Only Use LDAP-based IdPs with TLS
An XCCDF Rule
Description
For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user associated with requests to the OpenShift Container Platform API. The authorization layer then uses information about the requesting user to determine if the request is allowed. Understanding authentication | Authentication | OpenShift Container Platform
The OpenShift Container Platform includes a built-in OAuth server for token-based authentication. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API. It is recommended for an administrator to configure OAuth to specify an identity provider after the cluster is installed. User access to the cluster is managed through the identity provider. Understanding identity provider configuration | Authentication | OpenShift Container Platform
If the identity provider is LDAP, setting the insecure flag to true
would mean that passwords, such as the one used to authenticate the OAuth
proxy to the LDAP server would be transmitted in the clear, potentially
allowing an attacker to read the password if they captured the network
traffic.
warning alert: Warning
-
{{if ne .hypershift_cluster "None"}}/apis/hypershift.openshift.io/v1beta1/namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}}{{else}}/apis/config.openshift.io/v1/oauths/cluster{{end}}API endpoint, filter with with thejqutility using the following filter{{if ne .hypershift_cluster "None"}}.spec.configuration.oauth{{else}}.spec{{end}}and persist it to the local
Rationale
Transmitting authentication tokens as clear-text may leak them to an attacker.
- ID
- xccdf_org.ssgproject.content_rule_ocp_no_ldap_insecure
- Severity
- High
- References
- Updated