Skip to content

NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level

Rules and Groups employed by this XCCDF Profile

  • Do Not Use htpasswd-based IdP

    <p> For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer i...
    Rule Medium Severity
  • Only Use LDAP-based IdPs with TLS

    <p> For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer i...
    Rule High Severity
  • OpenShift Controller Settings

    This section contains recommendations for the kube-controller-manager configuration
    Group
  • Ensure Controller insecure port argument is unset

    To ensure the Controller Manager service is bound to secure loopback address and a secure port, set the <code>RotateKubeletServerCertificate</code>...
    Rule Low Severity
  • Ensure that the RotateKubeletServerCertificate argument is set

    To enforce kubelet server certificate rotation on the Controller Manager, set the <code>RotateKubeletServerCertificate</code> option to <code>true<...
    Rule Medium Severity
  • Ensure Controller secure-port argument is set

    To ensure the Controller Manager service is bound to secure loopback address using a secure port, set the <code>RotateKubeletServerCertificate</cod...
    Rule Low Severity
  • Configure the Service Account Certificate Authority Key for the Controller Manager

    To ensure the API Server utilizes its own key pair, set the <code>masterCA</code> parameter to the public key file for service accounts in the <cod...
    Rule Medium Severity
  • Configure the Service Account Private Key for the Controller Manager

    To ensure the API Server utilizes its own key pair, set the <code>privateKeyFile</code> parameter to the public key file for service accounts in th...
    Rule Medium Severity
  • Ensure that use-service-account-credentials is enabled

    To ensure individual service account credentials are used, set the <code>use-service-account-credentials</code> option to <code>true</code> in the ...
    Rule Medium Severity
  • OpenShift etcd Settings

    Contains rules that check correct OpenShift etcd settings.
    Group
  • Disable etcd Self-Signed Certificates

    To ensure the <code>etcd</code> service is not using self-signed certificates, run the following command: <pre>$ oc get cm/etcd-pod -n openshift-et...
    Rule Medium Severity
  • Ensure That The etcd Client Certificate Is Correctly Set

    To ensure the etcd service is serving TLS to clients, make sure the <code>etcd-pod*</code> ConfigMaps in the <code>openshift-etcd</code> namespace ...
    Rule Medium Severity
  • Enable The Client Certificate Authentication

    To ensure the <code>etcd</code> service is serving TLS to clients, make sure the <code>etcd-pod*</code> <code>ConfigMaps</code> in the <code>opensh...
    Rule Medium Severity
  • Ensure That The etcd Key File Is Correctly Set

    To ensure the etcd service is serving TLS to clients, make sure the <code>etcd-pod*</code> ConfigMaps in the <code>openshift-etcd</code> namespace ...
    Rule Medium Severity
  • Disable etcd Peer Self-Signed Certificates

    To ensure the <code>etcd</code> service is not using self-signed certificates, run the following command: <pre>$ oc get cm/etcd-pod -n openshift-et...
    Rule Medium Severity
  • Ensure That The etcd Peer Client Certificate Is Correctly Set

    To ensure the etcd service is serving TLS to peers, make sure the <code>etcd-pod*</code> ConfigMaps in the <code>openshift-etcd</code> namespace co...
    Rule Medium Severity
  • Enable The Peer Client Certificate Authentication

    To ensure the <code>etcd</code> service is serving TLS to clients, make sure the <code>etcd-pod*</code> <code>ConfigMaps</code> in the <code>opensh...
    Rule Medium Severity
  • Ensure That The etcd Peer Key File Is Correctly Set

    To ensure the etcd service is serving TLS to peers, make sure the <code>etcd-pod*</code> ConfigMaps in the <code>openshift-etcd</code> namespace co...
    Rule Medium Severity
  • Kubernetes - General Security Practices

    Contains evaluations for general security practices for operating a Kubernetes environment.
    Group
  • Ensure the alert receiver is configured

    In OpenShift Container Platform, an alert is fired when the conditions defined in an alerting rule are true. An alert provides a notification that ...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules