Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Namespaces exempt of Statefulset Resource Limit
Namespaces regular expression explicitly allowed through statefulset resource filters, e.g. setting value to "namespace1|namespace2" will exempt namespace "namespace1" and "namespace2" for stateful...Value -
Ensure that Advanced Cluster Security (ACS) Sensor is deployed
Red Hat Advanced Cluster Security (ACS) for Kubernetes provides comprehensive security for containerized environments. It offers deep visibility into deployed resources across Kubernetes clusters, ...Rule Medium Severity -
Ensure that a OpenShift OAuth login template or a classification banner is set
A legal notice must be configured. <br> This is achievable via the OAuth object by creating a custom login page, storing it in a Kubernetes Secret and referencing it in the appropriate field as <a...Rule Medium Severity -
A Backup Solution Has To Be Installed
Backup and Restore are fundamental practices when it comes to disaster recovery. By utilizing a Backup Software you are able to backup (and restore) data, which is lost, if your cluster crashes bey...Rule Medium Severity -
Manage Image Provenance Using ImagePolicyWebhook
OpenShift administrators can control which images can be imported, tagged, and run in a cluster. There are two facilities for this purpose: (1) Allowed Registries, allowing administrators to restri...Rule Medium Severity -
Each Namespace should only host one application
Use namespaces to isolate your Kubernetes objects.Rule Medium Severity -
Create Network Boundaries between Functional Different Nodes
Use different Networks for Control Plane, Worker and Individual Application Services.Rule Medium Severity -
Create Boundaries between Resources using Nodes or Clusters
Use Nodes or Clusters to isolate Workloads with high protection requirements. Run the following command and review the pods and how they are deployed on Nodes. <pre>$ oc get pod -o=custom-columns=...Rule Medium Severity -
Ensure that the LifecycleAndUtilization Profile for the Kube Descheduler Operator is Enabled
If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly. No pod should run for more than 24 hours. The availability ...Rule Medium Severity -
Ensure that the Kube Descheduler operator is deployed
If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly. No pod should run for more than 24 hours. The availability ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.