
Ensure all admission control plugins are enabled

An XCCDF Rule

Description

To make sure no admission control plugin is explicitly disabled except PodSecurity, run the following command:

$ oc -n openshift-kube-apiserver get configmap config -o json | jq -r '[.data."config.yaml" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]'
and make sure the output is empty.
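The jq filter above accepts exactly two states: the disable-admission-plugins argument is absent, or it is exactly ["PodSecurity"]. The following Python is an added example, not part of the rule or of ComplianceAsCode; it reproduces that predicate over a ConfigMap dump (so it can run offline against the persisted file) and builds constructed ConfigMaps to show which values pass and which are flagged. The enable-admission-plugins contents and the LimitRanger value are constructed sample data; the key parameter is an assumption to cover the hypershift kas-config variant, whose data key is config.json.

```python
import copy
import json

# Constructed skeleton of the openshift-kube-apiserver "config" ConfigMap, shaped
# like the output of `oc -n openshift-kube-apiserver get configmap config -o json`.
# Despite its name, data."config.yaml" holds a JSON document (hence jq's fromjson).
BASE_CONFIGMAP = {
    "metadata": {"name": "config", "namespace": "openshift-kube-apiserver"},
    "data": {"config.yaml": json.dumps({"apiServerArguments": {}})},
}
TOLERATED = ["PodSecurity"]  # the only disable-admission-plugins value accepted


def disabled_plugins_flagged(configmap, key="config.yaml"):
    """Mirror the rule's jq filter. Returns None when jq would print nothing
    (argument absent, or exactly ["PodSecurity"]), else the offending value.
    The comparison is exact, like jq's !=: order matters and an explicit empty
    list is flagged as well."""
    config = json.loads(configmap["data"][key])
    args = config.get("apiServerArguments", {})
    if "disable-admission-plugins" not in args:  # select(has(...)) -> empty
        return None
    disabled = args["disable-admission-plugins"]
    return None if disabled == TOLERATED else list(disabled)


def rule_passes(configmap, key="config.yaml"):
    """True exactly when the rule's command would produce empty output."""
    return disabled_plugins_flagged(configmap, key) is None


def configmap_with_disabled(plugins):
    """Constructed ConfigMap whose disable-admission-plugins is `plugins`;
    the argument is omitted entirely when plugins is None."""
    args = {"enable-admission-plugins": ["NodeRestriction"]}  # constructed
    if plugins is not None:
        args["disable-admission-plugins"] = plugins
    cm = copy.deepcopy(BASE_CONFIGMAP)
    cm["data"]["config.yaml"] = json.dumps({"apiServerArguments": args})
    return cm


if __name__ == "__main__":
    for plugins in (None, ["PodSecurity"], ["PodSecurity", "LimitRanger"], []):
        cm = configmap_with_disabled(plugins)
        flagged = disabled_plugins_flagged(cm)
        print("%-28r -> %s" % (plugins, "PASS" if flagged is None else "FAIL %r" % flagged))
```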

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • {{if ne .hypershift_cluster "None"}}/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config{{else}}/api/v1/namespaces/openshift-kube-apiserver/configmaps/config{{end}} API endpoint, filter with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}[.data."config.json" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]{{else}}[.data."config.yaml" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]{{end}} and persist it to the local /api/v1/namespaces/openshift-kube-apiserver/configmaps/config#8c02c853df9307960712da853d79f916a091fe8bce6312720d7c17de03c2017b file.

Rationale

Several hardening controls depend on certain API server admission plugins being enabled. Checking that no admission control plugins are disabled helps assert that all the critical admission control plugins are indeed enabled and providing the security benefits required.

ID
xccdf_org.ssgproject.content_rule_api_server_no_adm_ctrl_plugins_disabled
Severity
Medium
References
Updated