OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota.
An XCCDF Rule
Description
OpenShift allows administrators to define resource quotas on a per-namespace basis. This allows tailoring of the shared resources based on a project's needs. However, when a new project is created, unless a default project resource quota is configured, that project will not have any limits or quotas defined. This could allow someone to create a new project and then deploy services that exhaust or overuse the shared cluster resources. Thus, it is necessary to ensure that there is a default resource quota configured for all new projects. A Cluster Admin may increase resource quotas on a given project namespace if that project requires additional resources at any time.
- ID: SV-257554r961152_rule
- Version: CNTR-OS-000620
- Severity: Medium
Remediation Templates
A Manual Procedure
Configure a default resource quota to protect against resource overutilization by performing the following steps:
1. Create a bootstrap project template (if not already created) by executing the following:
oc adm create-bootstrap-project-template -o yaml > template.yaml
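What a default quota entry in the generated template.yaml can look like, as an added example that is not part of the STIG text. The object names and every quota value are assumptions to be replaced with organization-defined limits; the optional LimitRange is included because a quota on CPU and memory requests or limits causes pods that do not declare them to be rejected.

```yaml
# Fragment of template.yaml (added example, values are placeholders).
# Append these entries to the existing `objects:` list of the generated
# project-request Template; the generated entries stay unchanged.
objects:
# ... generated Project and RoleBinding entries ...
- apiVersion: v1
  kind: ResourceQuota
  metadata:
    name: default-project-quota        # hypothetical name
    namespace: ${PROJECT_NAME}         # template parameter, resolved per new project
  spec:
    hard:
      # Compute: caps the sum across all pods in the project
      requests.cpu: "2"
      requests.memory: 4Gi
      limits.cpu: "4"
      limits.memory: 8Gi
      # Object counts: bounds how much a single project can schedule or expose
      pods: "20"
      services.loadbalancers: "1"
      # Storage: caps claims and total requested capacity
      persistentvolumeclaims: "5"
      requests.storage: 50Gi
- apiVersion: v1
  kind: LimitRange                     # optional companion object
  metadata:
    name: default-project-limits       # hypothetical name
    namespace: ${PROJECT_NAME}
  spec:
    limits:
    - type: Container
      # Applied to containers that declare no limits/requests, so they are
      # admitted under the quota above instead of being rejected
      default:
        cpu: 500m
        memory: 512Mi
      defaultRequest:
        cpu: 100m
        memory: 128Mi
```

The quota applies only to projects created after the template is in effect; existing namespaces keep whatever quotas they already have.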