IBM Cloud Docs
4.15 compliance operator benchmark

4.15 compliance operator benchmark

Review the compliance operator benchmark results for Red Hat OpenShift on IBM Cloud version 4.15.

1 Control plane components

1.1 Master node configuration files

The master node configuration is not stored as a set of files; therefore, rules in section 1.1 are out of the scope of the automated check by the compliance operator.

1.2 API server

Table 1. Benchmarks for api server. Section 1.2 API server benchmark results
Section Recommendation Manual/Automated Level Result
1.2.1 Ensure that anonymous requests are authorized Manual 1 Pass
1.2.2 Ensure that the --basic-auth-file argument is not set Automated 1 Pass
1.2.3 Ensure that the --token-auth-file parameter is not set Automated 1 Pass
1.2.4 Use https for kubelet connections Automated 1 Pass
1.2.5 Ensure that the kubelet uses certificates to authenticate Automated 1 Not checked
1.2.6 Verify that the kubelet certificate authority is set as appropriate Automated 1 Pass
1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow Automated 1 Pass
1.2.8 Verify that the Node authorizer is enabled Automated 1 Pass
1.2.9 Verify that RBAC is enabled Automated 1 Pass
1.2.10 Ensure that the APIPriorityAndFairness feature gate is enabled Manual 1 Pass
1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set Automated 1 Pass
1.2.12 Ensure that the admission control plugin AlwaysPullImages is not set Manual 1 Pass
1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set Manual 1 Pass
1.2.14 Ensure that the admission control plugin ServiceAccount is set Automated 1 Pass
1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set Automated 1 Pass
1.2.16 Ensure that the admission control plugin SecurityContextConstraint is set Automated 1 Pass
1.2.17 Ensure that the admission control plugin NodeRestriction is set Automated 1 Pass
1.2.18 Ensure that the --insecure-bind-address argument is not set Automated 1 Pass
1.2.19 Ensure that the --insecure-port argument is set to 0 Automated 1 Not checked
1.2.20 Ensure that the --secure-port argument is not set to 0 Automated 1 Pass
1.2.21 Ensure that the healthz endpoint is protected by RBAC Automated 1 Pass
1.2.22 Ensure that the --audit-log-path argument is set Automated 1 Pass
1.2.23 Ensure that the audit logs are forwarded off the cluster for retention Automated 1 Not checked
1.2.24 Ensure that the maximumRetainedFiles argument is set to 10 or as appropriate Automated 1 Not checked
1.2.25 Ensure that the maximumFileSizeMegabytes argument is set to 100 or as appropriate Automated 1 Not checked
1.2.26 Ensure that the --request-timeout argument is set as appropriate Automated 1 Pass
1.2.27 Ensure that the --service-account-lookup argument is set to true Automated 1 Pass
1.2.28 Ensure that the --service-account-key-file argument is set as appropriate Automated 1 Pass
1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate Automated 1 Pass
1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate Automated 1 Pass
1.2.31 Ensure that the --client-ca-file argument is set as appropriate Automated 1 Pass
1.2.32 Ensure that the --etcd-cafile argument is set as appropriate Automated 1 Pass
1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate Manual 1 Not checked
1.2.34 Ensure that encryption providers are appropriately configured Manual 1 Not checked
1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers Manual 1 Pass

1.3 Controller manager

Section 1.3 Controller manager benchmark results
Section Recommendation Manual/Automated Level Result
1.3.1 Ensure that garbage collection is configured as appropriate Manual 1 Not checked
1.3.2 Ensure that controller manager healthz endpoints are protected by RBAC Automated 1 Pass
1.3.3 Ensure that the --use-service-account-credentials argument is set to true Automated 1 Pass
1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate Automated 1 Pass
1.3.5 Ensure that the --root-ca-file argument is set as appropriate Automated 1 Pass
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true Automated 2 Pass
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 Automated 1 Pass

1.4 Scheduler

Section 1.4 Scheduler benchmark results
Section Recommendation Manual/Automated Level Result
1.4.1 Ensure that the healthz endpoints for the scheduler are protected by RBAC Automated 1 Pass
1.4.2 Verify that the scheduler API service is protected by authentication and authorization Automated 1 Pass

2 etcd

Section 2 etcd benchmark results
Section Recommendation Manual/Automated Level Result
2.1 Ensure that the --cert-file and --key-file options are set as appropriate. Automated 1 Pass
2.2 Ensure that the --client-cert-auth option is set to true. Automated 1 Pass
2.3 Ensure that the --auto-tls option is not set to true. Automated 1 Pass
2.4 Ensure that the --peer-cert-file and --peer-key-file options are set as appropriate. Automated 1 Pass
2.5 Ensure that the --peer-client-cert-auth option is set to true. Automated 1 Pass
2.6 Ensure that the --peer-auto-tls option is not set to true. Automated 1 Pass
2.7 Ensure that a unique Certificate Authority is used for etcd. Manual 2 Not checked

3 Control plane configuration

3.1 Authentication and authorization

Section 3.1 Authentication and Authorization benchmark results
Section Recommendation Manual/Automated Level Result
3.1.1 Do not use client certificate authentication for users. Manual 2 Pass

3.2 Logging

Section 3.3 Logging benchmark results
Section Recommendation Manual/Automated Level Result
3.2.1 Ensure that a minimal audit policy is created. Automated 1 Pass
3.2.2 Ensure that the audit policy covers key security concerns. Manual 2 Pass

4 Worker Nodes

Follow the instruction in Using the compliance operator to perform automated check for worker node configuration.

5 Policies

5.1 RBAC and service accounts

Section 5.1 RBAC and Service Accounts benchmark results
Section Recommendation Manual/Automated Level Result
5.1.1 Ensure that the cluster-admin role is used only where required. Manual 1 Pass
5.1.2 Minimize access to secrets. Manual 1 Not checked
5.1.3 Minimize wildcard use in roles and ClusterRoles. Manual 1 Not checked
5.1.4 Minimize access to create pods. Manual 1 Not checked
5.1.5 Ensure that default service accounts are not actively used. Automated 1 Not checked
5.1.6 Ensure that Service Account Tokens are mounted only where necessary. Manual 1 Not checked

5.2 Pod Security Policies

Section 5.2 Pod Security Policies benchmark results
Section Recommendation Manual/Automated Level Result
5.2.1 Minimize the admission of privileged containers. Manual 1 Not checked
5.2.2 Minimize the admission of containers wanting to share the host process ID namespace. Automated 1 Not checked
5.2.3 Minimize the admission of containers wanting to share the host IPC namespace. Automated 1 Not checked
5.2.4 Minimize the admission of containers wanting to share the host network namespace. Automated 1 Not checked
5.2.5 Minimize the admission of containers with allowPrivilegeEscalation. Automated 1 Not checked
5.2.6 Minimize the admission of root containers. Manual 2 Not checked
5.2.7 Minimize the admission of containers with the NET_RAW capability. Manual 1 Not checked
5.2.8 Minimize the admission of containers with added capabilities. Manual 1 Not checked
5.2.9 Minimize the admission of containers with capabilities assigned. Manual 2 Not checked

5.3 Network policies and CNI

Section 5.3 Network policies and CNI benchmark results
Section Recommendation Manual/Automated Level Result
5.3.1 Ensure that the CNI in use supports network policies. Manual 1 Pass
5.3.2 Ensure that all namespaces have network policies defined. Automated 2 Not checked

5.4 Secrets management

Section 5.4 Secrets management benchmark results
Section Recommendation Manual/Automated Level Result
5.4.1 Prefer to use secrets as files over secrets as environment variables. Manual 1 Not checked
5.4.2 Consider external secret storage. Manual 2 Not checked

5.5 Extensible admission control

Section 5.5 Extensible admission control benchmark results
Section Recommendation Manual/Automated Level Result
5.5.1 Configure image provenance by using image controller configuration parameters. Manual 2 Not checked

5.7 General policies

Section 5.7 General policies benchmark results
Section Recommendation Manual/Automated Level Result
5.7.1 Create administrative boundaries between resources by using namespaces. Manual 1 Not checked
5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions. Manual 2 Not checked
5.7.3 Apply security context to your pods and containers. Manual 2 Not checked
5.7.4 Do not use the default namespace. Automated 2 Not checked

Remediations and explanations

Remediations and explanations
Section Recommendation/Explanation
1.2.23 Red Hat OpenShift on IBM Cloud can optionally enable Kubernetes API server auditing.
1.2.24 Red Hat OpenShift on IBM Cloud sets the maximumRetainedFiles argument to 1.
1.2.25 Red Hat OpenShift on IBM Cloud sets the maximumFileSizeMegabytes argument to 10.
1.2.33 Red Hat OpenShift on IBM Cloud can optionally enable a Kubernetes Key Management Service (KMS) provider.
1.2.34 Red Hat OpenShift on IBM Cloud can optionally enable a Kubernetes Key Management Service (KMS) provider.
2.7 Red Hat OpenShift on IBM Cloud configures a unique Certificate Authority for etcd.
5.2.8 Red Hat OpenShift on IBM Cloud installs custom SCCs.
5.3.2 Red Hat OpenShift on IBM Cloud has a set of default Calico network policies defined and additional network policies can optionally be added.