
Ensure that all OpenShift Routes prefer TLS

An XCCDF Rule

Description

OpenShift Container Platform provides methods for communicating from outside the cluster with services running in the cluster. TLS must be used to protect these communications. OpenShift Routes provide the ability to configure the needed TLS settings, including the requirement that any request coming from outside must use TLS. To verify this, ensure that every Route in the cluster that has TLS configured uses an insecure-edge policy of None or Redirect, so that a secure endpoint is always used; a policy of Allow permits plain HTTP alongside HTTPS and is the non-compliant setting. This policy is set in a Route's .spec.tls.insecureEdgeTerminationPolicy field.

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:
  • /apis/route.openshift.io/v1/routes API endpoint, filter it with the jq utility using the following filter [.items[] | select(.spec.tls.insecureEdgeTerminationPolicy != null) | select(.spec.tls.insecureEdgeTerminationPolicy | test("^(^$|None|Redirect)$"; "") | not) | .metadata.name] and persist the result to the local /apis/route.openshift.io/v1/routes#7e8388627b1179db3e5e6aa75ac4f55c09c2a68f1f3e8888e0e96bb139a21b61 file. Note that the filter only selects Routes whose .spec.tls.insecureEdgeTerminationPolicy is present and set to a value other than empty, None or Redirect (in practice, Allow); a Route with no .spec.tls block at all has a null policy and is not reported by this filter.
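The check above, reimplemented in Python over a constructed RouteList so it can be run offline. This is an added example, not code from the ComplianceAsCode project or from OpenShift: the sample Route objects (names, namespaces, hosts) are made up for illustration, and the routes_without_tls function goes beyond the rule's own jq filter by also listing Routes that have no TLS block at all, which the filter deliberately leaves out because their policy is null.

```python
import json
import re

# Constructed sample of what GET /apis/route.openshift.io/v1/routes returns,
# trimmed to the fields the check reads. All names/hosts here are made up.
SAMPLE_ROUTE_LIST = json.loads("""
{
  "kind": "RouteList",
  "apiVersion": "route.openshift.io/v1",
  "items": [
    {"metadata": {"name": "web-allow", "namespace": "shop"},
     "spec": {"host": "web.apps.example.com", "to": {"kind": "Service", "name": "web"},
              "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Allow"}}},
    {"metadata": {"name": "web-redirect", "namespace": "shop"},
     "spec": {"host": "web-r.apps.example.com", "to": {"kind": "Service", "name": "web"},
              "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Redirect"}}},
    {"metadata": {"name": "api-none", "namespace": "shop"},
     "spec": {"host": "api.apps.example.com", "to": {"kind": "Service", "name": "api"},
              "tls": {"termination": "passthrough", "insecureEdgeTerminationPolicy": "None"}}},
    {"metadata": {"name": "api-unset", "namespace": "shop"},
     "spec": {"host": "api2.apps.example.com", "to": {"kind": "Service", "name": "api"},
              "tls": {"termination": "reencrypt"}}},
    {"metadata": {"name": "legacy-plain", "namespace": "legacy"},
     "spec": {"host": "old.apps.example.com", "to": {"kind": "Service", "name": "old"}}}
  ]
}
""")

# Same pattern as the rule's jq filter: "", "None" and "Redirect" are accepted.
ACCEPTED_POLICY = re.compile(r"^(^$|None|Redirect)$")


def insecure_policy(route):
    """Return .spec.tls.insecureEdgeTerminationPolicy, or None when absent (jq null)."""
    spec = route.get("spec") or {}
    tls = spec.get("tls") or {}
    return tls.get("insecureEdgeTerminationPolicy")


def noncompliant_routes(route_list):
    """Python equivalent of the jq filter in the warning above.

    Returns the names of Routes whose policy is present and is not empty,
    None or Redirect (in practice: Allow). An empty list means the rule passes.
    """
    names = []
    for route in route_list.get("items", []):
        policy = insecure_policy(route)
        if policy is None:                  # jq: select(... != null)
            continue
        if ACCEPTED_POLICY.search(policy):  # jq: test("^(^$|None|Redirect)$")
            continue
        names.append(route["metadata"]["name"])
    return names


def routes_without_tls(route_list):
    """Added check, NOT part of the rule: Routes with no .spec.tls block serve
    plain HTTP only, yet are invisible to the filter above (null policy)."""
    return [r["metadata"]["name"] for r in route_list.get("items", [])
            if not (r.get("spec") or {}).get("tls")]


def rule_passes(route_list):
    """True when the rule's own check finds nothing to report."""
    return not noncompliant_routes(route_list)


def merge_patch_for(policy="Redirect"):
    """Body of the strategic/merge patch that remediates a flagged Route, i.e. what
    `oc patch route/<name> -n <ns> --type merge -p '<this JSON>'` would send."""
    if policy not in ("None", "Redirect"):
        raise ValueError("remediation policy must be None or Redirect")
    return {"spec": {"tls": {"insecureEdgeTerminationPolicy": policy}}}


if __name__ == "__main__":
    print("non-compliant (policy set, not None/Redirect):", noncompliant_routes(SAMPLE_ROUTE_LIST))
    print("no TLS at all (outside this rule's filter):", routes_without_tls(SAMPLE_ROUTE_LIST))
    print("rule passes:", rule_passes(SAMPLE_ROUTE_LIST))
    print("remediation patch:", json.dumps(merge_patch_for()))
```

Against a live cluster, the same input can be obtained with `oc get --raw /apis/route.openshift.io/v1/routes` and fed to noncompliant_routes after json.loads; for the sample above only web-allow is reported, while legacy-plain shows up only in the added routes_without_tls list.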

Rationale

Carrying traffic to or from outside the cluster's network in cleartext may leak sensitive information.

ID
xccdf_org.ssgproject.content_rule_routes_protected_by_tls
Severity
Medium
References
Updated