Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Ensure Controller insecure port argument is unset

    To ensure the Controller Manager service is bound to a secure loopback address and a secure port, set the RotateKubeletServerCertificate option to true in the openshif...
    Rule Low Severity
  • Ensure that the RotateKubeletServerCertificate argument is set

    To enforce kubelet server certificate rotation on the Controller Manager, set the RotateKubeletServerCertificate option to true in the openshift-kube-controller-mana...
    Rule Medium Severity
  • Ensure that use-service-account-credentials is enabled

    To ensure individual service account credentials are used, set the use-service-account-credentials option to true in the openshift-kube-controller-manager con...
    Rule Medium Severity
  • Configure Recurring Backups For etcd

    Back up your cluster's etcd data regularly and store it in a secure location, ideally outside the OpenShift Container Platform environment. Do not take an etcd backup before the first...
    Rule Medium Severity
  • Enable The Client Certificate Authentication

    To ensure the etcd service is serving TLS to clients, make sure the etcd-pod* ConfigMaps in the openshift-etcd namespace contain the follo...
    Rule Medium Severity
  • Maximum number of seconds between descheduler runs

    You can configure the maximum amount of time between descheduler runs in seconds.
    Value
  • Known CRDs which are provided by backup solutions

    A regular expression that lists all CRDs that are known to be part of a backup solution
    Value
  • Namespaces exempt from Daemonset Resource Limit

    Regular expression of namespaces explicitly allowed through the daemonset resource filters; e.g. setting the value to "namespace1|namespace2" exempts the namespaces "namespace1" and "namespace2" from the daemonset ...
    Value
  • Namespaces exempt from Deployment Resource Limit

    Regular expression of namespaces explicitly allowed through the deployment resource filters; e.g. setting the value to "namespace1|namespace2" exempts the namespaces "namespace1" and "namespace2" from the deploymen...
    Value
  • Namespaces exempt from Resource Requests Quota per Project checks

    Regular expression of namespaces explicitly allowed through the deployment resource filters; e.g. setting the value to "namespace1|namespace2" exempts the namespaces "namespace1" and "namespace2" from the deploymen...
    Value
  • Namespaces exempt from Statefulset Resource Limit

    Regular expression of namespaces explicitly allowed through the statefulset resource filters; e.g. setting the value to "namespace1|namespace2" exempts the namespaces "namespace1" and "namespace2" from the stateful...
    Value
  • Ensure that Advanced Cluster Security (ACS) Sensor is deployed

    Red Hat Advanced Cluster Security (ACS) for Kubernetes provides comprehensive security for containerized environments. It offers deep visibility into deployed resources across Kubernetes clusters, ...
    Rule Medium Severity
  • Ensure that an OpenShift OAuth login template or a classification banner is set

    A legal notice must be configured. This is achievable via the OAuth object by creating a custom login page, storing it in a Kubernetes Secret and referencing it in the appropriate field as ...
    Rule Medium Severity
  • A Backup Solution Has To Be Installed

    Backup and restore are fundamental practices when it comes to disaster recovery. By using backup software you are able to back up (and restore) data that would be lost if your cluster crashes bey...
    Rule Medium Severity
  • Manage Image Provenance Using ImagePolicyWebhook

    OpenShift administrators can control which images can be imported, tagged, and run in a cluster. There are two facilities for this purpose: (1) Allowed Registries, allowing administrators to restri...
    Rule Medium Severity
  • Each Namespace should only host one application

    Use namespaces to isolate your Kubernetes objects.
    Rule Medium Severity
  • Create Network Boundaries between Functionally Different Nodes

    Use different Networks for Control Plane, Worker and Individual Application Services.
    Rule Medium Severity
  • Create Boundaries between Resources using Nodes or Clusters

    Use Nodes or Clusters to isolate Workloads with high protection requirements. Run the following command and review the pods and how they are deployed on Nodes. $ oc get pod -o=custom-columns=...
    Rule Medium Severity
  • Ensure that the LifecycleAndUtilization Profile for the Kube Descheduler Operator is Enabled

    If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly. No pod should run for more than 24 hours. The availability ...
    Rule Medium Severity
  • Ensure that the Kube Descheduler operator is deployed

    If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly. No pod should run for more than 24 hours. The availability ...
    Rule Medium Severity
