An XCCDF Group - A logical subset of the XCCDF Benchmark
The OpenShift Platform can verify the signature of a container image when it is pulled. The verification rules live in the policy.json file [1], which on cluster nodes must be delivered and managed through the Machine Config Operator [2] rather than edited on the host.
Ensure that the default policy in /etc/containers/policy.json is "reject", so that any image whose transport and registry scope are not explicitly listed under "transports" is refused. The file should look as follows:
/etc/containers/policy.json
{ "default": [{"type": "reject"}], "transports": ... }
Note that a "reject" default with an empty "transports" section blocks every pull, including platform images; the "transports" section must therefore list each allowed registry scope with a "signedBy" requirement naming the public key that signatures are checked against.
[1] https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md
[2] https://docs.openshift.com/container-platform/latest/security/container_security/security-container-signature.html
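As an added example (not part of this rule text and not code from the ComplianceAsCode or OpenShift projects), the following Python script applies the check described above to a policy.json: it requires the top-level default to be exactly reject and, going beyond the rule text, also flags any registry scope that accepts unsigned images or carries a signedBy entry with no key material. Both embedded policies are constructed samples; the registry name, key path and the exemption for the local docker-daemon transport are assumptions.

```python
import json
import sys

# Constructed sample: a policy that passes the check. The registry name and
# key path are hypothetical.
COMPLIANT_POLICY = """
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "registry.example.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/example-release-key.pub"
        }
      ]
    },
    "docker-daemon": {
      "": [{"type": "insecureAcceptAnything"}]
    }
  }
}
"""

# Constructed sample: a permissive policy of the kind many hosts ship with;
# it fails the check because the default accepts anything.
PERMISSIVE_POLICY = """
{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {
    "docker-daemon": {
      "": [{"type": "insecureAcceptAnything"}]
    }
  }
}
"""

# Assumption: the docker-daemon transport only reads images already present
# on the local host, so it is left out of the per-scope checks.
LOCAL_ONLY_TRANSPORTS = {"docker-daemon"}

# Key fields a signedBy requirement may use (per containers-policy.json(5)).
SIGNEDBY_KEY_FIELDS = ("keyPath", "keyPaths", "keyData")


def check_policy(policy_text: str) -> list:
    """Return a list of findings for a policy.json body; empty means it passes."""
    findings = []
    policy = json.loads(policy_text)

    # 1. The default must be exactly one "reject" requirement.
    default = policy.get("default")
    if default != [{"type": "reject"}]:
        findings.append('default policy is %r, expected [{"type": "reject"}]' % (default,))

    # 2. Every registry scope must require a signature (or reject), and each
    #    signedBy entry must actually name a key to verify against.
    for transport, scopes in policy.get("transports", {}).items():
        if transport in LOCAL_ONLY_TRANSPORTS:
            continue
        for scope, requirements in scopes.items():
            for req in requirements:
                rtype = req.get("type")
                if rtype == "insecureAcceptAnything":
                    findings.append("%s:%r accepts unsigned images" % (transport, scope))
                elif rtype == "signedBy" and not any(k in req for k in SIGNEDBY_KEY_FIELDS):
                    findings.append("%s:%r signedBy entry has no key material" % (transport, scope))
    return findings


def check_policy_file(path: str = "/etc/containers/policy.json") -> list:
    """Run check_policy against a file on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_policy(fh.read())


if __name__ == "__main__":
    # Usage: python check_policy.py [path]; exit status 1 on any finding.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/containers/policy.json"
    problems = check_policy_file(target)
    for problem in problems:
        print("FAIL:", problem)
    print("PASS" if not problems else "%d finding(s)" % len(problems))
    sys.exit(1 if problems else 0)
```

On an OpenShift node the file is owned by a MachineConfig, so a finding should be fixed by updating that MachineConfig, not by editing the file in place, otherwise the next machine config rollout will overwrite the change.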