Skip to content
ATO Pathways
  Log In

Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4

Rules, Groups, and Values defined within the XCCDF Benchmark

  • OpenShift Kube APIServer TLS cert

    OpenShift Kube APIServer TLS cert
    Value
    Show

  • OpenShift Kube APIServer TLS private key

    OpenShift Kube APIServer TLS private key
    Value
    Show

  • OpenShift Kube APIServer kubelet certificate authority

    OpenShift Kube APIServer kubelet certificate authority
    Value
    Show

  • OpenShift Kube APIServer kubelet client cert

    OpenShift Kube APIServer kubelet client cert
    Value
    Show

  • Root of files obtained from OCP nodes

    When scanning OpenShift clusters, some settings are not exposed as files. In the case that they are exported from the cluster (typically as yaml fi...
    Value
    Show

  • OpenShift Kube APIServer kubelet client key

    OpenShift Kube APIServer kubelet client key
    Value
    Show

  • Introduction

    The purpose of this guidance is to provide security configuration recommendations and baselines for Red Hat OpenShift Container Platform 4. The gui...
    Group
    Show

  • General Principles

    The following general principles motivate much of the advice in this guide and should also influence any configuration decisions that are not expli...
    Group
    Show

  • Encrypt Transmitted Data Whenever Possible

    Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such ...
    Group
    Show

  • Least Privilege

    Grant the least privilege necessary for user accounts and software to perform tasks. For example, <code>sudo</code> can be implemented to limit aut...
    Group
    Show

  • Run Different Network Services on Separate Systems

    Whenever possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compro...
    Group
    Show

  • Configure Security Tools to Improve System Robustness

    Several tools exist which can be effectively used to improve a system's resistance to and detection of unknown attacks. These tools can improve rob...
    Group
    Show

  • How to Use This Guide

    Readers should heed the following points when using the guide.
    Group
    Show

  • Formatting Conventions

    Commands intended for shell execution, as well as configuration file text, are featured in a <code>monospace font</code>. <i>Italics</i> are used t...
    Group
    Show

  • Read Sections Completely and in Order

    Each section may build on information and recommendations discussed in prior sections. Each section should be read and understood completely; instr...
    Group
    Show

  • Reboot Required

    A system or service reboot is implicitly required after some actions in order to complete the reconfiguration of the system. In many cases, the cha...
    Group
    Show

  • Root Shell Environment Assumed

    Most of the actions listed in this document are written with the assumption that they will be executed by the root user running the <code>/bin/bash...
    Group
    Show

  • Test in Non-Production Environment

    This guidance should always be tested in a non-production environment before deployment. This test environment should simulate the setup in which t...
    Group
    Show

  • Kubernetes Settings

    Each section of this configuration guide includes information about the configuration of a Kubernetes cluster and a set of recommendations for hard...
    Group
    Show

  • HyperShift Cluster Name

    When this parameter is set, we will assume the cluster is a HyperShift cluster, and we will fetch the OCP version api resource for HyperShift cluster
    Value
    Show

  • HyperShift Cluster Namespace Prefix

    The prefix to use for HyperShift Hosted Clusters Namespace. This value will be used when a non-default namespace naming scheme is used. The default...
    Value
    Show

  • OpenShift APIServer etcd encryption filter

    OpenShift APIServer etcd encryption config check jq filter
    Value
    Show

  • OCP version api path

    When scanning OpenShift clusters, not all type of cluster has same api resource path for ocp version, ex. HyperShift OCP version api resource path ...
    Value
    Show

  • OCP version yaml path

    When scanning OpenShift clusters, not all type of cluster has same api resource path for ocp version, ex. HyperShift OCP version api resource path ...
    Value
    Show

  • System and Software Integrity

    System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software,...
    Group
    Show

  • Ensure that Cluster Version Operator is deployed

    Integrity of the OpenShift platform is handled to start by the cluster version operator. Cluster Version Operator will by default GPG verify the in...
    Rule Medium Severity
    Show

  • Ensure that Cluster Version Operator verifies integrity

    Integrity of the OpenShift platform is handled to start by the cluster version operator. Cluster Version Operator will by default GPG verify the in...
    Rule Medium Severity
    Show

  • Ensure that File Integrity Operator is scanning the cluster

    <a href="https://docs.openshift.com/container-platform/4.7/security/file_integrity_operator/file-integrity-operator-understanding.html">The File In...
    Rule Medium Severity
    Show

  • Ensure the Container Runtime rejects unsigned images by default

    <p> The OpenShift Platform allows for verifying the signature of a container image before pulling it. this is done via the policy.js...
    Rule Medium Severity
    Show

  • System Cryptographic Policies

    OpenShift has the capability to centrally configure cryptographic polices.
    Group
    Show

  • Ensure that the MachineSets provisioned by Azure have disk encryption enabled

    OpenShift has an option to provide the Disk Encryption Set [1] when deploying nodes on Azure. This enabled disk encryption and ensures that the Ope...
    Rule High Severity
    Show

  • Ensure that EBS volumes use by cluster nodes are encrypted

    OpenShift MachineSets can be configured to enable EBS encryption on EBS storage used by cluster nodes. By using EBS encryption, disk contents are ...
    Rule High Severity
    Show

  • OpenShift APIServer etcd encryption path

    OpenShift APIServer etcd encryption config check api path
    Value
    Show

  • Ensure that FIPS mode is enabled on all cluster nodes

    OpenShift has an installation-time flag that can enable FIPS mode for the cluster. The flag <pre>fips: true</pre> must be enabled at install time i...
    Rule High Severity
    Show

  • Ensure that the MachineSets provisioned by GCP have disk encryption enabled

    OpenShift has an option to provide the Disk Encryption Set [1] when deploying nodes on GCP. This enabled disk encryption and ensures that the OpenS...
    Rule High Severity
    Show

  • Ensure that LUKS is configured on worker nodes

    OpenShift has an installation-time flag that can enable LUKS (TPM2 or TANG) full disk encryption at installation. The object <pre>luks</pre> must b...
    Rule High Severity
    Show

  • Ensure that full disk encryption is configured on cluster nodes

    When full disk encryption is chosen as a way to protect card data at rest, OpenShift can provide several solutions depending on the hosting environ...
    Rule High Severity
    Show

  • Ensure that EBS volumes declared in storageclasses are encrypted

    OpenShift StorageClasses can be configured to enable EBS encryption on EBS volumes that are used later as persistent volumes. By using EBS encrypti...
    Rule High Severity
    Show

  • Kubernetes - Account and Access Control

    In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which...
    Group
    Show

  • Restrict Automounting of Service Account Tokens

    Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API ser...
    Rule Medium Severity
    Show

  • Ensure Usage of Unique Service Accounts

    Using the <code>default</code> service account prevents accurate application rights review and audit tracing. Instead of <code>default</code>, crea...
    Rule Medium Severity
    Show

  • OpenShift Kube API Server

    This section contains recommendations for kube-apiserver configuration.
    Group
    Show

  • API Server Request Timeout

    Enter API Server Request Timeout
    Value
    Show

  • API Server audit log max size

    API Server audit log max size
    Value
    Show

  • Bind Address of secure API endpoint

    Bind Address of secure API endpoint
    Value
    Show

  • OpenShift Kube APIServer client CA

    OpenShift Kube APIServer client CA
    Value
    Show

  • OpenShift Kube APIServer etcd CA

    OpenShift Kube APIServer etcd CA
    Value
    Show

  • OpenShift API Server config name

    OpenShift API Server config name
    Value
    Show

  • OpenShift APIServer etcd encryption filter

    OpenShift APIServer etcd encryption config check jq filter
    Value
    Show

  • OpenShift APIServer namespace

    OpenShift APIServer namespace
    Value
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules