CIS RedHat OpenShift Container Platform v4 Benchmark 1.1.0 Checklist Details (Checklist Revisions)
Supporting Resources:
- Download Prose - CIS RedHat OpenShift Container Platform v4 Benchmark v1.1.0
- Center for Internet Security (CIS)
Target:
| Target | CPE Name |
|---|---|
| Red Hat OpenShift Container Platform 4.12 | cpe:/a:redhat:openshift_container_platform:4.12 |
Checklist Highlights
- Checklist Name: CIS RedHat OpenShift Container Platform v4 Benchmark
- Checklist ID: 1198
- Version: 1.1.0
- Type: Compliance
- Review Status: Final
- Authority: Third Party: Center for Internet Security (CIS)
- Original Publication Date: 03/26/2021
Checklist Summary:
This document provides prescriptive guidance for establishing a secure configuration posture for OpenShift 4. The set of configuration files mentioned throughout this benchmark are specific to Red Hat’s CNCF certified Kubernetes distribution, Red Hat OpenShift Container Platform. Each section includes information about the default configuration of an OpenShift cluster and a set of recommendations for hardening the configuration, inspired by the CIS Kubernetes benchmark. For each hardening recommendation, information on how to implement the control and/or how to verify or audit the control is provided. In some cases, remediation information is also provided.

The majority of the settings in the hardening guide are in place by default. The audit information for these settings is provided so that you can verify that the cluster admin has not made changes that would be less secure than the OpenShift defaults. A small number of items require configuration. Finally, there are some recommendations that require decisions by the customer, such as audit log size, retention and related settings. The recommendations that require decisions based on your needs are:
- Configure encryption of data at rest in etcd datastore
- Manage Image Provenance
- Set the --event-qps argument as appropriate
- Configure the API server audit log retention
- Configure cluster logging to forward audit logs off the cluster
- Configure the audit log file size
- Adjust the garbage collection settings as needed
- Create custom Security Context Constraints as needed
- Configure Network Policies as appropriate
- In OCP 4.6 and above, configure audit policies as appropriate
Checklist Role:
- Virtualization Server
Known Issues:
Not provided.
Target Audience:
This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate OpenShift 4.
Target Operational Environment:
- Managed
- Specialized Security-Limited Functionality (SSLF)
Testing Information:
Not provided.
Regulatory Compliance:
Not provided.
Comments/Warnings/Miscellaneous:
Not provided.
Disclaimer:
Not provided.
Product Support:
Not provided.
Point of Contact:
feedback@cisecurity.org
Sponsor:
Not provided.
Licensing:
Not provided.
Change History:
- new checklist - 3/1/24
- Candidate to Final - 4/19/24
Dependency/Requirements:
References: