Req-2.2
Rules in this requirement (one row per rule; the first column is the count shown beside each entry on the source page):

 #  Type  Severity  Rule
 2  Rule  High      Ensure that application Namespaces have Network Policies defined.
 1  Rule  Medium    Restrict Automounting of Service Account Tokens
 1  Rule  Medium    Ensure Usage of Unique Service Accounts
 1  Rule  Medium    Disable the AlwaysAdmit Admission Control Plugin
 1  Rule  High      Ensure that the Admission Control Plugin AlwaysPullImages is not set
 1  Rule  Medium    Enable the NamespaceLifecycle Admission Control Plugin
 1  Rule  Medium    Enable the NodeRestriction Admission Control Plugin
 1  Rule  Medium    Enable the SecurityContextConstraint Admission Control Plugin
 1  Rule  Medium    Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
 1  Rule  Medium    Enable the ServiceAccount Admission Control Plugin
 1  Rule  Medium    Ensure that anonymous requests to the API Server are authorized
 3  Rule  Medium    Ensure catch-all FlowSchema object for API Priority and Fairness Exists
 1  Rule  Medium    Enable the APIPriorityAndFairness feature gate
 1  Rule  Medium    Ensure catch-all FlowSchema object for API Priority and Fairness Exists (v1alpha1)
 1  Rule  Low       Configure the Kubernetes API Server Maximum Retained Audit Logs
 1  Rule  Medium    Configure Kubernetes API Server Maximum Audit Log Size
 2  Rule  High      Configure the Audit Log Path
 1  Rule  Medium    The authorization-mode cannot be AlwaysAllow
 1  Rule  Medium    Ensure authorization-mode Node is configured
 1  Rule  Medium    Ensure authorization-mode RBAC is configured
 1  Rule  Medium    Disable basic-auth-file for the API Server
 1  Rule  Low       Ensure that the bindAddress is set to a relevant secure port
 1  Rule  Medium    Configure the Client Certificate Authority for the API Server
 1  Rule  Medium    Configure the Encryption Provider Cipher
 1  Rule  Medium    Configure the etcd Certificate Authority for the API Server
 1  Rule  Medium    Configure the etcd Certificate for the API Server
 1  Rule  Medium    Configure the etcd Certificate Key for the API Server
 1  Rule  Medium    Ensure that the --kubelet-https argument is set to true
 1  Rule  Medium    Disable Use of the Insecure Bind Address
 1  Rule  Medium    Prevent Insecure Port Access
 1  Rule  High      Configure the kubelet Certificate Authority for the API Server
 1  Rule  High      Configure the kubelet Certificate File for the API Server
 1  Rule  High      Configure the kubelet Certificate Key for the API Server
 1  Rule  Medium    Ensure all admission control plugins are enabled
 2  Rule  Medium    Ensure the openshift-oauth-apiserver service uses TLS
 2  Rule  Medium    Profiling is protected by RBAC
 1  Rule  Medium    Configure the API Server Minimum Request Timeout
 1  Rule  Medium    Ensure that the service-account-lookup argument is set to true
 1  Rule  Medium    Configure the Service Account Public Key for the API Server
 1  Rule  Medium    Configure the Certificate for the API Server
 1  Rule  Medium    Use Strong Cryptographic Ciphers on the API Server
 1  Rule  Medium    Configure the Certificate Key for the API Server
 1  Rule  High      Disable Token-based Authentication
 1  Rule  Medium    Ensure that Audit Log Forwarding Is Enabled
 1  Rule  Medium    Ensure that Audit Log Webhook Is Configured
 1  Rule  Medium    Configure An Identity Provider
 1  Rule  Low       Ensure Controller insecure port argument is unset
 1  Rule  Medium    Ensure that the RotateKubeletServerCertificate argument is set
 1  Rule  Low       Ensure Controller secure-port argument is set
 1  Rule  Medium    Configure the Service Account Certificate Authority Key for the Controller Manager
 1  Rule  Medium    Configure the Service Account Private Key for the Controller Manager
 1  Rule  Medium    Ensure that use-service-account-credentials is enabled
 1  Rule  Medium    Disable etcd Self-Signed Certificates
 1  Rule  Medium    Ensure That The etcd Client Certificate Is Correctly Set
 1  Rule  Medium    Enable The Client Certificate Authentication
 1  Rule  Medium    Ensure That The etcd Key File Is Correctly Set
 1  Rule  Medium    Disable etcd Peer Self-Signed Certificates
 1  Rule  Medium    Ensure That The etcd Peer Client Certificate Is Correctly Set
 1  Rule  Medium    Enable The Peer Client Certificate Authentication
 1  Rule  Medium    Ensure That The etcd Peer Key File Is Correctly Set
 1  Rule  Medium    Apply Security Context to Your Pods and Containers
 1  Rule  Medium    Manage Image Provenance Using ImagePolicyWebhook
 1  Rule  Medium    The default namespace should not be used
 1  Rule  Medium    Ensure Seccomp Profile Pod Definitions
 1  Rule  Medium    Create administrative boundaries between resources using namespaces
 1  Rule  Medium    Ensure That The kubelet Client Certificate Is Correctly Set
 1  Rule  Medium    Ensure That The kubelet Server Key Is Correctly Set
 1  Rule  Medium    kubelet - Disable the Read-Only Port
16  Rule  High      Configure Libreswan to use System Crypto Policy
16  Rule  Medium    Configure OpenSSL library to use System Crypto Policy
16  Rule  Medium    Configure SSH to use System Crypto Policy
 1  Rule  Medium    Ensure that the cluster's audit profile is properly set
 1  Rule  High      Ensure that the CNI in use supports Network Policies
 1  Rule  High      Ensure that HyperShift Hosted Namespaces have Network Policies defined.
 1  Rule  Low       Configure the OpenShift API Server Maximum Retained Audit Logs
 1  Rule  Medium    Configure OpenShift API Server Maximum Audit Log Size
 1  Rule  Medium    Ensure that the cluster-admin role is only used where required
 1  Rule  Medium    Limit Access to Kubernetes Secrets
 1  Rule  Medium    Minimize Access to Pod Creation
 1  Rule  Medium    Minimize Wildcard Usage in Cluster and Local Roles
 1  Rule  Medium    Drop Container Capabilities
 1  Rule  Medium    Limit Container Capabilities
 1  Rule  Medium    Limit Access to the Host IPC Namespace
 1  Rule  Medium    Limit Use of the CAP_NET_RAW
 1  Rule  Medium    Limit Access to the Host Network Namespace
 1  Rule  Medium    Limit Containers Ability to Escalate Privileges
 1  Rule  Medium    Limit Privileged Container Use
 1  Rule  Medium    Limit Access to the Host Process ID Namespace
 1  Rule  Medium    Limit Container Running As Root User
 1  Rule  Medium    Ensure that the bind-address parameter is not used
 1  Rule  Medium    Consider external secret storage
 1  Rule  Medium    Do Not Use Environment Variables with Secrets
 1  Rule  Medium    Verify Group Who Owns The Worker Proxy Kubeconfig File
 1  Rule  Medium    Verify User Who Owns The Worker Proxy Kubeconfig File
 1  Rule  Medium    Verify Permissions on the Worker Proxy Kubeconfig File
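The listing gives rule titles only, not what each one actually inspects. The following checker is an added example, not Compliance Operator or ComplianceAsCode code: it evaluates a kube-apiserver command line and a Pod manifest offline against the rules above that map directly to a flag or a field (authorization-mode, anonymous requests, basic-auth-file and token-based authentication, insecure bind address and port, kubelet-https, service-account-lookup, the client/etcd/kubelet/TLS certificate and key files, encryption provider config, audit log path, size and retention, request timeout, the AlwaysAdmit, AlwaysPullImages, NamespaceLifecycle, NodeRestriction and ServiceAccount admission plugins, strong ciphers; and for pods the default namespace, unique service accounts, token automounting, host IPC/network/PID namespaces, privileged containers, privilege escalation, capabilities and CAP_NET_RAW, running as root, seccomp profiles and secrets in environment variables). The flag names are real kube-apiserver options; the cipher allowlist (AEAD suites in Go's naming), the finding texts, the sample paths, image and namespace names, and the `parse_args`, `check_apiserver` and `check_pod` functions are this example's own. Two assumptions are marked in the code: "anonymous requests are authorized" is read as "anonymous-auth may stay enabled only if RBAC is in authorization-mode", and NamespaceLifecycle/ServiceAccount are treated as on by default while NodeRestriction must be enabled explicitly. Several of the flags checked (`--insecure-port`, `--insecure-bind-address`, `--basic-auth-file`, `--kubelet-https`) have been removed from newer kube-apiserver releases, so their absence is treated as compliant.

```python
"""Offline checks for a subset of the rules listed above (added example, not Compliance
Operator or ComplianceAsCode code). It scores a kube-apiserver command line and a Pod
manifest, both constructed below, against rules from the listing. Flag names are real
kube-apiserver options; the cipher allowlist, finding texts and inputs are this example's."""

def parse_args(argv: list[str]) -> dict[str, str]:
    """Map '--k=v', '--k v' and bare '--k' to {'k': 'v'}; the last value wins."""
    out, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            key, sep, val = tok[2:].partition("=")
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                i, val = i + 1, argv[i + 1]  # value carried in the next token
            out[key] = val if (sep or val) else "true"  # bare switch means true
        i += 1
    return out

STRONG_CIPHERS = {  # Go TLS names, AEAD suites only (this example's own allowlist)
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}
REQUIRED_FLAGS = (  # the listing wants each of these configured; the first 12 are file paths
    "client-ca-file", "etcd-cafile", "etcd-certfile", "etcd-keyfile",
    "kubelet-certificate-authority", "kubelet-client-certificate", "kubelet-client-key",
    "tls-cert-file", "tls-private-key-file", "service-account-key-file",
    "encryption-provider-config", "audit-log-path",
    "audit-log-maxbackup", "audit-log-maxsize", "request-timeout")

def check_apiserver(args: dict[str, str]) -> list[str]:
    f = []  # one finding per violated rule; empty means every check passed
    modes = set(args.get("authorization-mode", "AlwaysAllow").split(","))  # upstream default
    if "AlwaysAllow" in modes:
        f.append("authorization-mode is AlwaysAllow")
    f += [f"authorization-mode lacks {m}" for m in ("Node", "RBAC") if m not in modes]
    if args.get("anonymous-auth", "true") != "false" and "RBAC" not in modes:
        f.append("anonymous requests are not subject to authorization")  # assumed reading of the rule
    f += [f"--{k} is set" for k in ("basic-auth-file", "token-auth-file", "insecure-bind-address") if k in args]
    if args.get("insecure-port", "0") != "0":
        f.append("insecure port is enabled")
    f += [f"--{k} is not true" for k in ("kubelet-https", "service-account-lookup") if args.get(k, "true") != "true"]
    f += [f"--{k} is not configured" for k in REQUIRED_FLAGS if not args.get(k)]
    enabled = set(filter(None, args.get("enable-admission-plugins", "").split(",")))
    disabled = set(filter(None, args.get("disable-admission-plugins", "").split(",")))
    f += [f"admission plugin {p} is enabled" for p in ("AlwaysAdmit", "AlwaysPullImages") if p in enabled]
    for p in ("NamespaceLifecycle", "ServiceAccount", "NodeRestriction"):
        if p in disabled or (p == "NodeRestriction" and p not in enabled):  # assumed: only NodeRestriction is off by default
            f.append(f"admission plugin {p} is not enabled")
    ciphers = set(filter(None, args.get("tls-cipher-suites", "").split(",")))
    if not ciphers:
        f.append("--tls-cipher-suites is not configured")
    f += [f"weak cipher {c}" for c in sorted(ciphers - STRONG_CIPHERS)]
    return f

def check_pod(pod: dict) -> list[str]:
    f, meta, spec = [], pod.get("metadata", {}), pod.get("spec", {})
    f += [msg for bad, msg in (
        (meta.get("namespace", "default") == "default", "pod runs in the default namespace"),
        (spec.get("automountServiceAccountToken", True), "service account token is automounted"),
        (spec.get("serviceAccountName", "default") == "default", "pod uses the default service account"),
    ) if bad]
    f += [f"{k} is enabled" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    psc = spec.get("securityContext", {})  # pod-level context; container-level overrides it
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        nonroot = sc.get("runAsNonRoot") or psc.get("runAsNonRoot")
        checks = [
            (sc.get("privileged"), "privileged"),
            (sc.get("allowPrivilegeEscalation", True), "allowPrivilegeEscalation is not false"),
            (not nonroot and sc.get("runAsUser", psc.get("runAsUser", 0)) == 0, "may run as root"),
            ("ALL" not in sc.get("capabilities", {}).get("drop", []), "capabilities not dropped"),
            ("NET_RAW" in sc.get("capabilities", {}).get("add", []), "adds CAP_NET_RAW"),
            (not (sc.get("seccompProfile") or psc.get("seccompProfile")), "no seccomp profile"),
        ]
        f += [f"{name}: {msg}" for bad, msg in checks if bad]
        f += [f"{name}: secret in env {e['name']}" for e in c.get("env", [])
              if "secretKeyRef" in e.get("valueFrom", {})]
    return f

# Constructed inputs: a weak control plane and pod beside hardened ones.
WEAK_ARGS = ["kube-apiserver", "--authorization-mode=AlwaysAllow", "--insecure-port", "8080",
             "--basic-auth-file=/etc/kubernetes/users.csv", "--enable-admission-plugins=AlwaysAdmit",
             "--tls-cipher-suites=TLS_RSA_WITH_RC4_128_SHA"]
HARDENED_ARGS = ["kube-apiserver", "--authorization-mode=Node,RBAC", "--request-timeout=300s",
                 "--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,ServiceAccount",
                 "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_256_GCM_SHA384",
                 "--audit-log-maxbackup=10", "--audit-log-maxsize=100",
                 ] + [f"--{k}=/etc/kubernetes/pki/{k}" for k in REQUIRED_FLAGS[:12]]
WEAK_POD = {"metadata": {"name": "app"}, "spec": {"hostNetwork": True, "containers": [{
    "name": "app", "image": "registry.example/app:1",
    "securityContext": {"privileged": True, "capabilities": {"add": ["NET_RAW"]}},
    "env": [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}]}]}}
HARDENED_POD = {"metadata": {"name": "app", "namespace": "payments"}, "spec": {
    "serviceAccountName": "payments-api", "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "registry.example/app:1", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
```

Run `check_apiserver(parse_args(WEAK_ARGS))` to see the weak control plane produce one finding per listed rule it violates (24 in total, including one for every certificate, key, audit and timeout flag that is missing), while `check_apiserver(parse_args(HARDENED_ARGS))` and `check_pod(HARDENED_POD)` return empty lists. On a live OpenShift cluster the kube-apiserver arguments come from the static pod manifest or the KubeAPIServer operator config rather than a command line, and the Compliance Operator rules read those objects; the checks themselves are the same comparisons.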