
Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Each Namespace should only host one application

    Use namespaces to isolate your Kubernetes objects.
    Rule Medium Severity
  • Create Network Boundaries between Functional Different Nodes

    Use different Networks for Control Plane, Worker and Individual Application Services.
    Rule Medium Severity
  • Create Boundaries between Resources using Nodes or Clusters

    Use Nodes or Clusters to isolate Workloads with high protection requirements. Run the following command and review the pods and how they are deployed on Nodes: $ oc get pod -o=custom-columns=...
    Rule Medium Severity
  • Ensure that the LifecycleAndUtilization Profile for the Kube Descheduler Operator is Enabled

    If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly. No pod should run for more than 24 hours. The availability ...
    Rule Medium Severity
  • Ensure that the Kube Descheduler operator is deployed

    If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly. No pod should run for more than 24 hours. The availability ...
    Rule Medium Severity
