Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Ensure that all workloads have liveness and readiness probes
Configuring Kubernetes liveness and readiness probes is essential for ensuring the security and reliability of a system. These probes actively monitor container health and readiness, facilitating a...Rule Medium Severity -
Ensure that the OpenShift OAuth logout URL is set
The user can be redirected to a configured URL upon logout <br> This is achievable via the OAuth object by setting the <code>logoutRedirect</code> attribute. Refer to <a href="https://docs.openshi...Rule Medium Severity -
Ensure that the OpenShift MOTD is set
To configure OpenShift's MOTD, create a <b>ConfigMap</b> called <code>motd</code> in the <code>openshift</code> namespace. The object should look as follows: <pre> --- apiVersion: v1 kind: Config...Rule Medium Severity -
Ensure workloads use resource requests and limits
There are two ways to enable resource requests and limits. To create either: A multi-project quota, defined by a ClusterResourceQuota object, allows quotas to be shared across multiple projects. ...Rule Medium Severity -
Ensure workloads use cluster resource requests and limits
There are two ways to enable resource requests and limits. To create either: A multi-project quota, defined by a ClusterResourceQuota object, allows quotas to be shared across multiple projects. ...Rule Medium Severity -
Ensure TLS v1.2 is minimum for Openshift master and worker nodes
Ensure that the Kubelet is configured to only use strong cryptographic ciphers. To set the cipher suites for the kubelet, create new or modify existing <code>KubeletConfig</code> object along these...Rule Medium Severity -
Disable Anonymous Authentication to the Kubelet
By default, anonymous access to the Kubelet server is enabled. This configuration check ensures that anonymous requests to the Kubelet server are disabled. Edit the Kubelet server configuration fil...Rule Medium Severity -
Kubelet - Ensure Event Creation Is Configured
Security relevant information should be captured. The eventRecordQPS Kubelet option can be used to limit the rate at which events are gathered. Setting this too low could result in relevant events ...Rule Medium Severity -
Ensure That The kubelet Server Key Is Correctly Set
To ensure the kubelet TLS private server key certificate is configured, edit the kubelet configuration file <code>/etc/kubernetes/kubelet.conf</code> and configure the kubelet private key file. <pr...Rule Medium Severity -
kubelet - Disable the Read-Only Port
To disable the read-only port, edit the kubelet configuration Edit the <code>openshift-kube-apiserver</code> configmap and set the <code>kubelet-read-only-port</code> parameter to 0: <pre> "apiServ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.