
Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Namespaces exempt from Statefulset Resource Limit

    Regular expression of namespaces explicitly allowed through the statefulset resource filters; e.g. setting the value to "namespace1|namespace2" will exempt the namespaces "namespace1" and "namespace2" for stateful...
    Value
  • Ensure that Advanced Cluster Security (ACS) Sensor is deployed

    Red Hat Advanced Cluster Security (ACS) for Kubernetes provides comprehensive security for containerized environments. It offers deep visibility into deployed resources across Kubernetes clusters, ...
    Rule Medium Severity
  • Ensure that an OpenShift OAuth login template or a classification banner is set

    A legal notice must be configured. This is achievable via the OAuth object by creating a custom login page, storing it in a Kubernetes Secret and referencing it in the appropriate field as ...
    Rule Medium Severity
  • A Backup Solution Has To Be Installed

    Backup and restore are fundamental practices when it comes to disaster recovery. By using backup software you are able to back up (and restore) data that would otherwise be lost if your cluster crashes bey...
    Rule Medium Severity
  • Manage Image Provenance Using ImagePolicyWebhook

    OpenShift administrators can control which images can be imported, tagged, and run in a cluster. There are two facilities for this purpose: (1) Allowed Registries, allowing administrators to restri...
    Rule Medium Severity
  • Each Namespace should only host one application

    Use namespaces to isolate your Kubernetes objects.
    Rule Medium Severity
  • Create Network Boundaries between Functionally Different Nodes

    Use different networks for the control plane, workers and individual application services.
    Rule Medium Severity
  • Create Boundaries between Resources using Nodes or Clusters

    Use nodes or clusters to isolate workloads with high protection requirements. Run the following command and review the pods and how they are deployed on nodes: $ oc get pod -o=custom-columns=...
    Rule Medium Severity
  • Ensure that the LifecycleAndUtilization Profile for the Kube Descheduler Operator is Enabled

    If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly. No pod should run for more than 24 hours. The availability ...
    Rule Medium Severity
  • Ensure that the Kube Descheduler operator is deployed

    If there is an increased risk of external influences and a very high need for protection, pods should be stopped and restarted regularly. No pod should run for more than 24 hours. The availability ...
    Rule Medium Severity
  • Ensure that all workloads have liveness and readiness probes

    Configuring Kubernetes liveness and readiness probes is essential for ensuring the security and reliability of a system. These probes actively monitor container health and readiness, facilitating a...
    Rule Medium Severity
  • Ensure that the OpenShift OAuth logout URL is set

    The user can be redirected to a configured URL upon logout. This is achievable via the OAuth object by setting the logoutRedirect attribute. Refer to https://docs.openshi...
    Rule Medium Severity
  • Ensure that the OpenShift MOTD is set

    To configure OpenShift's MOTD, create a ConfigMap called motd in the openshift namespace. The object should look as follows: --- apiVersion: v1 kind: Config...
    Rule Medium Severity
  • Ensure workloads use resource requests and limits

    There are two ways to enable resource requests and limits. To create either: A multi-project quota, defined by a ClusterResourceQuota object, allows quotas to be shared across multiple projects. ...
    Rule Medium Severity
  • Ensure workloads use cluster resource requests and limits

    There are two ways to enable resource requests and limits. To create either: A multi-project quota, defined by a ClusterResourceQuota object, allows quotas to be shared across multiple projects. ...
    Rule Medium Severity
  • Ensure TLS v1.2 is minimum for OpenShift master and worker nodes

    Ensure that the Kubelet is configured to only use strong cryptographic ciphers. To set the cipher suites for the kubelet, create a new or modify an existing KubeletConfig object along these...
    Rule Medium Severity
  • Disable Anonymous Authentication to the Kubelet

    By default, anonymous access to the Kubelet server is enabled. This configuration check ensures that anonymous requests to the Kubelet server are disabled. Edit the Kubelet server configuration fil...
    Rule Medium Severity
  • Kubelet - Ensure Event Creation Is Configured

    Security relevant information should be captured. The eventRecordQPS Kubelet option can be used to limit the rate at which events are gathered. Setting this too low could result in relevant events ...
    Rule Medium Severity
  • Ensure That The kubelet Server Key Is Correctly Set

    To ensure the kubelet TLS private server key certificate is configured, edit the kubelet configuration file /etc/kubernetes/kubelet.conf and configure the kubelet private key file. ...
    Rule Medium Severity
  • kubelet - Disable the Read-Only Port

    To disable the read-only port, edit the openshift-kube-apiserver configmap and set the kubelet-read-only-port parameter to 0: "apiServ...
    Rule Medium Severity
  • kubelet - Allow Automatic Firewall Configuration

    The kubelet has the ability to automatically configure the firewall to allow the containers' required ports and connections to networking resources and destinations, potentially creating a...
    Rule Medium Severity
  • kubelet - Enable Protect Kernel Defaults

    Protect tuned kernel parameters from being overwritten by the kubelet. Before enabling this kernel parameter, it's important and necessary to first create ...
    Rule Medium Severity
  • kubelet - Set Up Sysctl to Enable Protect Kernel Defaults

    Set up the required tuned kernel parameters before enabling overwrite protection. Note that depending on the Linux distribution and its version that your cluster nodes are running, ...
    Rule Medium Severity
  • kubelet - Enable Server Certificate Rotation

    To enable the kubelet to rotate server certificates, edit the kubelet configuration file /etc/kubernetes/kubelet.conf on the kubelet node(s) and set the below parameter: serverTL...
    Rule Medium Severity
  • kubelet - Do Not Disable Streaming Timeouts

    Timeouts for streaming connections should not be disabled, as they help to prevent denial-of-service attacks. To configure streaming connection timeouts, set the streamingConnectionIdleTimeou...
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available

    Two types of garbage collection are performed on an OpenShift Container Platform node: container garbage collection, which removes terminated ...
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree

    Two types of garbage collection are performed on an OpenShift Container Platform node: container garbage collection, which removes terminated ...
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionHard: memory.available

    Two types of garbage collection are performed on an OpenShift Container Platform node: container garbage collection, which removes terminated ...
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available

    Two types of garbage collection are performed on an OpenShift Container Platform node: container garbage collection, which removes terminated ...
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree

    Two types of garbage collection are performed on an OpenShift Container Platform node: container garbage collection, which removes terminated ...
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available

    Two types of garbage collection are performed on an OpenShift Container Platform node: container garbage collection, which removes terminated ...
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree

    Two types of garbage collection are performed on an OpenShift Container Platform node: container garbage collection, which removes terminated ...
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available

    Two types of garbage collection are performed on an OpenShift Container Platform node: container garbage collection, which removes terminated ...
    Rule Medium Severity
  • Verify User Who Owns The Etcd PKI Certificate Files

    To properly set the owner of /etc/kubernetes/static-pod-resources/*/*/*/*.crt, run the command:
    $ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.crt 
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available

    Two types of garbage collection are performed on an OpenShift Container Platform node: container garbage collection, which removes terminated ...
    Rule Medium Severity
  • Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree

    Two types of garbage collection are performed on an OpenShift Container Platform node: container garbage collection, which removes terminated ...
    Rule Medium Severity
  • Ensure that Audit Log Errors Emit Alerts

    OpenShift audit works at the API server level, logging all requests coming to the server. However, if an API server instance is unable to write errors, an alert must be issued in order for the org...
    Rule High Severity
  • Ensure that API server audit logging is enabled

    OpenShift has the ability to audit API server requests. Audit provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individua...
    Rule Medium Severity
  • Ensure that the cluster's audit profile is properly set

    OpenShift can audit the details of requests made to the API server through the standard Kubernetes audit capabilities. In OpenShift, auditing of the API S...
    Rule Medium Severity
  • Ensure /var/log/kube-apiserver Located On Separate Partition

    Kubernetes API server audit logs are stored in the /var/log/kube-apiserver directory. Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterwards. For documen...
    Rule Medium Severity
  • Ensure /var/log/openshift-apiserver Located On Separate Partition

    OpenShift API server audit logs are stored in the /var/log/openshift-apiserver directory. Partitioning Red Hat CoreOS is a Day 1 operation and cannot be changed afterwards. For doc...
    Rule Medium Severity
  • Verify Group Who Owns The etcd Member Pod Specification File

    To properly set the group owner of /etc/kubernetes/manifests/etcd-pod.yaml, run the command:
    $ sudo chgrp root /etc/kubernetes/manifests/etcd-pod.yaml
    Rule Medium Severity
  • Verify Group Who Owns The Etcd PKI Certificate Files

    To properly set the group owner of /etc/kubernetes/static-pod-resources/*/*/*/*.crt, run the command:
    $ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.crt
    Rule Medium Severity
  • Verify Group Who Owns The OpenShift Admin Kubeconfig Files

    To properly set the group owner of /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig, run the command: $ sudo chgrp root /etc/kubern...
    Rule Medium Severity
  • Verify Group Who Owns The OpenShift SDN CNI Server Config

    To properly set the group owner of /var/run/openshift-sdn/cniserver/config.json, run the command:
    $ sudo chgrp root /var/run/openshift-sdn/cniserver/config.json
    Rule Medium Severity
  • Verify Group Who Owns The Open vSwitch Persistent System ID

    To properly set the group owner of /etc/openvswitch/system-id.conf, run the command:
    $ sudo chgrp hugetlbfs /etc/openvswitch/system-id.conf
    Rule Medium Severity
  • Verify User Who Owns The Etcd Member Pod Specification File

    To properly set the owner of /etc/kubernetes/manifests/etcd-pod.yaml, run the command:
    $ sudo chown root /etc/kubernetes/manifests/etcd-pod.yaml 
    Rule Medium Severity
  • Verify Permissions on the OpenShift Admin Kubeconfig Files

    To properly set the permissions of /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig, run the command: $ sudo chmod 0600 /etc/kubern...
    Rule Medium Severity
  • Verify Permissions on the Open vSwitch Configuration Database Lock

    To properly set the permissions of /etc/openvswitch/.conf.db.~lock~, run the command:
    $ sudo chmod 0600 /etc/openvswitch/.conf.db.~lock~
    Rule Medium Severity
  • Verify Permissions on the Kubernetes Scheduler Pod Specification File

    To properly set the permissions of /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml, run the command: $ sudo chmod 0644 /etc/kubernetes/static-po...
    Rule Medium Severity
