Ensure that the OpenShift OAuth provider selection is set

An XCCDF Rule

Description

Custom login pages can be helpful to show users a branded page that they trust and expect before being redirected to the authentication provider.
This is achievable via the OAuth object by creating a custom login template, storing it in a Kubernetes Secret and referencing it in the appropriate field as described in the documentation

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the following:

{{if ne .hypershift_cluster "None"}}/apis/hypershift.openshift.io/v1beta1/namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}}{{else}}/apis/config.openshift.io/v1/oauths/cluster{{end}} API endpoint, filter with with the jq utility using the following filter {{if ne .hypershift_cluster "None"}}.spec.configuration.oauth{{else}}.spec{{end}} and persist it to the local /apis/config.openshift.io/v1/oauths/cluster#489c53adb0325a207f2120d4dee0ef775dad56dceaa74bafc10bf32c1da46e9e file.

Rationale

Displays to users organization-defined IdP selection

ID: xccdf_org.ssgproject.content_rule_oauth_provider_selection_set
Severity: Medium
References: AC-8

SRG-APP-000068-CTR-000120

CCE-90666-9
Updated: about 1 year ago