Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Ensure the openshift-oauth-apiserver service uses TLS
By default, the OpenShift OAuth API Server uses TLS. HTTPS should be used for connections between openshift-oauth-apiserver and kube-apiserver. By default, the OpenShift OAuth API Server uses Inter...Rule Medium Severity -
OAuth Token Inactivity Timeout
Enter OAuth Token Inactivity TimeoutValue -
Ensure that the service-account-lookup argument is set to true
Validate service account before validating token.Rule Medium Severity -
Configure the Service Account Public Key for the API Server
To ensure the API Server utilizes its own key pair, edit the <code>openshift-kube-apiserver</code> configmap and set the <code>serviceAccountPublicKeyFiles</code> parameter to the public key file f...Rule Medium Severity -
Configure the Certificate for the API Server
To ensure the API Server utilizes its own TLS certificates, the <code>tls-cert-file</code> must be configured. Verify that the <code>apiServerArguments</code> section has the <code>tls-cert-file</c...Rule Medium Severity -
Use Strong Cryptographic Ciphers on the API Server
To ensure that the API Server is configured to only use strong cryptographic ciphers, verify the <code>openshift-kube-apiserver</code> configmap contains the following set of ciphers, with no addit...Rule Medium Severity -
Configure the Certificate Key for the API Server
To ensure the API Server utilizes its own TLS certificates, the <code>tls-private-key-file</code> must be configured. Verify that the <code>apiServerArguments</code> section has the <code>tls-priva...Rule Medium Severity -
Ensure custom tlsSecurityProfile configured for APIServer uses secure TLS version
The configuration <code>tlsSecurityProfile</code> specifies TLS configurations to be used while establishing connections with the externally exposed servers. Though secure transport mode is used fo...Rule Medium Severity -
Ensure APIServer is not configured with Old tlsSecurityProfile
The configuration <code>tlsSecurityProfile</code> specifies TLS configurations to be used while establishing connections with the externally exposed servers. Though secure transport mode is used fo...Rule Medium Severity -
Ensure that Audit Log Webhook Is Configured
Audit is on by default and the best practice is to ship audit logs off an cluster for retention. HyperShift is able to do this with the a audit webhook, which is configured in the HostedCluster cus...Rule Medium Severity -
Authentication
In cloud workloads, there are many ways to create and configure to multiple authentication services. Some of these authentication methods by not be secure or common methodologies, or they may not b...Group -
OAuth Clients Token Inactivity Timeout
Enter OAuth Clients Token Inactivity Timeout in SecondsValue -
Configure OAuth tokens to expire after a set period of inactivity
<p> You can configure OAuth tokens to expire after a set period of inactivity. By default, no token inactivity timeout is set. </p> <p> The inactivity timeout can be ei...Rule Medium Severity -
Configure OAuth tokens to expire after a set period of inactivity
<p> You can configure OAuth tokens to have have a custom duration. By default, the tokens are valid for 24 hours (86400 seconds). </p> <p> The maximum age can be either...Rule Medium Severity -
Configure OAuth server so that tokens have a maximum age set
<p> You can configure OAuth tokens to have have a custom duration. By default, the tokens are valid for 24 hours (86400 seconds). </p> <p> The maximum age can be either...Rule Medium Severity -
Only Use LDAP-based IdPs with TLS
<p> For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user associated with requests to the...Rule High Severity -
OpenShift Controller Settings
This section contains recommendations for the kube-controller-manager configurationGroup -
OpenShift - Logging Settings
Contains evaluations for the cluster's logging configuration settings.Group -
Ensure Controller secure-port argument is set
To ensure the Controller Manager service is bound to secure loopback address using a secure port, set the <code>RotateKubeletServerCertificate</code> option to <code>true</code> in the <code>opensh...Rule Low Severity -
Configure the Service Account Certificate Authority Key for the Controller Manager
To ensure the API Server utilizes its own key pair, set the <code>masterCA</code> parameter to the public key file for service accounts in the <code>openshift-kube-controller-manager</code> configm...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.