Ensure that the default Ingress CA (wildcard issuer) has been replaced

An XCCDF Rule

Description

Check that the default Ingress CA has been replaced.

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/config.openshift.io/v1/proxies/cluster API endpoint to the local /apis/config.openshift.io/v1/proxies/cluster file.

Rationale

OpenShift auto-generates several PKIs to serve TLS on different endpoints of the system. It is possible and necessary to configure a custom PKI which allows external clients to trust the endpoints. The Ingress Operator is the component responsible for enabling external access to OpenShift Container Platform cluster services. The aforementioned operator creates an internal CA and issues a wildcard certificate that is valid for applications under the .apps sub-domain. Both the web console and CLI use this certificate as well. The certificate and key would need to be replaced since a certificate coming from a trusted provider is needed. https://docs.openshift.com/container-platform/latest/security/certificates/replacing-default-ingress-certificate.html

ID: xccdf_org.ssgproject.content_rule_default_ingress_ca_replaced
Severity: Medium
References: CIP-007-3 R5.1

SC-17
Updated: about 1 year ago