2
Rule
Severity: Medium
Verify Permissions on the Worker Kubeconfig File
1
Rule
Severity: Medium
Ensure that File Integrity Operator is scanning the cluster
1
Rule
Severity: Medium
Restrict Automounting of Service Account Tokens
1
Rule
Severity: Medium
Ensure Usage of Unique Service Accounts
1
Rule
Severity: Medium
Disable the AlwaysAdmit Admission Control Plugin
1
Rule
Severity: High
Ensure that the Admission Control Plugin AlwaysPullImages is not set
1
Rule
Severity: Medium
Enable the NamespaceLifecycle Admission Control Plugin
1
Rule
Severity: Medium
Enable the NodeRestriction Admission Control Plugin
1
Rule
Severity: Medium
Enable the SecurityContextConstraint Admission Control Plugin
1
Rule
Severity: Medium
Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
1
Rule
Severity: Medium
Enable the ServiceAccount Admission Control Plugin
1
Rule
Severity: Medium
Ensure that anonymous requests to the API Server are authorized
3
Rule
Severity: Medium
Ensure catch-all FlowSchema object for API Priority and Fairness Exists
1
Rule
Severity: Medium
Enable the APIPriorityAndFairness feature gate
1
Rule
Severity: Medium
Ensure catch-all FlowSchema object for API Priority and Fairness Exists (v1alpha1)
1
Rule
Severity: Low
Configure the Kubernetes API Server Maximum Retained Audit Logs
1
Rule
Severity: Medium
Configure Kubernetes API Server Maximum Audit Log Size
2
Rule
Severity: High
Configure the Audit Log Path
1
Rule
Severity: Medium
The authorization-mode cannot be AlwaysAllow
1
Rule
Severity: Medium
Ensure authorization-mode Node is configured
1
Rule
Severity: Medium
Ensure authorization-mode RBAC is configured
1
Rule
Severity: Medium
Disable basic-auth-file for the API Server
1
Rule
Severity: Low
Ensure that the bindAddress is set to a relevant secure port
1
Rule
Severity: Medium
Configure the etcd Certificate for the API Server
1
Rule
Severity: Medium
Configure the etcd Certificate Key for the API Server
1
Rule
Severity: Medium
Ensure that the --kubelet-https argument is set to true
1
Rule
Severity: Medium
Disable Use of the Insecure Bind Address
1
Rule
Severity: Medium
Prevent Insecure Port Access
1
Rule
Severity: High
Configure the kubelet Certificate Authority for the API Server
1
Rule
Severity: High
Configure the kubelet Certificate File for the API Server
1
Rule
Severity: High
Configure the kubelet Certificate Key for the API Server
1
Rule
Severity: Medium
Ensure all admission control plugins are enabled
2
Rule
Severity: Medium
Ensure the openshift-oauth-apiserver service uses TLS
2
Rule
Severity: Medium
Profiling is protected by RBAC
1
Rule
Severity: Medium
Configure the API Server Minimum Request Timeout
1
Rule
Severity: Medium
Ensure that the service-account-lookup argument is set to true
1
Rule
Severity: Medium
Configure the Service Account Public Key for the API Server
1
Rule
Severity: High
Disable Token-based Authentication
1
Rule
Severity: Low
Ensure Controller insecure port argument is unset
1
Rule
Severity: Medium
Ensure that the RotateKubeletServerCertificate argument is set
1
Rule
Severity: Low
Ensure Controller secure-port argument is set
1
Rule
Severity: Medium
Configure the Service Account Certificate Authority Key for the Controller Manager
1
Rule
Severity: Medium
Configure the Service Account Private Key for the Controller Manager
1
Rule
Severity: Medium
Ensure that use-service-account-credentials is enabled
1
Rule
Severity: Medium
Disable etcd Self-Signed Certificates
1
Rule
Severity: Medium
Ensure That The etcd Client Certificate Is Correctly Set
1
Rule
Severity: Medium
Enable The Client Certificate Authentication
1
Rule
Severity: Medium
Ensure That The etcd Key File Is Correctly Set
1
Rule
Severity: Medium
Disable etcd Peer Self-Signed Certificates
1
Rule
Severity: Medium
Enable The Peer Client Certificate Authentication
1
Rule
Severity: Medium
Configure A Unique CA Certificate for etcd
1
Rule
Severity: Medium
Apply Security Context to Your Pods and Containers
1
Rule
Severity: Medium
Manage Image Provenance Using ImagePolicyWebhook
1
Rule
Severity: Medium
The default namespace should not be used
1
Rule
Severity: Medium
Ensure Seccomp Profile Pod Definitions
1
Rule
Severity: Medium
Create administrative boundaries between resources using namespaces
4
Rule
Severity: Medium
Kubelet - Ensure Event Creation Is Configured
4
Rule
Severity: Medium
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
1
Rule
Severity: Medium
kubelet - Disable the Read-Only Port
1
Rule
Severity: Medium
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults
1
Rule
Severity: Medium
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check sysctl configuration file exist
1
Rule
Severity: Medium
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxbytes
1
Rule
Severity: Medium
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxkeys
1
Rule
Severity: Medium
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.panic
1
Rule
Severity: Medium
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.panic_on_oops
1
Rule
Severity: Medium
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter vm.overcommit_memory
1
Rule
Severity: Medium
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter vm.panic_on_oom
3
Rule
Severity: Medium
Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available
3
Rule
Severity: Medium
Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree
3
Rule
Severity: Medium
Ensure Eviction threshold Settings Are Set - evictionHard: memory.available
3
Rule
Severity: Medium
Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available
3
Rule
Severity: Medium
Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree
3
Rule
Severity: Medium
Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available
3
Rule
Severity: Medium
Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree
3
Rule
Severity: Medium
Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available
3
Rule
Severity: Medium
Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available
3
Rule
Severity: Medium
Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree
20
Rule
Severity: High
Verify and Correct File Permissions with RPM
15
Rule
Severity: High
Verify and Correct Ownership with RPM
13
Rule
Severity: High
Ensure Red Hat GPG Key Installed
29
Rule
Severity: Medium
Verify that Shared Library Directories Have Restrictive Permissions
1
Rule
Severity: Medium
Ensure that the cluster's audit profile is properly set
1
Rule
Severity: Medium
Verify Group Who Owns The OpenShift Container Network Interface Files
1
Rule
Severity: Medium
Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File
1
Rule
Severity: Medium
Verify Group Who Owns The Etcd Database Directory
1
Rule
Severity: Medium
Verify Group Who Owns The Etcd Write-Ahead-Log Files
1
Rule
Severity: Medium
Verify Group Who Owns The etcd Member Pod Specification File
1
Rule
Severity: Medium
Verify Group Who Owns The Etcd PKI Certificate Files
1
Rule
Severity: Medium
Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
1
Rule
Severity: Medium
Verify Group Who Owns The Kubernetes API Server Pod Specification File
1
Rule
Severity: Medium
Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File
1
Rule
Severity: Medium
Verify Group Who Owns The Kubernetes Scheduler Pod Specification File
1
Rule
Severity: Medium
Verify Group Who Owns The OpenShift Admin Kubeconfig Files
1
Rule
Severity: Medium
Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files
1
Rule
Severity: Medium
Verify Group Who Owns The OpenShift PKI Certificate Files
1
Rule
Severity: Medium
Verify Group Who Owns The OpenShift PKI Private Key Files
1
Rule
Severity: Medium
Verify Group Who Owns The OpenShift SDN CNI Server Config
1
Rule
Severity: Medium
Verify Group Who Owns The OVNKubernetes Socket
1
Rule
Severity: Medium
Verify Group Who Owns The OVNKubernetes DB files
3
Rule
Severity: Medium
Verify Group Who Owns The Open vSwitch Configuration Database
3
Rule
Severity: Medium
Verify Group Who Owns The Open vSwitch Configuration Database Lock
1
Rule
Severity: Medium
Verify Group Who Owns The Open vSwitch Process ID File
3
Rule
Severity: Medium
Verify Group Who Owns The Open vSwitch Persistent System ID
1
Rule
Severity: Medium
Verify Group Who Owns The Open vSwitch Daemon PID File
1
Rule
Severity: Medium
Verify Group Who Owns The Open vSwitch Database Server PID
1
Rule
Severity: Medium
Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File
1
Rule
Severity: Medium
Verify User Who Owns The OpenShift Container Network Interface Files
1
Rule
Severity: Medium
Verify User Who Owns The OpenShift Controller Manager Kubeconfig File
1
Rule
Severity: Medium
Verify User Who Owns The Etcd Database Directory
1
Rule
Severity: Medium
Verify User Who Owns The Etcd Write-Ahead-Log Files
1
Rule
Severity: Medium
Verify User Who Owns The Etcd Member Pod Specification File
1
Rule
Severity: Medium
Verify User Who Owns The Etcd PKI Certificate Files
1
Rule
Severity: Medium
Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
1
Rule
Severity: Medium
Verify User Who Owns The Kubernetes API Server Pod Specification File
1
Rule
Severity: Medium
Verify User Who Owns The Kubernetes Controller Manager Pod Specification File
1
Rule
Severity: Medium
Verify User Who Owns The Kubernetes Scheduler Pod Specification File
1
Rule
Severity: Medium
Verify User Who Owns The OpenShift Admin Kubeconfig Files
1
Rule
Severity: Medium
Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files
1
Rule
Severity: Medium
Verify User Who Owns The OpenShift PKI Certificate Files
1
Rule
Severity: Medium
Verify User Who Owns The OpenShift PKI Private Key Files
1
Rule
Severity: Medium
Verify User Who Owns The OpenShift SDN CNI Server Config
1
Rule
Severity: Medium
Verify User Who Owns The OVNKubernetes Socket
1
Rule
Severity: Medium
Verify Who Owns The OVNKubernetes DB files
1
Rule
Severity: Medium
Verify User Who Owns The Open vSwitch Configuration Database
1
Rule
Severity: Medium
Verify User Who Owns The Open vSwitch Configuration Database Lock
1
Rule
Severity: Medium
Verify User Who Owns The Open vSwitch Process ID File
1
Rule
Severity: Medium
Verify User Who Owns The Open vSwitch Persistent System ID
1
Rule
Severity: Medium
Verify User Who Owns The Open vSwitch Daemon PID File
1
Rule
Severity: Medium
Verify User Who Owns The Open vSwitch Database Server PID
1
Rule
Severity: Medium
Verify User Who Owns The Kubernetes Scheduler Kubeconfig File
1
Rule
Severity: Medium
Verify Permissions on the OpenShift Container Network Interface Files
1
Rule
Severity: Medium
Verify Permissions on the OpenShift Controller Manager Kubeconfig File
1
Rule
Severity: Medium
Verify Permissions on the Etcd Database Directory
1
Rule
Severity: Medium
Verify Permissions on the Etcd Write-Ahead-Log Files
1
Rule
Severity: Medium
Verify Permissions on the Etcd Member Pod Specification File
1
Rule
Severity: Medium
Verify Permissions on the Etcd PKI Certificate Files
1
Rule
Severity: Medium
Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations
1
Rule
Severity: Medium
Verify Permissions on the Kubernetes API Server Pod Specification File
1
Rule
Severity: Medium
Verify Permissions on the Kubernetes Controller Manager Pod Specification File
1
Rule
Severity: Medium
Verify Permissions on the OpenShift Admin Kubeconfig Files
1
Rule
Severity: Medium
Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files
1
Rule
Severity: Medium
Verify Permissions on the OpenShift PKI Certificate Files
1
Rule
Severity: Medium
Verify Permissions on the OVNKubernetes socket
1
Rule
Severity: Medium
Verify Permissions on the OVNKubernetes DB files
1
Rule
Severity: Medium
Verify Permissions on the Open vSwitch Configuration Database
1
Rule
Severity: Medium
Verify Permissions on the Open vSwitch Configuration Database Lock
1
Rule
Severity: Medium
Verify Permissions on the Open vSwitch Process ID File
1
Rule
Severity: Medium
Verify Permissions on the Open vSwitch Persistent System ID
1
Rule
Severity: Medium
Verify Permissions on the Open vSwitch Daemon PID File
1
Rule
Severity: Medium
Verify Permissions on the Open vSwitch Database Server PID
1
Rule
Severity: Medium
Verify Permissions on the Kubernetes Scheduler Pod Specification File
1
Rule
Severity: Medium
Verify Permissions on the Kubernetes Scheduler Kubeconfig File
1
Rule
Severity: Medium
Verify Permissions on the OpenShift SDN CNI Server Config
1
Rule
Severity: High
Ensure that the CNI in use supports Network Policies
1
Rule
Severity: Low
Configure the OpenShift API Server Maximum Retained Audit Logs
1
Rule
Severity: Medium
Configure OpenShift API Server Maximum Audit Log Size
1
Rule
Severity: Medium
Ensure that the cluster-admin role is only used where required
1
Rule
Severity: Medium
Limit Access to Kubernetes Secrets
1
Rule
Severity: Medium
Minimize Access to Pod Creation
1
Rule
Severity: Medium
Minimize Wildcard Usage in Cluster and Local Roles
1
Rule
Severity: Medium
Ensure that Compliance Operator is scanning the cluster
1
Rule
Severity: Medium
Drop Container Capabilities
1
Rule
Severity: Medium
Limit Container Capabilities
1
Rule
Severity: Medium
Limit Access to the Host IPC Namespace
1
Rule
Severity: Medium
Limit Use of the CAP_NET_RAW
1
Rule
Severity: Medium
Limit Access to the Host Network Namespace
1
Rule
Severity: Medium
Limit Containers Ability to Escalate Privileges
1
Rule
Severity: Medium
Limit Privileged Container Use
1
Rule
Severity: Medium
Limit Access to the Host Process ID Namespace
1
Rule
Severity: Medium
Limit Container Running As Root User
1
Rule
Severity: Medium
Ensure that the bind-address parameter is not used
1
Rule
Severity: Medium
Consider external secret storage
1
Rule
Severity: Medium
Do Not Use Environment Variables with Secrets
1
Rule
Severity: Medium
Verify Group Who Owns The Worker Proxy Kubeconfig File
1
Rule
Severity: Medium
Verify Group Who Owns the Worker Certificate Authority File
1
Rule
Severity: Medium
Verify Group Who Owns The OpenShift Node Service File
1
Rule
Severity: Medium
Verify User Who Owns The Worker Proxy Kubeconfig File
1
Rule
Severity: Medium
Verify User Who Owns the Worker Certificate Authority File
1
Rule
Severity: Medium
Verify User Who Owns The OpenShift Node Service File
1
Rule
Severity: Medium
Verify Permissions on the Worker Proxy Kubeconfig File
1
Rule
Severity: Medium
Verify Permissions on the Worker Certificate Authority File
1
Rule
Severity: Medium
Verify Permissions on the OpenShift Node Service File
2
Rule
Severity: High
Ensure SUSE GPG Key Installed
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules