Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File
To properly set the group owner of <code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig</code>, run the command: <pre>$ sudo chgrp root /etc/k...Rule Medium Severity -
Verify User Who Owns The OpenShift Container Network Interface Files
To properly set the owner of/etc/cni/net.d/*, run the command:$ sudo chown root /etc/cni/net.d/*
Rule Medium Severity -
Verify User Who Owns The OpenShift Controller Manager Kubeconfig File
To properly set the owner of <code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig</code>, run the command: <pre>$ sudo chown...Rule Medium Severity -
Verify User Who Owns The Etcd Database Directory
To properly set the owner of/var/lib/etcd/member/, run the command:$ sudo chown root /var/lib/etcd/member/
Rule Medium Severity -
Verify User Who Owns The Etcd Write-Ahead-Log Files
To properly set the owner of/var/lib/etcd/member/wal/*, run the command:$ sudo chown root /var/lib/etcd/member/wal/*
Rule Medium Severity -
Verify User Who Owns The Kubernetes API Server Pod Specification File
To properly set the owner of <code>/etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml</code>, run the command: <pre>$ sudo chown root /etc/kubernetes/static-pod-reso...Rule Medium Severity -
Verify User Who Owns The Kubernetes Controller Manager Pod Specification File
To properly set the owner of <code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml</code>, run the command: <pre>$ sudo chown root /etc/kubernet...Rule Medium Severity -
Verify User Who Owns The Kubernetes Scheduler Pod Specification File
To properly set the owner of <code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml</code>, run the command: <pre>$ sudo chown root /etc/kubernetes/static-pod-reso...Rule Medium Severity -
Verify User Who Owns The OpenShift Admin Kubeconfig File
To properly set the owner of/etc/kubernetes/kubeconfig, run the command:$ sudo chown root /etc/kubernetes/kubeconfig
Rule Medium Severity -
Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files
To properly set the owner of/var/run/multus/cni/net.d/*, run the command:$ sudo chown root /var/run/multus/cni/net.d/*
Rule Medium Severity -
Verify User Who Owns The OpenShift PKI Certificate Files
To properly set the owner of/etc/kubernetes/static-pod-resources/*/*/*/tls.crt, run the command:$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt
Rule Medium Severity -
Verify User Who Owns The OpenShift Open vSwitch Files
To properly set the owner of/etc/openvswitch/.*, run the command:$ sudo chown root /etc/openvswitch/.*
Rule Medium Severity -
Verify User Who Owns The OVNKubernetes Socket
To properly set the owner of/run/ovn-kubernetes/cni/ovn-cni-server.sock, run the command:$ sudo chown root /run/ovn-kubernetes/cni/ovn-cni-server.sock
Rule Medium Severity -
Verify Who Owns The OVNKubernetes DB files
To properly set the owner of/var/lib/ovn/etc/*.db, run the command:$ sudo chown root /var/lib/ovn/etc/*.db
Rule Medium Severity -
Verify User Who Owns The Open vSwitch Configuration Database
To properly set the owner of/etc/openvswitch/conf.db, run the command:$ sudo chown openvswitch /etc/openvswitch/conf.db
Rule Medium Severity -
Verify User Who Owns The Open vSwitch Configuration Database Lock
To properly set the owner of/etc/openvswitch/.conf.db.~lock~, run the command:$ sudo chown openvswitch /etc/openvswitch/.conf.db.~lock~
Rule Medium Severity -
Verify User Who Owns The Open vSwitch Process ID File
To properly set the owner of/var/run/openvswitch/ovs-vswitchd.pid, run the command:$ sudo chown openvswitch /var/run/openvswitch/ovs-vswitchd.pid
Rule Medium Severity -
Verify User Who Owns The Open vSwitch Persistent System ID
To properly set the owner of/etc/openvswitch/system-id.conf, run the command:$ sudo chown openvswitch /etc/openvswitch/system-id.conf
Rule Medium Severity -
Verify User Who Owns The Open vSwitch Daemon PID File
To properly set the owner of/run/openvswitch/ovs-vswitchd.pid, run the command:$ sudo chown openvswitch /run/openvswitch/ovs-vswitchd.pid
Rule Medium Severity -
Verify User Who Owns The Open vSwitch Database Server PID
To properly set the owner of/run/openvswitch/ovsdb-server.pid, run the command:$ sudo chown openvswitch /run/openvswitch/ovsdb-server.pid
Rule Medium Severity -
Verify User Who Owns The OpenShift etcd Data Directory
To properly set the owner of/var/lib/etcd, run the command:$ sudo chown root /var/lib/etcd
Rule Medium Severity -
Verify Permissions on the OpenShift Container Network Interface Files
To properly set the permissions of/etc/cni/net.d/*, run the command:$ sudo chmod 0600 /etc/cni/net.d/*
Rule Medium Severity -
Verify Permissions on the OpenShift Controller Manager Kubeconfig File
To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig</code>, run the command: <pre>$ sudo...Rule Medium Severity -
Verify Permissions on the Etcd Database Directory
To properly set the permissions of/var/lib/etcd, run the command:$ sudo chmod 0700 /var/lib/etcd
Rule Medium Severity -
Verify Permissions on the Etcd Write-Ahead-Log Files
To properly set the permissions of/var/lib/etcd/member/wal/*, run the command:$ sudo chmod 0600 /var/lib/etcd/member/wal/*
Rule Medium Severity -
Verify Permissions on the Etcd PKI Certificate Files
To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/etcd-*/secrets/*/*.crt</code>, run the command: <pre>$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/etcd-*/sec...Rule Medium Severity -
Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations
To properly set the permissions of/var/lib/cni/networks/openshift-sdn/*, run the command:$ sudo chmod 0644 /var/lib/cni/networks/openshift-sdn/*
Rule Medium Severity -
Verify Permissions on the Kubernetes API Server Pod Specification File
To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml</code>, run the command: <pre>$ sudo chmod 0600 /etc/kubernetes/static-po...Rule Medium Severity -
Verify Permissions on the Kubernetes Controller Manager Pod Specification File
To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml</code>, run the command: <pre>$ sudo chmod 0600 /etc/ku...Rule Medium Severity -
Ensure that all Routes has rate limit enabled
OpenShift has an option to set the rate limit for Routes [1] when creating new Routes. All routes outside the openshift namespaces and the kube namespaces should use the rate-limiting annotations. ...Rule Medium Severity -
Verify Permissions on the OpenShift Admin Kubeconfig File
To properly set the permissions of/etc/kubernetes/kubeconfig, run the command:$ sudo chmod 0600 /etc/kubernetes/kubeconfig
Rule Medium Severity -
Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files
To properly set the permissions of/var/run/multus/cni/net.d/*, run the command:$ sudo chmod 0644 /var/run/multus/cni/net.d/*
Rule Medium Severity -
Verify Permissions on the OpenShift PKI Certificate Files
To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt</code>, run the command: <pre>$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-*/s...Rule Medium Severity -
Verify Permissions on the OpenShift PKI Private Key Files
To properly set the permissions of/etc/kubernetes/static-pod-resources/*/*/*/*.key, run the command:$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/*/*/*/*.key
Rule Medium Severity -
Verify Permissions on the OpenShift Open vSwitch Files
To properly set the permissions of/etc/openvswitch/.*, run the command:$ sudo chmod 0644 /etc/openvswitch/.*
Rule Medium Severity -
Verify Permissions on the OVNKubernetes socket
To properly set the permissions of/run/ovn-kubernetes/cni/ovn-cni-server.sock, run the command:$ sudo chmod 0600 /run/ovn-kubernetes/cni/ovn-cni-server.sock
Rule Medium Severity -
Verify Permissions on the OVNKubernetes DB files
To properly set the permissions of/var/lib/ovn/etc/*.db, run the command:$ sudo chmod 0640 /var/lib/ovn/etc/*.db
Rule Medium Severity -
Verify Permissions on the Open vSwitch Configuration Database
To properly set the permissions of/etc/openvswitch/conf.db, run the command:$ sudo chmod 0640 /etc/openvswitch/conf.db
Rule Medium Severity -
OpenShift API Server
This section contains recommendations for openshift-apiserver configuration.Group -
Verify Permissions on the Open vSwitch Process ID File
To properly set the permissions of/var/run/openvswitch/ovs-vswitchd.pid, run the command:$ sudo chmod 0644 /var/run/openvswitch/ovs-vswitchd.pid
Rule Medium Severity -
Verify Permissions on the Open vSwitch Persistent System ID
To properly set the permissions of/etc/openvswitch/system-id.conf, run the command:$ sudo chmod 0644 /etc/openvswitch/system-id.conf
Rule Medium Severity -
Verify Permissions on the Open vSwitch Daemon PID File
To properly set the permissions of/run/openvswitch/ovs-vswitchd.pid, run the command:$ sudo chmod 0644 /run/openvswitch/ovs-vswitchd.pid
Rule Medium Severity -
Verify Permissions on the Open vSwitch Database Server PID
To properly set the permissions of/run/openvswitch/ovsdb-server.pid, run the command:$ sudo chmod 0644 /run/openvswitch/ovsdb-server.pid
Rule Medium Severity -
Verify Permissions on the Kubernetes Scheduler Kubeconfig File
To properly set the permissions of <code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig</code>, run the command: <pre>$ sudo chmod 0600 /etc/k...Rule Medium Severity -
The OpenShift etcd Data Directory Must Have Mode 0700
To properly set the permissions of/var/lib/etcd, run the command:$ sudo chmod 0700 /var/lib/etcd
Rule Medium Severity -
Verify Permissions on the OpenShift SDN CNI Server Config
To properly set the permissions of/var/run/openshift-sdn/cniserver/config.json, run the command:$ sudo chmod 0444 /var/run/openshift-sdn/cniserver/config.json
Rule Medium Severity -
Kubernetes - Network Configuration and Firewalls
Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking wh...Group -
Verify User Who Owns The OpenShift Node Service File
' To properly set the owner of/etc/systemd/system/kubelet.service, run the command:$ sudo chown root /etc/systemd/system/kubelet.service
'Rule Medium Severity -
Ensure that the CNI in use supports Network Policies
There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster. OpenShift sup...Rule High Severity -
Ensure that HyperShift Hosted Namespaces have Network Policies defined.
Use network policies to isolate traffic in your cluster network.Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.