Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Ensure no RoleBindings set for default Service Account

    Using the <code>default</code> service account prevents accurate application rights review and audit tracing. Instead of <code>default</code>, create a new and unique service account and associate ...
    Rule Medium Severity
  • Ensure Usage of Unique Service Accounts

    Using the <code>default</code> service account prevents accurate application rights review and audit tracing. Instead of <code>default</code>, create a new and unique service account with the follo...
    Rule Medium Severity
  • Enable the NodeRestriction Admission Control Plugin

    To limit the <code>Node</code> and <code>Pod</code> objects that a kubelet could modify, ensure that the <code>NodeRestriction</code> plugin on kubelets is enabled in the api-server configuration b...
    Rule Medium Severity
  • Enable the ServiceAccount Admission Control Plugin

    To ensure <code>ServiceAccount</code> objects must be created and granted before pod creation is allowed, follow the documentation and create <code>ServiceAccount</code> objects as per your environ...
    Rule Medium Severity
  • Ensure that anonymous requests to the API Server are authorized

    By default, anonymous access to the OpenShift API is enabled, but at the same time, all requests must be authorized. If no authentication mechanism is used, the request is assigned the <code>system...
    Rule Medium Severity
  • Ensure catch-all FlowSchema object for API Priority and Fairness Exists

    Using the <code>APIPriorityAndFairness</code> feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known FlowSchema <code>catch-a...
    Rule Medium Severity
  • Ensure that Audit Log Forwarding Is Enabled

    OpenShift audit works at the API server level, logging all requests coming to the server. Audit is on by default and the best practice is to ship audit logs off the cluster for retention. The clust...
    Rule Medium Severity
  • Configure the Client Certificate Authority for the API Server

    Certificates must be provided to fully set up TLS client certificate authentication. To ensure the API Server utilizes its own TLS certificates, the <code>clientCA</code> must be configured. Verify ...
    Rule Medium Severity
  • Configure the Encryption Provider Cipher

    When you enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted: Secrets, ConfigMaps, Routes, ...
    Rule Medium Severity
  • Prevent Insecure Port Access

    By default, traffic for the OpenShift API server is served over HTTPS with authentication and authorization, and the secure API endpoint is bound to <code>0.0.0.0:8443</code>. To ensure that the in...
    Rule Medium Severity
  • Configure the API Server Minimum Request Timeout

    The API server minimum request timeout defines the minimum number of seconds a handler must keep a request open before timing it out. To set this, edit the <code>openshift-kube-apiserver</code> con...
    Rule Medium Severity
  • Ensure APIServer is configured with secure tlsSecurityProfile

    The configuration <code>tlsSecurityProfile</code> specifies TLS configurations to be used while establishing connections with the externally exposed servers. Though secure transp...
    Rule Medium Severity
  • OAuth Token Maximum Age

    Enter OAuth Token Maximum Age Timeout
    Value
  • Configure An Identity Provider

    For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user associated with requests to the...
    Rule Medium Severity
  • Configure OAuth server so that tokens expire after a set period of inactivity

    You can configure OAuth tokens to expire after a set period of inactivity. By default, no token inactivity timeout is set. The inactivity timeout can be ei...
    Rule Medium Severity
  • Configure OAuth clients so that tokens have a maximum age set

    You can configure OAuth tokens to have a custom duration. By default, the tokens are valid for 24 hours (86400 seconds). The maximum age can be either...
    Rule Medium Severity
  • Do Not Use htpasswd-based IdP

    For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user associated with requests to the...
    Rule Medium Severity
  • OpenShift - Confinement

    Contains evaluations to configure and assess the confinement of the cluster's applications and workloads.
    Group
  • Make sure the Security Profiles Operator is installed

    The Security Profiles Operator provides a way to define secure computing (seccomp) profiles and SELinux profiles as custom resources that are synchronized to every node in a given namespace. Using sec...
    Rule Medium Severity
