Disable Anonymous Authentication to the Kubelet
Ensure authorization is set to Webhook
kubelet - Configure the Client CA Certificate
kubelet - Enable Certificate Rotation
kubelet - Enable Client Certificate Rotation
kubelet - Allow Automatic Firewall Configuration
kubelet - Enable Protect Kernel Defaults
kubelet - Enable Server Certificate Rotation
kubelet - Do Not Disable Streaming Timeouts
Verify Group Who Owns The Kubelet Configuration File
Verify Group Who Owns The Worker Kubeconfig File
Verify User Who Owns The Kubelet Configuration File
Verify User Who Owns The Worker Kubeconfig File
Verify Permissions on the Kubelet Configuration File
Verify Permissions on the Worker Kubeconfig File
Ensure that File Integrity Operator is scanning the cluster
Restrict Automounting of Service Account Tokens
Ensure Usage of Unique Service Accounts
Disable the AlwaysAdmit Admission Control Plugin
Ensure that the Admission Control Plugin AlwaysPullImages is not set
Enable the NamespaceLifecycle Admission Control Plugin
Enable the NodeRestriction Admission Control Plugin
Enable the SecurityContextConstraint Admission Control Plugin
Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
Enable the ServiceAccount Admission Control Plugin
Ensure that anonymous requests to the API Server are authorized
Ensure catch-all FlowSchema object for API Priority and Fairness Exists
Enable the APIPriorityAndFairness feature gate
Ensure catch-all FlowSchema object for API Priority and Fairness Exists (v1alpha1)
Configure the Kubernetes API Server Maximum Retained Audit Logs
Configure Kubernetes API Server Maximum Audit Log Size
Configure the Audit Log Path
The authorization-mode cannot be AlwaysAllow
Ensure authorization-mode Node is configured
Ensure authorization-mode RBAC is configured
Disable basic-auth-file for the API Server
Ensure that the bindAddress is set to a relevant secure port
Configure the etcd Certificate for the API Server
Configure the etcd Certificate Key for the API Server
Ensure that the --kubelet-https argument is set to true
Disable Use of the Insecure Bind Address
Prevent Insecure Port Access
Configure the kubelet Certificate Authority for the API Server
Configure the kubelet Certificate File for the API Server
Configure the kubelet Certificate Key for the API Server
Ensure all admission control plugins are enabled
Ensure the openshift-oauth-apiserver service uses TLS
Profiling is protected by RBAC
Configure the API Server Minimum Request Timeout
Ensure that the service-account-lookup argument is set to true
Configure the Service Account Public Key for the API Server
Use Strong Cryptographic Ciphers on the API Server
Disable Token-based Authentication
Ensure Controller insecure port argument is unset
Ensure that the RotateKubeletServerCertificate argument is set
Ensure Controller secure-port argument is set
Configure the Service Account Certificate Authority Key for the Controller Manager
Configure the Service Account Private Key for the Controller Manager
Ensure that use-service-account-credentials is enabled
Disable etcd Self-Signed Certificates
Ensure That The etcd Client Certificate Is Correctly Set
Enable The Client Certificate Authentication
Ensure That The etcd Key File Is Correctly Set
Disable etcd Peer Self-Signed Certificates
Enable The Peer Client Certificate Authentication
Configure A Unique CA Certificate for etcd
Apply Security Context to Your Pods and Containers
Manage Image Provenance Using ImagePolicyWebhook
The default namespace should not be used
Ensure Seccomp Profile Pod Definitions
Create administrative boundaries between resources using namespaces
Kubelet - Ensure Event Creation Is Configured
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
kubelet - Disable the Read-Only Port
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check sysctl configuration file exists
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxbytes
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxkeys
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.panic
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.panic_on_oops
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter vm.overcommit_memory
kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter vm.panic_on_oom
Ensure Eviction Threshold Settings Are Set - evictionHard: imagefs.available
Ensure Eviction Threshold Settings Are Set - evictionHard: imagefs.inodesFree
Ensure Eviction Threshold Settings Are Set - evictionHard: memory.available
Ensure Eviction Threshold Settings Are Set - evictionHard: nodefs.available
Ensure Eviction Threshold Settings Are Set - evictionHard: nodefs.inodesFree
Ensure Eviction Threshold Settings Are Set - evictionSoft: imagefs.available
Ensure Eviction Threshold Settings Are Set - evictionSoft: imagefs.inodesFree
Ensure Eviction Threshold Settings Are Set - evictionSoft: memory.available
Ensure Eviction Threshold Settings Are Set - evictionSoft: nodefs.available
Ensure Eviction Threshold Settings Are Set - evictionSoft: nodefs.inodesFree
Verify Group Who Owns The OpenShift Container Network Interface Files
Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File
Verify Group Who Owns The Etcd Database Directory
Verify Group Who Owns The Etcd Write-Ahead-Log Files
Verify Group Who Owns The Etcd Member Pod Specification File
Verify Group Who Owns The Etcd PKI Certificate Files
Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
Verify Group Who Owns The Kubernetes API Server Pod Specification File
Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File
Verify Group Who Owns The Kubernetes Scheduler Pod Specification File
Verify Group Who Owns The OpenShift Admin Kubeconfig Files
Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files
Verify Group Who Owns The OpenShift PKI Certificate Files
Verify Group Who Owns The OpenShift PKI Private Key Files
Verify Group Who Owns The OpenShift SDN CNI Server Config
Verify Group Who Owns The OVNKubernetes Socket
Verify Group Who Owns The OVNKubernetes DB Files
Verify Group Who Owns The Open vSwitch Configuration Database
Verify Group Who Owns The Open vSwitch Configuration Database Lock
Verify Group Who Owns The Open vSwitch Process ID File
Verify Group Who Owns The Open vSwitch Persistent System ID
Verify Group Who Owns The Open vSwitch Daemon PID File
Verify Group Who Owns The Open vSwitch Database Server PID
Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File
Verify User Who Owns The OpenShift Container Network Interface Files
Verify User Who Owns The OpenShift Controller Manager Kubeconfig File
Verify User Who Owns The Etcd Database Directory
Verify User Who Owns The Etcd Write-Ahead-Log Files
Verify User Who Owns The Etcd Member Pod Specification File
Verify User Who Owns The Etcd PKI Certificate Files
Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
Verify User Who Owns The Kubernetes API Server Pod Specification File
Verify User Who Owns The Kubernetes Controller Manager Pod Specification File
Verify User Who Owns The Kubernetes Scheduler Pod Specification File
Verify User Who Owns The OpenShift Admin Kubeconfig Files
Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files
Verify User Who Owns The OpenShift PKI Certificate Files
Verify User Who Owns The OpenShift PKI Private Key Files
Verify User Who Owns The OpenShift SDN CNI Server Config
Verify User Who Owns The OVNKubernetes Socket
Verify User Who Owns The OVNKubernetes DB Files
Verify User Who Owns The Open vSwitch Configuration Database
Verify User Who Owns The Open vSwitch Configuration Database Lock
Verify User Who Owns The Open vSwitch Process ID File
Verify User Who Owns The Open vSwitch Persistent System ID
Verify User Who Owns The Open vSwitch Daemon PID File
Verify User Who Owns The Open vSwitch Database Server PID
Verify User Who Owns The Kubernetes Scheduler Kubeconfig File
Verify Permissions on the OpenShift Container Network Interface Files
Verify Permissions on the OpenShift Controller Manager Kubeconfig File
Verify Permissions on the Etcd Database Directory
Verify Permissions on the Etcd Write-Ahead-Log Files
Verify Permissions on the Etcd Member Pod Specification File
Verify Permissions on the Etcd PKI Certificate Files
Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations
Verify Permissions on the Kubernetes API Server Pod Specification File
Verify Permissions on the Kubernetes Controller Manager Pod Specification File
Verify Permissions on the OpenShift Admin Kubeconfig Files
Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files
Verify Permissions on the OpenShift PKI Certificate Files
Verify Permissions on the OpenShift PKI Private Key Files
Verify Permissions on the OVNKubernetes Socket
Verify Permissions on the OVNKubernetes DB Files
Verify Permissions on the Open vSwitch Configuration Database
Verify Permissions on the Open vSwitch Configuration Database Lock
Verify Permissions on the Open vSwitch Process ID File
Verify Permissions on the Open vSwitch Persistent System ID
Verify Permissions on the Open vSwitch Daemon PID File
Verify Permissions on the Open vSwitch Database Server PID
Verify Permissions on the Kubernetes Scheduler Pod Specification File
Verify Permissions on the Kubernetes Scheduler Kubeconfig File
Verify Permissions on the OpenShift SDN CNI Server Config
Configure the OpenShift API Server Maximum Retained Audit Logs
Configure OpenShift API Server Maximum Audit Log Size
Ensure that the cluster-admin role is only used where required
Limit Access to Kubernetes Secrets
Minimize Access to Pod Creation
Minimize Wildcard Usage in Cluster and Local Roles
Drop Container Capabilities
Limit Container Capabilities
Limit Access to the Host IPC Namespace
Limit Use of CAP_NET_RAW
Limit Containers' Ability to Escalate Privileges
Limit Access to the Host Process ID Namespace
Ensure that the bind-address parameter is not used
Consider external secret storage
Do Not Use Environment Variables with Secrets
Verify Group Who Owns The Worker Proxy Kubeconfig File
Verify Group Who Owns The Worker Certificate Authority File
Verify Group Who Owns The OpenShift Node Service File
Verify User Who Owns The Worker Proxy Kubeconfig File
Verify User Who Owns The Worker Certificate Authority File
Verify User Who Owns The OpenShift Node Service File
Verify Permissions on the Worker Proxy Kubeconfig File
Verify Permissions on the Worker Certificate Authority File
Verify Permissions on the OpenShift Node Service File