PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
Rules and Groups employed by this XCCDF Profile
-
Only Use LDAP-based IdPs with TLS
<p> For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user associated with requests to the...Rule High Severity -
OpenShift Controller Settings
This section contains recommendations for the kube-controller-manager configurationGroup -
Ensure Controller insecure port argument is unset
To ensure the Controller Manager service is bound to secure loopback address and a secure port, set the <code>RotateKubeletServerCertificate</code> option to <code>true</code> in the <code>openshif...Rule Low Severity -
Ensure Controller secure-port argument is set
To ensure the Controller Manager service is bound to secure loopback address using a secure port, set the <code>RotateKubeletServerCertificate</code> option to <code>true</code> in the <code>opensh...Rule Low Severity -
Configure the Service Account Certificate Authority Key for the Controller Manager
To ensure the API Server utilizes its own key pair, set the <code>masterCA</code> parameter to the public key file for service accounts in the <code>openshift-kube-controller-manager</code> configm...Rule Medium Severity -
Configure the Service Account Private Key for the Controller Manager
To ensure the API Server utilizes its own key pair, set the <code>privateKeyFile</code> parameter to the public key file for service accounts in the <code>openshift-kube-controller-manager</code> c...Rule Medium Severity -
Ensure that use-service-account-credentials is enabled
To ensure individual service account credentials are used, set the <code>use-service-account-credentials</code> option to <code>true</code> in the <code>openshift-kube-controller-manager</code> con...Rule Medium Severity -
OpenShift etcd Settings
Contains rules that check correct OpenShift etcd settings.Group -
Disable etcd Self-Signed Certificates
To ensure the <code>etcd</code> service is not using self-signed certificates, run the following command: <pre>$ oc get cm/etcd-pod -n openshift-etcd -o yaml</pre> The etcd pod configuration contai...Rule Medium Severity -
Ensure That The etcd Client Certificate Is Correctly Set
To ensure the etcd service is serving TLS to clients, make sure the <code>etcd-pod*</code> ConfigMaps in the <code>openshift-etcd</code> namespace contain the following argument for the <code>etcd<...Rule Medium Severity -
Ensure ETCD has correct cipher suite
Check the current cipher suite used in ETCD.Rule Medium Severity -
Enable The Client Certificate Authentication
To ensure the <code>etcd</code> service is serving TLS to clients, make sure the <code>etcd-pod*</code> <code>ConfigMaps</code> in the <code>openshift-etcd</code> namespace contain the follo...Rule Medium Severity -
Ensure That The etcd Key File Is Correctly Set
To ensure the etcd service is serving TLS to clients, make sure the <code>etcd-pod*</code> ConfigMaps in the <code>openshift-etcd</code> namespace contain the following argument for the <code>etcd<...Rule Medium Severity -
Disable etcd Peer Self-Signed Certificates
To ensure the <code>etcd</code> service is not using self-signed certificates, run the following command: <pre>$ oc get cm/etcd-pod -n openshift-etcd -o yaml</pre> The etcd pod configuration contai...Rule Medium Severity -
Ensure That The etcd Peer Client Certificate Is Correctly Set
To ensure the etcd service is serving TLS to peers, make sure the <code>etcd-pod*</code> ConfigMaps in the <code>openshift-etcd</code> namespace contain the following argument for the <code>etcd</c...Rule Medium Severity -
Enable The Peer Client Certificate Authentication
To ensure the <code>etcd</code> service is serving TLS to clients, make sure the <code>etcd-pod*</code> <code>ConfigMaps</code> in the <code>openshift-etcd</code> namespace contain the follo...Rule Medium Severity -
Ensure That The etcd Peer Key File Is Correctly Set
To ensure the etcd service is serving TLS to peers, make sure the <code>etcd-pod*</code> ConfigMaps in the <code>openshift-etcd</code> namespace contain the following argument for the <code>etcd</c...Rule Medium Severity -
Kubernetes - General Security Practices
Contains evaluations for general security practices for operating a Kubernetes environment.Group -
Ensure the notification is enabled for file integrity operator
The OpenShift platform provides the File Integrity Operator to monitor for unwanted file changes, and this control ensures proper notification alert is enabled so that system administrators and sec...Rule Medium Severity -
Apply Security Context to Your Pods and Containers
Apply Security Context to your Pods and ContainersRule Medium Severity -
The default namespace should not be used
Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult.Rule Medium Severity -
Ensure Seccomp Profile Pod Definitions
Enabledefaultseccomp profiles in your pod definitions.Rule Medium Severity -
Create administrative boundaries between resources using namespaces
Use namespaces to isolate your Kubernetes objects.Rule Medium Severity -
Ensure that the kubeadmin secret has been removed
The kubeadmin user is meant to be a temporary user used for bootstrapping purposes. It is preferable to assign system administrators whose users are backed by an Identity Provider. <br> Make sure ...Rule Medium Severity -
Ensure TLS v1.2 is minimum for Openshift APIServer
Verify tls version for the openshift APIServer.Rule Medium Severity -
Ensure TLS v1.2 is minimum for Openshift Router
Verify tls version for the Openshift Router.Rule Medium Severity -
This is a helper rule to fetch the required api resource for detecting HyperShift OCP version
no descriptionRule Medium Severity -
This is a helper rule to fetch the required api resource for detecting OCP version
no descriptionRule Medium Severity -
Kubernetes Kubelet Settings
The Kubernetes Kubelet is an agent that runs on each node in the cluster. It makes sure that containers are running in a pod. The kubelet takes a set of PodSpecs that are provided through various ...Group -
Ensure That The kubelet Client Certificate Is Correctly Set
To ensure the kubelet TLS client certificate is configured, edit the kubelet configuration file <code>/etc/kubernetes/kubelet.conf</code> and configure the kubelet certificate file. <pre>tlsCertFil...Rule Medium Severity -
Ensure That The kubelet Client Certificate Is Correctly Set
To ensure the kubelet TLS client certificate is configured, edit the kubelet configuration file <code>/etc/kubernetes/kubelet.conf</code> and configure the kubelet certificate file. <pre>tlsCertFil...Rule Medium Severity -
Ensure that the Ingress Controller only makes use of Strong Cryptographic Ciphers
Ensure that the Ingress Controller is configured to only use strong cryptographic ciphers.Rule Medium Severity -
Ensure That The kubelet Server Key Is Correctly Set
To ensure the kubelet TLS private server key certificate is configured, edit the kubelet configuration file <code>/etc/kubernetes/kubelet.conf</code> and configure the kubelet private key file. <pr...Rule Medium Severity -
Ensure That The kubelet Server Key Is Correctly Set
To ensure the kubelet TLS private server key certificate is configured, edit the kubelet configuration file <code>/etc/kubernetes/kubelet.conf</code> and configure the kubelet private key file. <pr...Rule Medium Severity -
kubelet - Disable the Read-Only Port
To disable the read-only port, edit the kubelet configuration Edit the <code>openshift-kube-apiserver</code> configmap and set the <code>kubelet-read-only-port</code> parameter to 0: <pre> "apiServ...Rule Medium Severity -
OpenShift - Logging Settings
Contains evaluations for the cluster's logging configuration settings.Group -
Ensure that the cluster's audit profile is properly set
<p> OpenShift can audit the details of requests made to the API server through the standard Kubernetes audit capabilities. </p> <p> In OpenShift, auditing of the API S...Rule Medium Severity -
Kubernetes - Network Configuration and Firewalls
Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking wh...Group -
Ensure that the CNI in use supports Network Policies
There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster. OpenShift sup...Rule High Severity -
Ensure that HyperShift Hosted Namespaces have Network Policies defined.
Use network policies to isolate traffic in your cluster network.Rule High Severity -
Ensure that application Namespaces have Network Policies defined.
Use network policies to isolate traffic in your cluster network.Rule High Severity -
Ensure that all OpenShift Routes prefer TLS
OpenShift Container Platform provides methods for communicating from outside the cluster with services running in the cluster. TLS must be used to protect these communications. OpenShift Routes pro...Rule Medium Severity -
OpenShift API Server
This section contains recommendations for openshift-apiserver configuration.Group -
Configure the OpenShift API Server Maximum Retained Audit Logs
To configure how many rotations of audit logs are retained, edit the <code>openshift-apiserver</code> configmap and set the <code>audit-log-maxbackup</code> parameter to <code>10</code> or to an or...Rule Low Severity -
Configure OpenShift API Server Maximum Audit Log Size
To rotate audit logs upon reaching a maximum size, edit the <code>openshift-apiserver</code> configmap and set the <code>audit-log-maxsize</code> parameter to an appropriate size in MB. For example...Rule Medium Severity -
Configure the Audit Log Path
To enable auditing on the OpenShift API Server, the audit log path must be set. Edit the <code>openshift-apiserver</code> configmap and set the <code>audit-log-path</code> to a suitable path and fi...Rule High Severity -
Role-based Access Control
Role-based access control (RBAC) objects determine whether a user is allowed to perform a given action within a project. Cluster administrators can use the cluster roles and bindings to control wh...Group -
Ensure cluster roles are defined in the cluster
<p> RBAC is a critical feature in terms of security for Kubernetes and OpenShift. It enables administrators to segment the privileges granted to a service account, and thus allows us...Rule Medium Severity -
Profiling is protected by RBAC
Ensure that the cluster-debugger cluster role includes the /debug/pprof resource URL. This demonstrates that profiling is protected by RBAC, with a specific cluster role to allow access.Rule Medium Severity -
Ensure that the RBAC setup follows the principle of least privilege
Role-based access control (RBAC) objects determine whether a user is allowed to perform a given action within a project. If users or groups exist that are bound to roles they must not have, modify...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.