
Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Namespaces exempt from Network Policies

    Regular expression of namespaces explicitly exempted from the network policy checks; e.g. setting the value to "namespace1|namespace2" exempts the namespaces "namespace1" and "namespace2" from network polici...
    Value
  • Ensure that cluster-wide proxy is set

    Production environments can deny direct access to the Internet and instead have an HTTP or HTTPS proxy available. The Proxy object is used to manage the cl...
    Rule Medium Severity
  • Ensure that all Routes have IP whitelist annotation

    OpenShift has an option to set the IP whitelist for Routes [1] when creating new Routes. All routes outside the openshift namespaces and the kube namespaces should use the IP whitelist annotations...
    Rule Medium Severity
  • Configure the OpenShift API Server Maximum Retained Audit Logs

    To configure how many rotations of audit logs are retained, edit the openshift-apiserver configmap and set the audit-log-maxbackup parameter to 10 or to an or...
    Rule Low Severity
  • Ensure roles are defined in the cluster

    RBAC is a critical feature in terms of security for Kubernetes and OpenShift. It enables administrators to segment the privileges granted to a service account, and thus allows us...
    Rule Medium Severity
  • Configure ImagePruner so that images that are no longer needed are automatically removed

    Images from the internal registry that are no longer required by the system due to age, status, or exceeded limits are automatically pruned. Cluster administrators can configure th...
    Rule Medium Severity
  • Make sure the Container Security Operator is installed

    Using the Red Hat Quay Container Security Operator, you can access vulnerability scan results from the OpenShift Container Platform web console for container images used in activ...
    Rule Medium Severity
  • Enable AutoApplyRemediation for at least One ScanSetting

    The Compliance Operator (https://docs.openshift.com/container-platform/latest/security/compliance_operator/compliance-operator-understanding.html#compliance-operator-understanding) scan...
    Rule Medium Severity
  • Limit Container Capabilities

    Containers should not enable more capabilities than needed, as this opens the door for malicious use. To enable only the required capabilities, the appropriate Security Context Con...
    Rule Medium Severity
  • Verify that the scheduler API service is protected by RBAC

    Do not bind the scheduler service to non-loopback insecure addresses.
    Rule Medium Severity
  • Verify Group Who Owns The Kubelet Configuration File

    To properly set the group owner of /etc/kubernetes/kubelet.conf, run the command:
    $ sudo chgrp root /etc/kubernetes/kubelet.conf
    Rule Medium Severity
  • Verify Group Who Owns the Worker Certificate Authority File

    To properly set the group owner of /etc/kubernetes/kubelet-ca.crt, run the command:
    $ sudo chgrp root /etc/kubernetes/kubelet-ca.crt
    Rule Medium Severity