Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
OpenShift Kube APIServer TLS cert
OpenShift Kube APIServer TLS certValue -
OpenShift Kube APIServer TLS private key
OpenShift Kube APIServer TLS private keyValue -
OpenShift Kube APIServer kubelet certificate authority
OpenShift Kube APIServer kubelet certificate authorityValue -
OpenShift Kube APIServer kubelet client cert
OpenShift Kube APIServer kubelet client certValue -
Root of files obtained from OCP nodes
When scanning OpenShift clusters, some settings are not exposed as files. In the case that they are exported from the cluster (typically as yaml fi...Value -
OpenShift Kube APIServer kubelet client key
OpenShift Kube APIServer kubelet client keyValue -
Introduction
The purpose of this guidance is to provide security configuration recommendations and baselines for Red Hat OpenShift Container Platform 4. The gui...Group -
General Principles
The following general principles motivate much of the advice in this guide and should also influence any configuration decisions that are not expli...Group -
Encrypt Transmitted Data Whenever Possible
Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such ...Group -
Least Privilege
Grant the least privilege necessary for user accounts and software to perform tasks. For example, <code>sudo</code> can be implemented to limit aut...Group -
Run Different Network Services on Separate Systems
Whenever possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compro...Group -
Configure Security Tools to Improve System Robustness
Several tools exist which can be effectively used to improve a system's resistance to and detection of unknown attacks. These tools can improve rob...Group -
How to Use This Guide
Readers should heed the following points when using the guide.Group -
Formatting Conventions
Commands intended for shell execution, as well as configuration file text, are featured in a <code>monospace font</code>. <i>Italics</i> are used t...Group -
Read Sections Completely and in Order
Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instr...Group -
Reboot Required
A system or service reboot is implicitly required after some actions in order to complete the reconfiguration of the system. In many cases, the cha...Group -
Root Shell Environment Assumed
Most of the actions listed in this document are written with the assumption that they will be executed by the root user running the <code>/bin/bash...Group -
Test in Non-Production Environment
This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which t...Group -
Kubernetes Settings
Each section of this configuration guide includes information about the configuration of a Kubernetes cluster and a set of recommendations for hard...Group -
HyperShift Cluster Name
When this parameter is set, we will assume the cluster is a HyperShift cluster, and we will fetch the OCP version api resource for HyperShift clusterValue
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.