Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4
Rules, Groups, and Values defined within the XCCDF Benchmark
-
OpenShift Kube APIServer TLS cert
OpenShift Kube APIServer TLS certValue -
OpenShift Kube APIServer TLS private key
OpenShift Kube APIServer TLS private keyValue -
OpenShift Kube APIServer kubelet certificate authority
OpenShift Kube APIServer kubelet certificate authorityValue -
OpenShift Kube APIServer kubelet client cert
OpenShift Kube APIServer kubelet client certValue -
Root of files obtained from OCP nodes
When scanning OpenShift clusters, some settings are not exposed as files. In the case that they are exported from the cluster (typically as yaml files), this variable determines the directory where...Value -
OpenShift Kube APIServer kubelet client key
OpenShift Kube APIServer kubelet client keyValue -
Kubernetes Settings
Each section of this configuration guide includes information about the configuration of a Kubernetes cluster and a set of recommendations for hardening the configuration. For each hardening recomm...Group -
HyperShift Cluster Name
When this parameter is set, we will assume the cluster is a HyperShift cluster, and we will fetch the OCP version api resource for HyperShift clusterValue -
HyperShift Cluster Namespace Prefix
The prefix to use for HyperShift Hosted Clusters Namespace. This value will be used when a non-default namespace naming scheme is used. The default scheme is `clusters-(cluster-name)`.Value -
OCP version api path
When scanning OpenShift clusters, not all type of cluster has same api resource path for ocp version, ex. HyperShift OCP version api resource path is different than a regular OpenShift Cluster. Thi...Value -
OCP version yaml path
When scanning OpenShift clusters, not all type of cluster has same api resource path for ocp version, ex. HyperShift OCP version api resource path is different than a regular OpenShift Cluster. Thi...Value -
System and Software Integrity
System and software integrity can be gained by installing antivirus, increasing system encryption strength with FIPS, verifying installed software, enabling SELinux, installing an Intrusion Prevent...Group -
Ensure that Cluster Version Operator is deployed
Integrity of the OpenShift platform is handled to start by the cluster version operator. Cluster Version Operator will by default GPG verify the integrity of the release image before applying it. ...Rule Medium Severity -
Ensure that Cluster Version Operator verifies integrity
Integrity of the OpenShift platform is handled to start by the cluster version operator. Cluster Version Operator will by default GPG verify the integrity of the release image before applying it. ...Rule Medium Severity -
Ensure that File Integrity Operator is scanning the cluster
<a href="https://docs.openshift.com/container-platform/4.7/security/file_integrity_operator/file-integrity-operator-understanding.html">The File Integrity Operator</a> continually runs file integri...Rule Medium Severity -
System Cryptographic Policies
OpenShift has the capability to centrally configure cryptographic polices.Group -
Ensure that the MachineSets provisioned by Azure have disk encryption enabled
OpenShift has an option to provide the Disk Encryption Set [1] when deploying nodes on Azure. This enabled disk encryption and ensures that the OpenShift nodes have that enabled. [1] https://docs....Rule High Severity -
Ensure that EBS volumes use by cluster nodes are encrypted
OpenShift MachineSets can be configured to enable EBS encryption on EBS storage used by cluster nodes. By using EBS encryption, disk contents are encrypted using a AWS KMS key.Rule High Severity -
Ensure that FIPS mode is enabled on all cluster nodes
OpenShift has an installation-time flag that can enable FIPS mode for the cluster. The flagfips: true
must be enabled at install time in theinstall-config.yaml
file.Rule High Severity -
Ensure that the MachineSets provisioned by GCP have disk encryption enabled
OpenShift has an option to provide the Disk Encryption Set [1] when deploying nodes on GCP. This enabled disk encryption and ensures that the OpenShift nodes have that enabled. [1] https://docs.op...Rule High Severity -
Ensure that LUKS is configured on worker nodes
OpenShift has an installation-time flag that can enable LUKS (TPM2 or TANG) full disk encryption at installation. The object <pre>luks</pre> must be present at install time in the <pre>machineconfi...Rule High Severity -
Ensure that full disk encryption is configured on cluster nodes
When full disk encryption is chosen as a way to protect card data at rest, OpenShift can provide several solutions depending on the hosting environment. While LUKS (with TPM2 or Tang) can be used ...Rule High Severity -
Ensure that EBS volumes declared in storageclasses are encrypted
OpenShift StorageClasses can be configured to enable EBS encryption on EBS volumes that are used later as persistent volumes. By using EBS encryption, disk contents are encrypted using an AWS KMS key.Rule High Severity -
Kubernetes - Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. The same idea applies to...Group -
Restrict Automounting of Service Account Tokens
Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server. To ensure pods do not automatically mount tok...Rule Medium Severity -
OpenShift Kube API Server
This section contains recommendations for kube-apiserver configuration.Group -
API Server Request Timeout
Enter API Server Request TimeoutValue -
Bind Address of secure API endpoint
Bind Address of secure API endpointValue -
OpenShift Kube APIServer client CA
OpenShift Kube APIServer client CAValue -
OpenShift Kube APIServer etcd CA
OpenShift Kube APIServer etcd CAValue -
Disable the AlwaysAdmit Admission Control Plugin
To ensure OpenShift only responses to requests explicitly allowed by the admission control plugin. Check that theconfigConfigMap object does not contain the AlwaysAdmit plugin.Rule Medium Severity -
Ensure that the Admission Control Plugin AlwaysPullImages is not set
TheAlwaysPullImagesadmission control plugin should be disabled, since it can introduce new failure modes for control plane components if an image registry is unreachable.Rule High Severity -
Enable the NamespaceLifecycle Admission Control Plugin
OpenShift enables theNamespaceLifecycleplugin by default.Rule Medium Severity -
Enable the SecurityContextConstraint Admission Control Plugin
To ensure pod permissions are managed, make sure that theSecurityContextConstraintadmission control plugin is used.Rule Medium Severity -
Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
Instead of using a customized SecurityContext for pods, a Pod Security Policy (PSP) or a SecurityContextConstraint should be used. These are cluster-level resources that control the actions that a ...Rule Medium Severity -
Ensure catch-all FlowSchema object for API Priority and Fairness Exists
Using <code>APIPriorityAndFairness</code> feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known FlowSchema <code>catch-a...Rule Medium Severity -
Enable the APIPriorityAndFairness feature gate
To limit the rate at which the API Server accepts requests, make sure that the API Priority and Fairness feature is enabled. Using <code>APIPriorityAndFairness</code> feature provides a fine-graine...Rule Medium Severity -
Ensure catch-all FlowSchema object for API Priority and Fairness Exists (v1alpha1)
Using <code>APIPriorityAndFairness</code> feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known FlowSchema <code>catch-a...Rule Medium Severity -
Ensure catch-all FlowSchema object for API Priority and Fairness Exists
Using <code>APIPriorityAndFairness</code> feature provides a fine-grained way to control the behaviour of the Kubernetes API server in an overload situation. The well-known FlowSchema <code>catch-a...Rule Medium Severity -
Configure the Kubernetes API Server Maximum Retained Audit Logs
To configure how many rotations of audit logs are retained, edit the <code>openshift-kube-apiserver</code> configmap and set the <code>audit-log-maxbackup</code> parameter to <code>10</code> or to ...Rule Low Severity -
Configure Kubernetes API Server Maximum Audit Log Size
To rotate audit logs upon reaching a maximum size, edit the <code>openshift-kube-apiserver</code> configmap and set the <code>audit-log-maxsize</code> parameter to an appropriate size in MB. For ex...Rule Medium Severity -
Configure the Audit Log Path
To enable auditing on the Kubernetes API Server, the audit log path must be set. Edit the <code>openshift-kube-apiserver</code> configmap and set the <code>audit-log-path</code> to a suitable path ...Rule High Severity -
The authorization-mode cannot be AlwaysAllow
Do not always authorize all requests.Rule Medium Severity -
Ensure authorization-mode Node is configured
Restrict kubelet nodes to reading only objects associated with them.Rule Medium Severity -
Ensure authorization-mode RBAC is configured
To ensure OpenShift restricts different identities to a defined set of operations they are allowed to perform, check that the API server's <code>authorization-mode</code> configuration option list ...Rule Medium Severity -
Disable basic-auth-file for the API Server
Basic Authentication should not be used for any reason. If needed, edit API Edit the <code>openshift-kube-apiserver</code> configmap and remove the <code>basic-auth-file</code> parameter: <pre> "ap...Rule Medium Severity -
Ensure that the bindAddress is set to a relevant secure port
The bindAddress is set by default to0.0.0.0:6443, and listening with TLS enabled.Rule Low Severity -
Ensure the openshift-oauth-apiserver service uses TLS
By default, the OpenShift API Server uses TLS. HTTPS should be used for connections between openshift-apiserver and kube-apiserver. By default, the OpenShift OAuth API Server uses Intermediate prof...Rule Medium Severity -
Configure the etcd Certificate Authority for the API Server
To ensure etcd is configured to make use of TLS encryption for client connections, follow the OpenShift documentation and setup the TLS connection between the API Server and etcd. Then, verify that...Rule Medium Severity -
Configure the etcd Certificate for the API Server
To ensure etcd is configured to make use of TLS encryption for client communications, follow the OpenShift documentation and setup the TLS connection between the API Server and etcd. Then, verify t...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.