Ensure the openshift-oauth-apiserver service uses TLS

An XCCDF Rule

Description

By default, the OpenShift OAuth API Server uses TLS. HTTPS should be used for connections between openshift-oauth-apiserver and kube-apiserver. By default, the OpenShift OAuth API Server uses the Intermediate profile, which requires a minimum TLS version of 1.2.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API to retrieve the /apis/config.openshift.io/v1/apiservers/cluster API endpoint and save it to the local /apis/config.openshift.io/v1/apiservers/cluster file.
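The following Python script is an added example, not this rule's own check or code from the project. It evaluates a saved dump of that endpoint for the effective minimum TLS version, assuming the setting lives in the APIServer object's `spec.tlsSecurityProfile` field and that an unset field means the Intermediate default described above; the sample dumps are constructed.

```python
import json

# Minimum TLS version implied by each named profile type; a Custom profile
# carries its own minTLSVersion instead.
PROFILE_MIN_TLS = {
    "Old": "VersionTLS10",
    "Intermediate": "VersionTLS12",
    "Modern": "VersionTLS13",
}
TLS_ORDER = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]


def effective_min_tls(apiserver):
    """Return (profile type, minimum TLS version) for an APIServer object."""
    profile = (apiserver.get("spec") or {}).get("tlsSecurityProfile") or {}
    ptype = profile.get("type") or "Intermediate"  # unset means the default
    if ptype == "Custom":
        return ptype, (profile.get("custom") or {}).get("minTLSVersion")
    return ptype, PROFILE_MIN_TLS.get(ptype)


def meets_tls12(dump_text):
    """True if the dump enforces TLS 1.2 or later; unknown values fail closed."""
    _, min_tls = effective_min_tls(json.loads(dump_text))
    if min_tls not in TLS_ORDER:
        return False
    return TLS_ORDER.index(min_tls) >= TLS_ORDER.index("VersionTLS12")


# Constructed sample dumps, shaped like the output of
#   oc get --raw /apis/config.openshift.io/v1/apiservers/cluster
SAMPLES = {
    "default": '{"kind": "APIServer", "spec": {}}',
    "old": '{"kind": "APIServer", "spec": {"tlsSecurityProfile": '
           '{"type": "Old", "old": {}}}}',
    "custom_tls11": '{"kind": "APIServer", "spec": {"tlsSecurityProfile": '
                    '{"type": "Custom", "custom": {"minTLSVersion": "VersionTLS11"}}}}',
    "custom_no_min": '{"kind": "APIServer", "spec": {"tlsSecurityProfile": '
                     '{"type": "Custom", "custom": {}}}}',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, effective_min_tls(json.loads(text)), meets_tls12(text))
```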

Rationale

Connections between the kube-apiserver and the extension openshift-oauth-apiserver could potentially carry sensitive data such as secrets and keys. It is important to use in-transit encryption for any communication between the kube-apiserver and the extension openshift-apiserver.

ID
xccdf_org.ssgproject.content_rule_api_server_oauth_https_serving_cert
Severity
Medium