PCI-DSS v4.0.0 Control Baseline for Red Hat OpenShift Container Platform 4
Rules and Groups employed by this XCCDF Profile
-
Configure An Identity Provider
<p> For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer i...Rule Medium Severity -
Configure OAuth tokens to expire after a set period of inactivity
<p> You can configure OAuth tokens to expire after a set period of inactivity. By default, no token inactivity timeout is set. </p> ...Rule Medium Severity -
Do Not Use htpasswd-based IdP
<p> For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer i...Rule Medium Severity -
Only Use LDAP-based IdPs with TLS
<p> For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer i...Rule High Severity -
OpenShift Controller Settings
This section contains recommendations for the kube-controller-manager configurationGroup -
Ensure Controller insecure port argument is unset
To ensure the Controller Manager service is bound to secure loopback address and a secure port, set the <code>RotateKubeletServerCertificate</code>...Rule Low Severity -
Ensure Controller secure-port argument is set
To ensure the Controller Manager service is bound to secure loopback address using a secure port, set the <code>RotateKubeletServerCertificate</cod...Rule Low Severity -
Configure the Service Account Certificate Authority Key for the Controller Manager
To ensure the API Server utilizes its own key pair, set the <code>masterCA</code> parameter to the public key file for service accounts in the <cod...Rule Medium Severity -
Configure the Service Account Private Key for the Controller Manager
To ensure the API Server utilizes its own key pair, set the <code>privateKeyFile</code> parameter to the public key file for service accounts in th...Rule Medium Severity -
Ensure that use-service-account-credentials is enabled
To ensure individual service account credentials are used, set the <code>use-service-account-credentials</code> option to <code>true</code> in the ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.