DISA STIG for Red Hat OpenShift Container Platform 4 - Platform level
Rules and Groups employed by this XCCDF Profile
- Ensure that the OpenShift OAuth logout URL is set
  The user can be redirected to a configured URL upon logout. This is achievable via the OAuth object by setting the logoutRedirect attribute. Refer to https://docs.openshi...
  Rule, Medium Severity
- Ensure that the OpenShift OAuth provider selection is set
  Custom login pages can be helpful to show users a branded page that they trust and expect before being redirected to the authentication provider. This is achievable via the OAuth object by cr...
  Rule, Medium Severity
- Ensure that the OpenShift MOTD is set
  To configure OpenShift's MOTD, create a ConfigMap called motd in the openshift namespace. The object should look as follows: --- apiVersion: v1 kind: Config...
  Rule, Medium Severity
- Ensure that project templates autocreate Resource Quotas
  Configure a template for newly created projects to use default resource quotas and make sure this template is referenced from the default project template. ...
  Rule, Medium Severity
- Ensure workloads use resource requests and limits per namespace
  There are two ways to enable resource requests and limits. To create either: A multi-project quota, defined by a ClusterResourceQuota object, allows quotas to be shared across multiple projects. ...
  Rule, Medium Severity
- This is a helper rule to fetch the required api resource for detecting HyperShift OCP version
  no description
  Rule, Medium Severity
- This is a helper rule to fetch the required api resource for detecting OCP version
  no description
  Rule, Medium Severity
- Kubernetes Kubelet Settings
  The Kubernetes Kubelet is an agent that runs on each node in the cluster. It makes sure that containers are running in a pod. The kubelet takes a set of PodSpecs that are provided through various ...
  Group
- kubelet - Disable the Read-Only Port
  To disable the read-only port, edit the kubelet configuration. Edit the openshift-kube-apiserver configmap and set the kubelet-read-only-port parameter to 0: "apiServ...
  Rule, Medium Severity
- OpenShift - Logging Settings
  Contains evaluations for the cluster's logging configuration settings.
  Group