Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Ensure the openshift-oauth-apiserver service uses TLS
By default, the OpenShift OAuth API Server uses TLS. HTTPS should be used for connections between openshift-oauth-apiserver and kube-apiserver. By default, the OpenShift OAuth API Server uses Inter...Rule Medium Severity -
OAuth Token Inactivity Timeout
Enter OAuth Token Inactivity TimeoutValue -
Ensure that the service-account-lookup argument is set to true
Validate service account before validating token.Rule Medium Severity -
Configure the Service Account Public Key for the API Server
To ensure the API Server utilizes its own key pair, edit the <code>openshift-kube-apiserver</code> configmap and set the <code>serviceAccountPublicKeyFiles</code> parameter to the public key file f...Rule Medium Severity -
Configure the Certificate for the API Server
To ensure the API Server utilizes its own TLS certificates, the <code>tls-cert-file</code> must be configured. Verify that the <code>apiServerArguments</code> section has the <code>tls-cert-file</c...Rule Medium Severity -
Use Strong Cryptographic Ciphers on the API Server
To ensure that the API Server is configured to only use strong cryptographic ciphers, verify the <code>openshift-kube-apiserver</code> configmap contains the following set of ciphers, with no addit...Rule Medium Severity -
Configure the Certificate Key for the API Server
To ensure the API Server utilizes its own TLS certificates, the <code>tls-private-key-file</code> must be configured. Verify that the <code>apiServerArguments</code> section has the <code>tls-priva...Rule Medium Severity -
Ensure custom tlsSecurityProfile configured for APIServer uses secure TLS version
The configuration <code>tlsSecurityProfile</code> specifies TLS configurations to be used while establishing connections with the externally exposed servers. Though secure transport mode is used fo...Rule Medium Severity -
Ensure APIServer is not configured with Old tlsSecurityProfile
The configuration <code>tlsSecurityProfile</code> specifies TLS configurations to be used while establishing connections with the externally exposed servers. Though secure transport mode is used fo...Rule Medium Severity -
Ensure that Audit Log Webhook Is Configured
Audit is on by default and the best practice is to ship audit logs off an cluster for retention. HyperShift is able to do this with the a audit webhook, which is configured in the HostedCluster cus...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.