Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Ensure that all workloads have liveness and readiness probes

    Configuring Kubernetes liveness and readiness probes is essential for ensuring the security and reliability of a system. These probes actively monitor container health and readiness, facilitating a...
    Rule Medium Severity
  • Ensure that the OpenShift OAuth logout URL is set

    The user can be redirected to a configured URL upon logout. This is achievable via the OAuth object by setting the logoutRedirect attribute. Refer to https://docs.openshi...
    Rule Medium Severity
  • Ensure that the OpenShift MOTD is set

    To configure OpenShift's MOTD, create a ConfigMap called motd in the openshift namespace. The object should look as follows: --- apiVersion: v1 kind: Config...
    Rule Medium Severity
  • Ensure workloads use resource requests and limits

    There are two ways to enable resource requests and limits. To create either: A multi-project quota, defined by a ClusterResourceQuota object, allows quotas to be shared across multiple projects. ...
    Rule Medium Severity
  • Ensure workloads use cluster resource requests and limits

    There are two ways to enable resource requests and limits. To create either: A multi-project quota, defined by a ClusterResourceQuota object, allows quotas to be shared across multiple projects. ...
    Rule Medium Severity
  • Ensure TLS v1.2 is minimum for OpenShift master and worker nodes

    Ensure that the Kubelet is configured to only use strong cryptographic ciphers. To set the cipher suites for the kubelet, create a new or modify an existing KubeletConfig object along these...
    Rule Medium Severity
  • Disable Anonymous Authentication to the Kubelet

    By default, anonymous access to the Kubelet server is enabled. This configuration check ensures that anonymous requests to the Kubelet server are disabled. Edit the Kubelet server configuration fil...
    Rule Medium Severity
  • Kubelet - Ensure Event Creation Is Configured

    Security relevant information should be captured. The eventRecordQPS Kubelet option can be used to limit the rate at which events are gathered. Setting this too low could result in relevant events ...
    Rule Medium Severity
  • Ensure That The kubelet Server Key Is Correctly Set

    To ensure the kubelet TLS private server key certificate is configured, edit the kubelet configuration file /etc/kubernetes/kubelet.conf and configure the kubelet private key file. ...
    Rule Medium Severity
  • kubelet - Disable the Read-Only Port

    To disable the read-only port, edit the openshift-kube-apiserver configmap and set the kubelet-read-only-port parameter to 0: "apiServ...
    Rule Medium Severity
  • kubelet - Allow Automatic Firewall Configuration

    The kubelet has the ability to automatically configure the firewall to allow the containers' required ports and connections to networking resources and destinations, potentially creating a...
    Rule Medium Severity
  • kubelet - Enable Protect Kernel Defaults

    Protect tuned kernel parameters from being overwritten by the kubelet. Before enabling this kernel parameter, it's important and necessary to first create ...
    Rule Medium Severity
  • kubelet - Set Up Sysctl to Enable Protect Kernel Defaults

    Set up the required tuned kernel parameters before enabling overwrite protection. Note that depending on the Linux distribution and its version that your cluster nodes are running, ...
    Rule Medium Severity
  • kubelet - Enable Server Certificate Rotation

    To enable the kubelet to rotate server certificates, edit the kubelet configuration file /etc/kubernetes/kubelet.conf on the kubelet node(s) and set the below parameter: serverTL...
    Rule Medium Severity
  • kubelet - Do Not Disable Streaming Timeouts

    Timeouts for streaming connections should not be disabled, as they help to prevent denial-of-service attacks. To configure streaming connection timeouts, set the streamingConnectionIdleTimeou...
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available

    Two types of garbage collection are performed on an OpenShift Container Platform node: Container garbage collection: Removes terminated ...
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree

    Two types of garbage collection are performed on an OpenShift Container Platform node: Container garbage collection: Removes terminated ...
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionHard: memory.available

    Two types of garbage collection are performed on an OpenShift Container Platform node: Container garbage collection: Removes terminated ...
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available

    Two types of garbage collection are performed on an OpenShift Container Platform node: Container garbage collection: Removes terminated ...
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree

    Two types of garbage collection are performed on an OpenShift Container Platform node: Container garbage collection: Removes terminated ...
    Rule Medium Severity