Skip to content
Log In

Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Verify Permissions on the Open vSwitch Persistent System ID

    To properly set the permissions of /etc/openvswitch/system-id.conf, run the command: 
    $ sudo chmod 0644 /etc/openvswitch/system-id.conf
    Rule Medium Severity
    Show

  • Verify Permissions on the Open vSwitch Daemon PID File

    To properly set the permissions of /run/openvswitch/ovs-vswitchd.pid, run the command: 
    $ sudo chmod 0644 /run/openvswitch/ovs-vswitchd.pid
    Rule Medium Severity
    Show

  • Verify Permissions on the Open vSwitch Database Server PID

    To properly set the permissions of /run/openvswitch/ovsdb-server.pid, run the command: 
    $ sudo chmod 0644 /run/openvswitch/ovsdb-server.pid
    Rule Medium Severity
    Show

  • Verify Permissions on the Kubernetes Scheduler Kubeconfig File

    To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig</code>, run the command: <pre>$ sudo chmod 0600 /etc/k...
    Rule Medium Severity
    Show

  • The OpenShift etcd Data Directory Must Have Mode 0700

    To properly set the permissions of /var/lib/etcd, run the command: 
    $ sudo chmod 0700 /var/lib/etcd
    Rule Medium Severity
    Show

  • Verify Permissions on the OpenShift SDN CNI Server Config

    To properly set the permissions of /var/run/openshift-sdn/cniserver/config.json, run the command: 
    $ sudo chmod 0444 /var/run/openshift-sdn/cniserver/config.json
    Rule Medium Severity
    Show

  • Kubernetes - Network Configuration and Firewalls

    Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking wh...
    Group
    Show

  • Verify User Who Owns The OpenShift Node Service File

    ' To properly set the owner of /etc/systemd/system/kubelet.service, run the command: 
    $ sudo chown root /etc/systemd/system/kubelet.service
    '
    Rule Medium Severity
    Show

  • Ensure that the CNI in use supports Network Policies

    There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster. OpenShift sup...
    Rule High Severity
    Show

  • Ensure that HyperShift Hosted Namespaces have Network Policies defined.

    Use network policies to isolate traffic in your cluster network.
    Rule High Severity
    Show

  • Ensure that application Namespaces have Network Policies defined.

    Use network policies to isolate traffic in your cluster network.
    Rule High Severity
    Show

  • Ensure that the default Ingress CA (wildcard issuer) has been replaced

    Check that the default Ingress CA has been replaced.
    Rule Medium Severity
    Show

  • Ensure that the default Ingress certificate has been replaced

    Check that the default Ingress certificate has been replaced.
    Rule Medium Severity
    Show

  • Ensure IngressController is configured to use secure tlsSecurityProfile

    <p> The configuration <code>tlsSecurityProfile</code> specifies TLS configurations to be used while establishing connections with the externally exposed servers. Though secure transp...
    Rule Medium Severity
    Show

  • Ensure custom tlsSecurityProfile configured for IngressController uses secure TLS version

    The configuration <code>tlsSecurityProfile</code> specifies TLS configurations to be used while establishing connections with the externally exposed servers. Though secure transport mode is used fo...
    Rule Medium Severity
    Show

  • Ensure IngressController is not configured to use Old tlsSecurityProfile

    The configuration <code>tlsSecurityProfile</code> specifies TLS configurations to be used while establishing connections with the externally exposed servers. Though secure transport mode is used fo...
    Rule Medium Severity
    Show

  • Ensure that project templates autocreate Network Policies

    Configure a template for newly created projects to use default network policies and make sure this template is referenced from the default project template. The OpenShift Container Platform API se...
    Rule Medium Severity
    Show

  • Ensure that project templates autocreate Network Policies

    Configure a template for newly created projects to use default network policies. For more information, follow <a href="https://docs.openshift.com/container-platform/latest/networking/network_policy...
    Rule Medium Severity
    Show

  • Ensure that all OpenShift Routes prefer TLS

    OpenShift Container Platform provides methods for communicating from outside the cluster with services running in the cluster. TLS must be used to protect these communications. OpenShift Routes pro...
    Rule Medium Severity
    Show

  • Configure OpenShift API Server Maximum Audit Log Size

    To rotate audit logs upon reaching a maximum size, edit the <code>openshift-apiserver</code> configmap and set the <code>audit-log-maxsize</code> parameter to an appropriate size in MB. For example...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules