U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

CIS RedHat OpenShift Container Platform v4 Benchmark 1.1.0 Checklist Details (Checklist Revisions)

Supporting Resources:

Target:

Target CPE Name
Red Hat OpenShift Container Platform 4.12 cpe:/a:redhat:openshift_container_platform:4.12 (View CVEs)

Checklist Highlights

Checklist Name:
CIS RedHat OpenShift Container Platform v4 Benchmark
Checklist ID:
1198
Version:
1.1.0
Type:
Compliance
Review Status:
Final
Authority:
Third Party: Center for Internet Security (CIS)
Original Publication Date:
03/26/2021

Checklist Summary:

This document provides prescriptive guidance for establishing a secure configuration posture for OpenShift 4. The set of configuration files mentioned throughout this benchmark are specific to Red Hat’s CNCF certified Kubernetes distribution, Red Hat OpenShift Container Platform. Each section includes information about the default configuration of an OpenShift cluster and a set of recommendations for hardening the configuration, inspired by the CIS Kubernetes benchmark. For each hardening recommendation, information on how to implement the control and/or how to verify or audit the control is provided. In some cases, remediation information is also provided. The majority of the settings in the hardening guide are in place by default. The audit information for these settings is provided so that you can verify that the cluster admin has not made changes that would be less secure than the OpenShift defaults. A small number of items require configuration. Finally, there are some recommendations that require decisions by the customer, such as audit log size, retention and related settings. The recommendations that require decisions based on your needs are: Configure encryption of data at rest in etcd datastore Manage Image Provenance Set the --event-qps argument as appropriate Configure the API server audit log retention Configure cluster logging to forward audit logs off the cluster Configure the audit log file size Adjust the garbage collection settings as needed Create custom Security Context Constraints as needed Configure Network Policies as appropriate In OCP 4.6 and above, configure audit policies as appropriate

Checklist Role:

  • Virtualization Server

Known Issues:

Not provided.

Target Audience:

This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate OpenShift 4.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

Not provided.

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

Not provided.

Product Support:

Not provided.

Point of Contact:

feedback@cisecurity.org

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

new checklist - 3/1/24
Candidate to Final - 4/19/24

Dependency/Requirements:

URL Description

References:

Reference URL Description

NIST checklist record last modified on 04/19/2024