Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Disable the AlwaysAdmit Admission Control Plugin
To ensure OpenShift only responses to requests explicitly allowed by the admission control plugin. Check that theconfigConfigMap object does not contain the AlwaysAdmit plugin.Rule Medium Severity -
Ensure that the Admission Control Plugin AlwaysPullImages is not set
TheAlwaysPullImagesadmission control plugin should be disabled, since it can introduce new failure modes for control plane components if an image registry is unreachable.Rule High Severity -
Enable the NamespaceLifecycle Admission Control Plugin
OpenShift enables theNamespaceLifecycleplugin by default.Rule Medium Severity -
Enable the SecurityContextConstraint Admission Control Plugin
To ensure pod permissions are managed, make sure that theSecurityContextConstraintadmission control plugin is used.Rule Medium Severity -
Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
Instead of using a customized SecurityContext for pods, a Pod Security Policy (PSP) or a SecurityContextConstraint should be used. These are cluster-level resources that control the actions that a ...Rule Medium Severity -
Ensure catch-all FlowSchema object for API Priority and Fairness Exists
Using <code>APIPriorityAndFairness</code> feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known FlowSchema <code>catch-a...Rule Medium Severity -
Enable the APIPriorityAndFairness feature gate
To limit the rate at which the API Server accepts requests, make sure that the API Priority and Fairness feature is enabled. Using <code>APIPriorityAndFairness</code> feature provides a fine-graine...Rule Medium Severity -
Ensure catch-all FlowSchema object for API Priority and Fairness Exists (v1alpha1)
Using <code>APIPriorityAndFairness</code> feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known FlowSchema <code>catch-a...Rule Medium Severity -
Ensure catch-all FlowSchema object for API Priority and Fairness Exists
Using <code>APIPriorityAndFairness</code> feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known FlowSchema <code>catch-a...Rule Medium Severity -
Configure the Kubernetes API Server Maximum Retained Audit Logs
To configure how many rotations of audit logs are retained, edit the <code>openshift-kube-apiserver</code> configmap and set the <code>audit-log-maxbackup</code> parameter to <code>10</code> or to ...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.