Skip to content

CIS Red Hat OpenShift Container Platform 4 Benchmark

Rules and Groups employed by this XCCDF Profile

  • Ensure that use-service-account-credentials is enabled

    To ensure individual service account credentials are used, set the <code>use-service-account-credentials</code> option to <code>true</code> in the <code>openshift-kube-controller-manager</code> con...
    Rule Medium Severity
  • OpenShift etcd Settings

    Contains rules that check correct OpenShift etcd settings.
    Group
  • Disable etcd Self-Signed Certificates

    To ensure the <code>etcd</code> service is not using self-signed certificates, run the following command: <pre>$ oc get cm/etcd-pod -n openshift-etcd -o yaml</pre> The etcd pod configuration contai...
    Rule Medium Severity
  • Ensure That The etcd Client Certificate Is Correctly Set

    To ensure the etcd service is serving TLS to clients, make sure the <code>etcd-pod*</code> ConfigMaps in the <code>openshift-etcd</code> namespace contain the following argument for the <code>etcd<...
    Rule Medium Severity
  • Enable The Client Certificate Authentication

    To ensure the <code>etcd</code> service is serving TLS to clients, make sure the <code>etcd-pod*</code> <code>ConfigMaps</code> in the <code>openshift-etcd</code> namespace contain the follo...
    Rule Medium Severity
  • Ensure That The etcd Key File Is Correctly Set

    To ensure the etcd service is serving TLS to clients, make sure the <code>etcd-pod*</code> ConfigMaps in the <code>openshift-etcd</code> namespace contain the following argument for the <code>etcd<...
    Rule Medium Severity
  • Disable etcd Peer Self-Signed Certificates

    To ensure the <code>etcd</code> service is not using self-signed certificates, run the following command: <pre>$ oc get cm/etcd-pod -n openshift-etcd -o yaml</pre> The etcd pod configuration contai...
    Rule Medium Severity
  • Ensure That The etcd Peer Client Certificate Is Correctly Set

    To ensure the etcd service is serving TLS to peers, make sure the <code>etcd-pod*</code> ConfigMaps in the <code>openshift-etcd</code> namespace contain the following argument for the <code>etcd</c...
    Rule Medium Severity
  • Enable The Peer Client Certificate Authentication

    To ensure the <code>etcd</code> service is serving TLS to clients, make sure the <code>etcd-pod*</code> <code>ConfigMaps</code> in the <code>openshift-etcd</code> namespace contain the follo...
    Rule Medium Severity
  • Ensure That The etcd Peer Key File Is Correctly Set

    To ensure the etcd service is serving TLS to peers, make sure the <code>etcd-pod*</code> ConfigMaps in the <code>openshift-etcd</code> namespace contain the following argument for the <code>etcd</c...
    Rule Medium Severity
  • Kubernetes - General Security Practices

    Contains evaluations for general security practices for operating a Kubernetes environment.
    Group
  • Apply Security Context to Your Pods and Containers

    Apply Security Context to your Pods and Containers
    Rule Medium Severity
  • The default namespace should not be used

    Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult.
    Rule Medium Severity
  • Ensure Seccomp Profile Pod Definitions

    Enable default seccomp profiles in your pod definitions.
    Rule Medium Severity
  • Create administrative boundaries between resources using namespaces

    Use namespaces to isolate your Kubernetes objects.
    Rule Medium Severity
  • Ensure that the kubeadmin secret has been removed

    The kubeadmin user is meant to be a temporary user used for bootstrapping purposes. It is preferable to assign system administrators whose users are backed by an Identity Provider. <br> Make sure ...
    Rule Medium Severity
  • This is a helper rule to fetch the required api resource for detecting HyperShift OCP version

    no description
    Rule Medium Severity
  • This is a helper rule to fetch the required api resource for detecting OCP version

    no description
    Rule Medium Severity
  • Kubernetes Kubelet Settings

    The Kubernetes Kubelet is an agent that runs on each node in the cluster. It makes sure that containers are running in a pod. The kubelet takes a set of PodSpecs that are provided through various ...
    Group
  • Ensure That The kubelet Client Certificate Is Correctly Set

    To ensure the kubelet TLS client certificate is configured, edit the kubelet configuration file <code>/etc/kubernetes/kubelet.conf</code> and configure the kubelet certificate file. <pre>tlsCertFil...
    Rule Medium Severity
  • Ensure that the Ingress Controller only makes use of Strong Cryptographic Ciphers

    Ensure that the Ingress Controller is configured to only use strong cryptographic ciphers.
    Rule Medium Severity
  • Ensure That The kubelet Server Key Is Correctly Set

    To ensure the kubelet TLS private server key certificate is configured, edit the kubelet configuration file <code>/etc/kubernetes/kubelet.conf</code> and configure the kubelet private key file. <pr...
    Rule Medium Severity
  • kubelet - Disable the Read-Only Port

    To disable the read-only port, edit the kubelet configuration Edit the <code>openshift-kube-apiserver</code> configmap and set the <code>kubelet-read-only-port</code> parameter to 0: <pre> "apiServ...
    Rule Medium Severity
  • OpenShift - Logging Settings

    Contains evaluations for the cluster's logging configuration settings.
    Group
  • Ensure that the cluster's audit profile is properly set

    <p> OpenShift can audit the details of requests made to the API server through the standard Kubernetes audit capabilities. </p> <p> In OpenShift, auditing of the API S...
    Rule Medium Severity
  • Kubernetes - Network Configuration and Firewalls

    Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking wh...
    Group
  • Ensure that the CNI in use supports Network Policies

    There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster. OpenShift sup...
    Rule High Severity
  • Ensure that HyperShift Hosted Namespaces have Network Policies defined.

    Use network policies to isolate traffic in your cluster network.
    Rule High Severity
  • Ensure that application Namespaces have Network Policies defined.

    Use network policies to isolate traffic in your cluster network.
    Rule High Severity
  • OpenShift API Server

    This section contains recommendations for openshift-apiserver configuration.
    Group
  • Configure the OpenShift API Server Maximum Retained Audit Logs

    To configure how many rotations of audit logs are retained, edit the <code>openshift-apiserver</code> configmap and set the <code>audit-log-maxbackup</code> parameter to <code>10</code> or to an or...
    Rule Low Severity
  • Configure OpenShift API Server Maximum Audit Log Size

    To rotate audit logs upon reaching a maximum size, edit the <code>openshift-apiserver</code> configmap and set the <code>audit-log-maxsize</code> parameter to an appropriate size in MB. For example...
    Rule Medium Severity
  • Configure the Audit Log Path

    To enable auditing on the OpenShift API Server, the audit log path must be set. Edit the <code>openshift-apiserver</code> configmap and set the <code>audit-log-path</code> to a suitable path and fi...
    Rule High Severity
  • Role-based Access Control

    Role-based access control (RBAC) objects determine whether a user is allowed to perform a given action within a project. Cluster administrators can use the cluster roles and bindings to control wh...
    Group
  • Profiling is protected by RBAC

    Ensure that the cluster-debugger cluster role includes the /debug/pprof resource URL. This demonstrates that profiling is protected by RBAC, with a specific cluster role to allow access.
    Rule Medium Severity
  • Ensure that the RBAC setup follows the principle of least privilege

    Role-based access control (RBAC) objects determine whether a user is allowed to perform a given action within a project. If users or groups exist that are bound to roles they must not have, modify...
    Rule High Severity
  • Ensure that the cluster-admin role is only used where required

    The RBAC role cluster-admin provides wide-ranging powers over the environment and should be used only where and when needed.
    Rule Medium Severity
  • Limit Access to Kubernetes Secrets

    The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the sm...
    Rule Medium Severity
  • Minimize Access to Pod Creation

    The ability to create pods in a namespace can provide a number of opportunities for privilege escalation. Where applicable, remove <code>create</code> access to <code>pod</code> objects in the clus...
    Rule Medium Severity
  • Minimize Wildcard Usage in Cluster and Local Roles

    Kubernetes Cluster and Local Roles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these using a wildcard <code>...
    Rule Medium Severity
  • Kubernetes - Registry Security Practices

    Contains evaluations for Kubernetes registry security practices, and cluster-wide registry configuration.
    Group
  • Allowed registries are configured

    The configuration <code>registrySources.allowedRegistries</code> determines the permitted registries that the OpenShift container runtime can access for builds and pods. This configuration setting ...
    Rule Medium Severity
  • Allowed registries for import are configured

    The configuration <code>allowedRegistriesForImport</code> limits the container image registries from which normal users may import images. This is important to control, as a user who can stand up a...
    Rule Medium Severity
  • Check configured allowed registries for import uses secure protocol

    The configuration <code>allowedRegistriesForImport</code> limits the container image registries from which normal users may import images. This is a list of the registries that can be trusted to co...
    Rule Medium Severity
  • Check if any insecure registry sources is configured

    The configuration <code>registrySources.insecureRegistries</code> determines the insecure registries that the OpenShift container runtime can access for builds and pods. This configuration setting ...
    Rule Medium Severity
  • Security Context Constraints (SCC)

    Similar to the way that RBAC resources control user access, administrators can use Security Context Constraints (SCCs) to control permissions for pods. These permissions include actions that a pod,...
    Group
  • Drop Container Capabilities

    Containers should not enable more capabilities than needed as this opens the door for malicious use. To disable the capabilities, the appropriate Security Context Constraints (SCCs) should set all ...
    Rule Medium Severity
  • Limit Container Capabilities

    <p> Containers should not enable more capabilites than needed as this opens the door for malicious use. To enable only the required capabilities, the appropriate Security Context Con...
    Rule Medium Severity
  • Limit Access to the Host IPC Namespace

    Containers should not be allowed access to the host's Interprocess Communication (IPC) namespace. To prevent containers from getting access to a host's IPC namespace, the appropriate Security Conte...
    Rule Medium Severity
  • Limit Use of the CAP_NET_RAW

    Containers should not enable more capabilities than needed as this opens the door for malicious use. <code>CAP_NET_RAW</code> enables a container to launch a network attack on another container or ...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules