Do Not Use htpasswd-based IdP

An XCCDF Rule

Description

For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user associated with requests to the OpenShift Container Platform API. The authorization layer then uses information about the requesting user to determine if the request is allowed. Understanding authentication | Authentication | OpenShift Container Platform

The OpenShift Container Platform includes a built-in OAuth server for token-based authentication. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API. It is recommended for an administrator to configure OAuth to specify an identity provider after the cluster is installed. User access to the cluster is managed through the identity provider. Understanding identity provider configuration | Authentication | OpenShift Container Platform

However, not all Identity Providers supported by OpenShift provide the same level of capabilities. As an example, the htpasswd Identity Provider only checks the username and password match and provides no means of 2FA, account lockout or notification mechanism. This rule therefore only allows a subset of identity providers.

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:

{{if ne .hypershift_cluster "None"}}/apis/hypershift.openshift.io/v1beta1/namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}}{{else}}/apis/config.openshift.io/v1/oauths/cluster{{end}} API endpoint, filter with with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.spec.configuration.oauth{{else}}.spec{{end}} and persist it to the local /apis/config.openshift.io/v1/oauths/cluster#489c53adb0325a207f2120d4dee0ef775dad56dceaa74bafc10bf32c1da46e9e file.

Rationale

With any authentication mechanism the ability to revoke credentials if they are compromised or no longer required, is a key control. Kubernetes client certificate authentication does not allow for this due to a lack of support for certificate revocation.

OpenShift's built-in OAuth server allows credential revocation by relying on the Identity provider, as well as giving the administrators the ability to revoke any tokens given to a specific user.

In addition, using an external Identity provider allows for setting up notifications on account creation or deletion, multi-factor authentication, disabling inactive accounts or other features required by different compliance standards.

ID: xccdf_org.ssgproject.content_rule_ocp_idp_no_htpasswd
Severity: Medium
References: CIP-003-8 R5.1.1 CIP-003-8 R5.3 CIP-004-6 R2.2.2 CIP-004-6 R2.2.3 CIP-004-6 R2.3 CIP-007-3 R.1.3 CIP-007-3 R5 CIP-007-3 R5.1 CIP-007-3 R5.1.1 CIP-007-3 R5.1.2 CIP-007-3 R5.1.3 CIP-007-3 R5.2 CIP-007-3 R5.2.1 CIP-007-3 R5.2.3 CIP-007-3 R5.3.1 CIP-007-3 R5.3.2 CIP-007-3 R5.3.3

AC-2(1) AC-2(2) AC-2(3) AC-2(4) AC-2(7) AC-2(8) AC-7 IA-2 IA-2(1) IA-2(12) IA-2(2) IA-2(3) IA-2(5) IA-2(8) IA-2(9) IA-5(4) SC-12(1)

SRG-APP-000023-CTR-000055

CCE-84209-6
Updated: about 1 year ago