CIS Red Hat OpenShift Container Platform 4 Benchmark
Rules and Groups employed by this XCCDF Profile
-
Kubernetes Settings
Each section of this configuration guide includes information about the configuration of a Kubernetes cluster and a set of recommendations for hardening the configuration. For each hardening recomm...Group -
Kubernetes - Account and Access Control
In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. The same idea applies to...Group -
Restrict Automounting of Service Account Tokens
Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server. To ensure pods do not automatically mount tok...Rule Medium Severity -
Ensure Usage of Unique Service Accounts
Using the <code>default</code> service account prevents accurate application rights review and audit tracing. Instead of <code>default</code>, create a new and unique service account with the follo...Rule Medium Severity -
OpenShift Kube API Server
This section contains recommendations for kube-apiserver configuration.Group -
Disable the AlwaysAdmit Admission Control Plugin
To ensure OpenShift only responses to requests explicitly allowed by the admission control plugin. Check that theconfigConfigMap object does not contain the AlwaysAdmit plugin.Rule Medium Severity -
Ensure that the Admission Control Plugin AlwaysPullImages is not set
TheAlwaysPullImagesadmission control plugin should be disabled, since it can introduce new failure modes for control plane components if an image registry is unreachable.Rule High Severity -
Enable the NamespaceLifecycle Admission Control Plugin
OpenShift enables theNamespaceLifecycleplugin by default.Rule Medium Severity -
Enable the NodeRestriction Admission Control Plugin
To limit the <code>Node</code> and <code>Pod</code> objects that a kubelet could modify, ensure that the <code>NodeRestriction</code> plugin on kubelets is enabled in the api-server configuration b...Rule Medium Severity -
Enable the SecurityContextConstraint Admission Control Plugin
To ensure pod permissions are managed, make sure that theSecurityContextConstraintadmission control plugin is used.Rule Medium Severity -
Enable the ServiceAccount Admission Control Plugin
To ensure <code>ServiceAccount</code> objects must be created and granted before pod creation is allowed, follow the documentation and create <code>ServiceAccount</code> objects as per your environ...Rule Medium Severity -
Ensure that anonymous requests to the API Server are authorized
By default, anonymous access to the OpenShift API is enabled, but at the same time, all requests must be authorized. If no authentication mechanism is used, the request is assigned the <code>system...Rule Medium Severity -
Configure the Kubernetes API Server Maximum Retained Audit Logs
To configure how many rotations of audit logs are retained, edit the <code>openshift-kube-apiserver</code> configmap and set the <code>audit-log-maxbackup</code> parameter to <code>10</code> or to ...Rule Low Severity -
Configure Kubernetes API Server Maximum Audit Log Size
To rotate audit logs upon reaching a maximum size, edit the <code>openshift-kube-apiserver</code> configmap and set the <code>audit-log-maxsize</code> parameter to an appropriate size in MB. For ex...Rule Medium Severity -
Configure the Audit Log Path
To enable auditing on the Kubernetes API Server, the audit log path must be set. Edit the <code>openshift-kube-apiserver</code> configmap and set the <code>audit-log-path</code> to a suitable path ...Rule High Severity -
The authorization-mode cannot be AlwaysAllow
Do not always authorize all requests.Rule Medium Severity -
Ensure authorization-mode RBAC is configured
To ensure OpenShift restricts different identities to a defined set of operations they are allowed to perform, check that the API server's <code>authorization-mode</code> configuration option list ...Rule Medium Severity -
Disable basic-auth-file for the API Server
Basic Authentication should not be used for any reason. If needed, edit API Edit the <code>openshift-kube-apiserver</code> configmap and remove the <code>basic-auth-file</code> parameter: <pre> "ap...Rule Medium Severity -
Ensure that the bindAddress is set to a relevant secure port
The bindAddress is set by default to0.0.0.0:6443, and listening with TLS enabled.Rule Low Severity -
Configure the Client Certificate Authority for the API Server
Certificates must be provided to fully setup TLS client certificate authentication. To ensure the API Server utilizes its own TLS certificates, the <code>clientCA</code> must be configured. Verify ...Rule Medium Severity -
Configure the Encryption Provider Cipher
<p> When you enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted: <ul> <li>Secrets</li> <li>ConfigMaps</li> <li>Routes</li> <...Rule Medium Severity -
Configure the etcd Certificate Authority for the API Server
To ensure etcd is configured to make use of TLS encryption for client connections, follow the OpenShift documentation and setup the TLS connection between the API Server and etcd. Then, verify that...Rule Medium Severity -
Configure the etcd Certificate for the API Server
To ensure etcd is configured to make use of TLS encryption for client communications, follow the OpenShift documentation and setup the TLS connection between the API Server and etcd. Then, verify t...Rule Medium Severity -
Configure the etcd Certificate Key for the API Server
To ensure etcd is configured to make use of TLS encryption for client communications, follow the OpenShift documentation and setup the TLS connection between the API Server and etcd. Then, verify t...Rule Medium Severity -
Ensure that the --kubelet-https argument is set to true
The kube-apiserver ensures https to the kubelet by default. The apiserver flag "--kubelet-https" is deprecated and should be either set to "true" or omitted from the argument list.Rule Medium Severity -
Disable Use of the Insecure Bind Address
OpenShift should not bind to non-loopback insecure addresses. Edit the <code>openshift-kube-apiserver</code> configmap and remove the <code>insecure-bind-address</code> if it exists: <pre> "apiServ...Rule Medium Severity -
Configure the kubelet Certificate Authority for the API Server
To ensure OpenShift verifies kubelet certificates before establishing connections, follow the OpenShift documentation and setup the TLS connection between the API Server and kubelets. Edit the <co...Rule High Severity -
Configure the kubelet Certificate File for the API Server
To enable certificate based kubelet authentication, edit the <code>config</code> configmap in the <code>openshift-kube-apiserver</code> namespace and set the below parameter in the <code>config.yam...Rule High Severity -
Configure the kubelet Certificate File for the API Server
To enable certificate based kubelet authentication, edit the <code>config</code> configmap in the <code>openshift-kube-apiserver</code> namespace and set the below parameter in the <code>config.yam...Rule High Severity -
Configure the kubelet Certificate Key for the API Server
To enable certificate based kubelet authentication, edit the <code>config</code> configmap in the <code>openshift-kube-apiserver</code> namespace and set the below parameter in the <code>config.yam...Rule High Severity -
Configure the kubelet Certificate Key for the API Server
To enable certificate based kubelet authentication, edit the <code>config</code> configmap in the <code>openshift-kube-apiserver</code> namespace and set the below parameter in the <code>config.yam...Rule High Severity -
Ensure the openshift-oauth-apiserver service uses TLS
By default, the OpenShift OAuth API Server uses TLS. HTTPS should be used for connections between openshift-oauth-apiserver and kube-apiserver. By default, the OpenShift OAuth API Server uses Inter...Rule Medium Severity -
Ensure the openshift-oauth-apiserver service uses TLS
By default, the OpenShift API Server uses TLS. HTTPS should be used for connections between openshift-apiserver and kube-apiserver. By default, the OpenShift OAuth API Server uses Intermediate prof...Rule Medium Severity -
Profiling is protected by RBAC
Ensure that the cluster-debugger cluster role includes the /metrics resource URL. This demonstrates that profiling is protected by RBAC, with a specific cluster role to allow access.Rule Medium Severity -
Configure the API Server Minimum Request Timeout
The API server minimum request timeout defines the minimum number of seconds a handler must keep a request open before timing it out. To set this, edit the <code>openshift-kube-apiserver</code> con...Rule Medium Severity -
Ensure that the service-account-lookup argument is set to true
Validate service account before validating token.Rule Medium Severity -
Configure the Service Account Public Key for the API Server
To ensure the API Server utilizes its own key pair, edit the <code>openshift-kube-apiserver</code> configmap and set the <code>serviceAccountPublicKeyFiles</code> parameter to the public key file f...Rule Medium Severity -
Configure the Certificate for the API Server
To ensure the API Server utilizes its own TLS certificates, the <code>tls-cert-file</code> must be configured. Verify that the <code>apiServerArguments</code> section has the <code>tls-cert-file</c...Rule Medium Severity -
Use Strong Cryptographic Ciphers on the API Server
To ensure that the API Server is configured to only use strong cryptographic ciphers, verify the <code>openshift-kube-apiserver</code> configmap contains the following set of ciphers, with no addit...Rule Medium Severity -
Configure the Certificate Key for the API Server
To ensure the API Server utilizes its own TLS certificates, the <code>tls-private-key-file</code> must be configured. Verify that the <code>apiServerArguments</code> section has the <code>tls-priva...Rule Medium Severity -
Disable Token-based Authentication
To ensure OpenShift does not accept token-based authentication, follow the OpenShift documentation and configure alternate mechanisms for authentication. Then, edit the API Server pod specification...Rule High Severity -
Ensure that Audit Log Forwarding Is Enabled
OpenShift audit works at the API server level, logging all requests coming to the server. Audit is on by default and the best practice is to ship audit logs off the cluster for retention. The clust...Rule Medium Severity -
Ensure that Audit Log Webhook Is Configured
Audit is on by default and the best practice is to ship audit logs off an cluster for retention. HyperShift is able to do this with the a audit webhook, which is configured in the HostedCluster cus...Rule Medium Severity -
Authentication
In cloud workloads, there are many ways to create and configure to multiple authentication services. Some of these authentication methods by not be secure or common methodologies, or they may not b...Group -
Configure An Identity Provider
<p> For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user associated with requests to the...Rule Medium Severity -
OpenShift Controller Settings
This section contains recommendations for the kube-controller-manager configurationGroup -
Ensure Controller insecure port argument is unset
To ensure the Controller Manager service is bound to secure loopback address and a secure port, set the <code>RotateKubeletServerCertificate</code> option to <code>true</code> in the <code>openshif...Rule Low Severity -
Ensure Controller secure-port argument is set
To ensure the Controller Manager service is bound to secure loopback address using a secure port, set the <code>RotateKubeletServerCertificate</code> option to <code>true</code> in the <code>opensh...Rule Low Severity -
Configure the Service Account Certificate Authority Key for the Controller Manager
To ensure the API Server utilizes its own key pair, set the <code>masterCA</code> parameter to the public key file for service accounts in the <code>openshift-kube-controller-manager</code> configm...Rule Medium Severity -
Configure the Service Account Private Key for the Controller Manager
To ensure the API Server utilizes its own key pair, set the <code>privateKeyFile</code> parameter to the public key file for service accounts in the <code>openshift-kube-controller-manager</code> c...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.