Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Rules, Groups, and Values defined within the XCCDF Benchmark
Kubernetes - Worker Node Settings
Contains evaluations for the worker node configuration settings. Group -
Verify Group Who Owns The Worker Proxy Kubeconfig File
To ensure the Kubernetes ConfigMap is mounted into the sdn daemonset pods with the correct ownership, make sure that the <code>sdn-config</code> ConfigMap is mounted using a ConfigMap at the <code>...Rule Medium Severity -
Verify Group Who Owns The Worker Kubeconfig File
To properly set the group owner of /var/lib/kubelet/kubeconfig, run the command: $ sudo chgrp root /var/lib/kubelet/kubeconfig
Rule Medium Severity -
Verify Group Who Owns The OpenShift Node Service File
To properly set the group owner of /etc/systemd/system/kubelet.service, run the command: $ sudo chgrp root /etc/systemd/system/kubelet.service
Rule Medium Severity -
Verify User Who Owns The Kubelet Configuration File
To properly set the owner of /var/lib/kubelet/config.json, run the command: $ sudo chown root /var/lib/kubelet/config.json
Rule Medium Severity -
Verify User Who Owns The Kubelet Configuration File
To properly set the owner of /etc/kubernetes/kubelet.conf, run the command: $ sudo chown root /etc/kubernetes/kubelet.conf
Rule Medium Severity -
Verify User Who Owns The Worker Proxy Kubeconfig File
To ensure the Kubernetes ConfigMap is mounted into the sdn daemonset pods with the correct ownership, make sure that the <code>sdn-config</code> ConfigMap is mounted using a ConfigMap at the <code>...Rule Medium Severity -
Verify Permissions on The Kubelet Configuration File
To properly set the permissions of /var/lib/kubelet/config.json, run the command: $ sudo chmod 0600 /var/lib/kubelet/config.json
Rule Medium Severity -
Verify Permissions on the Worker Proxy Kubeconfig File
To ensure the Kubernetes ConfigMap is mounted into the sdn daemonset pods with the correct permissions, make sure that the <code>sdn-config</code> ConfigMap is mounted using restrictive permissions...Rule Medium Severity -
Verify Permissions on the Worker Certificate Authority File
To properly set the permissions of /etc/kubernetes/kubelet-ca.crt, run the command: $ sudo chmod 0644 /etc/kubernetes/kubelet-ca.crt
Rule Medium Severity -
Verify Permissions on the Worker Kubeconfig File
To properly set the permissions of /var/lib/kubelet/kubeconfig, run the command: $ sudo chmod 0600 /var/lib/kubelet/kubeconfig
Rule Medium Severity -
Verify Permissions on the OpenShift Node Service File
To properly set the permissions of /etc/systemd/system/kubelet.service, run the command: $ sudo chmod 0644 /etc/systemd/system/kubelet.service
Rule Medium Severity -
OpenShift APIServer etcd encryption type
OpenShift APIServer etcd encryption provider type to use for remediation. This variable is only applicable to remediations, and does not affect checks. This variable is set to 'aescbc' by default, ...Value -
Set Pod Lifetime for the Deschedulers
If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly. No pod should run for more than 24 hours. The availability ...Rule Medium Severity -
Verify User Who Owns The Worker Kubeconfig File
To properly set the owner of /var/lib/kubelet/kubeconfig, run the command: $ sudo chown root /var/lib/kubelet/kubeconfig
Rule Medium Severity -
Verify Permissions on The Kubelet Configuration File
To properly set the permissions of /etc/kubernetes/kubelet.conf, run the command: $ sudo chmod 0644 /etc/kubernetes/kubelet.conf
Rule Medium Severity -
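The ownership and permission rules above are each stated as a single chown, chgrp or chmod remediation. An auditor usually wants one check that reports every worker-node file at once, that treats a file stricter than required (0600 where 0644 is allowed) as compliant, and that fails when a file is missing rather than silently skipping it. The script below is an added example, not content of the guide or of the ComplianceAsCode project: the function names, the ok/FAIL wording and the expectation table are this example's own, and the table lists only what the rules above state, with "-" where a rule gives no owner or group requirement.

```shell
#!/bin/sh
# Added example, not part of the SCAP guide or of ComplianceAsCode: audit the
# worker-node files covered by the rules above for owner, group and mode.
# Runs with plain POSIX sh and GNU stat(1) (coreutils, as on RHCOS/RHEL).

# check_file_mode PATH OWNER GROUP MAXMODE
#   OWNER and GROUP are names or numeric ids; "-" skips that check.
#   MAXMODE is octal (0600, 0644, ...). The check passes only when the file
#   exists and sets no permission bit outside MAXMODE, so a 0600 file passes
#   a 0644 rule but a 0644 file fails a 0600 rule.
check_file_mode() {
    path=$1 want_user=$2 want_group=$3 max_mode=$4
    if [ ! -e "$path" ]; then
        echo "FAIL $path: missing"
        return 1
    fi
    set -- $(stat -c '%a %U %u %G %g' "$path")
    mode=$1 uname=$2 uid=$3 gname=$4 gid=$5
    status=0
    if [ "$want_user" != - ] && [ "$want_user" != "$uname" ] && [ "$want_user" != "$uid" ]; then
        echo "FAIL $path: owner is $uname, expected $want_user"
        status=1
    fi
    if [ "$want_group" != - ] && [ "$want_group" != "$gname" ] && [ "$want_group" != "$gid" ]; then
        echo "FAIL $path: group is $gname, expected $want_group"
        status=1
    fi
    # Bits set in mode but absent from max_mode are the violation
    # (the leading 0 makes the shell read both values as octal).
    if [ $(( 0$mode & ~0$max_mode )) -ne 0 ]; then
        echo "FAIL $path: mode $mode exceeds $max_mode"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "ok   $path ($uname:$gname $mode)"
    return $status
}

# Expectations exactly as the rules above state them; "-" where a rule gives
# no owner or group requirement. Exit status is 1 if any file fails.
audit_worker_node_files() {
    rc=0
    while read -r p owner group maxmode; do
        [ -n "$p" ] || continue
        check_file_mode "$p" "$owner" "$group" "$maxmode" || rc=1
    done <<'EOF'
/var/lib/kubelet/kubeconfig          root root 0600
/var/lib/kubelet/config.json         root -    0600
/etc/kubernetes/kubelet.conf         root -    0644
/etc/kubernetes/kubelet-ca.crt       -    -    0644
/etc/systemd/system/kubelet.service  root root 0644
EOF
    return $rc
}

# Run the full audit only when asked, so the functions can also be sourced.
if [ "${AUDIT_NODE:-0}" = 1 ]; then
    audit_worker_node_files
fi
```

Run it on a node from `oc debug node/<name>` after `chroot /host`, with `AUDIT_NODE=1` in the environment; the non-zero exit status on any failure lets it gate a pipeline. Ownership is compared by name or numeric id, so `0` and `root` are interchangeable, and an owner name that does not resolve inside a container still matches by uid.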
Disable Token-based Authentication
To ensure OpenShift does not accept token-based authentication, follow the OpenShift documentation and configure alternate mechanisms for authentication. Then, edit the API Server pod specification...Rule High Severity -
Ensure the Container Runtime rejects unsigned images by default
<p> The OpenShift Platform allows for verifying the signature of a container image before pulling it. This is done via the policy.json file [1] which needs to be configured via the M...Rule Medium Severity -
Ensure no ClusterRoleBindings set for default Service Account
Using the <code>default</code> service account prevents accurate application rights review and audit tracing. Instead of <code>default</code>, create a new and unique service account and associate ...Rule Medium Severity -
Kubernetes Audit Logs Must Be Owned By Root
All audit logs must be owned by root user and group. By default, the path for the Kubernetes audit log is <pre>/var/log/kube-apiserver/</pre>. To properly set the owner of <code>/var/log/kube-apis...Rule Medium Severity -
Ensure no RoleBindings set for default Service Account
Using the <code>default</code> service account prevents accurate application rights review and audit tracing. Instead of <code>default</code>, create a new and unique service account and associate ...Rule Medium Severity -
Ensure Usage of Unique Service Accounts
Using the <code>default</code> service account prevents accurate application rights review and audit tracing. Instead of <code>default</code>, create a new and unique service account with the follo...Rule Medium Severity -
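The three default-service-account rules above reduce to one question: which RoleBindings and ClusterRoleBindings list a ServiceAccount named <code>default</code> among their subjects? The script below is an added example, not part of the guide or of the ComplianceAsCode checks. It reads one line per binding in a format produced by the <code>oc</code> jsonpath templates in its comments, so it runs without cluster access; the sample bindings embedded in it are constructed for the example, not taken from a real cluster, and the function and sample names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SCAP guide or of ComplianceAsCode: report
# every RoleBinding and ClusterRoleBinding whose subjects include a
# ServiceAccount named "default".
#
# Produce the input, one line per binding ("<binding> <kind>:<ns>:<name> ..."),
# with these jsonpath templates and pipe both outputs into the function:
#
#   oc get clusterrolebindings -o jsonpath='{range .items[*]}{"ClusterRoleBinding/"}{.metadata.name}{" "}{range .subjects[*]}{.kind}:{.namespace}:{.name}{" "}{end}{"\n"}{end}'
#   oc get rolebindings -A    -o jsonpath='{range .items[*]}{"RoleBinding/"}{.metadata.namespace}{"/"}{.metadata.name}{" "}{range .subjects[*]}{.kind}:{.namespace}:{.name}{" "}{end}{"\n"}{end}'

# find_default_sa_bindings reads binding lines on stdin, prints each binding
# that grants a role to a "default" service account together with the
# offending subjects, and returns 1 if any were found (0 when clean).
# A ServiceAccount subject with an empty namespace ("ServiceAccount::default")
# refers to the binding's own namespace and is flagged as well.
find_default_sa_bindings() {
    found=0
    while read -r binding subjects; do
        [ -n "$binding" ] || continue
        hits=
        for s in $subjects; do
            case $s in
                ServiceAccount:*:default) hits="$hits $s" ;;
            esac
        done
        if [ -n "$hits" ]; then
            echo "$binding ->$hits"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed sample in the format above (not output from a real cluster):
# two bindings reach a "default" service account, two do not.
SAMPLE_BINDINGS='ClusterRoleBinding/image-puller-all ServiceAccount:myapp:default
RoleBinding/myapp/edit-default ServiceAccount:myapp:default ServiceAccount::default
RoleBinding/myapp/edit-api ServiceAccount:myapp:api-backend User::alice
ClusterRoleBinding/self-provisioners Group::system:authenticated:oauth'

# Feed the sample through the check; exit status 1 signals findings.
demo() {
    printf '%s\n' "$SAMPLE_BINDINGS" | find_default_sa_bindings
}
```

The subject match is on kind and name only, so a <code>default</code> service account bound in any namespace is reported; users, groups and service accounts with other names pass through. A binding that names the same service account twice (with and without an explicit namespace) is reported once with both subjects, which is what an auditor wants when working out which binding to replace with one for a dedicated service account.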
Enable the NodeRestriction Admission Control Plugin
To limit the <code>Node</code> and <code>Pod</code> objects that a kubelet could modify, ensure that the <code>NodeRestriction</code> plugin on kubelets is enabled in the api-server configuration b...Rule Medium Severity -
Enable the ServiceAccount Admission Control Plugin
To ensure <code>ServiceAccount</code> objects must be created and granted before pod creation is allowed, follow the documentation and create <code>ServiceAccount</code> objects as per your environ...Rule Medium Severity -
Ensure that anonymous requests to the API Server are authorized
By default, anonymous access to the OpenShift API is enabled, but at the same time, all requests must be authorized. If no authentication mechanism is used, the request is assigned the <code>system...Rule Medium Severity -
Ensure catch-all FlowSchema object for API Priority and Fairness Exists
Using <code>APIPriorityAndFairness</code> feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known FlowSchema <code>catch-a...Rule Medium Severity -
Ensure that Audit Log Forwarding Is Enabled
OpenShift audit works at the API server level, logging all requests coming to the server. Audit is on by default and the best practice is to ship audit logs off the cluster for retention. The clust...Rule Medium Severity -
Configure the Client Certificate Authority for the API Server
Certificates must be provided to fully setup TLS client certificate authentication. To ensure the API Server utilizes its own TLS certificates, the <code>clientCA</code> must be configured. Verify ...Rule Medium Severity -
Configure the Encryption Provider Cipher
<p> When you enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted: <ul> <li>Secrets</li> <li>ConfigMaps</li> <li>Routes</li> <...Rule Medium Severity -
Prevent Insecure Port Access
By default, traffic for the OpenShift API server is served over HTTPS with authentication and authorization, and the secure API endpoint is bound to <code>0.0.0.0:8443</code>. To ensure that the in...Rule Medium Severity -
Configure the API Server Minimum Request Timeout
The API server minimum request timeout defines the minimum number of seconds a handler must keep a request open before timing it out. To set this, edit the <code>openshift-kube-apiserver</code> con...Rule Medium Severity -
Ensure APIServer is configured with secure tlsSecurityProfile
<p> The configuration <code>tlsSecurityProfile</code> specifies TLS configurations to be used while establishing connections with the externally exposed servers. Though secure transp...Rule Medium Severity -
OAuth Token Maximum Age
Enter OAuth Token Maximum Age Timeout Value -
Configure An Identity Provider
<p> For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user associated with requests to the...Rule Medium Severity -
Configure OAuth server so that tokens expire after a set period of inactivity
<p> You can configure OAuth tokens to expire after a set period of inactivity. By default, no token inactivity timeout is set. </p> <p> The inactivity timeout can be ei...Rule Medium Severity -
Configure OAuth clients so that tokens have a maximum age set
<p> You can configure OAuth tokens to have a custom duration. By default, the tokens are valid for 24 hours (86400 seconds). </p> <p> The maximum age can be either...Rule Medium Severity -
Do Not Use htpasswd-based IdP
<p> For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user associated with requests to the...Rule Medium Severity -
OpenShift - Confinement
Contains evaluations to configure and assess the confinement of the cluster's applications and workloads. Group -
Make sure the Security Profiles Operator is installed
Security Profiles Operator provides a way to define secure computing (seccomp) profiles and SELinux profiles as custom resources that are synchronized to every node in a given namespace. Using sec...Rule Medium Severity -
Ensure Controller insecure port argument is unset
To ensure the Controller Manager service is bound to a secure loopback address and a secure port, make sure the insecure <code>port</code> argument is unset or set to <code>0</code> in the <code>openshif...Rule Low Severity -
Ensure that the RotateKubeletServerCertificate argument is set
To enforce kubelet server certificate rotation on the Controller Manager, set the <code>RotateKubeletServerCertificate</code> option to <code>true</code> in the <code>openshift-kube-controller-mana...Rule Medium Severity -
Ensure that use-service-account-credentials is enabled
To ensure individual service account credentials are used, set the <code>use-service-account-credentials</code> option to <code>true</code> in the <code>openshift-kube-controller-manager</code> con...Rule Medium Severity -
Configure Recurring Backups For etcd
<p> Back up your clusters etcd data regularly and store in a secure location ideally outside the OpenShift Container Platform environment. Do not take an etcd backup before the first...Rule Medium Severity -
Enable The Client Certificate Authentication
To ensure the <code>etcd</code> service is serving TLS to clients, make sure the <code>etcd-pod*</code> <code>ConfigMaps</code> in the <code>openshift-etcd</code> namespace contain the follo...Rule Medium Severity -
Maximum number of seconds between descheduler runs
You can configure the maximum amount of time between descheduler runs in seconds. Value -
Known CRDs which are provided by backup solutions
A regular expression that lists all CRDs that are known to be part of a backup solution. Value -
Namespaces exempt of Daemonset Resource Limit
Namespaces regular expression explicitly allowed through daemonset resource filters, e.g. setting value to "namespace1|namespace2" will exempt namespace "namespace1" and "namespace2" for daemonset ...Value -
Namespaces exempt of Deployment Resource Limit
Namespaces regular expression explicitly allowed through deployment resource filters, e.g. setting value to "namespace1|namespace2" will exempt namespace "namespace1" and "namespace2" for deploymen...Value -
Namespaces exempt of Resource Requests Quota per Project checks
Namespaces regular expression explicitly allowed through deployment resource filters, e.g. setting value to "namespace1|namespace2" will exempt namespace "namespace1" and "namespace2" for deploymen...Value