Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Configure Kubernetes API Server Maximum Audit Log Size
To rotate audit logs upon reaching a maximum size, edit the <code>openshift-kube-apiserver</code> configmap and set the <code>audit-log-maxsize</code> parameter to an appropriate size in MB. For ex...Rule Medium Severity -
Configure the Audit Log Path
To enable auditing on the Kubernetes API Server, the audit log path must be set. Edit the <code>openshift-kube-apiserver</code> configmap and set the <code>audit-log-path</code> to a suitable path ...Rule High Severity -
The authorization-mode cannot be AlwaysAllow
Do not always authorize all requests.Rule Medium Severity -
Ensure authorization-mode Node is configured
Restrict kubelet nodes to reading only objects associated with them.Rule Medium Severity -
Ensure authorization-mode RBAC is configured
To ensure OpenShift restricts different identities to a defined set of operations they are allowed to perform, check that the API server's <code>authorization-mode</code> configuration option list ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Capacity
Modules