| CIS # | CIS Kubernetes Benchmark recommendation | Red Hat OpenShift recommendation | Reason for the difference |
|---|---|---|---|
| 1.2.1 | Ensure that the --anonymous-auth option is set to false. | Ensure that anonymous requests are authorized. | Different approaches to achieve the same purpose. |
| 1.2.10 | Ensure that the admission control plug-in EventRateLimit is set. | Ensure that the APIPriorityAndFairness feature gate is enabled. | Different approaches to achieve the same purpose. |
| 1.2.12 | Ensure that the admission control plug-in AlwaysPullImages is set. | Ensure that the admission control plug-in AlwaysPullImages is not set. | AlwaysPullImages causes errors on Red Hat OpenShift. |
| 1.2.13 | Ensure that the admission control plug-in SecurityContextDeny is set if PodSecurityPolicy is not used. | Ensure that the admission control plug-in SecurityContextDeny is not set. | The SecurityContextDeny admission controller cannot be enabled because it conflicts with the SecurityContextConstraint admission controller. |
| 1.2.16 | Ensure that the admission control plug-in PodSecurityPolicy is set. | Ensure that the admission control plug-in SecurityContextConstraint is set. | SecurityContextConstraint is unique to Red Hat OpenShift. |
| 1.2.21 | Ensure that the --profiling option is set to false. | Ensure that the healthz endpoint is protected by RBAC. | Profiling is enabled by default in Red Hat OpenShift, but the profiling data is served through the healthz port, so that port must be protected by RBAC. |
| 1.2.23 | Ensure that the --audit-log-maxage option is set to 30 or as appropriate. | Ensure that the audit logs are forwarded off the cluster for retention. | Red Hat OpenShift provides a logging operator for forwarding logs instead of retaining them in the cluster. |
| 1.2.24 | Ensure that the --audit-log-maxbackup option is set to 10 or as appropriate. | Ensure that the maximumRetainedFiles option is set to 10 or as appropriate. | Different parameter names. |
| 1.2.25 | Ensure that the --audit-log-maxsize option is set to 100 or as appropriate. | Ensure that the maximumFileSizeMegabytes option is set to 100 or as appropriate. | Different parameter names. |
| 1.3.1 | Ensure that the --terminated-pod-gc-threshold option is set as appropriate. | Ensure that garbage collection is configured as appropriate. | Different parameter names. |
| 1.3.2 | Ensure that the --profiling option is set to false. | Ensure that the controller manager healthz endpoints are protected by RBAC. | Profiling is enabled by default in Red Hat OpenShift, but the profiling data is served through the healthz port, so that port must be protected by RBAC. |
| 1.4.1 | Ensure that the --profiling option is set to false. | Ensure that the healthz endpoints for the scheduler are protected by RBAC. | Profiling is enabled by default in Red Hat OpenShift, but the profiling data is served through the healthz port, so that port must be protected by RBAC. |
| 1.4.2 | Ensure that the --bind-address option is set to 127.0.0.1. | Verify that the scheduler API service is protected by authentication and authorization. | Red Hat OpenShift uses a different operator than vanilla Kubernetes, and its security configuration differs. |
| 4.1.3 | Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive. | If the proxy kubeconfig file exists, ensure that its permissions are set to 644 or more restrictive. | In Red Hat OpenShift, the file is created automatically by the SDN controller in a secure manner. |
| 4.1.4 | Ensure that the proxy kubeconfig file ownership is set to root:root. | If the proxy kubeconfig file exists, ensure that its ownership is set to root:root. | In Red Hat OpenShift, the file is created automatically by the SDN controller in a secure manner. |
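The admission-plugin and audit-log rows above (1.2.12, 1.2.13, 1.2.16, 1.2.24, 1.2.25) are the ones most easily mis-checked by a scanner written for vanilla Kubernetes. The following added example, not part of the original comparison, evaluates a kube-apiserver configuration document against the OpenShift-side variants of those rows; the JSON layout of the sample (an `admission.enabledPlugins` list and an `auditConfig` mapping) and the `>=` reading of "10 or as appropriate" are assumptions made for illustration, not a documented OpenShift schema.

```python
"""Evaluate an API server config against the OpenShift variants of CIS
items 1.2.12, 1.2.13, 1.2.16, 1.2.24 and 1.2.25 from the table above."""
import json

# Constructed sample input. The key layout is an assumption for this example;
# a real check would read the cluster's own kube-apiserver configuration.
SAMPLE_CONFIG = json.dumps({
    "admission": {"enabledPlugins": ["SecurityContextConstraint", "AlwaysPullImages"]},
    "auditConfig": {"maximumRetainedFiles": 5, "maximumFileSizeMegabytes": 100},
})


def check_openshift_apiserver(config_text):
    """Return {CIS item: True if compliant} for the OpenShift-specific rows."""
    cfg = json.loads(config_text)
    plugins = set(cfg.get("admission", {}).get("enabledPlugins", []))
    audit = cfg.get("auditConfig", {})
    return {
        # 1.2.12: AlwaysPullImages must NOT be set on OpenShift (inverted vs. vanilla CIS)
        "1.2.12": "AlwaysPullImages" not in plugins,
        # 1.2.13: SecurityContextDeny must NOT be set (conflicts with SCC)
        "1.2.13": "SecurityContextDeny" not in plugins,
        # 1.2.16: SecurityContextConstraint replaces PodSecurityPolicy
        "1.2.16": "SecurityContextConstraint" in plugins,
        # 1.2.24 / 1.2.25: OpenShift parameter names for maxbackup / maxsize;
        # ">= 10" and ">= 100" are this example's reading of "or as appropriate"
        "1.2.24": int(audit.get("maximumRetainedFiles", 0)) >= 10,
        "1.2.25": int(audit.get("maximumFileSizeMegabytes", 0)) >= 100,
    }


def failing_items(config_text):
    """List the CIS items the configuration fails, in table order."""
    return [item for item, ok in check_openshift_apiserver(config_text).items() if not ok]


if __name__ == "__main__":
    for item, ok in check_openshift_apiserver(SAMPLE_CONFIG).items():
        print(f"{item}: {'PASS' if ok else 'FAIL'}")
```

On the constructed sample, 1.2.12 fails because AlwaysPullImages is enabled and 1.2.24 fails because only 5 audit files are retained; a vanilla-Kubernetes scanner would report the opposite verdict for 1.2.12.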