Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Ensure that LUKS is configured on worker nodes
OpenShift has an installation-time flag that can enable LUKS (TPM2 or TANG) full disk encryption at installation. The object <pre>luks</pre> must be present at install time in the <pre>machineconfi...Rule High Severity -
Ensure that full disk encryption is configured on cluster nodes
When full disk encryption is chosen as a way to protect card data at rest, OpenShift can provide several solutions depending on the hosting environment. While LUKS (with TPM2 or Tang) can be used ...Rule High Severity -
Ensure that EBS volumes declared in storageclasses are encrypted
OpenShift StorageClasses can be configured to enable EBS encryption on EBS volumes that are used later as persistent volumes. By using EBS encryption, disk contents are encrypted using an AWS KMS key.Rule High Severity -
Kubernetes - Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. The same idea applies to...Group -
Restrict Automounting of Service Account Tokens
Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server. To ensure pods do not automatically mount tok...Rule Medium Severity -
OpenShift Kube API Server
This section contains recommendations for kube-apiserver configuration.Group -
API Server Request Timeout
Enter API Server Request TimeoutValue -
Bind Address of secure API endpoint
Bind Address of secure API endpointValue -
OpenShift Kube APIServer client CA
OpenShift Kube APIServer client CAValue -
OpenShift Kube APIServer etcd CA
OpenShift Kube APIServer etcd CAValue -
Disable the AlwaysAdmit Admission Control Plugin
To ensure OpenShift only responses to requests explicitly allowed by the admission control plugin. Check that theconfigConfigMap object does not contain the AlwaysAdmit plugin.Rule Medium Severity -
Ensure that the Admission Control Plugin AlwaysPullImages is not set
TheAlwaysPullImagesadmission control plugin should be disabled, since it can introduce new failure modes for control plane components if an image registry is unreachable.Rule High Severity -
Enable the NamespaceLifecycle Admission Control Plugin
OpenShift enables theNamespaceLifecycleplugin by default.Rule Medium Severity -
Enable the SecurityContextConstraint Admission Control Plugin
To ensure pod permissions are managed, make sure that theSecurityContextConstraintadmission control plugin is used.Rule Medium Severity -
Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
Instead of using a customized SecurityContext for pods, a Pod Security Policy (PSP) or a SecurityContextConstraint should be used. These are cluster-level resources that control the actions that a ...Rule Medium Severity -
Ensure catch-all FlowSchema object for API Priority and Fairness Exists
Using <code>APIPriorityAndFairness</code> feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known FlowSchema <code>catch-a...Rule Medium Severity -
Enable the APIPriorityAndFairness feature gate
To limit the rate at which the API Server accepts requests, make sure that the API Priority and Fairness feature is enabled. Using <code>APIPriorityAndFairness</code> feature provides a fine-graine...Rule Medium Severity -
Ensure catch-all FlowSchema object for API Priority and Fairness Exists (v1alpha1)
Using <code>APIPriorityAndFairness</code> feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known FlowSchema <code>catch-a...Rule Medium Severity -
Ensure catch-all FlowSchema object for API Priority and Fairness Exists
Using <code>APIPriorityAndFairness</code> feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known FlowSchema <code>catch-a...Rule Medium Severity -
Configure the Kubernetes API Server Maximum Retained Audit Logs
To configure how many rotations of audit logs are retained, edit the <code>openshift-kube-apiserver</code> configmap and set the <code>audit-log-maxbackup</code> parameter to <code>10</code> or to ...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.