Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Ensure that application Namespaces have Network Policies defined.
Use network policies to isolate traffic in your cluster network.Rule High Severity -
Ensure that the default Ingress CA (wildcard issuer) has been replaced
Check that the default Ingress CA has been replaced.Rule Medium Severity -
Ensure that the default Ingress certificate has been replaced
Check that the default Ingress certificate has been replaced.Rule Medium Severity -
Ensure IngressController is configured to use secure tlsSecurityProfile
<p> The configuration <code>tlsSecurityProfile</code> specifies TLS configurations to be used while establishing connections with the externally exposed servers. Though secure transp...Rule Medium Severity -
Ensure custom tlsSecurityProfile configured for IngressController uses secure TLS version
The configuration <code>tlsSecurityProfile</code> specifies TLS configurations to be used while establishing connections with the externally exposed servers. Though secure transport mode is used fo...Rule Medium Severity -
Ensure IngressController is not configured to use Old tlsSecurityProfile
The configuration <code>tlsSecurityProfile</code> specifies TLS configurations to be used while establishing connections with the externally exposed servers. Though secure transport mode is used fo...Rule Medium Severity -
Ensure that project templates autocreate Network Policies
Configure a template for newly created projects to use default network policies and make sure this template is referenced from the default project template. The OpenShift Container Platform API se...Rule Medium Severity -
Ensure that project templates autocreate Network Policies
Configure a template for newly created projects to use default network policies. For more information, follow <a href="https://docs.openshift.com/container-platform/latest/networking/network_policy...Rule Medium Severity -
Ensure that all OpenShift Routes prefer TLS
OpenShift Container Platform provides methods for communicating from outside the cluster with services running in the cluster. TLS must be used to protect these communications. OpenShift Routes pro...Rule Medium Severity -
Configure OpenShift API Server Maximum Audit Log Size
To rotate audit logs upon reaching a maximum size, edit the <code>openshift-apiserver</code> configmap and set the <code>audit-log-maxsize</code> parameter to an appropriate size in MB. For example...Rule Medium Severity -
Configure the Audit Log Path
To enable auditing on the OpenShift API Server, the audit log path must be set. Edit the <code>openshift-apiserver</code> configmap and set the <code>audit-log-path</code> to a suitable path and fi...Rule High Severity -
Role-based Access Control
Role-based access control (RBAC) objects determine whether a user is allowed to perform a given action within a project. Cluster administrators can use the cluster roles and bindings to control wh...Group -
Ensure cluster roles are defined in the cluster
<p> RBAC is a critical feature in terms of security for Kubernetes and OpenShift. It enables administrators to segment the privileges granted to a service account, and thus allows us...Rule Medium Severity -
Profiling is protected by RBAC
Ensure that the cluster-debugger cluster role includes the /debug/pprof resource URL. This demonstrates that profiling is protected by RBAC, with a specific cluster role to allow access.Rule Medium Severity -
Ensure that the RBAC setup follows the principle of least privilege
Role-based access control (RBAC) objects determine whether a user is allowed to perform a given action within a project. If users or groups exist that are bound to roles they must not have, modify...Rule High Severity -
Ensure that the cluster-admin role is only used where required
The RBAC role cluster-admin provides wide-ranging powers over the environment and should be used only where and when needed.Rule Medium Severity -
Limit Access to Kubernetes Secrets
The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the sm...Rule Medium Severity -
Ensure that the ClusterLogging and ClusterLoggingForwarder resources are protected from unauthorized deletion
The ClusterLogging and ClusterLoggingForwarder Custom Resources provide a way to configure the logging forwarding subsystem and delete access to it should be restricted to as-needed basis. Remove...Rule Medium Severity -
Ensure that the ClusterLogging and ClusterLoggingForwarder resources are protected from unauthorized modification
The ClusterLogging and ClusterLoggingForwarder Custom Resources provide a way to configure the logging forwarding subsystem and modification access to it should be restricted to as-needed basis. ...Rule Medium Severity -
Ensure that the ClusterLogging and ClusterLoggingForwarder resources are protected from unauthorized access
The ClusterLogging and ClusterLoggingForwarder Custom Resources provide a way to configure the logging forwarding subsystem and view access to it should be restricted to as-needed basis. Remove v...Rule Medium Severity -
Minimize Access to Pod Creation
The ability to create pods in a namespace can provide a number of opportunities for privilege escalation. Where applicable, remove <code>create</code> access to <code>pod</code> objects in the clus...Rule Medium Severity -
Minimize Wildcard Usage in Cluster and Local Roles
Kubernetes Cluster and Local Roles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these using a wildcard <code>...Rule Medium Severity -
Kubernetes - Registry Security Practices
Contains evaluations for Kubernetes registry security practices, and cluster-wide registry configuration.Group -
Limit Access to the Host IPC Namespace
Containers should not be allowed access to the host's Interprocess Communication (IPC) namespace. To prevent containers from getting access to a host's IPC namespace, the appropriate Security Conte...Rule Medium Severity -
All configured ImageStreams are configured to periodically check for updates
<p> The configuration <code>imagestream.spec.tags.importPolicy.scheduled</code> determines whether the imagestream is configured to periodically check for updates. This is useful whe...Rule Medium Severity -
Allowed registries are configured
The configuration <code>registrySources.allowedRegistries</code> determines the permitted registries that the OpenShift container runtime can access for builds and pods. This configuration setting ...Rule Medium Severity -
Allowed registries for import are configured
The configuration <code>allowedRegistriesForImport</code> limits the container image registries from which normal users may import images. This is important to control, as a user who can stand up a...Rule Medium Severity -
Check configured allowed registries for import uses secure protocol
The configuration <code>allowedRegistriesForImport</code> limits the container image registries from which normal users may import images. This is a list of the registries that can be trusted to co...Rule Medium Severity -
Check if any insecure registry sources is configured
The configuration <code>registrySources.insecureRegistries</code> determines the insecure registries that the OpenShift container runtime can access for builds and pods. This configuration setting ...Rule Medium Severity -
OpenShift - Risk Assessment Settings
Contains evaluations for the cluster's risk assessment configuration settings.Group -
Verify User Who Owns the Worker Certificate Authority File
To properly set the owner of/etc/kubernetes/kubelet-ca.crt, run the command:$ sudo chown root /etc/kubernetes/kubelet-ca.crt
Rule Medium Severity -
Ensure that Compliance Operator is scanning the cluster
<a href="https://docs.openshift.com/container-platform/latest/security/compliance_operator/compliance-operator-understanding.html#compliance-operator-understanding">The Compliance Operator</a> scan...Rule Medium Severity -
Ensure that Compliance Operator scans are running periodically
<a href="https://docs.openshift.com/container-platform/latest/security/compliance_operator/compliance-operator-understanding.html#compliance-operator-understanding">The Compliance Operator</a> scan...Rule Medium Severity -
Security Context Constraints (SCC)
Similar to the way that RBAC resources control user access, administrators can use Security Context Constraints (SCCs) to control permissions for pods. These permissions include actions that a pod,...Group -
Permitted SCCs with allowedCapabilities
A regular expression that lists all SCCs that are permitted to set the allowedCapabilities attributeValue -
Drop Container Capabilities
Containers should not enable more capabilities than needed as this opens the door for malicious use. To disable the capabilities, the appropriate Security Context Constraints (SCCs) should set all ...Rule Medium Severity -
Limit Containers Ability to use the HostDir volume plugin
Containers should be allowed to use the <code>hostPath</code> volume type unless necessary. To prevent containers from using the host filesystem the appropriate Security Context Constraints (SCCs) ...Rule Medium Severity -
Limit Containers Ability to bind to privileged ports
Containers should be limited to bind to non-privileged ports directly on the hosts. To prevent containers from binding to privileged ports on the host the appropriate Security Context Constraints (...Rule Medium Severity -
Limit Use of the CAP_NET_RAW
Containers should not enable more capabilities than needed as this opens the door for malicious use. <code>CAP_NET_RAW</code> enables a container to launch a network attack on another container or ...Rule Medium Severity -
Limit Access to the Host Network Namespace
Containers should not be allowed access to the host's network namespace. To prevent containers from getting access to a host's network namespace, the appropriate Security Context Constraints (SCCs)...Rule Medium Severity -
Limit Containers Ability to Escalate Privileges
Containers should be limited to only the privileges required to run and should not be allowed to escalate their privileges. To prevent containers from escalating privileges, the appropriate Securit...Rule Medium Severity -
Limit Privileged Container Use
Containers should be limited to only the privileges required to run. To prevent containers from running as privileged containers, the appropriate Security Context Constraints (SCCs) should set <cod...Rule Medium Severity -
Limit Access to the Host Process ID Namespace
Containers should not be allowed access to the host's process ID namespace. To prevent containers from getting access to a host's process ID namespace, the appropriate Security Context Constraints ...Rule Medium Severity -
Limit Container Running As Root User
Containers should run as a random non-privileged user. To prevent containers from running as root user, the appropriate Security Context Constraints (SCCs) should set <code>.runAsUser.type</code> t...Rule Medium Severity -
OpenShift - Kubernetes - Scheduler Settings
Contains evaluations for kube-scheduler configuration settings.Group -
Ensure that the bind-address parameter is not used
The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound t...Rule Medium Severity -
Ensure that the port parameter is zero
The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound t...Rule Medium Severity -
Kubernetes Secrets Management
Secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys. Such information might otherwise be put in a Pod specification or in an image.Group -
Consider external secret storage
Consider the use of an external secrets storage and management system, instead of using Kubernetes Secrets directly, if you have more complex secret management needs. Ensure the solution requires a...Rule Medium Severity -
Do Not Use Environment Variables with Secrets
Secrets should be mounted as data volumes instead of environment variables.Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.