Skip to content
Log In

Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

Rules, Groups, and Values defined within the XCCDF Benchmark

  • OpenShift Kube APIServer TLS cert

    OpenShift Kube APIServer TLS cert
    Value
    Show

  • OpenShift Kube APIServer TLS private key

    OpenShift Kube APIServer TLS private key
    Value
    Show

  • OpenShift Kube APIServer kubelet certificate authority

    OpenShift Kube APIServer kubelet certificate authority
    Value
    Show

  • OpenShift Kube APIServer kubelet client cert

    OpenShift Kube APIServer kubelet client cert
    Value
    Show

  • Root of files obtained from OCP nodes

    When scanning OpenShift clusters, some settings are not exposed as files. In the case that they are exported from the cluster (typically as yaml files), this variable determines the directory where...
    Value
    Show

  • OpenShift Kube APIServer kubelet client key

    OpenShift Kube APIServer kubelet client key
    Value
    Show

  • Kubernetes Settings

    Each section of this configuration guide includes information about the configuration of a Kubernetes cluster and a set of recommendations for hardening the configuration. For each hardening recomm...
    Group
    Show

  • HyperShift Cluster Name

    When this parameter is set, we will assume the cluster is a HyperShift cluster, and we will fetch the OCP version api resource for HyperShift cluster
    Value
    Show

  • HyperShift Cluster Namespace Prefix

    The prefix to use for HyperShift Hosted Clusters Namespace. This value will be used when a non-default namespace naming scheme is used. The default scheme is `clusters-(cluster-name)`.
    Value
    Show

  • OCP version api path

    When scanning OpenShift clusters, not all type of cluster has same api resource path for ocp version, ex. HyperShift OCP version api resource path is different than a regular OpenShift Cluster. Thi...
    Value
    Show

  • OCP version yaml path

    When scanning OpenShift clusters, not all type of cluster has same api resource path for ocp version, ex. HyperShift OCP version api resource path is different than a regular OpenShift Cluster. Thi...
    Value
    Show

  • System and Software Integrity

    System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevent...
    Group
    Show

  • Ensure that Cluster Version Operator is deployed

    Integrity of the OpenShift platform is handled to start by the cluster version operator. Cluster Version Operator will by default GPG verify the integrity of the release image before applying it. ...
    Rule Medium Severity
    Show

  • Ensure that Cluster Version Operator verifies integrity

    Integrity of the OpenShift platform is handled to start by the cluster version operator. Cluster Version Operator will by default GPG verify the integrity of the release image before applying it. ...
    Rule Medium Severity
    Show

  • Ensure that File Integrity Operator is scanning the cluster

    <a href="https://docs.openshift.com/container-platform/4.7/security/file_integrity_operator/file-integrity-operator-understanding.html">The File Integrity Operator</a> continually runs file integri...
    Rule Medium Severity
    Show

  • System Cryptographic Policies

    OpenShift has the capability to centrally configure cryptographic polices.
    Group
    Show

  • Ensure that the MachineSets provisioned by Azure have disk encryption enabled

    OpenShift has an option to provide the Disk Encryption Set [1] when deploying nodes on Azure. This enabled disk encryption and ensures that the OpenShift nodes have that enabled. [1] https://docs....
    Rule High Severity
    Show

  • Ensure that EBS volumes use by cluster nodes are encrypted

    OpenShift MachineSets can be configured to enable EBS encryption on EBS storage used by cluster nodes. By using EBS encryption, disk contents are encrypted using a AWS KMS key.
    Rule High Severity
    Show

  • Ensure that FIPS mode is enabled on all cluster nodes

    OpenShift has an installation-time flag that can enable FIPS mode for the cluster. The flag 
    fips: true
    must be enabled at install time in the 
    install-config.yaml
    file.
    Rule High Severity
    Show

  • Ensure that the MachineSets provisioned by GCP have disk encryption enabled

    OpenShift has an option to provide the Disk Encryption Set [1] when deploying nodes on GCP. This enabled disk encryption and ensures that the OpenShift nodes have that enabled. [1] https://docs.op...
    Rule High Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules